Serverless
1. Release notes
Expand section "1. Release notes" Collapse section "1. Release notes"
1. 1.1. About API versions
2. 1.2. Generally Available and Technology Preview features
3. 1.3. Deprecated and removed features
4. 1.4. Release notes for Red Hat OpenShift Serverless 1.23.0
  Expand section "1.4. Release notes for Red Hat OpenShift Serverless 1.23.0" Collapse section "1.4. Release notes for Red Hat OpenShift Serverless 1.23.0"
  1. 1.4.1. New features
  2. 1.4.2. Known issues
5. 1.5. Release notes for Red Hat OpenShift Serverless 1.22.0
  Expand section "1.5. Release notes for Red Hat OpenShift Serverless 1.22.0" Collapse section "1.5. Release notes for Red Hat OpenShift Serverless 1.22.0"
  1. 1.5.1. New features
  2. 1.5.2. Known issues
6. 1.6. Release notes for Red Hat OpenShift Serverless 1.21.0
  Expand section "1.6. Release notes for Red Hat OpenShift Serverless 1.21.0" Collapse section "1.6. Release notes for Red Hat OpenShift Serverless 1.21.0"
7. 1.7. Release notes for Red Hat OpenShift Serverless 1.20.0
  Expand section "1.7. Release notes for Red Hat OpenShift Serverless 1.20.0" Collapse section "1.7. Release notes for Red Hat OpenShift Serverless 1.20.0"
  1. 1.7.1. New features
  2. 1.7.2. Known issues
8. 1.8. Release notes for Red Hat OpenShift Serverless 1.19.0
  Expand section "1.8. Release notes for Red Hat OpenShift Serverless 1.19.0" Collapse section "1.8. Release notes for Red Hat OpenShift Serverless 1.19.0"
9. 1.9. Release notes for Red Hat OpenShift Serverless 1.18.0
  Expand section "1.9. Release notes for Red Hat OpenShift Serverless 1.18.0" Collapse section "1.9. Release notes for Red Hat OpenShift Serverless 1.18.0"
10. 1.10. Release Notes for Red Hat OpenShift Serverless 1.17.0
  Expand section "1.10. Release Notes for Red Hat OpenShift Serverless 1.17.0" Collapse section "1.10. Release Notes for Red Hat OpenShift Serverless 1.17.0"
  1. 1.10.1. New features
  2. 1.10.2. Known issues
11. 1.11. Release Notes for Red Hat OpenShift Serverless 1.16.0
  Expand section "1.11. Release Notes for Red Hat OpenShift Serverless 1.16.0" Collapse section "1.11. Release Notes for Red Hat OpenShift Serverless 1.16.0"
  1. 1.11.1. New features
  2. 1.11.2. Known issues
2. Discover
Expand section "2. Discover" Collapse section "2. Discover"
1. 2.1. About OpenShift Serverless
  Expand section "2.1. About OpenShift Serverless" Collapse section "2.1. About OpenShift Serverless"
  1. 2.1.1. Knative Serving
    
    Expand section "2.1.1. Knative Serving" Collapse section "2.1.1. Knative Serving"
    
    2.1.1.1. Knative Serving resources
  2. 2.1.2. Knative Eventing
  3. 2.1.3. Supported configurations
  4. 2.1.4. Scalability and performance
  5. 2.1.5. Additional resources
2. 2.2. About OpenShift Serverless Functions
  Expand section "2.2. About OpenShift Serverless Functions" Collapse section "2.2. About OpenShift Serverless Functions"
  1. 2.2.1. Included runtimes
  2. 2.2.2. Next steps
3. 2.3. Event sources
4. 2.4. Channels and subscriptions
  Expand section "2.4. Channels and subscriptions" Collapse section "2.4. Channels and subscriptions"
  1. 2.4.1. Channel implementation types
  2. 2.4.2. Next steps
3. Install
Expand section "3. Install" Collapse section "3. Install"
1. 3.1. Installing the OpenShift Serverless Operator
  Expand section "3.1. Installing the OpenShift Serverless Operator" Collapse section "3.1. Installing the OpenShift Serverless Operator"
  1. 3.1.1. Before you begin
    
    Expand section "3.1.1. Before you begin" Collapse section "3.1.1. Before you begin"
    
    3.1.1.1. Defining cluster size requirements
    
    3.1.1.2. Scaling your cluster using machine sets
  2. 3.1.2. Installing the OpenShift Serverless Operator
  3. 3.1.3. Additional resources
  4. 3.1.4. Next steps
2. 3.2. Installing Knative Serving
  Expand section "3.2. Installing Knative Serving" Collapse section "3.2. Installing Knative Serving"
3. 3.3. Installing Knative Eventing
  Expand section "3.3. Installing Knative Eventing" Collapse section "3.3. Installing Knative Eventing"
4. 3.4. Removing OpenShift Serverless
  Expand section "3.4. Removing OpenShift Serverless" Collapse section "3.4. Removing OpenShift Serverless"
  1. 3.4.1. Uninstalling Knative Serving
  2. 3.4.2. Uninstalling Knative Eventing
  3. 3.4.3. Removing the OpenShift Serverless Operator
    
    Expand section "3.4.3. Removing the OpenShift Serverless Operator" Collapse section "3.4.3. Removing the OpenShift Serverless Operator"
    
    3.4.3.1. Deleting Operators from a cluster using the web console
    
    3.4.3.2. Deleting Operators from a cluster using the CLI
    
    3.4.3.3. Refreshing failing subscriptions
  4. 3.4.4. Deleting OpenShift Serverless custom resource definitions
4. Knative CLI
Expand section "4. Knative CLI" Collapse section "4. Knative CLI"
1. 4.1. Installing the Knative CLI
  Expand section "4.1. Installing the Knative CLI" Collapse section "4.1. Installing the Knative CLI"
2. 4.2. Configuring the Knative CLI
3. 4.3. Knative CLI plug-ins
  Expand section "4.3. Knative CLI plug-ins" Collapse section "4.3. Knative CLI plug-ins"
  1. 4.3.1. Building events by using the kn-event plug-in
  2. 4.3.2. Sending events by using the kn-event plug-in
4. 4.4. Knative Serving CLI commands
  Expand section "4.4. Knative Serving CLI commands" Collapse section "4.4. Knative Serving CLI commands"
  1. 4.4.1. kn service commands
    
    Expand section "4.4.1. kn service commands" Collapse section "4.4.1. kn service commands"
    
    4.4.1.1. Creating serverless applications by using the Knative CLI
    
    4.4.1.2. Updating serverless applications by using the Knative CLI
    
    4.4.1.3. Applying service declarations
    
    4.4.1.4. Describing serverless applications by using the Knative CLI
  2. 4.4.2. About the Knative CLI offline mode
    
    Expand section "4.4.2. About the Knative CLI offline mode" Collapse section "4.4.2. About the Knative CLI offline mode"
    
    4.4.2.1. Creating a service using offline mode
  3. 4.4.3. kn container commands
    
    Expand section "4.4.3. kn container commands" Collapse section "4.4.3. kn container commands"
    
    4.4.3.1. Knative client multi-container support
  4. 4.4.4. kn domain commands
    
    Expand section "4.4.4. kn domain commands" Collapse section "4.4.4. kn domain commands"
    
    4.4.4.1. Creating a custom domain mapping by using the Knative CLI
    
    4.4.4.2. Managing custom domain mappings by using the Knative CLI
5. 4.5. Knative Eventing CLI commands
  Expand section "4.5. Knative Eventing CLI commands" Collapse section "4.5. Knative Eventing CLI commands"
  1. 4.5.1. kn source commands
    
    Expand section "4.5.1. kn source commands" Collapse section "4.5.1. kn source commands"
    
    4.5.1.1. Listing available event source types by using the Knative CLI
    
    4.5.1.2. Knative CLI sink flag
    
    4.5.1.3. Creating and managing container sources by using the Knative CLI
    
    4.5.1.4. Creating an API server source by using the Knative CLI
    
    4.5.1.5. Creating a ping source by using the Knative CLI
    
    4.5.1.6. Creating a Kafka event source by using the Knative CLI
6. 4.6. Functions commands
  Expand section "4.6. Functions commands" Collapse section "4.6. Functions commands"
  1. 4.6.1. Creating functions
  2. 4.6.2. Building functions
  3. 4.6.3. Deploying functions
  4. 4.6.4. Listing existing functions
  5. 4.6.5. Describing a function
  6. 4.6.6. Invoking a deployed function with a test event
    
    Expand section "4.6.6. Invoking a deployed function with a test event" Collapse section "4.6.6. Invoking a deployed function with a test event"
    
    4.6.6.1. kn func invoke optional parameters
    
    Expand section "4.6.6.1. kn func invoke optional parameters" Collapse section "4.6.6.1. kn func invoke optional parameters"
    
    4.6.6.1.1. Main parameters
    
    4.6.6.1.2. Example commands
    
    Expand section "4.6.6.1.2. Example commands" Collapse section "4.6.6.1.2. Example commands"
    
    4.6.6.1.2.1. Specifying the file with data
    
    4.6.6.1.2.2. Specifying the function project
    
    4.6.6.1.2.3. Specifying where the target function is deployed
  7. 4.6.7. Deleting a function
5. Develop
Expand section "5. Develop" Collapse section "5. Develop"
1. 5.1. Serverless applications
  Expand section "5.1. Serverless applications" Collapse section "5.1. Serverless applications"
2. 5.2. Autoscaling
  Expand section "5.2. Autoscaling" Collapse section "5.2. Autoscaling"
  1. 5.2.1. Scale bounds
    
    Expand section "5.2.1. Scale bounds" Collapse section "5.2.1. Scale bounds"
    
    5.2.1.1. Minimum scale bounds
    
    Expand section "5.2.1.1. Minimum scale bounds" Collapse section "5.2.1.1. Minimum scale bounds"
    
    5.2.1.1.1. Setting the min-scale annotation by using the Knative CLI
    
    5.2.1.2. Maximum scale bounds
    
    Expand section "5.2.1.2. Maximum scale bounds" Collapse section "5.2.1.2. Maximum scale bounds"
    
    5.2.1.2.1. Setting the max-scale annotation by using the Knative CLI
  2. 5.2.2. Concurrency
    
    Expand section "5.2.2. Concurrency" Collapse section "5.2.2. Concurrency"
    
    5.2.2.1. Configuring a soft concurrency target
    
    5.2.2.2. Configuring a hard concurrency limit
    
    5.2.2.3. Concurrency target utilization
3. 5.3. Traffic management
  Expand section "5.3. Traffic management" Collapse section "5.3. Traffic management"
  1. 5.3.1. Traffic spec examples
  2. 5.3.2. Knative CLI traffic management flags
    
    Expand section "5.3.2. Knative CLI traffic management flags" Collapse section "5.3.2. Knative CLI traffic management flags"
    
    5.3.2.1. Multiple flags and order precedence
    
    5.3.2.2. Custom URLs for revisions
    
    Expand section "5.3.2.2. Custom URLs for revisions" Collapse section "5.3.2.2. Custom URLs for revisions"
    
    5.3.2.2.1. Example: Assign a tag to a revision
    
    5.3.2.2.2. Example: Remove a tag from a revision
  3. 5.3.3. Creating a traffic split by using the Knative CLI
  4. 5.3.4. Managing traffic between revisions by using the OpenShift Container Platform web console
  5. 5.3.5. Routing and managing traffic by using a blue-green deployment strategy
4. 5.4. Routing
  Expand section "5.4. Routing" Collapse section "5.4. Routing"
5. 5.5. Event sinks
  Expand section "5.5. Event sinks" Collapse section "5.5. Event sinks"
6. 5.6. Event delivery
  Expand section "5.6. Event delivery" Collapse section "5.6. Event delivery"
  1. 5.6.1. Event delivery behavior for Knative Eventing channels
    
    Expand section "5.6.1. Event delivery behavior for Knative Eventing channels" Collapse section "5.6.1. Event delivery behavior for Knative Eventing channels"
    
    5.6.1.1. Event delivery behavior for Knative Kafka channels
    
    5.6.1.2. Delivery failure status codes
  2. 5.6.2. Configurable event delivery parameters
  3. 5.6.3. Configuring event delivery failure parameters using subscriptions
7. 5.7. Listing event sources and event source types
  Expand section "5.7. Listing event sources and event source types" Collapse section "5.7. Listing event sources and event source types"
8. 5.8. Creating an API server source
  Expand section "5.8. Creating an API server source" Collapse section "5.8. Creating an API server source"
  1. 5.8.1. Creating an API server source by using the web console
  2. 5.8.2. Creating an API server source by using the Knative CLI
    
    Expand section "5.8.2. Creating an API server source by using the Knative CLI" Collapse section "5.8.2. Creating an API server source by using the Knative CLI"
    
    5.8.2.1. Knative CLI sink flag
  3. 5.8.3. Creating an API server source by using YAML files
9. 5.9. Creating a ping source
  Expand section "5.9. Creating a ping source" Collapse section "5.9. Creating a ping source"
  1. 5.9.1. Creating a ping source by using the web console
  2. 5.9.2. Creating a ping source by using the Knative CLI
    
    Expand section "5.9.2. Creating a ping source by using the Knative CLI" Collapse section "5.9.2. Creating a ping source by using the Knative CLI"
    
    5.9.2.1. Knative CLI sink flag
  3. 5.9.3. Creating a ping source by using YAML
10. 5.10. Custom event sources
  Expand section "5.10. Custom event sources" Collapse section "5.10. Custom event sources"
  1. 5.10.1. Sink binding
    
    Expand section "5.10.1. Sink binding" Collapse section "5.10.1. Sink binding"
    
    5.10.1.1. Creating a sink binding by using YAML
    
    5.10.1.2. Creating a sink binding by using the Knative CLI
    
    Expand section "5.10.1.2. Creating a sink binding by using the Knative CLI" Collapse section "5.10.1.2. Creating a sink binding by using the Knative CLI"
    
    5.10.1.2.1. Knative CLI sink flag
    
    5.10.1.3. Creating a sink binding by using the web console
    
    5.10.1.4. Sink binding reference
    
    Expand section "5.10.1.4. Sink binding reference" Collapse section "5.10.1.4. Sink binding reference"
    
    5.10.1.4.1. Subject parameter
    
    5.10.1.4.2. CloudEvent overrides
    
    5.10.1.4.3. The include label
  2. 5.10.2. Container source
    
    Expand section "5.10.2. Container source" Collapse section "5.10.2. Container source"
    
    5.10.2.1. Guidelines for creating a container image
    
    5.10.2.2. Creating and managing container sources by using the Knative CLI
    
    5.10.2.3. Creating a container source by using the web console
    
    5.10.2.4. Container source reference
    
    Expand section "5.10.2.4. Container source reference" Collapse section "5.10.2.4. Container source reference"
    
    5.10.2.4.1. CloudEvent overrides
11. 5.11. Creating channels
  Expand section "5.11. Creating channels" Collapse section "5.11. Creating channels"
12. 5.12. Creating and managing subscriptions
  Expand section "5.12. Creating and managing subscriptions" Collapse section "5.12. Creating and managing subscriptions"
13. 5.13. Brokers
  Expand section "5.13. Brokers" Collapse section "5.13. Brokers"
  1. 5.13.1. Broker types
    
    Expand section "5.13.1. Broker types" Collapse section "5.13.1. Broker types"
    
    5.13.1.1. Channel-based broker
    
    5.13.1.2. Kafka broker
  2. 5.13.2. Creating a broker that uses default settings
    
    Expand section "5.13.2. Creating a broker that uses default settings" Collapse section "5.13.2. Creating a broker that uses default settings"
    
    5.13.2.1. Creating a broker by using the Knative CLI
    
    5.13.2.2. Creating a broker by annotating a trigger
    
    5.13.2.3. Creating a broker by labeling a namespace
    
    5.13.2.4. Deleting a broker that was created by injection
  3. 5.13.3. Kafka broker
    
    Expand section "5.13.3. Kafka broker" Collapse section "5.13.3. Kafka broker"
    
    5.13.3.1. Creating a Kafka broker by using YAML
    
    5.13.3.2. Creating a Kafka broker that uses an externally managed Kafka topic
  4. 5.13.4. Managing brokers
    
    Expand section "5.13.4. Managing brokers" Collapse section "5.13.4. Managing brokers"
    
    5.13.4.1. Listing existing brokers by using the Knative CLI
    
    5.13.4.2. Describing an existing broker by using the Knative CLI
  5. 5.13.5. Additional resources
14. 5.14. Triggers
  Expand section "5.14. Triggers" Collapse section "5.14. Triggers"
15. 5.15. Using Knative Kafka
  Expand section "5.15. Using Knative Kafka" Collapse section "5.15. Using Knative Kafka"
  1. 5.15.1. Kafka event delivery and retries
  2. 5.15.2. Kafka source
    
    Expand section "5.15.2. Kafka source" Collapse section "5.15.2. Kafka source"
    
    5.15.2.1. Creating a Kafka event source by using the web console
    
    5.15.2.2. Creating a Kafka event source by using the Knative CLI
    
    Expand section "5.15.2.2. Creating a Kafka event source by using the Knative CLI" Collapse section "5.15.2.2. Creating a Kafka event source by using the Knative CLI"
    
    5.15.2.2.1. Knative CLI sink flag
    
    5.15.2.3. Creating a Kafka event source by using YAML
  3. 5.15.3. Kafka broker
    
    Expand section "5.15.3. Kafka broker" Collapse section "5.15.3. Kafka broker"
    
    5.15.3.1. Creating a Kafka broker by using YAML
    
    5.15.3.2. Creating a Kafka broker that uses an externally managed Kafka topic
  4. 5.15.4. Creating a Kafka channel by using YAML
  5. 5.15.5. Kafka sink
    
    Expand section "5.15.5. Kafka sink" Collapse section "5.15.5. Kafka sink"
    
    5.15.5.1. Using a Kafka sink
  6. 5.15.6. Additional resources
6. Administer
Expand section "6. Administer" Collapse section "6. Administer"
1. 6.1. Global configuration
  Expand section "6.1. Global configuration" Collapse section "6.1. Global configuration"
  1. 6.1.1. Configuring the default channel implementation
  2. 6.1.2. Enabling scale-to-zero
  3. 6.1.3. Configuring the scale-to-zero grace period
  4. 6.1.4. Overriding system deployment configurations
  5. 6.1.5. Configuring the EmptyDir extension
  6. 6.1.6. HTTPS redirection global settings
  7. 6.1.7. Setting the URL scheme for external routes
  8. 6.1.8. Setting the Kourier Gateway service type
  9. 6.1.9. Enabling PVC support
  10. 6.1.10. Enabling init containers
  11. 6.1.11. Tag-to-digest resolution
    
    Expand section "6.1.11. Tag-to-digest resolution" Collapse section "6.1.11. Tag-to-digest resolution"
    
    6.1.11.1. Configuring tag-to-digest resolution by using a secret
  12. 6.1.12. Additional resources
2. 6.2. Configuring Knative Kafka
  Expand section "6.2. Configuring Knative Kafka" Collapse section "6.2. Configuring Knative Kafka"
3. 6.3. Serverless components in the Administrator perspective
  Expand section "6.3. Serverless components in the Administrator perspective" Collapse section "6.3. Serverless components in the Administrator perspective"
  1. 6.3.1. Creating serverless applications using the Administrator perspective
  2. 6.3.2. Additional resources
4. 6.4. Integrating Service Mesh with OpenShift Serverless
  Expand section "6.4. Integrating Service Mesh with OpenShift Serverless" Collapse section "6.4. Integrating Service Mesh with OpenShift Serverless"
  1. 6.4.1. Integrating Service Mesh with OpenShift Serverless natively
    
    Expand section "6.4.1. Integrating Service Mesh with OpenShift Serverless natively" Collapse section "6.4.1. Integrating Service Mesh with OpenShift Serverless natively"
    
    6.4.1.1. Creating a certificate to encrypt incoming external traffic
    
    6.4.1.2. Integrating Service Mesh with OpenShift Serverless
    
    6.4.1.3. Enabling Knative Serving metrics when using Service Mesh with mTLS
  2. 6.4.2. Integrating Service Mesh with OpenShift Serverless when Kourier is enabled
5. 6.5. Serverless administrator metrics
  Expand section "6.5. Serverless administrator metrics" Collapse section "6.5. Serverless administrator metrics"
  1. 6.5.1. Prerequisites
  2. 6.5.2. Controller metrics
  3. 6.5.3. Webhook metrics
  4. 6.5.4. Knative Eventing metrics
    
    Expand section "6.5.4. Knative Eventing metrics" Collapse section "6.5.4. Knative Eventing metrics"
    
    6.5.4.1. Broker ingress metrics
    
    6.5.4.2. Broker filter metrics
    
    6.5.4.3. InMemoryChannel dispatcher metrics
    
    6.5.4.4. Event source metrics
  5. 6.5.5. Knative Serving metrics
    
    Expand section "6.5.5. Knative Serving metrics" Collapse section "6.5.5. Knative Serving metrics"
    
    6.5.5.1. Activator metrics
    
    6.5.5.2. Autoscaler metrics
    
    6.5.5.3. Go runtime metrics
6. 6.6. Using metering with OpenShift Serverless
  Expand section "6.6. Using metering with OpenShift Serverless" Collapse section "6.6. Using metering with OpenShift Serverless"
  1. 6.6.1. Installing metering
  2. 6.6.2. Data source reports for Knative Serving metering
    
    Expand section "6.6.2. Data source reports for Knative Serving metering" Collapse section "6.6.2. Data source reports for Knative Serving metering"
    
    6.6.2.1. Data source report for CPU usage in Knative Serving
    
    6.6.2.2. Data source report for memory usage in Knative Serving
    
    6.6.2.3. Applying data source reports for Knative Serving metering
  3. 6.6.3. Queries for Knative Serving metering
    
    Expand section "6.6.3. Queries for Knative Serving metering" Collapse section "6.6.3. Queries for Knative Serving metering"
    
    6.6.3.1. Applying Queries for Knative Serving metering
  4. 6.6.4. Metering reports for Knative Serving
    
    Expand section "6.6.4. Metering reports for Knative Serving" Collapse section "6.6.4. Metering reports for Knative Serving"
    
    6.6.4.1. Running a metering report
7. 6.7. High availability
  Expand section "6.7. High availability" Collapse section "6.7. High availability"
7. Monitor
Expand section "7. Monitor" Collapse section "7. Monitor"
1. 7.1. Using OpenShift Logging with OpenShift Serverless
  Expand section "7.1. Using OpenShift Logging with OpenShift Serverless" Collapse section "7.1. Using OpenShift Logging with OpenShift Serverless"
  1. 7.1.1. About deploying cluster logging
  2. 7.1.2. About deploying and configuring cluster logging
    
    Expand section "7.1.2. About deploying and configuring cluster logging" Collapse section "7.1.2. About deploying and configuring cluster logging"
    
    7.1.2.1. Configuring and Tuning Cluster Logging
    
    7.1.2.2. Sample modified ClusterLogging custom resource
  3. 7.1.3. Using cluster logging to find logs for Knative Serving components
  4. 7.1.4. Using cluster logging to find logs for services deployed with Knative Serving
2. 7.2. Serverless developer metrics
  Expand section "7.2. Serverless developer metrics" Collapse section "7.2. Serverless developer metrics"
  1. 7.2.1. Knative service metrics exposed by default
  2. 7.2.2. Knative service with custom application metrics
  3. 7.2.3. Configuration for scraping custom metrics
  4. 7.2.4. Examining metrics of a service
    
    Expand section "7.2.4. Examining metrics of a service" Collapse section "7.2.4. Examining metrics of a service"
    
    7.2.4.1. Queue proxy metrics
  5. 7.2.5. Examining metrics of a service in the dashboard
  6. 7.2.6. Additional resources
8. Tracing requests
Expand section "8. Tracing requests" Collapse section "8. Tracing requests"
9. OpenShift Serverless support
Expand section "9. OpenShift Serverless support" Collapse section "9. OpenShift Serverless support"
1. 9.1. Getting support
2. 9.2. Gathering diagnostic information for support
  Expand section "9.2. Gathering diagnostic information for support" Collapse section "9.2. Gathering diagnostic information for support"
  1. 9.2.1. About the must-gather tool
  2. 9.2.2. About collecting OpenShift Serverless data
10. Security
Expand section "10. Security" Collapse section "10. Security"
1. 10.1. Configuring JSON Web Token authentication for Knative services
  Expand section "10.1. Configuring JSON Web Token authentication for Knative services" Collapse section "10.1. Configuring JSON Web Token authentication for Knative services"
2. 10.2. Configuring a custom domain for a Knative service
  Expand section "10.2. Configuring a custom domain for a Knative service" Collapse section "10.2. Configuring a custom domain for a Knative service"
  1. 10.2.1. Creating a custom domain mapping
  2. 10.2.2. Creating a custom domain mapping by using the Knative CLI
3. 10.3. Using a custom TLS certificate for domain mapping
  Expand section "10.3. Using a custom TLS certificate for domain mapping" Collapse section "10.3. Using a custom TLS certificate for domain mapping"
  1. 10.3.1. Adding a custom TLS certificate to a DomainMapping CR
4. 10.4. Security configuration for Knative Kafka
  Expand section "10.4. Security configuration for Knative Kafka" Collapse section "10.4. Security configuration for Knative Kafka"
11. Functions
Expand section "11. Functions" Collapse section "11. Functions"
1. 11.1. Setting up OpenShift Serverless Functions
  Expand section "11.1. Setting up OpenShift Serverless Functions" Collapse section "11.1. Setting up OpenShift Serverless Functions"
2. 11.2. Getting started with functions
  Expand section "11.2. Getting started with functions" Collapse section "11.2. Getting started with functions"
3. 11.3. Developing Node.js functions
  Expand section "11.3. Developing Node.js functions" Collapse section "11.3. Developing Node.js functions"
  1. 11.3.1. Prerequisites
  2. 11.3.2. Node.js function template structure
  3. 11.3.3. About invoking Node.js functions
    
    Expand section "11.3.3. About invoking Node.js functions" Collapse section "11.3.3. About invoking Node.js functions"
    
    11.3.3.1. Node.js context objects
    
    Expand section "11.3.3.1. Node.js context objects" Collapse section "11.3.3.1. Node.js context objects"
    
    11.3.3.1.1. Context object methods
    
    11.3.3.1.2. CloudEvent data
  4. 11.3.4. Node.js function return values
    
    Expand section "11.3.4. Node.js function return values" Collapse section "11.3.4. Node.js function return values"
    
    11.3.4.1. Returning headers
    
    11.3.4.2. Returning status codes
  5. 11.3.5. Testing Node.js functions
  6. 11.3.6. Next steps
4. 11.4. Developing TypeScript functions
  Expand section "11.4. Developing TypeScript functions" Collapse section "11.4. Developing TypeScript functions"
  1. 11.4.1. Prerequisites
  2. 11.4.2. TypeScript function template structure
  3. 11.4.3. About invoking TypeScript functions
    
    Expand section "11.4.3. About invoking TypeScript functions" Collapse section "11.4.3. About invoking TypeScript functions"
    
    11.4.3.1. TypeScript context objects
    
    Expand section "11.4.3.1. TypeScript context objects" Collapse section "11.4.3.1. TypeScript context objects"
    
    11.4.3.1.1. Context object methods
    
    11.4.3.1.2. Context types
    
    11.4.3.1.3. CloudEvent data
  4. 11.4.4. TypeScript function return values
    
    Expand section "11.4.4. TypeScript function return values" Collapse section "11.4.4. TypeScript function return values"
    
    11.4.4.1. Returning headers
    
    11.4.4.2. Returning status codes
  5. 11.4.5. Testing TypeScript functions
  6. 11.4.6. Next steps
5. 11.5. Developing Golang functions
  Expand section "11.5. Developing Golang functions" Collapse section "11.5. Developing Golang functions"
  1. 11.5.1. Prerequisites
  2. 11.5.2. Golang function template structure
  3. 11.5.3. About invoking Golang functions
    
    Expand section "11.5.3. About invoking Golang functions" Collapse section "11.5.3. About invoking Golang functions"
    
    11.5.3.1. Functions triggered by an HTTP request
    
    11.5.3.2. Functions triggered by a cloud event
    
    Expand section "11.5.3.2. Functions triggered by a cloud event" Collapse section "11.5.3.2. Functions triggered by a cloud event"
    
    11.5.3.2.1. CloudEvent trigger example
  4. 11.5.4. Golang function return values
  5. 11.5.5. Testing Golang functions
  6. 11.5.6. Next steps
6. 11.6. Developing Python functions
  Expand section "11.6. Developing Python functions" Collapse section "11.6. Developing Python functions"
  1. 11.6.1. Prerequisites
  2. 11.6.2. Python function template structure
  3. 11.6.3. About invoking Python functions
  4. 11.6.4. Python function return values
    
    Expand section "11.6.4. Python function return values" Collapse section "11.6.4. Python function return values"
    
    11.6.4.1. Returning CloudEvents
  5. 11.6.5. Testing Python functions
  6. 11.6.6. Next steps
7. 11.7. Developing Quarkus functions
  Expand section "11.7. Developing Quarkus functions" Collapse section "11.7. Developing Quarkus functions"
  1. 11.7.1. Prerequisites
  2. 11.7.2. Quarkus function template structure
  3. 11.7.3. About invoking Quarkus functions
    
    Expand section "11.7.3. About invoking Quarkus functions" Collapse section "11.7.3. About invoking Quarkus functions"
    
    11.7.3.1. Invocation examples
  4. 11.7.4. CloudEvent attributes
  5. 11.7.5. Quarkus function return values
    
    Expand section "11.7.5. Quarkus function return values" Collapse section "11.7.5. Quarkus function return values"
    
    11.7.5.1. Permitted types
  6. 11.7.6. Testing Quarkus functions
  7. 11.7.7. Next steps
8. 11.8. Function project configuration in func.yaml
  Expand section "11.8. Function project configuration in func.yaml" Collapse section "11.8. Function project configuration in func.yaml"
  1. 11.8.1. Configurable fields in func.yaml
    
    Expand section "11.8.1. Configurable fields in func.yaml" Collapse section "11.8.1. Configurable fields in func.yaml"
    
    11.8.1.1. builder
    
    11.8.1.2. builders
    
    11.8.1.3. buildEnvs
    
    11.8.1.4. envs
    
    11.8.1.5. volumes
    
    11.8.1.6. options
    
    11.8.1.7. image
    
    11.8.1.8. imageDigest
    
    11.8.1.9. labels
    
    11.8.1.10. name
    
    11.8.1.11. namespace
    
    11.8.1.12. runtime
  2. 11.8.2. Referencing local environment variables from func.yaml fields
  3. 11.8.3. Additional resources
9. 11.9. Accessing secrets and config maps from functions
  Expand section "11.9. Accessing secrets and config maps from functions" Collapse section "11.9. Accessing secrets and config maps from functions"
  1. 11.9.1. Modifying function access to secrets and config maps interactively
  2. 11.9.2. Modifying function access to secrets and config maps interactively by using specialized commands
  3. 11.9.3. Adding function access to secrets and config maps manually
    
    Expand section "11.9.3. Adding function access to secrets and config maps manually" Collapse section "11.9.3. Adding function access to secrets and config maps manually"
    
    11.9.3.1. Mounting a secret as a volume
    
    11.9.3.2. Mounting a config map as a volume
    
    11.9.3.3. Setting environment variable from a key value defined in a secret
    
    11.9.3.4. Setting environment variable from a key value defined in a config map
    
    11.9.3.5. Setting environment variables from all values defined in a secret
    
    11.9.3.6. Setting environment variables from all values defined in a config map
10. 11.10. Adding annotations to functions
  Expand section "11.10. Adding annotations to functions" Collapse section "11.10. Adding annotations to functions"
  1. 11.10.1. Adding annotations to a function
11. 11.11. Functions development reference guide
  Expand section "11.11. Functions development reference guide" Collapse section "11.11. Functions development reference guide"
  1. 11.11.1. Node.js context object reference
    
    Expand section "11.11.1. Node.js context object reference" Collapse section "11.11.1. Node.js context object reference"
    
    11.11.1.1. log
    
    11.11.1.2. query
    
    11.11.1.3. body
    
    11.11.1.4. headers
    
    11.11.1.5. HTTP requests
  2. 11.11.2. TypeScript context object reference
    
    Expand section "11.11.2. TypeScript context object reference" Collapse section "11.11.2. TypeScript context object reference"
    
    11.11.2.1. log
    
    11.11.2.2. query
    
    11.11.2.3. body
    
    11.11.2.4. headers
    
    11.11.2.5. HTTP requests
12. Integrations
Expand section "12. Integrations" Collapse section "12. Integrations"
1. 12.1. Using NVIDIA GPU resources with serverless applications
  Expand section "12.1. Using NVIDIA GPU resources with serverless applications" Collapse section "12.1. Using NVIDIA GPU resources with serverless applications"
  1. 12.1.1. Specifying GPU requirements for a service
  2. 12.1.2. Additional resources
Legal Notice

Chapter 10. Security

10.1. Configuring JSON Web Token authentication for Knative services

After the Service Mesh integration with OpenShift Serverless and Kourier has been configured on your cluster, you can enable JSON Web Token (JWT) authentication for your Knative services.

10.1.1. Enabling sidecar injection for a Knative service

You can add the sidecar.istio.io/inject="true" annotation to a Knative service to enable sidecar injection for that service.

Important

Adding sidecar injection to pods in system namespaces, such as knative-serving and knative-serving-ingress, is not supported when Kourier is enabled.

If you require sidecar injection for pods in these namespaces, see the OpenShift Serverless documentation on Integrating Service Mesh with OpenShift Serverless natively.

Prerequisites

You have installed the OpenShift Serverless Operator and Knative Serving.
Install the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.

Procedure

Add the sidecar.istio.io/inject="true" annotation to your Service resource:
Example service
```
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: <service_name>
spec:
  template:
    metadata:
      annotations:
        sidecar.istio.io/inject: "true" 1
        sidecar.istio.io/rewriteAppHTTPProbers: "true" 2
...
```
1
Add the sidecar.istio.io/inject="true" annotation.
2
You must set the annotation sidecar.istio.io/rewriteAppHTTPProbers: "true" in your Knative service as OpenShift Serverless versions 1.14.0 and higher use an HTTP probe as the readiness probe for Knative services by default.
Apply your Service resource YAML file:
```
$ oc apply -f <filename>
```

10.1.2. Using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless

You can use the following procedure to enable using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless.

Prerequisites

You have installed the OpenShift Serverless Operator and Knative Serving.
Install the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.

Procedure

Create a RequestAuthentication resource in each serverless application namespace that is a member in the ServiceMeshMemberRoll object:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-example
  namespace: <namespace>
spec:
  jwtRules:
  - issuer: testing@secure.istio.io
    jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json

Apply the RequestAuthentication resource:
```
$ oc apply -f <filename>
```
Allow access to the RequestAuthenticaton resource from system pods for each serverless application namespace that is a member in the ServiceMeshMemberRoll object, by creating the following AuthorizationPolicy resource:
```
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allowlist-by-paths
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths:
        - /metrics 1
        - /healthz 2
```
1
The path on your application to collect metrics by system pod.
2
The path on your application to probe by system pod.
Apply the AuthorizationPolicy resource:
```
$ oc apply -f <filename>
```

For each serverless application namespace that is a member in the ServiceMeshMemberRoll object, create the following AuthorizationPolicy resource:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: <namespace>
spec:
  action: ALLOW
  rules:
  - from:
    - source:
       requestPrincipals: ["testing@secure.istio.io/testing@secure.istio.io"]

Apply the AuthorizationPolicy resource:
```
$ oc apply -f <filename>
```

Verification

If you try to use a curl request to get the Knative service URL, it is denied:
Example command
```
$ curl http://hello-example-1-default.apps.mycluster.example.com/
```
Example output
```
RBAC: access denied
```

Verify the request with a valid JWT.

Get the valid JWT token:

$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -

Access the service by using the valid token in the curl request header:
```
$ curl -H "Authorization: Bearer $TOKEN"  http://hello-example-1-default.apps.example.com
```
The request is now allowed:
Example output
```
Hello OpenShift!
```

10.1.3. Using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless

You can use the following procedure to enable using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless.

Prerequisites

You have installed the OpenShift Serverless Operator and Knative Serving.
Install the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.

Procedure

Create a policy in a serverless application namespace which is a member in the ServiceMeshMemberRoll object, that only allows requests with valid JSON Web Tokens (JWT):

Important

The paths /metrics and /healthz must be included in excludedPaths because they are accessed from system pods in the knative-serving namespace.

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: <namespace>
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/jwks.json"
      triggerRules:
      - excludedPaths:
        - prefix: /metrics 1
        - prefix: /healthz 2
  principalBinding: USE_ORIGIN

1: The path on your application to collect metrics by system pod.
2: The path on your application to probe by system pod.

Apply the Policy resource:
```
$ oc apply -f <filename>
```

Verification

If you try to use a curl request to get the Knative service URL, it is denied:

$ curl http://hello-example-default.apps.mycluster.example.com/

Example output

Origin authentication failed.

Verify the request with a valid JWT.

Get the valid JWT token:

$ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.6/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -

Access the service by using the valid token in the curl request header:

$ curl http://hello-example-default.apps.mycluster.example.com/ -H "Authorization: Bearer $TOKEN"

The request is now allowed:

Example output

Hello OpenShift!

10.2. Configuring a custom domain for a Knative service

Knative services are automatically assigned a default domain name based on your cluster configuration. For example, <service_name>.<namespace>.example.com.

You can customize the domain for your Knative service by mapping a custom domain name that you own to a Knative service, by creating a DomainMapping resource for the service. You can also create multiple DomainMapping resources to map multiple domains and subdomains to a single service.

10.2.1. Creating a custom domain mapping

To map a custom domain name to a custom resource (CR), you must create a DomainMapping CR that maps to an Addressable target CR, such as a Knative service or a Knative route.

Prerequisites

The OpenShift Serverless Operator and Knative Serving are installed on your cluster.
Install the OpenShift CLI (oc).
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.
You have created a Knative service and control a custom domain that you want to map to that service.
Note
Your custom domain must point to the IP address of the OpenShift Container Platform cluster.

Procedure

Create a YAML file containing the DomainMapping CR in the same namespace as the target CR you want to map to:

apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
 name: <domain_name> 1
 namespace: <namespace> 2
spec:
 ref:
   name: <target_name> 3
   kind: <target_type> 4
   apiVersion: serving.knative.dev/v1

1: The custom domain name that you want to map to the target CR.
2: The namespace of both the DomainMapping CR and the target CR.
3: The name of the target CR to map to the custom domain.
4: The type of CR being mapped to the custom domain.

Example service domain mapping

apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
 name: example.com
 namespace: default
spec:
 ref:
   name: example-service
   kind: Service
   apiVersion: serving.knative.dev/v1

Example route domain mapping

apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
 name: example.com
 namespace: default
spec:
 ref:
   name: example-route
   kind: Route
   apiVersion: serving.knative.dev/v1

Apply the DomainMapping CR as a YAML file:
```
$ oc apply -f <filename>
```

10.2.2. Creating a custom domain mapping by using the Knative CLI

You can use the kn CLI to create a DomainMapping custom resource (CR) that maps to an Addressable target CR, such as a Knative service or a Knative route.

The --ref flag specifies an Addressable target CR for domain mapping.

If a prefix is not provided when using the --ref flag, it is assumed that the target is a Knative service in the current namespace. The examples in the following procedure show the prefixes for mapping to a Knative service or a Knative route.

Prerequisites

The OpenShift Serverless Operator and Knative Serving are installed on your cluster.
You have created a Knative service or route, and control a custom domain that you want to map to that CR.
Note
Your custom domain must point to the DNS of the OpenShift Container Platform cluster.
You have installed the kn CLI tool.
You have created a project or have access to a project with the appropriate roles and permissions to create applications and other workloads in OpenShift Container Platform.

Procedure

Map a domain to a CR in the current namespace:

$ kn domain create <domain_mapping_name> --ref <target_name>

Example command

$ kn domain create example.com --ref example-service

Map a domain to a Knative service in a specified namespace:

$ kn domain create <domain_mapping_name> --ref <ksvc:service_name:service_namespace>

Example command

$ kn domain create example.com --ref ksvc:example-service:example-namespace

Map a domain to a Knative route:

$ kn domain create <domain_mapping_name> --ref <kroute:route_name>

Example command

$ kn domain create example.com --ref kroute:example-route

10.3. Using a custom TLS certificate for domain mapping

You can use an existing TLS certificate with a DomainMapping custom resource (CR) to secure the mapped service.

Prerequisites

You have completed the steps in Configuring a custom domain for a Knative service and have a working DomainMapping CR.

10.3.1. Adding a custom TLS certificate to a DomainMapping CR

You can add an existing TLS certificate with a DomainMapping custom resource (CR) to secure the mapped service.

Prerequisites

You configured a custom domain for a Knative service and have a working DomainMapping CR.
You have a TLS certificate from your Certificate Authority provider or a self-signed certificate.
You have obtained the cert and key files from your Certificate Authority provider, or a self-signed certificate.
Install the OpenShift CLI (oc).

Procedure

Create a Kubernetes TLS secret:

$ oc create secret tls <tls_secret_name> --cert=<path_to_certificate_file> --key=<path_to_key_file>

Update the DomainMapping CR to use the TLS secret you have created:

apiVersion: serving.knative.dev/v1alpha1
kind: DomainMapping
metadata:
  name: <domain_name>
  namespace: <namespace>
spec:
  ref:
    name: <service_name>
    kind: Service
    apiVersion: serving.knative.dev/v1
# TLS block specifies the secret to be used
  tls:
    secretName: <tls_secret_name>

Verification

Verify that the DomainMapping CR status is True, and that the URL column of the output shows the mapped domain with the scheme https:

$ oc get domainmapping <domain_name>

Example output

NAME                      URL                               READY   REASON
example.com               https://example.com               True

Optional: If the service is exposed publicly, verify that it is available by running the following command:
```
$ curl https://<domain_name>
```
If the certificate is self-signed, skip verification by adding the -k flag to the curl command.

10.4. Security configuration for Knative Kafka

In production, Kafka clusters are often secured using the TLS or SASL authentication methods. This section shows how to configure a Kafka channel to work against a protected Red Hat AMQ Streams cluster using TLS or SASL.

Note

If you choose to enable SASL, Red Hat recommends to also enable TLS.

10.4.1. Configuring TLS authentication

You can use the following procedure to configure TLS authentication for a Kafka channel.

Prerequisites

You have a Kafka cluster CA certificate stored as a .pem file.
You have a Kafka cluster client certificate and a key stored as .pem files.
Install the OpenShift CLI (oc).

Procedure

Create the certificate files as secrets in your chosen namespace:

$ oc create secret -n <namespace> generic <kafka_auth_secret> \
  --from-file=ca.crt=caroot.pem \
  --from-file=user.crt=certificate.pem \
  --from-file=user.key=key.pem

Important

Use the key names ca.crt, user.crt, and user.key. Do not change them.

Start editing the KnativeKafka custom resource:
```
$ oc edit knativekafka
```

Reference your secret and the namespace of the secret:

apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
  namespace: knative-eventing
  name: knative-kafka
spec:
  channel:
    authSecretName: <kafka_auth_secret>
    authSecretNamespace: <kafka_auth_secret_namespace>
    bootstrapServers: <bootstrap_servers>
    enabled: true
  source:
    enabled: true

Note

Make sure to specify the matching port in the bootstrap server.

For example:

apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
  namespace: knative-eventing
  name: knative-kafka
spec:
  channel:
    authSecretName: tls-user
    authSecretNamespace: kafka
    bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9094
    enabled: true
  source:
    enabled: true

10.4.2. Configuring SASL authentication

You can use the following procedure to configure SASL authentication for a Kafka channel.

Prerequisites

You have a username and password for the Kafka cluster.
You have chosen the SASL mechanism to use, for example PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
If TLS is enabled, you also need the ca.crt certificate file for the Kafka cluster.
Install the OpenShift CLI (oc).

Note

Red Hat recommends to enable TLS in addition to SASL.

Procedure

Create the certificate files as secrets in your chosen namespace:

$ oc create secret --namespace <namespace> generic <kafka_auth_secret> \
  --from-file=ca.crt=caroot.pem \
  --from-literal=password="SecretPassword" \
  --from-literal=saslType="SCRAM-SHA-512" \
  --from-literal=user="my-sasl-user"

Important

Use the key names ca.crt, password, and saslType. Do not change them.

Start editing the KnativeKafka custom resource:
```
$ oc edit knativekafka
```

Reference your secret and the namespace of the secret:

apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
  namespace: knative-eventing
  name: knative-kafka
spec:
  channel:
    authSecretName: <kafka_auth_secret>
    authSecretNamespace: <kafka_auth_secret_namespace>
    bootstrapServers: <bootstrap_servers>
    enabled: true
  source:
    enabled: true

Note

Make sure to specify the matching port in the bootstrap server.

For example:

apiVersion: operator.serverless.openshift.io/v1alpha1
kind: KnativeKafka
metadata:
  namespace: knative-eventing
  name: knative-kafka
spec:
  channel:
    authSecretName: scram-user
    authSecretNamespace: kafka
    bootstrapServers: eventing-kafka-bootstrap.kafka.svc:9093
    enabled: true
  source:
    enabled: true

10.4.3. Configuring SASL authentication using public CA certificates

If you want to use SASL with public CA certificates, you must use the tls.enabled=true flag, rather than the ca.crt argument, when creating the secret. For example:

$ oc create secret --namespace <namespace> generic <kafka_auth_secret> \
  --from-literal=tls.enabled=true \
  --from-literal=password="SecretPassword" \
  --from-literal=saslType="SCRAM-SHA-512" \
  --from-literal=user="my-sasl-user"

10.4.4. Additional resources

TLS and SASL on Kafka

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Chapter 10. Security

10.1. Configuring JSON Web Token authentication for Knative services

10.1.1. Enabling sidecar injection for a Knative service

10.1.2. Using JSON Web Token authentication with Service Mesh 2.x and OpenShift Serverless

10.1.3. Using JSON Web Token authentication with Service Mesh 1.x and OpenShift Serverless

10.2. Configuring a custom domain for a Knative service

10.2.1. Creating a custom domain mapping

10.2.2. Creating a custom domain mapping by using the Knative CLI

10.3. Using a custom TLS certificate for domain mapping

10.3.1. Adding a custom TLS certificate to a DomainMapping CR

10.4. Security configuration for Knative Kafka

10.4.1. Configuring TLS authentication

10.4.2. Configuring SASL authentication

10.4.3. Configuring SASL authentication using public CA certificates

10.4.4. Additional resources