Deploy on OpenShift

By default, OpenShift doesn't allow running containers with the root user, but it assigns a random UID from the allowed range automatically, which means that you can skip the steps described in the Running as non-root user section of this document and your vCluster should run as a non-root user by default.

OpenShift also imposes some restrictions that are not common to other Kubernetes distributions. When deploying vCluster to OpenShift you will need to follow these additional steps:

vcluster

Create a vcluster.yaml file with the following lines:

controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true

rbac:
  role:
    extraRules:
    - apiGroups: [""]
      resources: ["endpoints/restricted"]
      verbs: ["create"]

Then create the vCluster with the following command:

vcluster create my-vcluster -f values.yaml

helm

Update the vcluster.yaml file.

You will need to add the openshift block as shown below:

controlPlane:
  statefulSet:
    security:
      podSecurityContext:
        fsGroup: 12345
      containerSecurityContext:
        runAsUser: 12345
        runAsNonRoot: true

rbac:
  role:
    extraRules:
    - apiGroups: [""]
      resources: ["endpoints/restricted"]
      verbs: ["create"]

Then, install Helm chart using vcluster.yaml for chart values.

Additional permission when running on OpenShift

vCluster requires create permission for the endpoints/restricted resource in the default group when running on OpenShift. This permission is required because OpenShift has an additional built-in admission controller for the Endpoint resources, which denies the creation of the endpoints pointing into the cluster network or service network CIDR ranges unless this additional permission is given. Following the steps outlined above ensures that the vCluster Role includes this permission, as it is necessary for certain networking features.