You can omit the VERSION variable to install the latest version.
You can also download the distribution manually. Download a distribution for the client host from where you will be executing the commands to access Kubernetes:
<a href=”https://packages.konghq.com/public/kuma-legacy/raw/names/kuma-darwin-amd64/versions/{“edition”=>”kuma”, “version”=>”2.9.0”, “release”=>”2.9.x”, “latest”=>true, “releaseDate”=>”2024-10-22”, “endOfLifeDate”=>”2025-10-22”, “branch”=>”release-2.9”}/kuma-{“edition”=>”kuma”, “version”=>”2.9.0”, “release”=>”2.9.x”, “latest”=>true, “releaseDate”=>”2024-10-22”, “endOfLifeDate”=>”2025-10-22”, “branch”=>”release-2.9”}-darwin-amd64.tar.gz”>macOS</a> or run brew install kumactl
and extract the archive with tar xvzf kuma-{"edition"=>"kuma", "version"=>"2.9.0", "release"=>"2.9.x", "latest"=>true, "releaseDate"=>"2024-10-22", "endOfLifeDate"=>"2025-10-22", "branch"=>"release-2.9"}.tar.gz
Once downloaded, you will find the contents of Kuma in the kuma-{"edition"=>"kuma", "version"=>"2.9.0", "release"=>"2.9.x", "latest"=>true, "releaseDate"=>"2024-10-22", "endOfLifeDate"=>"2025-10-22", "branch"=>"release-2.9"} folder. In this folder, you will find - among other files - the bin directory that stores the executables for Kuma, including the CLI client kumactl.
Note: On Kubernetes - of all the Kuma binaries in the bin folder - we only need kumactl.
So we enter the bin folder by executing: cd kuma-{"edition"=>"kuma", "version"=>"2.9.0", "release"=>"2.9.x", "latest"=>true, "releaseDate"=>"2024-10-22", "endOfLifeDate"=>"2025-10-22", "branch"=>"release-2.9"}/bin
We suggest adding the kumactl executable to your PATH (by executing: export PATH=$(pwd):$PATH) so that it’s always available in every working directory. Or - alternatively - you can also create link in /usr/local/bin/ by executing:
Starting from version 4.1 OpenShift utilizes nftables instead of iptables. So using init container for redirecting traffic to the proxy no longer works. Instead, we use the --cni-enabled flag to install the kuma-cni.
By default MutatingAdmissionWebhook and ValidatingAdmissionWebhook are disabled on OpenShift 3.11.
In order to make it work add the following pluginConfig into /etc/origin/master/master-config.yaml on the master node:
After updating master-config.yaml restart the cluster and install control-plane:
./kumactl install control-plane | oc apply -f -
This example will run Kuma in standalone mode for a “flat” deployment, but there are more advanced deployment modes like “multi-zone”.
It may take a while for OpenShift to start the Kuma resources, you can check the status by executing:
oc get pod -n kuma-system
3. Use Kuma
Kuma (kuma-cp) will be installed in the newly created kuma-system namespace! Now that Kuma has been installed, you can access the control-plane via either the GUI, oc, the HTTP API, or the CLI:
And then you can navigate to 127.0.0.1:5681 to see the HTTP API.
You can use the kumactl CLI to perform read-only operations on Kuma resources. The kumactl binary is a client to the Kuma HTTP API, you will need to first port-forward the API service with:
You will notice that Kuma automatically creates a Mesh entity with name default.
Kuma explicitly specifies UID for kuma-dp sidecar to avoid capturing traffic from kuma-dp itself. For that reason, nonrootSecurity Context Constraint has to be granted to the application namespace:
If namespace is not configured properly, we will see following error on the Deployment or DeploymentConfig
'pods "kuma-demo-backend-v0-cd6b68b54-" is forbidden: unable to validate against any security context constraint: [spec.containers[1].securityContext.securityContext.runAsUser: Invalid value: 5678: must be in the ranges: [1000540000, 1000549999]]'
4. Quickstart
Congratulations! You have successfully installed Kuma on OpenShift 🚀.