Kubernetes

OpenShift

View as Markdown

The OpenShift install path is experimental. It currently requires running sandbox pods under the privileged SCC and installing the gateway with TLS and the PKI init job disabled. Use only for evaluation on a private network.

OpenShift’s Security Context Constraints reject the chart’s default pod security settings. Installing on OpenShift requires precreating the namespace, granting the privileged SCC to the sandbox service account, and overriding a few chart values so the cluster admission controller can assign UIDs and FS groups itself.

Prerequisites

  • OpenShift 4.x cluster with oc configured
  • Helm 3.x
  • Agent Sandbox controller and CRDs installed

Install

1

Create the namespace

Pre-create the namespace so the SCC binding can be applied before the chart installs:

$oc create ns openshell
2

Grant the privileged SCC to sandbox pods

Sandbox pods run under the openshell-sandbox service account in the openshell namespace and require the privileged SCC:

$oc adm policy add-scc-to-user privileged -z openshell-sandbox -n openshell
3

Install the chart with OpenShift overrides

$helm install openshell oci://ghcr.io/nvidia/openshell/helm-chart \
>  --version <version> \
>  --namespace openshell \
>  --set pkiInitJob.enabled=false \
>  --set server.disableTls=true \
>  --set podSecurityContext.fsGroup=null \
>  --set securityContext.runAsUser=null
OverrideReason
pkiInitJob.enabled=falseSkips the built-in TLS PKI Job. TLS must also be disabled unless you provide TLS Secrets another way.
server.disableTls=trueThe gateway has no certificates without pkiInitJob, so it must run plaintext.
podSecurityContext.fsGroup=null / securityContext.runAsUser=nullClear the chart’s hardcoded UID and fsGroup so OpenShift’s SCC admission can assign them.

The gateway still needs the sandbox JWT signing Secret. When disabling pkiInitJob without enabling cert-manager, pre-create that Secret before installing the chart.

4

Wait for the gateway to be ready

$oc -n openshell rollout status statefulset/openshell

If you set workload.kind=deployment, use oc -n openshell rollout status deployment/openshell instead.

Connect to the gateway

The gateway is now running over plaintext HTTP. Connect with oc port-forward:

$oc -n openshell port-forward svc/openshell 8080:8080

Register the gateway with the CLI:

$openshell gateway add http://127.0.0.1:8080 --local --name openshift
$openshell status

Next Steps

  • For TLS-enabled deployments, refer to Managing Certificates after SCC-compatible PKI is supported.
  • To expose the gateway externally, refer to Ingress.
  • To configure OIDC authentication, refer to Access Control.