Install OpenShift dependencies and define SCC permissions

This guide explains how to install Mission Control in an OpenShift environment. OpenShift is a cloud-native platform built on Kubernetes that provides automated installation, upgrades, and lifecycle management for containerized applications.

Prerequisites

Before you begin, ensure you have:

  • A working KOTS CLI installation

  • An OpenShift cluster running version 4.8 or later

  • Access to the oc command-line tool

Install Mission Control and configure service accounts

Follow these steps to install Mission Control in your OpenShift environment:

  1. Install the cert-manager operator in your OpenShift cluster. For detailed instructions, see the Red Hat OpenShift documentation.

  2. Configure cert-manager for proper secret cleanup. For more information, see Configure cert-manager for proper secret cleanup.

  3. Install the KOTS CLI if you haven’t already.

  4. Install Mission Control by following the instructions in Install Mission Control with KOTS.

    You must use the same application name for the data plane installation as you used for the control plane installation. This ensures proper communication and resource management between the planes.

  5. Configure permissions for Mission Control service accounts using one of the following methods:

  • Use the pre-defined nonroot-v2 SCC

  • Create a custom SCC

Run the following commands to grant access to Mission Control service accounts:

oc adm policy add-scc-to-user nonroot-v2 -z loki
oc adm policy add-scc-to-user nonroot-v2 -z mission-control
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-agent
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-aggregator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-cass-operator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-dex
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-k8ssandra-operator
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-kube-state-metrics
oc adm policy add-scc-to-user nonroot-v2 -z mission-control-mimir

Define the SCC in a YAML file, and then apply it to your cluster.

After creating the SCC or applying policy changes, allow a few minutes for pods to schedule properly.

For more granular control, create a custom SCC with the necessary permissions for Mission Control service accounts. Use the following example SCC definition:

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: mission-control
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
volumes:
- '*'
requiredDropCapabilities:
- ALL
allowedCapabilities:
- NET_BIND_SERVICE
allowHostNetwork: true
allowHostDirVolumePlugin: false
users:
- system:serviceaccount:mission-control:loki
- system:serviceaccount:mission-control:mission-control
- system:serviceaccount:mission-control:mission-control-agent
- system:serviceaccount:mission-control:mission-control-aggregator
- system:serviceaccount:mission-control:mission-control-cass-operator
- system:serviceaccount:mission-control:mission-control-dex
- system:serviceaccount:mission-control:mission-control-k8ssandra-operator
- system:serviceaccount:mission-control:mission-control-kube-state-metrics
- system:serviceaccount:mission-control:mission-control-mimir

Configure cert-manager for proper secret cleanup

Mission Control deletes the certificate objects when you delete a MissionControlCluster, which then deletes all the certificate secrets. However, the default settings of cert-manager leave the generated secrets behind when the upstream certificates are deleted.

To ensure proper cleanup of certificate secrets when Mission Control clusters are deleted, configure cert-manager to add ownership references on the secrets it generates.

  • Helm installation

  • Kustomize installation

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version VERSION \
  --set 'extraArgs[0]=--enable-certificate-owner-ref=true'

Replace VERSION with the version of cert-manager you want to install. DataStax recommends version 1.16.1.

Add the following argument to the cert-manager deployment in the cert-manager-controller container:

- '--enable-certificate-owner-ref=true'

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM