Install Mission Control on OpenShift
This guide explains how to install Mission Control in an OpenShift environment. OpenShift is a cloud-native platform built on Kubernetes that provides automated installation, upgrades, and lifecycle management for containerized applications.
Prerequisites
Before you begin, ensure you have:
-
A working KOTS CLI installation
-
An OpenShift cluster running version 4.8 or later
-
Access to the
oc
command-line tool
Install Mission Control and configure service accounts
Follow these steps to install Mission Control in your OpenShift environment:
-
Install the
cert-manager
operator in your OpenShift cluster. For detailed instructions, see the Red Hat OpenShift documentation. -
Install the KOTS CLI if you haven’t already.
-
Install Mission Control by following the instructions in Install and configure Mission Control.
-
Configure permissions for Mission Control service accounts using one of the following methods:
-
Use the pre-defined
nonroot-v2
SCC -
Create a custom SCC
Run the following commands to grant access to Mission Control service accounts:
oc adm policy add-scc-to-user nonroot-v2 -z loki
oc adm policy add-scc-to-user nonroot-v2 -z mission-control
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-agent
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-aggregator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-cass-operator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-dex
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-k8ssandra-operator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-kube-state-metrics
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-mimir
Define the SCC in a YAML file, and then apply it to your cluster.
After creating the SCC or applying policy changes, allow a few minutes for pods to schedule properly. |
For more granular control, create a custom SCC with the necessary permissions for Mission Control service accounts. Use the following example SCC definition:
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
name: mission-control
runAsUser:
type: MustRunAsNonRoot
seLinuxContext:
type: RunAsAny
fsGroup:
type: RunAsAny
supplementalGroups:
type: RunAsAny
volumes:
- '*'
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
allowHostNetwork: true
allowHostDirVolumePlugin: false
users:
- system:serviceaccount:mission-control:loki
- system:serviceaccount:mission-control:mission-control
- system:serviceaccount:mission-control:mission-control-agent
- system:serviceaccount:mission-control:mission-control-aggregator
- system:serviceaccount:mission-control:mission-control-cass-operator
- system:serviceaccount:mission-control:mission-control-dex
- system:serviceaccount:mission-control:mission-control-k8ssandra-operator
- system:serviceaccount:mission-control:mission-control-kube-state-metrics
- system:serviceaccount:mission-control:mission-control-mimir