Cluster stuff
OpenShift
OKD - https://www.okd.io/ OKD is "The Community Distribution of Kubernetes that powers Red Hat OpenShift".
Security Context Constraints (SCCs)
- Managing SCCs in OpenShift
- See the Caution.
- There is a new way to do this, see https://examples.openshift.pub/deploy/scc-anyuid/#past-438.
- Docs: Run As anyuid SCC
Kubernetes to OpenShift
The Runner operator is production-ready, but the GitLab operator is not.
OpenShift is opinionated: you can't run anything as root by default. A user ID is assigned to whatever is running (even if you tell it to run as root, you'll be ignored). You must rely on the fact that you won't be root.
OpenShift can be made to respect the user.
Create a security group and assign it to a service account. It fails rather quietly if you get it wrong. (Say you don't specify a namespace...)
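One way to make OpenShift respect a requested user ID for a single service account, written as RBAC objects with the namespace stated on every object. This is an added example, not taken from the linked pages; the project `demo`, the service account `web-sa`, the object names and the image are all hypothetical.

```yaml
# Constructed example: namespace "demo", service account "web-sa" and all
# object names are hypothetical placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: web-sa
  namespace: demo
---
# Permission to use exactly one SCC (anyuid) and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-anyuid
  namespace: demo
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["anyuid"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: web-sa-use-anyuid
  namespace: demo            # the project the pods actually run in
subjects:
  - kind: ServiceAccount
    name: web-sa
    namespace: demo          # written out, not left to the current project
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: use-anyuid
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: demo
spec:
  serviceAccountName: web-sa # without this the pod runs as "default"
  containers:
    - name: web
      image: registry.example.com/demo/web:latest  # placeholder image
      securityContext:
        runAsUser: 1001      # the UID the workload asks to keep
        allowPrivilegeEscalation: false
```

Once the pod is admitted, its `openshift.io/scc` annotation names the SCC that was applied, which is the quickest way to see whether the grant reached this service account.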