From 47f811889057c16fff0fb30af2536aeed5c3d643 Mon Sep 17 00:00:00 2001 From: oleksandr-codefresh Date: Fri, 15 May 2026 12:33:51 +0300 Subject: [PATCH 1/5] agent: added openshift installation instructions --- .../targets/kubernetes-agent/index.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md index c72523c878..471759dc76 100644 --- a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md +++ b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md 
@@ -167,6 +167,54 @@ Look at the Helm chart [values.yaml](https://github.com/OctopusDeploy/helm-chart The Kubernetes monitor is deployed as a sub-chart to the Kubernetes agent. [Available values for the monitor are available here](https://github.com/OctopusDeploy/helm-charts/blob/main/charts/kubernetes-agent/kubernetes-monitor.md). All Kubernetes monitor values should be nested under a `kubernetesMonitor` key when deployed with the Kubernetes agent chart. +### Strict security context + +Agent and script pods can be running in `non-root` mode. UID/GID should be 999. + +```yaml +agent: + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" +scriptPods: + securityContext: + runAsUser: 999 + runAsGroup: 999 + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" +persistence: + storageClassName: {your-custom-value} #required +``` + +To make sure that you will not have problems with PV StorageClass requires to have explicit UID to match one from securityContext. Here is important part of your StorageClass `mountOptions`: + +```yaml +mountOptions: +- uid=999 +- forceuid +- file_mode=0775 #rwx for user required +- dir_mode=0775 #rwx for user required +``` + +### Openshift + +Agent can be run under `nonroot-v2` SCC. This means you will probably need to manually assing the SCC to service accounts: + +- **Agent** +```bash +NS_NAME="octopus-agent-" +AGENT_SERVICE_ACCOUNT="octopus-agent-tentacle" +oc adm policy add-scc-to-user nonroot-v2 -z $AGENT_SERVICE_ACCOUNT -n $NS_NAME +``` +- **Pod scripts** +```bash +NS_NAME="octopus-agent-" +POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-scripts" +oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME +``` + ## Configuring the agent with Tenants While the wizard doesn't support selecting Tenants or Tenant tags, the agent can be configured for tenanted deployments in two ways: From 600e7b61b6db967e9ce7802f52a4350a9757fa8d Mon Sep 17 00:00:00 2001 
From: oleksandr-codefresh Date: Mon, 18 May 2026 07:48:02 +0300 Subject: [PATCH 2/5] updated title --- src/pages/docs/kubernetes/targets/kubernetes-agent/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md index 471759dc76..2cbe18f78d 100644 --- a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md +++ b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md @@ -167,7 +167,7 @@ Look at the Helm chart [values.yaml](https://github.com/OctopusDeploy/helm-chart The Kubernetes monitor is deployed as a sub-chart to the Kubernetes agent. [Available values for the monitor are available here](https://github.com/OctopusDeploy/helm-charts/blob/main/charts/kubernetes-agent/kubernetes-monitor.md). All Kubernetes monitor values should be nested under a `kubernetesMonitor` key when deployed with the Kubernetes agent chart. -### Strict security context +### Non-root configuration Agent and script pods can be running in `non-root` mode. UID/GID should be 999. From d201cc6a3f796c4e0ca9367aaa30f46c4aa746fa Mon Sep 17 00:00:00 2001 From: oleksandr-codefresh Date: Mon, 18 May 2026 08:05:18 +0300 Subject: [PATCH 3/5] kubernetes woker: added link to non-root mode for k8s agent --- .../docs/infrastructure/workers/kubernetes-worker/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/pages/docs/infrastructure/workers/kubernetes-worker/index.md b/src/pages/docs/infrastructure/workers/kubernetes-worker/index.md index 937022fedc..cb7a189eba 100644 --- a/src/pages/docs/infrastructure/workers/kubernetes-worker/index.md +++ b/src/pages/docs/infrastructure/workers/kubernetes-worker/index.md 
@@ -59,6 +59,10 @@ create new pods for each requested operation. The Kubernetes Worker allows execution permissions to be overwritten in the same way as the [Kubernetes Agent](/docs/kubernetes/targets/kubernetes-agent/permissions). +## Non-root mode + +The Kubernetes Worker non-root mode can be configured in the same way as the [Kubernetes Agent](/docs/kubernetes/targets/kubernetes-agent#non-root-mode). + ## Limitations Being securely hosted inside a kubernetes cluster comes with some limitations - the primary of which is the lack of `Docker`. From db35ffb955535679642cbe0856ee40b7e38a3ed0 Mon Sep 17 00:00:00 2001 From: oleksandr-codefresh Date: Wed, 20 May 2026 09:54:42 +0300 Subject: [PATCH 4/5] fixed typos --- .../kubernetes/targets/kubernetes-agent/index.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md index 2cbe18f78d..7de9f40d12 100644 --- a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md +++ b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md @@ -169,7 +169,7 @@ The Kubernetes monitor is deployed as a sub-chart to the Kubernetes agent. [Avai ### Non-root configuration -Agent and script pods can be running in `non-root` mode. UID/GID should be 999. +Agent and script pods support running in non-root mode. UID/GID should be 999. ```yaml agent: 
@@ -200,21 +200,32 @@ mountOptions: ### Openshift -Agent can be run under `nonroot-v2` SCC. This means you will probably need to manually assing the SCC to service accounts: +Agent can be run under `nonroot-v2` SCC. This means you will probably need to manually assign the SCC to service accounts: - **Agent** + ```bash NS_NAME="octopus-agent-" AGENT_SERVICE_ACCOUNT="octopus-agent-tentacle" oc adm policy add-scc-to-user nonroot-v2 -z $AGENT_SERVICE_ACCOUNT -n $NS_NAME ``` + - **Pod scripts** + ```bash NS_NAME="octopus-agent-" POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-scripts" oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME ``` +- **Auto-upgrader** + +```bash +NS_NAME="octopus-agent-" +POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-auto-upgrader" +oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME +``` + ## Configuring the agent with Tenants While the wizard doesn't support selecting Tenants or Tenant tags, the agent can be configured for tenanted deployments in two ways: From 878b9e2fce4b3da746cb0cbc3e2983bcbf0232ca Mon Sep 17 00:00:00 2001 From: oleksandr-codefresh Date: Wed, 20 May 2026 11:16:09 +0300 Subject: [PATCH 5/5] added additional details to openshift section --- src/pages/docs/kubernetes/targets/kubernetes-agent/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md index 7de9f40d12..39a08609e4 100644 --- a/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md +++ b/src/pages/docs/kubernetes/targets/kubernetes-agent/index.md 
@@ -226,6 +226,8 @@ POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-auto-upgrader" oc adm policy add-scc-to-user nonroot-v2 -z $POD_SCRIPTS_SERVICE_ACCOUNT -n $NS_NAME ``` +For additional details on the helm values for non-root setup, see the [Non-root configurationg](#non-root-configuration) section. + ## Configuring the agent with Tenants While the wizard doesn't support selecting Tenants or Tenant tags, the agent can be configured for tenanted deployments in two ways:
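Review bot: In the first hunk of patch 1/5, `storageClassName: {your-custom-value} #required` is not a usable placeholder: YAML parses `{your-custom-value}` as a flow mapping, so a reader who copies the block gets a mapping where the chart expects a string. Quote the placeholder, e.g. `storageClassName: "<your-storage-class>" # required`. The `mountOptions` block (`uid=999`, `forceuid`, `file_mode`, `dir_mode`) is CIFS/SMB-style syntax, so the text should say which storage driver it applies to; the sentence "To make sure that you will not have problems with PV StorageClass requires to have explicit UID to match one from securityContext" also needs rewording, e.g. "The StorageClass must mount the volume with a UID matching `runAsUser`, otherwise the pod cannot write to its persistent volume." Consider adding `runAsNonRoot: true` alongside `runAsUser: 999` in both `securityContext` blocks so the kubelet rejects the pod if an image ever runs as root, and "Openshift" should be spelled "OpenShift".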
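Review bot: Renaming the heading in patch 2/5 from "Strict security context" to "Non-root configuration" changes the generated anchor from `#strict-security-context` to `#non-root-configuration`; any existing inbound link to the old anchor will break, so check the docs for references and keep the later cross-references in this series consistent with the new anchor.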
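Review bot: The link added in patch 3/5, `[Kubernetes Agent](/docs/kubernetes/targets/kubernetes-agent#non-root-mode)`, points at an anchor that does not exist: the agent heading introduced in patch 2/5 is "Non-root configuration", which renders as `#non-root-configuration`. Either fix the fragment or rename the worker heading and link text so both pages use the same term.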
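Review bot: In the first hunk of patch 4/5, "UID/GID should be 999" still does not say why: state that 999 is the user the agent and script images are built with, and whether a different UID is supported at all. As written, "should" reads like a recommendation, while the StorageClass `uid=999` mount option later in the section implies it is a hard requirement.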
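Review bot: In the second hunk of patch 4/5, the new "Auto-upgrader" block reuses the variable name `POD_SCRIPTS_SERVICE_ACCOUNT` for a different service account (`octopus-agent-auto-upgrader`); rename it to something like `AUTO_UPGRADER_SERVICE_ACCOUNT` so a reader who sets the variables once for all three blocks does not silently overwrite the scripts account. `NS_NAME="octopus-agent-"` with a trailing hyphen looks like a truncated value rather than a placeholder; use an explicit one such as `NS_NAME="<your-agent-namespace>"`. Since `nonroot-v2` only admits pods that run with a non-zero UID, the text should also say that the Helm values from the non-root section must be applied before these `oc adm policy add-scc-to-user` commands are useful.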
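Review bot: The link text added in patch 5/5 has a typo, "Non-root configurationg"; it should read `[Non-root configuration](#non-root-configuration)`. This sentence would also serve readers better at the top of the OpenShift section, before the SCC commands, since the SCC assignment depends on those values being set.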