Installing Teleport Helm Chart to OpenShift

Here are the steps for installing the Teleport Helm chart onto an OpenShift cluster. To install with the Teleport Docker container, you need to set runAsUser to 0 (root) and allow the service account in the Helm chart to run as any user. The steps below do that.

Prereq: You will need to have Helm 2 already installed with access to your project.

  1. Retrieve the chart from https://github.com/gravitational/teleport/tree/master/examples/chart/teleport
  2. Review the README and update values.yaml to your required specifications. For first-time installers, we recommend confirming a minimal configuration first.
  3. To set the run-as user to root, add the securityContext after both - name: {{ .Chart.Name }} entries in the file templates/deployment.yaml.
      - name: {{ .Chart.Name }}
        securityContext:
          runAsUser: 0

Note: Set this in both locations if you are using high availability.

  4. Run the helm install. Ex: helm install --name=teleport ./
    The pods will fail to run initially. Run the following command, replacing myproject with your OpenShift project name, to allow the teleport service account to run as any user ID.
    oc adm policy add-scc-to-user anyuid system:serviceaccount:myproject:teleport

The pods will now run, because the teleport service account can run as any user, such as root.

Why does that happen? OpenShift uses assigned user IDs and, by default, prevents containers from running as root.
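
To check that the anyuid grant did only what these steps intend, the following added example (not part of the Teleport chart or the original page) reads the JSON from `oc get pods -n myproject -o json` and lists every container with an explicit runAsUser of 0, together with the service account and the SCC recorded in the pod's openshift.io/scc annotation. The function name and the sample pods are assumptions made for illustration.

```python
import json

# Constructed sample shaped like `oc get pods -n myproject -o json` (not real cluster data).
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "teleport-0", "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"serviceAccountName": "teleport",
              "containers": [{"name": "teleport", "securityContext": {"runAsUser": 0}}]}},
    {"metadata": {"name": "web-1", "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"serviceAccountName": "default",
              "containers": [{"name": "web", "securityContext": {"runAsUser": 1000120000}}]}},
    {"metadata": {"name": "batch-7", "annotations": {"openshift.io/scc": "anyuid"}},
     "spec": {"serviceAccountName": "default", "securityContext": {"runAsUser": 0},
              "containers": [{"name": "job"}]}},
]})


def audit_root_containers(pods_json, expected_sa="teleport"):
    """List every container with an explicit runAsUser of 0.

    'expected' is True only for the case these steps create: the chart's
    service account admitted under the anyuid SCC. A container with no
    runAsUser at all is not listed, because its UID comes from the image.
    """
    findings = []
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        scc = (meta.get("annotations") or {}).get("openshift.io/scc", "unknown")
        sa = spec.get("serviceAccountName", "default")
        pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
        for c in spec.get("containers", []):
            # A container-level runAsUser overrides the pod-level value.
            uid = (c.get("securityContext") or {}).get("runAsUser", pod_uid)
            if uid == 0:
                findings.append({
                    "pod": meta.get("name"), "container": c.get("name"),
                    "service_account": sa, "scc": scc,
                    "expected": sa == expected_sa and scc == "anyuid",
                })
    return findings


if __name__ == "__main__":
    for f in audit_root_containers(SAMPLE_PODS):
        print(f)
```

A finding with expected set to False means a root container is running under a service account other than teleport, which indicates anyuid was granted more widely than step 4 requires.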