
Deploy on OpenShift

By default, OpenShift does not allow containers to run as root. Its restricted security context constraint (SCC) instead assigns each pod a UID from the range allowed for the project, so you can skip the steps described in the Running as non-root user section of this document: on OpenShift your vCluster runs as a non-root user by default.

OpenShift also imposes some restrictions that are not common to other Kubernetes distributions. When deploying vCluster to OpenShift, follow these additional steps:

Create a vcluster.yaml file with the following lines. Pick a runAsUser and fsGroup that fall inside the ranges annotated on your project (openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups); the value 12345 below is only a placeholder, and a fixed UID or group outside those ranges is rejected by the restricted SCC:

controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true

rbac:
  role:
    extraRules:
      - apiGroups: [""]
        resources: ["endpoints/restricted"]
        verbs: ["create"]

Then create the vCluster, passing that file with the following command:

vcluster create my-vcluster -f vcluster.yaml

Additional permission when running on OpenShift

vCluster requires create permission on the endpoints/restricted subresource in the core ("") API group when running on OpenShift. OpenShift runs an additional built-in admission plugin for Endpoints objects that denies creating Endpoints whose addresses fall inside the cluster network or service network CIDR ranges unless the requester holds this permission. The extraRules entry above adds it to the vCluster Role, and several of vCluster's networking features need it. Note that a rule granting verbs on endpoints does not cover the endpoints/restricted subresource; RBAC only matches a subresource when it is named explicitly (or through a wildcard such as "*" or "*/restricted").
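The following script is an added example, not part of the vCluster docs or code base. It checks, after deployment, both points made above: that the Role actually grants create on endpoints/restricted in the core group (and whether it does so only through a wildcard rule, which is broader than the single-verb rule in vcluster.yaml), and that the control-plane pod carries the fsGroup, runAsUser and runAsNonRoot settings. It reads the JSON printed by `oc get role <name> -o json` and `oc get pod <name> -o json`; the Role and Pod names in the built-in samples are assumptions, and the samples are constructed for the example.

```python
"""Post-deployment checks for a vCluster on OpenShift (added example, not
vCluster's own code). Verifies the endpoints/restricted RBAC grant and the
non-root pod settings from vcluster.yaml."""
import json
import sys

# Constructed sample objects, trimmed to the fields the checks read. The
# Role/Pod names are assumptions made for this example.
SAMPLE_ROLE_JSON = """
{"kind": "Role",
 "metadata": {"name": "vc-my-vcluster", "namespace": "vcluster-my-vcluster"},
 "rules": [
   {"apiGroups": [""], "resources": ["configmaps", "secrets", "services", "endpoints"],
    "verbs": ["create", "delete", "patch", "update", "get", "list", "watch"]},
   {"apiGroups": [""], "resources": ["endpoints/restricted"], "verbs": ["create"]}
 ]}
"""

SAMPLE_POD_JSON = """
{"kind": "Pod",
 "metadata": {"name": "my-vcluster-0", "namespace": "vcluster-my-vcluster"},
 "spec": {
   "securityContext": {"fsGroup": 12345},
   "containers": [
     {"name": "syncer", "securityContext": {"runAsUser": 12345, "runAsNonRoot": true}}
   ]}}
"""


def rule_grants(rule, api_group, resource, verb):
    """True if one RBAC PolicyRule grants `verb` on `resource` in `api_group`.

    Mirrors Kubernetes RBAC matching: "*" matches anything in each list, a
    subresource such as "endpoints/restricted" is NOT covered by "endpoints",
    and the "*/restricted" form matches that subresource on any resource.
    """
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    resources = rule.get("resources", [])
    if "*" not in groups and api_group not in groups:
        return False
    if "*" not in verbs and verb not in verbs:
        return False
    if "*" in resources or resource in resources:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in resources
    return False


def check_restricted_endpoints(role):
    """Report whether the Role grants create on endpoints/restricted and
    whether it does so only via wildcard rules (broader than needed)."""
    explicit = wildcard = False
    for rule in role.get("rules", []):
        if not rule_grants(rule, "", "endpoints/restricted", "create"):
            continue
        if "endpoints/restricted" in rule.get("resources", []) and "create" in rule.get("verbs", []):
            explicit = True
        else:
            wildcard = True
    return {"granted": explicit or wildcard,
            "explicit": explicit,
            "wildcard_only": wildcard and not explicit}


def check_nonroot(pod, uid, fsgroup):
    """Return a list of findings; empty means the pod matches the expected
    podSecurityContext.fsGroup and per-container runAsUser/runAsNonRoot."""
    findings = []
    spec = pod.get("spec", {})
    got_fsgroup = spec.get("securityContext", {}).get("fsGroup")
    if got_fsgroup != fsgroup:
        findings.append(f"pod fsGroup is {got_fsgroup}, expected {fsgroup}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"container {c['name']}: runAsNonRoot is not true")
        if sc.get("runAsUser") != uid:
            findings.append(f"container {c['name']}: runAsUser is {sc.get('runAsUser')}, expected {uid}")
    return findings


def audit(role_json, pod_json, uid=12345, fsgroup=12345):
    """Run both checks on raw `oc get ... -o json` text and return a report."""
    return {"endpoints_restricted": check_restricted_endpoints(json.loads(role_json)),
            "nonroot_findings": check_nonroot(json.loads(pod_json), uid, fsgroup)}


if __name__ == "__main__":
    # Usage: python audit.py role.json pod.json   (no args: run the built-in samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as r, open(sys.argv[2]) as p:
            report = audit(r.read(), p.read())
    else:
        report = audit(SAMPLE_ROLE_JSON, SAMPLE_POD_JSON)
    print(json.dumps(report, indent=2))
    ok = report["endpoints_restricted"]["explicit"] and not report["nonroot_findings"]
    sys.exit(0 if ok else 1)
```

Run it against the live objects with `oc get role <role-name> -n <vcluster-namespace> -o json > role.json` and `oc get pod <vcluster-name>-0 -n <vcluster-namespace> -o json > pod.json`, then `python audit.py role.json pod.json`. A non-zero exit means either the grant is missing or wildcard-only, or a container in the pod does not carry the expected non-root settings; the report lists which. The subresource rule in `rule_grants` is the part that catches the common mistake of granting verbs on plain `endpoints` and expecting that to satisfy the OpenShift admission check.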