Copyright © 2026, NVIDIA Corporation.

OpenShift


The OpenShift install path is experimental. It currently requires running sandbox pods under the privileged SCC and installing the gateway with TLS and the PKI init job disabled. Use only for evaluation on a private network.

OpenShift’s Security Context Constraints (SCCs) reject the chart’s default pod security settings. Installing on OpenShift requires pre-creating the namespace, granting the privileged SCC to the sandbox service account, and overriding a few chart values so the cluster admission controller can assign UIDs and FS groups itself.

Prerequisites

  • OpenShift 4.x cluster with oc configured
  • Helm 3.x
  • Agent Sandbox controller and CRDs installed

Install

1. Create the namespace

Pre-create the namespace so the SCC binding can be applied before the chart installs:

$ oc create ns openshell

2. Grant the privileged SCC to sandbox pods

Sandbox pods run under the openshell-sandbox service account in the openshell namespace and require the privileged SCC:

$ oc adm policy add-scc-to-user privileged -z openshell-sandbox -n openshell

3. Install the chart with OpenShift overrides

$ helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \
> --version <version> \
> --namespace openshell \
> --set pkiInitJob.enabled=false \
> --set server.disableTls=true \
> --set podSecurityContext.fsGroup=null \
> --set securityContext.runAsUser=null

Override: Reason
  • pkiInitJob.enabled=false: Skips the built-in TLS PKI Job. TLS must also be disabled unless you provide TLS Secrets another way.
  • server.disableTls=true: The gateway has no certificates without pkiInitJob, so it must run plaintext.
  • podSecurityContext.fsGroup=null / securityContext.runAsUser=null: Clear the chart’s hardcoded UID and fsGroup so OpenShift’s SCC admission can assign them.

The gateway still needs the sandbox JWT signing Secret. When disabling pkiInitJob without enabling cert-manager, pre-create that Secret before installing the chart.

4. Wait for the gateway to be ready

$ oc -n openshell rollout status statefulset/openshell

Connect to the gateway

The gateway is now running over plaintext HTTP. Connect with oc port-forward:

$ oc -n openshell port-forward svc/openshell 8080:8080

Register the gateway with the CLI:

$ openshell gateway add http://127.0.0.1:8080 --local --name openshift
$ openshell status
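
A post-install check for the two risks this install path accepts, the privileged SCC grant and the plaintext gateway (an added example, not part of the OpenShell docs or chart). It assumes that `oc adm policy add-scc-to-user` records the grant as a RoleBinding to the `system:openshift:scc:privileged` ClusterRole and that input comes from `oc -n openshell get svc,route,rolebinding -o json`; the sample objects are constructed.

```python
"""Audit an experimental OpenShell-on-OpenShift namespace from
`oc -n openshell get svc,route,rolebinding -o json` output."""
import json
import sys

NAMESPACE = "openshell"
GATEWAY_SVC = "openshell"
SANDBOX_SA = "openshell-sandbox"
# Assumption: the ClusterRole that `oc adm policy add-scc-to-user privileged` binds.
SCC_ROLE = "system:openshift:scc:privileged"


def audit(items):
    """Return a list of findings for a list of Kubernetes objects."""
    findings = []
    for obj in items:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "?")
        spec = obj.get("spec", {})
        if kind == "Service" and name == GATEWAY_SVC:
            # The gateway runs without TLS, so anything but ClusterIP leaks plaintext.
            if spec.get("type", "ClusterIP") in ("NodePort", "LoadBalancer"):
                findings.append(f"service/{name}: plaintext gateway exposed as {spec['type']}")
        elif kind == "Route" and spec.get("to", {}).get("name") == GATEWAY_SVC:
            findings.append(f"route/{name}: exposes plaintext gateway at host {spec.get('host')}")
        elif kind == "RoleBinding" and obj.get("roleRef", {}).get("name") == SCC_ROLE:
            # Only the sandbox service account should hold the privileged SCC.
            for s in obj.get("subjects") or []:
                expected = (s.get("kind") == "ServiceAccount"
                            and s.get("name") == SANDBOX_SA
                            and s.get("namespace", NAMESPACE) == NAMESPACE)
                if not expected:
                    findings.append(f"rolebinding/{name}: privileged SCC also granted to "
                                    f"{s.get('kind')}/{s.get('name')}")
    return findings


# Constructed sample, not output from a real cluster.
SAMPLE = [
    {"kind": "Service", "metadata": {"name": "openshell"}, "spec": {"type": "ClusterIP"}},
    {"kind": "Route", "metadata": {"name": "gw"},
     "spec": {"host": "gw.apps.example.test", "to": {"kind": "Service", "name": "openshell"}}},
    {"kind": "RoleBinding", "metadata": {"name": SCC_ROLE}, "roleRef": {"name": SCC_ROLE},
     "subjects": [{"kind": "ServiceAccount", "name": "openshell-sandbox", "namespace": "openshell"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "openshell"}]},
]

if __name__ == "__main__":
    # Reads the `oc ... -o json` List from stdin, or falls back to the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for line in audit(data) or ["no findings"]:
        print(line)
```

An empty result means the gateway Service is cluster-internal, no Route targets it, and the privileged SCC binding names only the `openshell-sandbox` service account.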

Next Steps

  • For TLS-enabled deployments, refer to Managing Certificates after SCC-compatible PKI is supported.
  • To expose the gateway externally, refer to Ingress.
  • To configure OIDC authentication, refer to Access Control.