OpenShift¶
Robusta supports OpenShift. To use Robusta on OpenShift, update your Helm values (generated_values.yaml) as follows:
openshift:
enabled: true
createScc: true
globalConfig:
prometheus_url: https://<PROM_HOST> # get the value for <PROM_HOST> by running oc get routes -n openshift-monitoring prometheus-k8s -o jsonpath='{.spec.host}'
alertmanager_url: https://<AM_HOST> # get the value for <AM_HOST> by running oc get routes -n openshift-monitoring alertmanager-main -o jsonpath='{.spec.host}'
Warning
Do not install Robusta in the default OpenShift project.
Installing Robusta without full admin permissions¶
If you are installing Robusta via a user that doesn't have full admin permissions on the cluster, you can ask an admin to create the Robusta SCC for you in advance, so that you can reference it in your Helm values.
First create an SCC based on openshift-scc-baseline.yaml file for the baseline SCC for the product. This SCC can be and then update your Helm values with:
openshift:
enabled: true
createScc: false
sccName: my-admins-scc # reference the existing SCC your admin created
A test installation in OpenShift can use the existing SCC anyuid.
Optional: Giving Robusta extra debug permissions¶
Note
This section only applies to Robusta Classic. The privileged SCC below is needed for a few Classic playbooks and is not relevant for HolmesGPT-based investigations.
Some lesser used Robusta Classic features require more permissions than the baseline SCC provides.
In order to support the python_debugger, java_debugger and node_disk_analyzer
playbooks, permission to run a far more privileged container needs to be granted to
the runner service account. This container runs privileged with the SYS_ADMIN and
SYS_PTRACE capabilities. The privileged SCC uses runAsUser: RunAsAny, so it does not force
a specific user; the debug container typically runs as root in order to attach to and inspect other
processes on the node.
Important: These capabilities are OPTIONAL and only needed for the native debugging features mentioned above. Most Robusta deployments work fine with the baseline SCC.
Baseline SCC is Sufficient For:¶
✅ All investigations and diagnostics
✅ KRR scans (resource right-sizing)
✅ Popeye scans (cluster analysis)
✅ Log analysis and enrichment
✅ Metrics and event analysis
✅ Alert correlation
✅ Pod restart and scaling
✅ Deployment patching
✅ All standard playbooks
Privileged SCC Only Needed For:¶
❌ Python debugger (
python_debuggerplaybook)❌ Java debugger (
java_debuggerplaybook)❌ Node disk analyzer (
node_disk_analyzerplaybook)
Enabling the Privileged SCC¶
To support these features in a production environment, you may want to only temporarily
enable this permission so that a normal request cannot bypass the less permissive SCC found
in the baseline. To enable these privileged operations in your OpenShift environment,
update the generated_values.yaml as follows:
openshift:
enabled: true
createScc: true
createPrivilegedScc: true # Optional - only if you need debugging features
You may also reference an existing SCC using the openshift.privilegedSccName value.
In test environments, you can reference the privileged SCC to enable these features in your
installation.