Guidance when installing on OpenShift?

Hello!

We are going to do an installation in an OpenShift environment. We usually just go with embedded installations so we don’t know much about this. Are there any guidance you can share when doing such a type of installation? Any general questions it would be helpful to ask the customer before so that we are better prepared? Any specific things we can do or need to pay attention to? Any help would be appreciated.

Thanks!

I can say that a lot of problems that may seem “unique to OpenShift” often are less “OpenShift-specific” problems, and more like “locked-down security postures that could happen in any cluster, but are much more likely to show up in OpenShift clusters”. These include:

  • Requiring use of an existing service account instead of one created by the KOTS CLI
  • Requiring airgap
  • Requiring a specific namespace, and that all workloads and service accounts be scoped to that one single namespace

There are, of course, some OpenShift-specific things that are almost certain to come up:

  • Requiring containers to run as non-root
  • Blocking privileged and other flags that open the door to container privilege escalation

In all cases, please ensure you provision and test in an OpenShift cluster internally, or you’re certainly in for some surprises on launch day. Start drafting your documentation before you go to install with the customer. Have someone on your team playtest the documentation to make sure they can follow and succeed with it.

As for resources, this won’t be comprehensive, but I’d check out

There are many vendor documentation examples in Help creating Replicated Documentation For end user Kubernetes installs?, and a few OpenShift-specific deep-links provided below from industry leaders:

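An added example to go with the “run as non-root / block privileged” bullets in the reply above (it is not code from the thread, from Replicated, or from Red Hat): a small POSIX shell lint you can run in CI over your manifests before the customer install. It greps for the settings OpenShift’s restricted SCC and similar admission policies reject, and for the hardening fields a restricted-compatible pod should state explicitly. The two sample pod manifests, the registry name, the service account name and the mount paths are all constructed for this example.

```shell
#!/bin/sh
# Added example: pre-install lint for the OpenShift restricted posture.
# Not a YAML parser; it flags lines by pattern. The authoritative check is
# `oc apply --dry-run=server -f <manifest>` against your internal OpenShift cluster.

# Constructed sample: what an "embedded install" manifest often looks like.
WEAK_POD='apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      privileged: true
      runAsUser: 0
    volumeMounts:
    - name: host
      mountPath: /host
  volumes:
  - name: host
    hostPath:
      path: /'

# Constructed sample: the same pod written for the restricted SCC. Note that it
# does NOT set runAsUser; OpenShift assigns a UID from the namespace range.
HARDENED_POD='apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  serviceAccountName: app-sa
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: registry.example.com/app:1.0
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
    volumeMounts:
    - name: data
      mountPath: /app/data
  volumes:
  - name: data
    emptyDir: {}'

# Prints one line per finding and a final "<n> problem(s)"; exit status 0 only
# when nothing was flagged.
check_restricted_posture() {
  manifest="$1"
  problems=0
  # Settings the restricted SCC (and comparable admission policies) reject outright.
  for pat in 'privileged: *true' 'allowPrivilegeEscalation: *true' \
             'hostNetwork: *true' 'hostPID: *true' 'hostIPC: *true' 'hostPath:' \
             'runAsUser: *0$'; do
    if printf '%s\n' "$manifest" | grep -Eq "$pat"; then
      echo "REJECT  $pat"
      problems=$((problems + 1))
    fi
  done
  # A fixed non-zero UID is also a problem: the restricted SCC assigns a UID from
  # the namespace's range, so a hard-coded value outside that range fails admission.
  if printf '%s\n' "$manifest" | grep -Eq 'runAsUser: *[1-9]'; then
    echo "REVIEW  runAsUser is fixed; let OpenShift assign it"
    problems=$((problems + 1))
  fi
  # Settings a hardened manifest should state explicitly.
  for pat in 'runAsNonRoot: *true' 'allowPrivilegeEscalation: *false' \
             'drop: *\[ *"?ALL"? *\]' 'type: *RuntimeDefault'; do
    if ! printf '%s\n' "$manifest" | grep -Eq "$pat"; then
      echo "MISSING $pat"
      problems=$((problems + 1))
    fi
  done
  echo "$problems problem(s)"
  [ "$problems" -eq 0 ]
}

# Usage: run it over both samples.
for name in WEAK_POD HARDENED_POD; do
  echo "== $name =="
  eval "m=\$$name"
  if check_restricted_posture "$m"; then echo "$name: ok"; else echo "$name: would be rejected"; fi
done
```

The weak sample trips seven findings (privileged, hostPath, root UID, and the four missing hardening fields); the hardened one trips none. Run the same lint over the manifests KOTS renders for you, then confirm on a real OpenShift cluster, because the grep cannot see the SCC actually bound to the customer’s service account.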

One major gotcha with OpenShift is that containers run as an arbitrary uid. The uid is injected into /etc/passwd at container startup and the user is a member of the root group. The behavior can be disabled but our customers generally have policies preventing this.

The effect of this is that any files or folders that need to be writable within the container must be writable by the root group. See “Support Arbitrary User IDs” in the OpenShift docs: Guidelines | Creating Images | OpenShift Container Platform 3.11

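An added example for the arbitrary-UID gotcha described in the post above (not code from the thread or from the OpenShift documentation): shell functions for the two halves of the problem, the build-time step that makes writable paths owned by the root group with group permissions mirroring the owner’s, and the start-up step that appends a passwd entry for whatever UID the container ends up with. The path /app/data, the user name “default” and the ENTRYPOINT_DEMO guard are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build-time and start-up handling for OpenShift's arbitrary UID.
# Assumed paths/names: /app/data, user "default", ENTRYPOINT_DEMO guard.

# Build time (Dockerfile, runs as root): every path the app must write gets the
# root group (GID 0) and group permissions equal to the owner's, so whatever UID
# OpenShift picks can write there because that UID is a member of group 0.
# Equivalent Dockerfile line (assumed):  RUN chgrp -R 0 /app/data && chmod -R g=u /app/data
# The group is a parameter here only so the function can be exercised by a
# non-root user against a scratch directory.
prepare_group_writable() {
  dir="$1"
  grp="${2:-0}"
  chgrp -R "$grp" "$dir" && chmod -R g=u "$dir"
}

# Audit helper: fails if any path under $1 is owner-writable but not
# group-writable, i.e. something the build step missed and the arbitrary UID
# would be unable to write at runtime.
check_group_mirrors_owner() {
  if find "$1" -perm -200 ! -perm -020 | grep -q .; then
    return 1
  fi
  return 0
}

# Start time (entrypoint): the arbitrary UID normally has no /etc/passwd entry,
# so anything that looks up the current user by UID fails. Append one if it is
# missing. This only works at runtime if the image made /etc/passwd writable by
# the root group at build time (assumed Dockerfile line: RUN chmod g=u /etc/passwd).
ensure_passwd_entry() {
  passwd_file="$1"; uid="$2"; gid="${3:-0}"; home="${4:-/}"
  if cut -d: -f3 "$passwd_file" | grep -qxF "$uid"; then
    return 0                      # already known, nothing to do
  fi
  if [ ! -w "$passwd_file" ]; then
    echo "$passwd_file is not writable; add 'chmod g=u /etc/passwd' to the image build" >&2
    return 1
  fi
  echo "default:x:$uid:$gid:arbitrary uid:$home:/sbin/nologin" >> "$passwd_file"
}

# Lookup helper: prints the user name for a UID from a passwd file (empty if none).
passwd_name_for_uid() {
  awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Typical entrypoint usage against the real files. Guarded by an environment
# variable so the functions can be sourced and tested without touching /etc/passwd.
if [ "${ENTRYPOINT_DEMO:-0}" = 1 ]; then
  ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)" "${HOME:-/}"
  exec "$@"
fi
```

In the Dockerfile the build-time half runs once as root; the start-up half runs on every container start, so it must stay idempotent (the existing-entry check above) and must not assume it can write anything outside the paths the build step prepared.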