Kubernetes

OpenShift

View as Markdown

The OpenShift install path is experimental. It currently requires running sandbox pods under the privileged SCC and installing the gateway with TLS and the PKI init job disabled. Use only for evaluation on a private network.

OpenShift’s Security Context Constraints reject the chart’s default pod security settings. Installing on OpenShift requires precreating the namespace, granting the privileged SCC to the default service account, and overriding a few chart values so the cluster admission controller can assign UIDs and FS groups itself.

Prerequisites

  • OpenShift 4.x cluster with oc configured
  • Helm 3.x
  • Agent Sandbox controller and CRDs installed

Install

1

Create the namespace

Pre-create the namespace so the SCC binding can be applied before the chart installs:

$oc create ns openshell
2

Grant the privileged SCC to sandbox pods

Sandbox pods run under the default service account in the openshell namespace and require the privileged SCC:

$oc adm policy add-scc-to-user privileged -z default -n openshell
3

Install the chart with OpenShift overrides

$helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \
>  --version <version> \
>  --namespace openshell \
>  --set pkiInitJob.enabled=false \
>  --set server.disableTls=true \
>  --set podSecurityContext.fsGroup=null \
>  --set securityContext.runAsUser=null
OverrideReason
pkiInitJob.enabled=falseThe PKI init Job runs as a non-root user with a fixed UID, which the SCC admission rewrites or rejects. Disabling it skips the Job; TLS must also be disabled.
server.disableTls=trueThe gateway has no certificates without pkiInitJob, so it must run plaintext.
podSecurityContext.fsGroup=null / securityContext.runAsUser=nullClear the chart’s hardcoded UID and fsGroup so OpenShift’s SCC admission can assign them.
4

Wait for the gateway to be ready

$oc -n openshell rollout status statefulset/openshell

Connect to the gateway

The gateway is now running over plaintext HTTP. Connect with oc port-forward:

$oc -n openshell port-forward svc/openshell 8080:8080

Register the gateway with the CLI:

$openshell gateway add http://127.0.0.1:8080 --local --name openshift
$openshell status

Next Steps

  • For TLS-enabled deployments, refer to Managing Certificates after SCC-compatible PKI is supported.
  • To expose the gateway externally, refer to Ingress.
  • To configure OIDC authentication, refer to Access Control.