Documentation menu

Kubernetes agent

Use Octopus docs with AI

Octopus Kubernetes agent on Openshift

How to configure a Kubernetes agent for Openshift

Agent can be run under nonroot-v2 SCC. This means you will probably need to manually assign the SCC to service accounts.

Installation steps are following:

  1. create dedicated project (namespace)

    NS_NAME="octopus-agent-<name>"
oc new-project $NS_NAME --description="Octopus Deploy kubernetes agent <name>" --display-name="Octopus Deploy k8s agent"

  2. Assign nonroot-v2 SCC to SAs

    • Agent
    NS_NAME="octopus-agent-<name>"
AGENT_SERVICE_ACCOUNT="octopus-agent-tentacle"
oc adm policy add-scc-to-user nonroot-v2 -z $AGENT_SERVICE_ACCOUNT -n $NS_NAME
    • Pod scripts
    NS_NAME="octopus-agent-<name>"
POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-scripts"
oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME
    • Auto-upgrader
    NS_NAME="octopus-agent-<name>"
POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-auto-upgrader"
oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME

  3. To make sure that you will not have problems with PV StorageClass requires to have explicit UID to match one from securityContext. Here is important part of your StorageClass mountOptions:

    mountOptions:
- uid=999
- forceuid
- file_mode=0775 #rwx for user required
- dir_mode=0775 #rwx for user required

  4. Agent and script pods support running in non-root mode. UID/GID should be 999. Run helm install command with extra values:

    agent:
  securityContext:
    readOnlyRootFilesystem: true
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999
    fsGroupChangePolicy: "OnRootMismatch"
scriptPods:
  securityContext: 
    runAsUser: 999
    runAsGroup: 999
    fsGroup: 999
    fsGroupChangePolicy: "OnRootMismatch"
persistence:
  storageClassName: {your-custom-value} #required - use name from previous step