Installing on a set of nodes within a namespace

Install Guardium® Data Security Center on a specific set of worker nodes within a namespace.

Before you begin

Before you proceed with the installation, complete these steps:
  1. Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
  2. Prepare for installation.
  3. Log in to the OpenShift® command-line interface.
  4. Download the Guardium Data Security Center CASE file and set up your environment for dependencies.

About this task

To install Guardium Data Security Center on a specific set of worker nodes, use steps 1 to 6 to set pod placement at the project level so that pods are scheduled to specific nodes: label the worker nodes and annotate the project namespace. Then install Guardium Data Security Center on the labeled nodes.

If Guardium Data Security Center is already installed and running on all available worker nodes in the namespace, use step 7 to label the worker nodes and annotate the namespace. Then, force Guardium Data Security Center pods to run only on the labeled worker nodes.

Procedure

  1. Log in to your OpenShift cluster instance by using the following command.
    cloudctl login -a https://cp-console.<cluster hostname> --skip-ssl-validation -u admin -p <ICS password> 
  2. List all the nodes in the cluster by using the following command.
    oc get nodes
  3. Assign a node label for the worker nodes on which you want to install Guardium Data Security Center.
    1. The cluster administrator must use the following commands to add, update, or remove a node label.
      For example, use the following command to change the label env.
      oc label node <node name> env=dev --overwrite
      For example, use the following command to remove the label env.
      oc label node <node name> env-
  4. Configure a default node selector for an existing namespace by adding an annotation to the namespace resource by using the openshift.io/node-selector key. The oc annotate command can add, modify, or remove a node selector annotation.
    For example,
    oc annotate namespace <your Guardium Data Security Center namespace> openshift.io/node-selector="env=dev" --overwrite
  5. Install the Guardium Data Security Center operator into your Guardium Data Security Center namespace.
    1. Choose the CASE version that you want to use.
    2. Start the build.
  6. Run the following command.
    oc get guardiumdatasecuritycenter
    The output is similar to:
    NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    staging   Ready   True     Completed   Completed Reconciliation   3.6.0             3.6.0
  7. If Guardium Data Security Center is already installed, use the following steps to label the worker nodes and annotate the namespace. Then, force Guardium Data Security Center to run on the labeled worker nodes:
    1. Make sure that ICS and Guardium Data Security Center are deployed to the cluster by running the following command.
      oc get guardiumdatasecuritycenter
    2. Verify that the GI pods are distributed across the worker nodes.
      oc get pods -n <your Guardium Data Security Center namespace> -o wide
    3. Label the workers.
      For example,
      oc label node worker1.iffy.cp.fyre.ibm.com env=dev
    4. Annotate the namespace.
      For example,
      oc annotate namespace <your Guardium Data Security Center namespace> openshift.io/node-selector="env=dev" --overwrite
    5. Delete all the Guardium Data Security Center pods.
      oc delete --all pod -n <your Guardium Data Security Center namespace>
    6. Verify that the Guardium Data Security Center pods are locked to the correct worker nodes.
      For example,
      oc get pods -n <your Guardium Data Security Center namespace> -o wide
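
The final verification can be scripted instead of read by eye from the `-o wide` output. The following is an added example, not part of the product documentation: it compares each pod's node against the nodes that match the namespace's openshift.io/node-selector annotation. The function names, the example.com node names, and the pod names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag pods that run outside the labeled worker nodes.

# Constructed sample of `oc get nodes -l env=dev -o name` output.
SAMPLE_NODES='node/worker1.example.com
node/worker2.example.com'

# Constructed sample of `oc get pods -n <namespace> --no-headers
#   -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName` output.
SAMPLE_PODS='staging-api-0      worker1.example.com
staging-db-0       worker2.example.com
staging-ingest-0   worker3.example.com
staging-pending-0  <none>'

# misplaced_pods NODES PODS
# Prints "<pod> <node>" for each scheduled pod whose node is not in NODES.
# Pods without a node yet (<none>, for example Pending) are skipped.
misplaced_pods() {
  { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } |
  awk '$1 == "--" { pods = 1; next }
       !pods { n = $1; sub(/^node\//, "", n); if (n != "") ok[n] = 1; next }
       NF >= 2 && $2 != "<none>" && !($2 in ok) { print $1, $2 }'
}

# check_namespace NAMESPACE
# Live check against the cluster; requires a logged-in oc session.
# Returns 0 if every scheduled pod is on a node matching the selector,
# 1 if any pod is misplaced, 2 if the namespace has no selector annotation.
check_namespace() {
  ns=$1
  selector=$(oc get namespace "$ns" \
    -o jsonpath='{.metadata.annotations.openshift\.io/node-selector}')
  [ -n "$selector" ] || { echo "no node selector on $ns" >&2; return 2; }
  nodes=$(oc get nodes -l "$selector" -o name)
  pods=$(oc get pods -n "$ns" --no-headers \
    -o custom-columns=NAME:.metadata.name,NODE:.spec.nodeName)
  bad=$(misplaced_pods "$nodes" "$pods")
  [ -z "$bad" ] || { printf '%s\n' "$bad"; return 1; }
}

# Offline demonstration on the constructed samples.
misplaced_pods "$SAMPLE_NODES" "$SAMPLE_PODS"
```

Run `check_namespace <your Guardium Data Security Center namespace>` after the pods restart; any line it prints names a pod that is still on an unlabeled node.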