Openshift Deploy
Learn how to deploy Akto on Openshift cluster
Openshift is RedHat's managed private cluster offering - based on Docker and orchestration by Kubernetes.
Steps to get Akto running on your Openshift cluster -
You can use same steps as Helm Deploy to deploy Akto.
Add service account to get permissions for traffic connector.
You can use Kubernetes Daemonset connector or eBPF on mTLS as your traffic connector.
Add the following to the Daemonset connector -
They listen to
any
interface by default - which might NOT be allowed in some Openshift clusters. If that's the case, contact [email protected] - we can help listen traffic onbr-ex
interface.
containers:
- name: mirror-api-logging
...
# add the following lines to add additional privileges
privileged: true
securityContext:
runAsUser: 0
privileged: true
Service account manifest
On Openshift, for a pod to be able to listen to node traffic (eg. a daemonset pod), it needs to be assigned some special permissions.
1. Create a Service Account
apiVersion: v1
kind: ServiceAccount
metadata:
name: akto-daemonset-serviceaccount
annotations:
"scc.openshift.io/scc": "akto-daemonset-scc"
Create a Security Context Constraint. Substitute <NAMESPACE> with Akto daemonset yaml namespace.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: akto-daemonset-scc
allowPrivilegedContainer: true
allowHostNetwork: true
requiredDropCapabilities:
- NET_ADMIN
seLinuxContext:
type: RunAsAny
runAsUser:
type: RunAsAny
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
users:
- system:serviceaccount:<NAMESPACE>:akto-daemonset-serviceaccount
Add SCC to service account
oc adm policy add-scc-to-user akto-daemonset-scc -z akto-daemonset-serviceaccount
Last updated
Was this helpful?