OpenShift
By default, OpenShift does not allow containers to run as root; instead it assigns each pod a random UID from the range allowed for its namespace. This means you can skip the steps in the Running as non-root user section of this document: on OpenShift your vCluster runs as a non-root user by default.
OpenShift also imposes some restrictions that other Kubernetes distributions do not. When deploying vCluster to OpenShift, follow these additional steps for the tool you use:
Using the vcluster CLI:
Create a values.yaml file with the following lines:
openshift:
  enable: true
Then create the vCluster with the following command:
vcluster create my-vcluster -f values.yaml

Using helm:
Update the vcluster.yaml file described in the deployment guide. You will need to add the openshift block as shown below:
openshift:
  enable: true
Then install the helm chart using vcluster.yaml for the chart values, as described in the deployment guide.

Using kubectl:
Render the manifests from the previous steps (the vcluster-1.yaml file) again with openshift.enable=true set, so that the generated Role includes the additional rule vCluster needs on OpenShift, and apply them:
kubectl create namespace host-namespace-1
helm template my-vcluster vcluster --repo https://charts.loft.sh --set serviceCIDR=10.96.0.0/12 --set openshift.enable=true -n host-namespace-1 | kubectl apply -f -
vCluster requires the create permission on the endpoints/restricted resource in the core API group (apiGroups: [""]) when running on OpenShift.
This permission is required because OpenShift ships an additional built-in admission controller for Endpoints resources. It denies the creation of Endpoints whose addresses point into the cluster network or service network CIDR ranges unless the creating identity has been granted this extra permission. Note that a rule granting create on endpoints alone does not cover the endpoints/restricted subresource; the subresource must be listed explicitly.
Following the steps outlined above ensures that the vCluster Role includes this rule, which certain networking features depend on.
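A practical check after deployment is to confirm that the Role the chart rendered actually carries the endpoints/restricted rule, rather than only a broader endpoints rule that the admission controller would not accept. The script below is an added example and is not part of the vCluster project; it implements Kubernetes RBAC rule matching (wildcard groups, verbs and resources, plus the */subresource form) and applies it to the JSON that kubectl get role ... -o json returns. The embedded Role documents are constructed samples, trimmed to the rules relevant here; the Role name my-vcluster and namespace host-namespace-1 are taken from the kubectl steps above.

```python
"""Verify that a vCluster Role grants create on endpoints/restricted (OpenShift).

Usage against a live cluster (assumes the Role keeps the chart's release name):
    kubectl get role my-vcluster -n host-namespace-1 -o json | python check_role.py
"""
import json
import sys

# Constructed sample: a Role rendered with openshift.enable=true (trimmed).
SAMPLE_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-vcluster", "namespace": "host-namespace-1"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["configmaps", "secrets", "services", "pods", "endpoints"],
         "verbs": ["create", "delete", "patch", "update", "get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["endpoints/restricted"], "verbs": ["create"]},
    ],
})

# Constructed sample: the same Role without the OpenShift-specific rule. Its
# "endpoints" entry looks sufficient but does not cover the subresource.
MISSING_RULE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-vcluster", "namespace": "host-namespace-1"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["configmaps", "secrets", "services", "pods", "endpoints"],
         "verbs": ["create", "delete", "patch", "update", "get", "list", "watch"]},
    ],
})


def _name_matches(allowed, wanted):
    """apiGroups and verbs: exact match, or '*' which matches everything."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed_resources, wanted):
    """RBAC resource matching. 'endpoints' does NOT match 'endpoints/restricted';
    only the exact 'endpoints/restricted', '*/restricted' or '*' do."""
    _, _, subresource = wanted.partition("/")
    for r in allowed_resources:
        if r == "*" or r == wanted:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def role_allows(role, api_group, resource, verb):
    """True if any rule of the Role grants <verb> on <resource> in <api_group>."""
    for rule in role.get("rules", []):
        if (_name_matches(rule.get("apiGroups", []), api_group)
                and _resource_matches(rule.get("resources", []), resource)
                and _name_matches(rule.get("verbs", []), verb)):
            return True
    return False


def check_openshift_rule(role_json):
    """Parse a Role (JSON from kubectl) and check the OpenShift requirement."""
    role = json.loads(role_json)
    return role_allows(role, "", "endpoints/restricted", "create")


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROLE_JSON
    ok = check_openshift_rule(data)
    print("endpoints/restricted create:", "granted" if ok else "MISSING")
    sys.exit(0 if ok else 1)
```

The same question can be asked of the API server directly with kubectl auth can-i create endpoints --subresource=restricted --as=system:serviceaccount:host-namespace-1:NAME, substituting the service account the vCluster pod runs as; the script is useful when you want to inspect rendered manifests from helm template before anything is applied.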