Deploy on OpenShift
By default, OpenShift does not allow containers to run as the root user; instead it automatically assigns a random UID from the namespace's allowed range. This means you can skip the steps described in the Running as non-root user section of this document, and your vCluster should run as a non-root user by default.
OpenShift also imposes some restrictions that are not common to other Kubernetes distributions. When deploying vCluster to OpenShift you will need to follow these additional steps:
Using the vcluster CLI:

Create a vcluster.yaml file with the following lines:

```yaml
controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true
rbac:
  role:
    extraRules:
      - apiGroups: [""]
        resources: ["endpoints/restricted"]
        verbs: ["create"]
```

Then create the vCluster with the following command:

```shell
vcluster create my-vcluster -f values.yaml
```
Using Helm:

Update the vcluster.yaml file. You will need to add the OpenShift-specific block shown below:

```yaml
controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true
rbac:
  role:
    extraRules:
      - apiGroups: [""]
        resources: ["endpoints/restricted"]
        verbs: ["create"]
```

Then install the Helm chart using vcluster.yaml for the chart values.
vCluster requires the create permission on the endpoints/restricted resource in the core (default) API group when running on OpenShift.
This permission is required because OpenShift ships an additional built-in admission controller for Endpoints resources, which denies the creation of endpoints that point into the cluster network or service network CIDR ranges unless the creating identity holds this extra permission.
Following the steps outlined above ensures that the vCluster Role includes this permission, which certain networking features depend on.
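To confirm that a deployed vCluster actually satisfies both OpenShift requirements from this page, here is an added Python check (not part of the vCluster project) that runs over the JSON returned by `kubectl get role <name> -o json` and `kubectl get pod <name> -o json`; the two samples below are constructed, and the role name `vc-my-vcluster` and container name `syncer` are assumptions.

```python
# Constructed sample of `kubectl get role vc-my-vcluster -o json` output for a
# vCluster deployed with the OpenShift values above (not captured from a real cluster).
SAMPLE_ROLE = {"kind": "Role", "metadata": {"name": "vc-my-vcluster"}, "rules": [
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "services", "pods"],
     "verbs": ["create", "delete", "patch", "update", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["endpoints/restricted"], "verbs": ["create"]},
]}

# Constructed sample of the control-plane pod (only the fields the check reads).
SAMPLE_POD = {"spec": {
    "securityContext": {"fsGroup": 12345},
    "containers": [{"name": "syncer",
                    "securityContext": {"runAsUser": 12345, "runAsNonRoot": True}}]}}


def _matches(granted, wanted):
    """RBAC list match: an exact entry or the '*' wildcard."""
    return "*" in granted or wanted in granted


def rule_allows(rule, group, resource, verb):
    """True if a single RBAC rule grants `verb` on `resource` in `group`.
    `resource` may be `name/subresource`; a `name/*` entry in the rule covers it too."""
    resources = rule.get("resources", [])
    sub_ok = "/" in resource and resource.split("/", 1)[0] + "/*" in resources
    return (_matches(rule.get("apiGroups", []), group)
            and (_matches(resources, resource) or sub_ok)
            and _matches(rule.get("verbs", []), verb))


def role_allows(role, group, resource, verb):
    """True if any rule of the Role grants the requested access."""
    return any(rule_allows(r, group, resource, verb) for r in role.get("rules", []))


def pod_runs_non_root(pod):
    """True only when every container's effective UID is non-zero.
    A container-level securityContext overrides the pod-level one."""
    spec = pod["spec"]
    for c in spec["containers"]:
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if sc.get("runAsUser") == 0:
            return False
        if "runAsUser" not in sc and not sc.get("runAsNonRoot"):
            return False  # UID unknown and the kubelet will not enforce non-root either
    return True


def openshift_ready(role, pod):
    """Both conditions this page requires: the RBAC rule and a non-root control plane."""
    return role_allows(role, "", "endpoints/restricted", "create") and pod_runs_non_root(pod)
```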