We are going to do an installation in an OpenShift environment. We usually just go with embedded installations, so we don’t know much about this. Is there any guidance you can share when doing this type of installation? Any general questions it would be helpful to ask the customer beforehand so that we are better prepared? Any specific things we can do or need to pay attention to? Any help would be appreciated.
I can say that a lot of problems that may seem “unique to OpenShift” are often less “OpenShift-specific” problems and more “locked-down security postures that could happen in any cluster, but are much more likely to show up in OpenShift clusters”. These include:
Requiring use of an existing service account instead of one created by the KOTS CLI
Requiring airgap
Requiring a specific namespace, and that all workloads and service accounts be scoped to that one single namespace
There are, of course, some OpenShift-specific things that are almost certain to come up:
Requiring containers to run as non-root
Blocking privileged and other flags that open the door to container privilege escalation
In all cases, please ensure you provision and test in an OpenShift cluster internally, or you’re certainly in for some surprises on launch day. Start drafting your documentation before you go to install with the customer. Have someone on your team playtest the documentation to make sure they can follow it and succeed with it.
As for resources, this won’t be comprehensive, but I’d check out
One major gotcha with OpenShift is that containers run as an arbitrary uid. The uid is injected into /etc/passwd at container startup and the user is a member of the root group. The behavior can be disabled but our customers generally have policies preventing this.
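To make the points in the two replies above concrete, here is an added pre-flight checker (not code from the thread, from KOTS, or from OpenShift) that walks a pod spec and reports the things a locked-down cluster is likely to reject: a pinned or root uid, privileged containers, added capabilities, host namespaces, hostPath volumes, a missing pre-existing service account, and the wrong namespace. The rule set is an assumption modelled on the behaviour described above and on OpenShift's default restricted policy, not an official encoding of any SCC. The sample pod spec is constructed for the example; the namespace and service account names are placeholders.

```python
"""Pre-flight check of a Kubernetes pod spec against the restrictions a
locked-down OpenShift cluster typically enforces (arbitrary non-root uid,
no privileged containers, one fixed namespace, pre-existing service account).

Added example for this thread; not part of KOTS or OpenShift. The rules are
an assumption modelled on OpenShift's default restricted policy.
"""
import copy


def _containers(pod):
    """All init and regular containers of a pod spec (missing keys tolerated)."""
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def check_pod_spec(pod, required_namespace=None):
    """Return a list of human-readable findings; an empty list means the spec
    passes every check in this (assumed) rule set."""
    findings = []
    meta = pod.get("metadata", {})
    spec = pod.get("spec", {})
    name = meta.get("name", "<unnamed>")

    if required_namespace and meta.get("namespace") != required_namespace:
        findings.append(f"{name}: namespace {meta.get('namespace')!r} is not "
                        f"the required {required_namespace!r}")

    # Clusters that forbid creating service accounts expect an explicit,
    # pre-existing one rather than the implicit 'default'.
    if spec.get("serviceAccountName") in (None, "", "default"):
        findings.append(f"{name}: no explicit serviceAccountName (falls back to 'default')")

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')!r} uses hostPath")

    pod_sc = spec.get("securityContext", {})
    for c in _containers(pod):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))

        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        if run_as_user == 0:
            findings.append(f"{name}/{cname}: runAsUser 0 (root)")
        elif run_as_user is not None:
            # Pinning any uid conflicts with OpenShift assigning an arbitrary one.
            findings.append(f"{name}/{cname}: runAsUser pinned to {run_as_user}; "
                            "OpenShift assigns an arbitrary uid")
        if run_as_non_root is not True:
            findings.append(f"{name}/{cname}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if sc.get("capabilities", {}).get("add"):
            findings.append(f"{name}/{cname}: adds capabilities {sc['capabilities']['add']}")
    return findings


def harden_pod_spec(pod, namespace, service_account):
    """Return a copy with the namespace, service account and per-container
    security context this checker expects. hostPath volumes are only reported
    by check_pod_spec, never removed, because mounts may depend on them."""
    hardened = copy.deepcopy(pod)
    hardened.setdefault("metadata", {})["namespace"] = namespace
    spec = hardened.setdefault("spec", {})
    spec["serviceAccountName"] = service_account
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        spec.pop(key, None)
    for c in _containers(hardened):
        sc = c.setdefault("securityContext", {})
        sc.pop("runAsUser", None)  # let the cluster assign the uid
        sc.update({"privileged": False, "runAsNonRoot": True,
                   "allowPrivilegeEscalation": False,
                   "capabilities": {"drop": ["ALL"]}})
    return hardened


# Constructed sample: the kind of spec that works in an embedded install but
# is rejected by a restricted OpenShift cluster.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "app", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web", "image": "example.invalid/app:1.0",
            "securityContext": {"runAsUser": 0, "privileged": True,
                                "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    },
}

if __name__ == "__main__":
    for line in check_pod_spec(WEAK_POD, "app-ns"):      # placeholder namespace
        print("FINDING:", line)
    fixed = harden_pod_spec(WEAK_POD, "app-ns", "app-sa")  # placeholder names
    print("after hardening:", check_pod_spec(fixed, "app-ns"))
```

Running the checker over the application's rendered manifests in CI is a cheap way to catch the "works embedded, fails on OpenShift" class of surprises before launch day; anything it flags still needs a matching change in the image itself (group-writable paths, no assumptions about the uid having a passwd entry), which a manifest check cannot verify.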