IBM Security Verify

 View Only

Build you own: Access Manager with Kubernetes

By Jon Harry posted Thu May 02, 2019 11:17 AM



In my previous post, I described how to build your own Centos 7 system, with Docker (and docker-compose) installed, so that you could run an  IBM Security Access Manager system using containers.

This post extends that system so that you can explore deployment of Access Manager via Kubernetes.  It also includes installation of Helm so that you can explore deployment using Helm Charts.

Kubernetes is an orchestration technology which controls deployment of containers in a Kubernetes cluster.  This is a common way to deploy containers onto cloud platforms such as IBM Cloud or Google Kubernetes Engine (GKE).

Helm is described as "a package manager for Kubernetes".   A Helm Chart is a definition of one or more Kubernetes deployments (usually related to a single application) which allows dynamic scripting within the YAML files which define the Kubernetes objects.

This post provides step-by-step instructions for installing:

  • minikube (a stand-alone Kubernetes cluster);
  • kubectl (the Kubernetes command-line client); and
  • helm (the Helm command-line client)

onto your test system.

Once you have completed the steps in this post, you’ll be able to use my Access Manager with Kubernetes and my Access Manager with Helm cookbooks.


This post assumes that you already have a Centos 7 system set up.  Instructions for this are in my previous post.  For my environment, I used a virtual machine running under VMWare but you could use a different hypervisor or a physical machine.  For my virtual machine I used these settings:

  • Minimum 8GB Memory
  • Minimum 30GB Disk
  • Minimum 4 CPUs
  • Enable nested hypervisor support (required for minikube)

This blog assumes you have a standard user account.  I created a standard user with username of demouser but you can choose your own name.  You will also need root access for the installation steps.

Install Kubernetes command-line client

Kubernetes clusters are managed using a REST API. The kubectl utility provides a command-line client for this REST API.

As root, enter the following commands to add the Kubernetes repository to yum and install:

cat <<EOF > /etc/yum.repos.d/kubernetes.repo

yum install -y kubectl

echo "source <(kubectl completion bash)" >> /etc/bashrc

Install Helm

Helm Charts are created and installed using the helm utility.  Install the latest version, Helm 3.

As root, enter the following commands to run the installer for Helm and set up command completion:

curl -L | bash

echo "source <(helm completion bash)" >> /etc/bashrc

Install KVM and Minikube

Minikube is a self-contained Kubernetes cluster that can run locally under a hypervisor. In this case it will be installed under the KVM hypervisor.

As root, enter the following commands to install KVM and Minikube:

yum install -y qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer bridge-utils libvirt-daemon-kvm

systemctl enable libvirtd

systemctl start libvirtd

curl -Lo minikube && chmod +x minikube && cp minikube /usr/local/bin/ && rm -f minikube

Add standard user to libvirt group

If you want a standard user to be able to start Minikube, they must be added to the libvirt group.

As root, enter the following commands (replacing demouser with the username of your standard user):

usermod -aG libvirt demouser

The installation is complete. To activate KVM you must now Reboot the system.

Set minikube configuration

Once your system has rebooted, login as the standard user that you created during Centos 7 installation. In my case the user is demouser.

Enter the following commands set minikube configuration (enabling the ingress add-on allows access to HTTP and HTTPS services using well-known ports):

minikube config set vm-driver kvm2

minikube config set memory 4096

minikube config set cpus 4

minikube config set ingress true

Start minikube for the first time

As the standard user, enter the following command to start minikube for the first time:

minikube start

This first start can take several minutes as assets are downloaded from the internet to initialize the Kubernetes system.

Test kubectl connection

When minikube is started, the configuration for kubectl is updated so that it is connected to the minikube Kubernetes cluster.

Use this following command to check that the connection has been made:

kubectl cluster-info

You should see output similar to the following:

Kubernetes master is running at
KubeDNS is running at

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Your minikube Kubernetes cluster is ready to use.

Stop minikube to release memory

If you're not going to use it right away, you can now stop minikube to reduce CPU and memory usage:

minikube stop

Prepare for Cookbooks

Clone scripts from isamdocker git repository

As the standard user, clone the git repository that contains the scripts used by my cookbooks and link into the user’s home directory:

git clone ~/isamdocker

mkdir ~/studentfiles

ln -s ~/isamdocker/studentfiles/container-install ~/studentfiles/container-install