Neutree Documentation

Configuring OpenShift compatibility

OpenShift applies Security Context Constraints (SCCs), so Pod security permissions in an OpenShift environment differ from those in standard Kubernetes clusters. Deploying Neutree directly may cause the Neutree management plane and cluster Pods to fail to start or run.

You may observe the following:

  • The Neutree management plane Helm deployment fails and Pods cannot start.
  • After cluster creation, Pods are in a CrashLoopBackOff state.

OpenShift uses SCCs to control Pod security permissions. The default SCC policies in OpenShift are stricter than those in standard Kubernetes. Some Neutree components may require specific permissions, such as privileged mode, host network access, or specific user IDs. These permissions must be granted by creating custom SCCs.

For OpenShift environments, configure the appropriate SCCs separately for the management plane and clusters.

When deploying the Neutree management plane on OpenShift, create the necessary SCCs before running the Helm installation.

Steps

  1. Replace <namespace> in the following command with the namespace where the management plane is deployed, then run the command to create the SCC required for the management plane.

    kubectl apply -f - <<EOF
    kind: SecurityContextConstraints
    apiVersion: security.openshift.io/v1
    metadata:
      name: neutree-controlplane-scc
      annotations:
        kubernetes.io/description: "Custom SCC for Neutree AI ControlPlane to allow root and any UID/GID."
    priority: 10000
    allowHostDirVolumePlugin: true
    allowHostIPC: true
    allowHostNetwork: true
    allowHostPID: true
    allowHostPorts: true
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: true
    allowedCapabilities:
    - '*'
    allowedUnsafeSysctls:
    - '*'
    readOnlyRootFilesystem: false
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    fsGroup:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    seccompProfiles:
    - '*'
    volumes:
    - '*'
    # Grants this SCC to every service account in <namespace>.
    groups:
    - system:serviceaccounts:<namespace>
    EOF

  2. Verify that the SCC was created successfully:

    oc get scc

    The list should include an SCC named neutree-controlplane-scc.

  3. Run the Helm installation to deploy the Neutree management plane:

    helm install <release-name> <chart-name> -n <namespace>

    Parameter        Description
    <release-name>   Helm release name.
    <chart-name>     Management plane Helm chart name or path.
    <namespace>      Namespace where the management plane is deployed.

  4. Verify the Neutree management plane Pod status:

    kubectl get pods -n <namespace>

    All Pods should be in the Running state.

When creating a cluster on OpenShift, create an SCC for the cluster after cluster creation is complete, then recreate all cluster Pods.

Steps

  1. Create a cluster in the Neutree management interface. After cluster creation, Pods may fail to start due to permission issues.

  2. Get the namespace used by the cluster:

    kubectl get ns -l neutree.ai/neutree-cluster=<cluster>,neutree.ai/neutree-workspace=<workspace>

    Parameter     Description
    <cluster>     Cluster name.
    <workspace>   Name of the workspace the cluster belongs to.

  3. Replace <namespace> with the cluster namespace obtained in step 2, then run the command to create the SCC required for the cluster.

    kubectl apply -f - <<EOF
    kind: SecurityContextConstraints
    apiVersion: security.openshift.io/v1
    metadata:
      name: neutree-datacluster-scc
      annotations:
        kubernetes.io/description: "Custom SCC for Neutree AI Data Cluster to allow root and any UID/GID."
    priority: 10000
    allowHostDirVolumePlugin: true
    allowHostIPC: true
    allowHostNetwork: true
    allowHostPID: true
    allowHostPorts: true
    allowPrivilegeEscalation: true
    allowPrivilegedContainer: true
    allowedCapabilities:
    - '*'
    allowedUnsafeSysctls:
    - '*'
    readOnlyRootFilesystem: false
    runAsUser:
      type: RunAsAny
    seLinuxContext:
      type: RunAsAny
    fsGroup:
      type: RunAsAny
    supplementalGroups:
      type: RunAsAny
    seccompProfiles:
    - '*'
    volumes:
    - '*'
    # Grants this SCC to every service account in <namespace>.
    groups:
    - system:serviceaccounts:<namespace>
    EOF

  4. Verify that the SCC was created successfully.

    oc get scc

    The list should include an SCC named neutree-datacluster-scc.

  5. Replace <namespace> with the cluster namespace obtained in step 2, then run the command to recreate all Pods in the cluster.

    kubectl delete pods --all -n <namespace>
  6. Verify the cluster Pod status:

    kubectl get pods -n <namespace>

    All Pods should be in the Running state with no permission-related errors.

  7. Log in to the Neutree management interface, click Clusters in the left menu, and confirm that the cluster status is Running in the cluster list.
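
Both SCCs above allow privileged containers, host namespaces and any UID, and their groups entry grants them to every service account in the namespace. The following Python script is an added example, not part of the Neutree documentation: it summarizes what an SCC exported with oc get scc <name> -o json grants and to whom. The sample object is constructed from the neutree-datacluster-scc manifest above, with example-ns as a placeholder for <namespace>.

```python
import json
import sys

# Boolean SCC fields (set to true in the manifests above) that grant host-level access.
HOST_FLAGS = ["allowPrivilegedContainer", "allowPrivilegeEscalation", "allowHostNetwork",
              "allowHostPID", "allowHostIPC", "allowHostPorts", "allowHostDirVolumePlugin"]
# List fields where '*' allows every value.
WILDCARD_LISTS = ["allowedCapabilities", "allowedUnsafeSysctls", "seccompProfiles", "volumes"]
# Strategy fields where RunAsAny lifts the restriction.
STRATEGIES = ["runAsUser", "seLinuxContext", "fsGroup", "supplementalGroups"]


def audit_scc(scc):
    """Return (grants, subjects) for one SCC parsed from `oc get scc <name> -o json`."""
    grants = [f for f in HOST_FLAGS if scc.get(f) is True]
    grants += [f + "=*" for f in WILDCARD_LISTS if "*" in (scc.get(f) or [])]
    grants += [f + "=RunAsAny" for f in STRATEGIES
               if (scc.get(f) or {}).get("type") == "RunAsAny"]
    subjects = []
    for group in scc.get("groups") or []:
        if group.startswith("system:serviceaccounts:"):
            # Namespace-wide group: every service account in that namespace.
            subjects.append(("all-serviceaccounts-in-namespace", group.split(":", 2)[2]))
        elif group in ("system:authenticated", "system:serviceaccounts"):
            subjects.append(("cluster-wide", group))
        else:
            subjects.append(("group", group))
    subjects += [("user", u) for u in scc.get("users") or []]
    return grants, subjects


# Constructed sample: JSON form of neutree-datacluster-scc from this page, with the
# placeholder namespace "example-ns" substituted for <namespace>.
SAMPLE = json.loads("""
{"kind": "SecurityContextConstraints", "metadata": {"name": "neutree-datacluster-scc"},
 "priority": 10000, "allowHostDirVolumePlugin": true, "allowHostIPC": true,
 "allowHostNetwork": true, "allowHostPID": true, "allowHostPorts": true,
 "allowPrivilegeEscalation": true, "allowPrivilegedContainer": true,
 "allowedCapabilities": ["*"], "allowedUnsafeSysctls": ["*"], "readOnlyRootFilesystem": false,
 "runAsUser": {"type": "RunAsAny"}, "seLinuxContext": {"type": "RunAsAny"},
 "fsGroup": {"type": "RunAsAny"}, "supplementalGroups": {"type": "RunAsAny"},
 "seccompProfiles": ["*"], "volumes": ["*"], "groups": ["system:serviceaccounts:example-ns"]}
""")

if __name__ == "__main__":
    # Pass a file saved from `oc get scc <name> -o json`, or run without arguments for the sample.
    scc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    grants, subjects = audit_scc(scc)
    print(scc["metadata"]["name"], "priority", scc.get("priority"))
    print("grants:", ", ".join(grants))
    print("usable by:", subjects)
```

Because the SCC applies to the whole namespace, keeping that namespace dedicated to Neutree workloads limits which Pods can use these permissions.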

OpenShift official documentation - Managing Security Context Constraints