1. Prepare your platform
Airgapped clusters
If your nodes are airgapped and don’t have access to common internet registries, first follow Airgapped clusters to fetch Portworx images.
Select nodes where Portworx will installed
OpenShift Container Platform 3.9 started restricting where pods can be installed (see reference),
Portworx Operator will install pods only on nodes that have the label node-role.kubernetes.io/compute=true.
If you want to install Portworx on additional nodes, you have 2 options.
To allow Portworx pods on all nodes in let’s say
kube-systemnamespace run:oc patch namespace kube-system -p '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'Alternatively, add the following label to the individual nodes where you want Portworx to run:
oc label nodes mynode1 node-role.kubernetes.io/compute=true
Add the Portworx service accounts to the privileged security context
Portworx runs as a privileged container. Hence you need to add the Portworx service accounts to the privileged security context.
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:px-account
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:portworx-pvc-controller-account
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:px-lh-account
oc adm policy add-scc-to-user anyuid system:serviceaccount:kube-system:px-lh-account
oc adm policy add-scc-to-user anyuid system:serviceaccount:default:default
oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:px-csi-accountPrepare a docker-registry credentials secret
Confirm the username/password works (e.g. user:john, passwd:s3cret)
docker login -u john -p s3cret mysecure.registry.comConfigure username/password as a Kubernetes “docker-registry” secret (e.g. “regcred”)
oc create secret docker-registry regcred \ --docker-server=mysecure.registry.com \ --docker-username=john \ --docker-password=s3cret \ --docker-email=test@acme.org \ -n kube-system