Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 3. User tasks
3.1. Creating applications from installed Operators
This guide walks developers through an example of creating applications from an installed Operator using the OpenShift Container Platform web console.
3.1.1. Creating an etcd cluster using an Operator
This procedure walks through creating a new etcd cluster using the etcd Operator, managed by Operator Lifecycle Manager (OLM).
Prerequisites
- Access to an OpenShift Container Platform 4.17 cluster.
- The etcd Operator already installed cluster-wide by an administrator.
Procedure
- 
							Create a new project in the OpenShift Container Platform web console for this procedure. This example uses a project called my-etcd.
- Navigate to the Operators - Installed Operators page. The Operators that have been installed to the cluster by the cluster administrator and are available for use are shown here as a list of cluster service versions (CSVs). CSVs are used to launch and manage the software provided by the Operator. Tip- You can get this list from the CLI using: - oc get csv - $ oc get csv- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- On the Installed Operators page, click the etcd Operator to view more details and available actions. - As shown under Provided APIs, this Operator makes available three new resource types, including one for an etcd Cluster (the - EtcdClusterresource). These objects work similar to the built-in native Kubernetes ones, such as- Deploymentor- ReplicaSet, but contain logic specific to managing etcd.
- Create a new etcd cluster: - In the etcd Cluster API box, click Create instance.
- 
									The next page allows you to make any modifications to the minimal starting template of an EtcdClusterobject, such as the size of the cluster. For now, click Create to finalize. This triggers the Operator to start up the pods, services, and other components of the new etcd cluster.
 
- Click the example etcd cluster, then click the Resources tab to see that your project now contains a number of resources created and configured automatically by the Operator. - Verify that a Kubernetes service has been created that allows you to access the database from other pods in your project. 
- All users with the - editrole in a given project can create, manage, and delete application instances (an etcd cluster, in this example) managed by Operators that have already been created in the project, in a self-service manner, just like a cloud service. If you want to enable additional users with this ability, project administrators can add the role using the following command:- oc policy add-role-to-user edit <user> -n <target_project> - $ oc policy add-role-to-user edit <user> -n <target_project>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
You now have an etcd cluster that will react to failures and rebalance data as pods become unhealthy or are migrated between nodes in the cluster. Most importantly, cluster administrators or developers with proper access can now easily use the database with their applications.
3.2. Installing Operators in your namespace
If a cluster administrator has delegated Operator installation permissions to your account, you can install and subscribe an Operator to your namespace in a self-service manner.
3.2.1. Prerequisites
- A cluster administrator must add certain permissions to your OpenShift Container Platform user account to allow self-service Operator installation to a namespace. See Allowing non-cluster administrators to install Operators for details.
3.2.2. About Operator installation with OperatorHub
OperatorHub is a user interface for discovering Operators; it works in conjunction with Operator Lifecycle Manager (OLM), which installs and manages Operators on a cluster.
As a user with the proper permissions, you can install an Operator from OperatorHub by using the OpenShift Container Platform web console or CLI.
During installation, you must determine the following initial settings for the Operator:
- Installation Mode
- Choose a specific namespace in which to install the Operator.
- Update Channel
- If an Operator is available through multiple channels, you can choose which channel you want to subscribe to. For example, to deploy from the stable channel, if available, select it from the list.
- Approval Strategy
- You can choose automatic or manual updates. - If you choose automatic updates for an installed Operator, when a new version of that Operator is available in the selected channel, Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention. - If you select manual updates, when a newer version of an Operator is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the Operator updated to the new version. 
3.2.3. Installing from OperatorHub by using the web console
You can install and subscribe to an Operator from OperatorHub by using the OpenShift Container Platform web console.
Prerequisites
- Access to an OpenShift Container Platform cluster using an account with Operator installation permissions.
Procedure
- 
							Navigate in the web console to the Operators OperatorHub page. 
- Scroll or type a keyword into the Filter by keyword box to find the Operator you want. For example, type - advancedto find the Advanced Cluster Management for Kubernetes Operator.- You can also filter options by Infrastructure Features. For example, select Disconnected if you want to see Operators that work in disconnected environments, also known as restricted network environments. 
- Select the Operator to display additional information. Note- Choosing a Community Operator warns that Red Hat does not certify Community Operators; you must acknowledge the warning before continuing. 
- Read the information about the Operator and click Install.
- On the Install Operator page, configure your Operator installation: - If you want to install a specific version of an Operator, select an Update channel and Version from the lists. You can browse the various versions of an Operator across any channels it might have, view the metadata for that channel and version, and select the exact version you want to install. Note- The version selection defaults to the latest version for the channel selected. If the latest version for the channel is selected, the Automatic approval strategy is enabled by default. Otherwise, Manual approval is required when not installing the latest version for the selected channel. - Installing an Operator with Manual approval causes all Operators installed within the namespace to function with the Manual approval strategy and all Operators are updated together. If you want to update Operators independently, install Operators into separate namespaces. 
- Choose a specific, single namespace in which to install the Operator. The Operator will only watch and be made available for use in this single namespace.
- For clusters on cloud providers with token authentication enabled: - If the cluster uses AWS Security Token Service (STS Mode in the web console), enter the Amazon Resource Name (ARN) of the AWS IAM role of your service account in the role ARN field. To create the role’s ARN, follow the procedure described in Preparing AWS account.
- If the cluster uses Microsoft Entra Workload ID (Workload Identity / Federated Identity Mode in the web console), add the client ID, tenant ID, and subscription ID in the appropriate fields.
- If the cluster uses Google Cloud Platform Workload Identity (GCP Workload Identity / Federated Identity Mode in the web console), add the project number, pool ID, provider ID, and service account email in the appropriate fields.
 
- For Update approval, select either the Automatic or Manual approval strategy. Important- If the web console shows that the cluster uses AWS STS, Microsoft Entra Workload ID, or GCP Workload Identity, you must set Update approval to Manual. - Subscriptions with automatic approvals for updates are not recommended because there might be permission changes to make before updating. Subscriptions with manual approvals for updates ensure that administrators have the opportunity to verify the permissions of the later version, take any necessary steps, and then update. 
 
- Click Install to make the Operator available to the selected namespaces on this OpenShift Container Platform cluster: - If you selected a Manual approval strategy, the upgrade status of the subscription remains Upgrading until you review and approve the install plan. - After approving on the Install Plan page, the subscription upgrade status moves to Up to date. 
- If you selected an Automatic approval strategy, the upgrade status should resolve to Up to date without intervention.
 
Verification
- After the upgrade status of the subscription is Up to date, select Operators - Installed Operators to verify that the cluster service version (CSV) of the installed Operator eventually shows up. The Status should eventually resolve to Succeeded in the relevant namespace. Note- For the All namespaces… installation mode, the status resolves to Succeeded in the - openshift-operatorsnamespace, but the status is Copied if you check in other namespaces.- If it does not: - 
									Check the logs in any pods in the openshift-operatorsproject (or other relevant namespace if A specific namespace… installation mode was selected) on the WorkloadsPods page that are reporting issues to troubleshoot further. 
 
- 
									Check the logs in any pods in the 
- When the Operator is installed, the metadata indicates which channel and version are installed. Note- The Channel and Version dropdown menus are still available for viewing other version metadata in this catalog context. 
3.2.4. Installing from OperatorHub by using the CLI
					Instead of using the OpenShift Container Platform web console, you can install an Operator from OperatorHub by using the CLI. Use the oc command to create or update a Subscription object.
				
					For SingleNamespace install mode, you must also ensure an appropriate Operator group exists in the related namespace. An Operator group, defined by an OperatorGroup object, selects target namespaces in which to generate required RBAC access for all Operators in the same namespace as the Operator group.
				
					In most cases, the web console method of this procedure is preferred because it automates tasks in the background, such as handling the creation of OperatorGroup and Subscription objects automatically when choosing SingleNamespace mode.
				
Prerequisites
- Access to an OpenShift Container Platform cluster using an account with Operator installation permissions.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- View the list of Operators available to the cluster from OperatorHub: - oc get packagemanifests -n openshift-marketplace - $ oc get packagemanifests -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example 3.1. Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Note the catalog for your desired Operator. 
- Inspect your desired Operator to verify its supported install modes and available channels: - oc describe packagemanifests <operator_name> -n openshift-marketplace - $ oc describe packagemanifests <operator_name> -n openshift-marketplace- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example 3.2. Example output Tip- You can print an Operator’s version and channel information in YAML format by running the following command: - oc get packagemanifests <operator_name> -n <catalog_namespace> -o yaml - $ oc get packagemanifests <operator_name> -n <catalog_namespace> -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If more than one catalog is installed in a namespace, run the following command to look up the available versions and channels of an Operator from a specific catalog: - oc get packagemanifest \ --selector=catalog=<catalogsource_name> \ --field-selector metadata.name=<operator_name> \ -n <catalog_namespace> -o yaml - $ oc get packagemanifest \ --selector=catalog=<catalogsource_name> \ --field-selector metadata.name=<operator_name> \ -n <catalog_namespace> -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- If you do not specify the Operator’s catalog, running the - oc get packagemanifestand- oc describe packagemanifestcommands might return a package from an unexpected catalog if the following conditions are met:- Multiple catalogs are installed in the same namespace.
- The catalogs contain the same Operators or Operators with the same name.
 
- If the Operator you intend to install supports the - AllNamespacesinstall mode, and you choose to use this mode, skip this step, because the- openshift-operatorsnamespace already has an appropriate Operator group in place by default, called- global-operators.- If the Operator you intend to install supports the - SingleNamespaceinstall mode, and you choose to use this mode, you must ensure an appropriate Operator group exists in the related namespace. If one does not exist, you can create create one by following these steps:Important- You can only have one Operator group per namespace. For more information, see "Operator groups". - Create an - OperatorGroupobject YAML file, for example- operatorgroup.yaml, for- SingleNamespaceinstall mode:- Example - OperatorGroupobject for- SingleNamespaceinstall mode- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - OperatorGroupobject:- oc apply -f operatorgroup.yaml - $ oc apply -f operatorgroup.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Create a - Subscriptionobject to subscribe a namespace to an Operator:- Create a YAML file for the - Subscriptionobject, for example- subscription.yaml:Note- If you want to subscribe to a specific version of an Operator, set the - startingCSVfield to the desired version and set the- installPlanApprovalfield to- Manualto prevent the Operator from automatically upgrading if a later version exists in the catalog. For details, see the following "Example- Subscriptionobject with a specific starting Operator version".- Example 3.3. Example - Subscriptionobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For defaultAllNamespacesinstall mode usage, specify theopenshift-operatorsnamespace. Alternatively, you can specify a custom global namespace, if you have created one. ForSingleNamespaceinstall mode usage, specify the relevant single namespace.
- 2
- Name of the channel to subscribe to.
- 3
- Name of the Operator to subscribe to.
- 4
- Name of the catalog source that provides the Operator.
- 5
- Namespace of the catalog source. Useopenshift-marketplacefor the default OperatorHub catalog sources.
- 6
- Theenvparameter defines a list of environment variables that must exist in all containers in the pod created by OLM.
- 7
- TheenvFromparameter defines a list of sources to populate environment variables in the container.
- 8
- Thevolumesparameter defines a list of volumes that must exist on the pod created by OLM.
- 9
- ThevolumeMountsparameter defines a list of volume mounts that must exist in all containers in the pod created by OLM. If avolumeMountreferences avolumethat does not exist, OLM fails to deploy the Operator.
- 10
- Thetolerationsparameter defines a list of tolerations for the pod created by OLM.
- 11
- Theresourcesparameter defines resource constraints for all the containers in the pod created by OLM.
- 12
- ThenodeSelectorparameter defines aNodeSelectorfor the pod created by OLM.
 - Example 3.4. Example - Subscriptionobject with a specific starting Operator version- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Set the approval strategy toManualin case your specified version is superseded by a later version in the catalog. This plan prevents an automatic upgrade to a later version and requires manual approval before the starting CSV can complete the installation.
- 2
- Set a specific version of an Operator CSV.
 
- For clusters on cloud providers with token authentication enabled, such as Amazon Web Services (AWS) Security Token Service (STS), Microsoft Entra Workload ID, or Google Cloud Platform Workload Identity, configure your - Subscriptionobject by following these steps:- Ensure the - Subscriptionobject is set to manual update approvals:- Example 3.5. Example - Subscriptionobject with manual update approvals- kind: Subscription # ... spec: installPlanApproval: Manual - kind: Subscription # ... spec: installPlanApproval: Manual- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Subscriptions with automatic approvals for updates are not recommended because there might be permission changes to make before updating. Subscriptions with manual approvals for updates ensure that administrators have the opportunity to verify the permissions of the later version, take any necessary steps, and then update.
 
- Include the relevant cloud provider-specific fields in the - Subscriptionobject’s- configsection:- If the cluster is in AWS STS mode, include the following fields: - Example 3.6. Example - Subscriptionobject with AWS STS variables- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Include the role ARN details.
 - If the cluster is in Workload ID mode, include the following fields: - Example 3.7. Example - Subscriptionobject with Workload ID variables- If the cluster is in GCP Workload Identity mode, include the following fields: - Example 3.8. Example - Subscriptionobject with GCP Workload Identity variables- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <audience>
- Created in Google Cloud by the administrator when they set up GCP Workload Identity, the - AUDIENCEvalue must be a preformatted URL in the following format:- //iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id> - //iam.googleapis.com/projects/<project_number>/locations/global/workloadIdentityPools/<pool_id>/providers/<provider_id>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- <service_account_email>
- The - SERVICE_ACCOUNT_EMAILvalue is a Google Cloud service account email that is impersonated during Operator operation, for example:- <service_account_name>@<project_id>.iam.gserviceaccount.com - <service_account_name>@<project_id>.iam.gserviceaccount.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
 
- Create the - Subscriptionobject by running the following command:- oc apply -f subscription.yaml - $ oc apply -f subscription.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
							If you set the installPlanApprovalfield toManual, manually approve the pending install plan to complete the Operator installation. For more information, see "Manually approving a pending Operator update".
At this point, OLM is now aware of the selected Operator. A cluster service version (CSV) for the Operator should appear in the target namespace, and APIs provided by the Operator should be available for creation.
Verification
- Check the status of the - Subscriptionobject for your installed Operator by running the following command:- oc describe subscription <subscription_name> -n <namespace> - $ oc describe subscription <subscription_name> -n <namespace>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you created an Operator group for - SingleNamespaceinstall mode, check the status of the- OperatorGroupobject by running the following command:- oc describe operatorgroup <operatorgroup_name> -n <namespace> - $ oc describe operatorgroup <operatorgroup_name> -n <namespace>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow