By default, OpenShift doesn't allow running containers as the root user; instead it automatically assigns a random UID from the allowed range. This means you can skip the steps described in the Running as non-root user section of this document, and your vCluster should run as a non-root user by default.
OpenShift also imposes some restrictions that are not common to other Kubernetes distributions.
When deploying vCluster to OpenShift you will need to follow these additional steps:
Using the vcluster CLI: create a values.yaml file with the following lines (the openshift block that enables OpenShift support):

Then create the vCluster with the following command:

vcluster create my-vcluster -f values.yaml
Using Helm: add the openshift block to the vcluster.yaml file described in the deployment guide, as shown below:

Then install the Helm chart using vcluster.yaml for the chart values, as described in the deployment guide.
Using kubectl: add a new rule to the vcluster-1.yaml file from the previous steps, as shown below, then create the host namespace and apply the rendered chart:

kubectl create namespace host-namespace-1
helm template my-vcluster vcluster --repo https://charts.loft.sh --set serviceCIDR=10.96.0.0/12 --set openshift.enable=true -n host-namespace-1 | kubectl apply -f -
vCluster requires the create permission for the endpoints/restricted resource in the default (core) API group when running on OpenShift.
This permission is required because OpenShift ships an additional built-in admission controller for Endpoints resources, which denies creating endpoints that point into the cluster network or service network CIDR ranges unless the creating subject holds this extra permission. Following the steps outlined above ensures that the vCluster Role includes this permission, which certain networking features depend on.
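To confirm that a rendered Role actually carries this permission before you apply it, here is an added example check (not part of the vCluster project or its documentation): it loads a Role manifest as JSON, as kubectl get role -o json would emit it, and reports whether any rule grants create on endpoints/restricted in the core API group, honoring RBAC's '*' wildcard. The Role embedded below is a constructed stand-in for the one found in vcluster-1.yaml.

```python
"""Check a Role manifest for the permission OpenShift requires:
create on endpoints/restricted in the core ("") API group."""
import json

# Constructed sample Role, standing in for the vCluster Role rendered
# into vcluster-1.yaml (serialized as JSON so no YAML library is needed).
SAMPLE_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "my-vcluster", "namespace": "host-namespace-1"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
         "verbs": ["create", "get", "list", "watch", "update", "delete"]},
        # The OpenShift-specific rule: the subresource must be named explicitly.
        {"apiGroups": [""], "resources": ["endpoints/restricted"],
         "verbs": ["create"]},
    ],
})


def _matches(allowed, wanted):
    """RBAC list semantics: an exact entry or the '*' wildcard matches."""
    return "*" in allowed or wanted in allowed


def role_grants(role, api_group, resource, verb):
    """Return True if any rule in the Role grants verb on api_group/resource."""
    for rule in role.get("rules", []):
        if (_matches(rule.get("apiGroups", []), api_group)
                and _matches(rule.get("resources", []), resource)
                and _matches(rule.get("verbs", []), verb)):
            return True
    return False


def check_openshift_endpoints_rule(role_json):
    """True if the Role can create endpoints/restricted in the core group.

    A plain 'endpoints' entry does not cover the 'endpoints/restricted'
    subresource; it must be listed explicitly (or granted via '*')."""
    role = json.loads(role_json)
    return role_grants(role, "", "endpoints/restricted", "create")


if __name__ == "__main__":
    ok = check_openshift_endpoints_rule(SAMPLE_ROLE_JSON)
    print("endpoints/restricted create:", "granted" if ok else "MISSING")
```

Run it against the Role extracted from your own vcluster-1.yaml (or kubectl get role my-vcluster -n host-namespace-1 -o json) to catch a missing rule before the admission controller does.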