Openshift Deploy

Learn how to deploy Akto on Openshift cluster

Openshift is Red Hat's managed private cluster offering, built on Docker containers orchestrated by Kubernetes.

Steps to get Akto running on your Openshift cluster:

  1. Deploy Akto with the same steps as the Helm Deploy guide.

  2. Add a service account so the traffic connector gets the permissions it needs.

  3. Use either the Kubernetes Daemonset connector or the eBPF on mTLS connector as your traffic connector.

Add the following to the Daemonset connector:

The connectors listen on every interface by default, which may NOT be allowed in some Openshift clusters. If that is the case, contact support@akto.io; we can help you capture traffic on the br-ex interface instead.

     containers:
       - name: mirror-api-logging
         ...
         # add the following lines to grant the container the additional privileges it needs
         securityContext:
           runAsUser: 0
           privileged: true

Service account manifest

On Openshift, a pod that needs to listen to node traffic (e.g. a daemonset pod) must be granted special permissions.

1. Create a Service Account

apiVersion: v1
kind: ServiceAccount
metadata:
  name: akto-daemonset-serviceaccount
  annotations:
    "scc.openshift.io/scc": "akto-daemonset-scc"

2. Create a Security Context Constraint. Substitute <NAMESPACE> with the namespace in which the Akto daemonset yaml is deployed.

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: akto-daemonset-scc
allowPrivilegedContainer: true
allowHostNetwork: true
requiredDropCapabilities:
- NET_ADMIN
seLinuxContext:
  type: RunAsAny
# RunAsAny is needed because the connector container runs as uid 0
runAsUser:
  type: RunAsAny
users:
- system:serviceaccount:<NAMESPACE>:akto-daemonset-serviceaccount

3. Add the SCC to the service account. Run this in the daemonset's namespace, or pass -n <NAMESPACE> to oc.

oc adm policy add-scc-to-user akto-daemonset-scc -z akto-daemonset-serviceaccount
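As an added pre-flight check (example code, not part of Akto's docs or tooling), the following Python validates the SCC above against what the daemonset container asks for: it flags top-level keys repeated in the SCC text, since YAML loaders keep only one of them, and lists any privilege the container requests that the SCC does not grant. It works on dicts as yaml.safe_load would return them, so it needs neither PyYAML nor an oc client; the namespace name akto used below is an assumption.

```python
import re

# A top-level YAML mapping key: starts at column 0 and ends with ':'.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*):")


def duplicate_top_level_keys(yaml_text: str) -> list[str]:
    """Top-level keys that occur more than once (YAML loaders keep only one
    of them, so a repeated block silently drops a conflicting setting)."""
    seen, dupes = set(), []
    for line in yaml_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        if m:
            key = m.group(1)
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
    return dupes


def scc_gaps(scc: dict, container: dict, pod: dict, namespace: str, sa: str) -> list[str]:
    """Privileges the daemonset requests that the SCC does not grant; with a
    too-narrow SCC admission rejects the pod and the connector sees no traffic."""
    gaps = []
    sc = container.get("securityContext", {})
    if sc.get("privileged") and not scc.get("allowPrivilegedContainer"):
        gaps.append("privileged container but allowPrivilegedContainer is not true")
    if pod.get("hostNetwork") and not scc.get("allowHostNetwork"):
        gaps.append("pod uses hostNetwork but allowHostNetwork is not true")
    if sc.get("runAsUser") == 0 and scc.get("runAsUser", {}).get("type") != "RunAsAny":
        gaps.append("container runs as uid 0 but runAsUser strategy is not RunAsAny")
    subject = f"system:serviceaccount:{namespace}:{sa}"
    if subject not in scc.get("users", []):
        gaps.append(f"{subject} is missing from users")
    return gaps


# Constructed input: the strategy section of this page's SCC with repeated blocks.
PAGE_SCC_TEXT = """\
allowPrivilegedContainer: true
allowHostNetwork: true
seLinuxContext:
  type: RunAsAny
runAsUser:
  type: RunAsAny
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: MustRunAs
users:
- system:serviceaccount:<NAMESPACE>:akto-daemonset-serviceaccount
"""
```

Run duplicate_top_level_keys on the SCC file before applying it, and scc_gaps on the parsed SCC together with the mirror-api-logging container spec.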
