OpenShift

Robusta supports OpenShift. To use Robusta on OpenShift, update your Helm values (generated_values.yaml) as follows:

openshift:
  enabled: true
  createScc: true

globalConfig:
  prometheus_url: https://<PROM_HOST> # get the value for <PROM_HOST> by running    oc get routes -n openshift-monitoring prometheus-k8s -o jsonpath='{.spec.host}'
  alertmanager_url: https://<AM_HOST> # get the value for <AM_HOST> by running      oc get routes -n openshift-monitoring alertmanager-main -o jsonpath='{.spec.host}'

Warning

Do not install Robusta in the default OpenShift project.

Installing Robusta without full admin permissions

If you are installing Robusta via a user that doesn't have full admin permissions on the cluster, you can ask an admin to create the Robusta SCC for you in advance, so that you can reference it in your Helm values.

First create an SCC based on openshift-scc-baseline.yaml file for the baseline SCC for the product. This SCC can be and then update your Helm values with:

openshift:
  enabled: true
  createScc: false
  sccName: my-admins-scc # reference the existing SCC your admin created

A test installation in OpenShift can use the existing SCC anyuid.

Optional: Giving Robusta extra debug permissions

Note

This section only applies to Robusta Classic. The privileged SCC below is needed for a few Classic playbooks and is not relevant for HolmesGPT-based investigations.

Some lesser used Robusta Classic features require more permissions than the baseline SCC provides.

In order to support the python_debugger, java_debugger and node_disk_analyzer playbooks, permission to run a far more privileged container needs to be granted to the runner service account. This container runs privileged with the SYS_ADMIN and SYS_PTRACE capabilities. The privileged SCC uses runAsUser: RunAsAny, so it does not force a specific user; the debug container typically runs as root in order to attach to and inspect other processes on the node.

Important: These capabilities are OPTIONAL and only needed for the native debugging features mentioned above. Most Robusta deployments work fine with the baseline SCC.

Baseline SCC is Sufficient For:

  • ✅ All investigations and diagnostics

  • ✅ KRR scans (resource right-sizing)

  • ✅ Popeye scans (cluster analysis)

  • ✅ Log analysis and enrichment

  • ✅ Metrics and event analysis

  • ✅ Alert correlation

  • ✅ Pod restart and scaling

  • ✅ Deployment patching

  • ✅ All standard playbooks

Privileged SCC Only Needed For:

  • ❌ Python debugger (python_debugger playbook)

  • ❌ Java debugger (java_debugger playbook)

  • ❌ Node disk analyzer (node_disk_analyzer playbook)

Enabling the Privileged SCC

To support these features in a production environment, you may want to only temporarily enable this permission so that a normal request cannot bypass the less permissive SCC found in the baseline. To enable these privileged operations in your OpenShift environment, update the generated_values.yaml as follows:

openshift:
  enabled: true
  createScc: true
  createPrivilegedScc: true  # Optional - only if you need debugging features

You may also reference an existing SCC using the openshift.privilegedSccName value. In test environments, you can reference the privileged SCC to enable these features in your installation.