Menu

Using the RabbitMQ Kubernetes Operators on Openshift

Overview

This guide details the Openshift-specific considerations when deploying the RabbitMQ Cluster Kubernetes Operator and the RabbitMQ Messaging Topology Kubernetes Operator. For the most part, the user experience is the same when using these operators on Openshift; the following guide details the additional work required to leverage Openshift's security practices, as well as detail on how the operators work on Openshift.

RBAC permissions for installing the Operators

In order to install the operators, you will need to be authenticated with the Openshift cluster as a user with CRUD permissions on the following resources:

  • Namespace
  • CustomResourceDefinition
  • Deployment
  • ServiceAccount
  • Role
  • ClusterRole
  • RoleBinding
  • ClusterRoleBinding
  • Service
  • ValidatingWebhookConfiguration

You may then run the installation instructions as normal with this user.

Support for Arbitrary User IDs

Openshift uses arbitrarily assigned User IDs when running Pods. Each Openshift project is allocated a range of possible UIDs, and by default Pods will fail if they are started running as a user outside of that range. For more information, see the Openshift documentation.

When deploying the operators on Openshift, the Pods used to run the operator binaries will run with an arbitrary UID within the range allocated by Openshift. This occurs by default, and does not require any modification of the operator manifests to achieve.

Some additional work is required to utilise the same security features when deploying RabbitmqClusters. By default, the RabbitMQ Cluster Operator deploys RabbitmqCluster Pods with fixed, non-root UIDs. To deploy on Openshift, it is necessary to override the Security Context for these Pods. This must be done for every RabbitmqCluster deployed under the override field:

apiVersion: rabbitmq.com/v1beta1
kind: RabbitmqCluster
metadata:
  ...
spec:
  ...
  override:
    statefulSet:
      spec:
        template:
          spec:
            containers: []
            securityContext: {}
            initContainers:
            - name: setup-container
              securityContext: {}

This resets the securityContext for the Pods to default, and ensures that RabbitMQ Pods are also assigned arbitrary user IDs in Openshift.

Getting Help and Providing Feedback

If you have questions about the contents of this guide or any other topic related to RabbitMQ, don't hesitate to ask them on the RabbitMQ mailing list.

Help Us Improve the Docs <3

If you'd like to contribute an improvement to the site, its source is available on GitHub. Simply fork the repository and submit a pull request. Thank you!