| 1 | +--- |
| 2 | +title: "Red Hat OpenShift" |
| 3 | +description: Learn about deploying Coder in OpenShift Container Platform |
| 4 | +--- |
| 5 | + |
| 6 | +This deployment guide shows you how to customize your [OpenShift Container |
| 7 | +Platform] cluster in order to deploy Coder. The OpenShift Container Platform |
| 8 | +includes default security features, notably the `restricted` [Security Context |
| 9 | +Constraint], which can interfere with applications, including Coder. |
| 10 | + |
| 11 | +This guide describes customizations to the OpenShift cluster as well as Coder |
| 12 | +that ensure an optimal user experience. |
| 13 | + |
| 14 | +[OpenShift Container Platform]: https://www.openshift.com/products/container-platform |
| 15 | +[Security Context Constraint]: https://docs.openshift.com/container-platform/4.7/authentication/managing-security-context-constraints.html |
| 16 | + |
| 17 | +## Prerequisites |
| 18 | + |
| 19 | +* An OpenShift cluster with a Project (Kubernetes namespace) for Coder |
| 20 | +* OpenShift command-line tools (`oc` and `kubectl`) |
| 21 | + |
| 22 | +## Option 1: Add the environments service account to anyuid or nonroot |
| 23 | + |
| 24 | +Coder's default base images for workspaces, such as `enterprise-base`, run as |
| 25 | +the `coder` user (UID 1000). By default, the OpenShift platform does not |
| 26 | +allow running with this user, as service accounts use the `restricted` Security |
| 27 | +Context Constraint by default, and must run with a project-specific UID. |
| 28 | + |
| 29 | +Coder creates workspaces in pods with the service account `environments`, and |
| 30 | +we recommend adding this service account to the `anyuid` or `nonroot` Security |
| 31 | +Context Constraint using: |
| 32 | + |
| 33 | +```console |
| 34 | +$ oc adm policy add-scc-to-user nonroot -z environments |
| 35 | +clusterrole.rbac.authorization.k8s.io/system:openshift:scc:nonroot added: "environments" |
| 36 | +$ oc adm policy who-can use scc nonroot |
| 37 | +resourceaccessreviewresponse.authorization.openshift.io/<unknown> |
| 38 | + |
| 39 | +Namespace: coder |
| 40 | +Verb: use |
| 41 | +Resource: securitycontextconstraints.security.openshift.io |
| 42 | + |
| 43 | +Users: system:admin |
| 44 | + system:serviceaccount:coder:environment |
| 45 | +``` |
| 46 | + |
| 47 | +## Option 2: Build images compatible with OpenShift |
| 48 | + |
| 49 | +In order to run Coder workspaces without modifying Security Context Constraints, |
| 50 | +you can modify the user and permissions from the base images. First, determine |
| 51 | +the UID range for the project using: |
| 52 | + |
| 53 | +```console |
| 54 | +$ oc describe project coderName: coder |
| 55 | +Created: 10 days ago |
| 56 | +Labels: <none> |
| 57 | +Annotations: openshift.io/description= |
| 58 | + openshift.io/display-name= |
| 59 | + openshift.io/requester=kube:admin |
| 60 | + openshift.io/sa.scc.mcs=s0:c26,c10 |
| 61 | + openshift.io/sa.scc.supplemental-groups=1000670000/10000 |
| 62 | + openshift.io/sa.scc.uid-range=1000670000/10000 |
| 63 | +Display Name: <none> |
| 64 | +Description: <none> |
| 65 | +Status: Active |
| 66 | +Node Selector: <none> |
| 67 | +Quota: <none> |
| 68 | +Resource limits: <none> |
| 69 | +``` |
| 70 | + |
| 71 | +Create a `BuildConfig` that outputs an image with a UID in the given range |
| 72 | +(in this case, sa.scc.uid-range begins with 1000670000): |
| 73 | + |
| 74 | +```yaml |
| 75 | +kind: BuildConfig |
| 76 | +apiVersion: build.openshift.io/v1 |
| 77 | +metadata: |
| 78 | + name: example |
| 79 | + namespace: coder |
| 80 | +spec: |
| 81 | + triggers: |
| 82 | + - type: ConfigChange |
| 83 | + runPolicy: Serial |
| 84 | + source: |
| 85 | + type: Dockerfile |
| 86 | + dockerfile: | |
| 87 | + FROM docker.io/codercom/enterprise-base:ubuntu |
| 88 | +
|
| 89 | + # Switch to root |
| 90 | + USER root |
| 91 | +
|
| 92 | + # As root, change the coder user id |
| 93 | + RUN usermod --uid=1000670000 coder |
| 94 | +
|
| 95 | + # Go back to the user 'coder' |
| 96 | + USER coder |
| 97 | + strategy: |
| 98 | + type: Docker |
| 99 | + dockerStrategy: |
| 100 | + imageOptimizationPolicy: SkipLayers |
| 101 | + output: |
| 102 | + to: |
| 103 | + kind: ImageStreamTag |
| 104 | + name: 'enterprise-base:latest' |
| 105 | +``` |
| 106 | +
|
| 107 | +When creating workspaces, [configure Coder to connect to the internal OpenShift |
| 108 | +registry](../../admin/registries/index.md) and use this base image. |