OpenShift | NVIDIA OpenShell

The OpenShift install path is experimental. It currently requires running sandbox pods under the privileged SCC and installing the gateway with TLS and the PKI init job disabled. Use only for evaluation on a private network.

OpenShift’s Security Context Constraints reject the chart’s default pod security settings. Installing on OpenShift requires precreating the namespace, granting the privileged SCC to the default service account, and overriding a few chart values so the cluster admission controller can assign UIDs and FS groups itself.

Prerequisites

OpenShift 4.x cluster with oc configured
Helm 3.x
Agent Sandbox controller and CRDs installed

Install

Create the namespace

Pre-create the namespace so the SCC binding can be applied before the chart installs:

$ oc create ns openshell

Grant the privileged SCC to sandbox pods

Sandbox pods run under the default service account in the openshell namespace and require the privileged SCC:

$ oc adm policy add-scc-to-user privileged -z default -n openshell

Install the chart with OpenShift overrides

$ helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \
>   --version <version> \
>   --namespace openshell \
>   --set pkiInitJob.enabled=false \
>   --set server.disableTls=true \
>   --set podSecurityContext.fsGroup=null \
>   --set securityContext.runAsUser=null

Override	Reason
`pkiInitJob.enabled=false`	The PKI init Job runs as a non-root user with a fixed UID, which the SCC admission rewrites or rejects. Disabling it skips the Job; TLS must also be disabled.
`server.disableTls=true`	The gateway has no certificates without `pkiInitJob`, so it must run plaintext.
`podSecurityContext.fsGroup=null` / `securityContext.runAsUser=null`	Clear the chart’s hardcoded UID and fsGroup so OpenShift’s SCC admission can assign them.

Wait for the gateway to be ready

$ oc -n openshell rollout status statefulset/openshell

Connect to the gateway

The gateway is now running over plaintext HTTP. Connect with oc port-forward:

$ oc -n openshell port-forward svc/openshell 8080:8080

$ openshell gateway add http://127.0.0.1:8080 --local --name openshift
$ openshell status

Next Steps

For TLS-enabled deployments, see Managing Certificates once SCC-compatible PKI is supported.
To expose the gateway externally, see Ingress.
To configure OIDC authentication, see Access Control.