OpenShift Prerequisites
Note: Supported versions are listed in the Entrust CloudControl Release Notes.
- The OpenShift master (API server) must be running as a k8s_apiserver pod.
- The OCR (OpenShift Container Registry) is automatically added or removed with your OpenShift clusters. You cannot add an OCR using the same process as you would an image registry. OCRs can only be added as a part of their corresponding OpenShift cluster.
- Before you add an OpenShift cluster, your DNS must be configured so that CloudControl can connect to the corresponding OCR using the OpenShift route for the OCR. The format should be docker-registry-default.<domain.com>.
- OpenShift users must have the following privileges for CloudControl to fetch OpenShift cluster inventory and the OCR:
  - oc adm policy add-role-to-user system:registry <username>
  - oc adm policy add-role-to-user admin <username>
  - oc adm policy add-role-to-user system:image-builder <username>
  - oc adm policy add-cluster-role-to-user system:registry <username>
  - oc adm policy add-cluster-role-to-user admin <username>
  - oc adm policy add-cluster-role-to-user system:image-builder <username>
  - oc adm policy add-cluster-role-to-user cluster-admin <username>
  - oc adm policy add-cluster-role-to-user cluster-admin system:anonymous
  Where <username> is the OpenShift user name to be used when adding an OpenShift cluster.
- Using deployment control with OpenShift requires the following:
  - The "ValidatingAdmissionWebhook" must be enabled before you add the cluster.
  - Your DNS must be configured to allow two-way communication between the cluster and CloudControl before you add the cluster.
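
A read-only check for the role bindings listed above, as an added example (not Entrust or OpenShift code): it parses the JSON printed by `oc get clusterrolebindings,rolebindings -o json`, assuming the RBAC `roleRef`/`subjects` layout, and reports which of the page's roles the user still lacks and whether `system:anonymous` holds `cluster-admin`. The user name `ccadmin`, the script name `audit.py` and the sample bindings are constructed.

```python
import json
import sys

# Roles from the page: add-role-to-user (project scope) and
# add-cluster-role-to-user (cluster scope).
PROJECT_ROLES = {"system:registry", "admin", "system:image-builder"}
CLUSTER_ROLES = PROJECT_ROLES | {"cluster-admin"}

def granted(bindings, kind, user):
    """Role names that bindings of `kind` grant directly to `user`."""
    roles = set()
    for item in bindings.get("items", []):
        if item.get("kind") != kind:
            continue
        for subj in item.get("subjects") or []:
            # User (RBAC) or SystemUser (legacy policy API); groups and
            # service accounts with the same name do not count.
            if subj.get("kind") in ("User", "SystemUser") and subj.get("name") == user:
                roles.add(item["roleRef"]["name"])
    return roles

def audit(bindings, username):
    cluster = granted(bindings, "ClusterRoleBinding", username)
    project = granted(bindings, "RoleBinding", username)
    anon = granted(bindings, "ClusterRoleBinding", "system:anonymous")
    return {
        "missing_cluster_roles": sorted(CLUSTER_ROLES - cluster),
        "missing_project_roles": sorted(PROJECT_ROLES - project),
        "anonymous_cluster_admin": "cluster-admin" in anon,
    }

def _binding(kind, role, *subjects):  # helper for the constructed sample only
    return {"kind": kind, "roleRef": {"name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects]}

# Constructed sample; "ccadmin" is a hypothetical user name.
SAMPLE = {"kind": "List", "items": [
    _binding("ClusterRoleBinding", "cluster-admin", ("Group", "system:masters"),
             ("User", "ccadmin"), ("User", "system:anonymous")),
    _binding("ClusterRoleBinding", "system:registry", ("User", "ccadmin")),
    _binding("ClusterRoleBinding", "admin", ("User", "ccadmin")),
    _binding("RoleBinding", "system:registry", ("User", "ccadmin")),
    _binding("RoleBinding", "system:image-builder", ("User", "ccadmin")),
    _binding("RoleBinding", "admin", ("ServiceAccount", "ccadmin")),
]}

if __name__ == "__main__":
    # usage: oc get clusterrolebindings,rolebindings -o json | python3 audit.py <username>
    live = len(sys.argv) > 1
    data = json.load(sys.stdin) if live else SAMPLE
    print(json.dumps(audit(data, sys.argv[1] if live else "ccadmin"), indent=2))
```

Run without arguments it audits the constructed sample; keeping the output with the cluster's change records gives reviewers an inventory of the bindings this integration depends on.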