Curiosity

Deploying on OpenShift

OpenShift runs the same container image as every other platform. The differences from the Kubernetes guide are:

  • OpenShift admits every pod through SecurityContextConstraints (SCCs), which vanilla Kubernetes does not have. By default a workload gets the restricted-v2 SCC, which ignores the image's USER and assigns a UID from the namespace's allocated range.
  • OpenShift Route objects replace Ingress (Ingress is also supported; the OpenShift router translates Ingress objects into Routes).
  • Persistent storage classes are platform-dependent (Ceph, OpenShift Data Foundation, vSphere CSI, …).

Prerequisites

  • A working OpenShift cluster (4.11 or later; the nonroot-v2 SCC used below was introduced in 4.11). For local development, OpenShift Local works.
  • Cluster-admin access to create the manifests below. A namespace admin can create the Route and the StatefulSet, but the RoleBinding that grants the nonroot-v2 SCC references a ClusterRole a namespace admin does not hold, so RBAC escalation prevention rejects it unless a cluster-admin creates it (or grants bind rights on that ClusterRole).
  • A storage class that supports ReadWriteOnce (RWO) block storage.

Image

The container lives at curiosityai/curiosity. For air-gapped clusters, mirror it to your internal registry first.

Pin in production

Pin to a versioned tag (curiosityai/curiosity:v1.42.0) in any non-local environment. Tags are mutable, so where you mirror the image, pin the digest you mirrored (curiosityai/curiosity@sha256:…) for the strongest guarantee. See Upgrades and migrations.

Manifest

The manifest from the Kubernetes guide works on OpenShift with two changes:

  1. Replace Ingress with a Route for OpenShift-native traffic ingress (or keep Ingress; the OpenShift router translates Ingress objects into Routes).
  2. Add an SCC binding so the pod may run as the fixed non-root UID the image uses (10000). Without it, restricted-v2 is the only SCC available and admission either assigns a random UID from the namespace range or, if the pod template declares UID 10000, rejects the pod.

OpenShift overlay:

# Route: TLS terminated by the OpenShift router at the edge; plain-HTTP
# requests are redirected rather than served.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: curiosity
  namespace: curiosity
spec:
  host: workspace.example.com
  to:
    kind: Service
    name: curiosity
  port:
    targetPort: http
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
---
# Grants the nonroot-v2 SCC (not the far broader anyuid) to the ServiceAccount
# the StatefulSet runs under, scoped to this namespace only. This binds the
# namespace's default ServiceAccount; if your StatefulSet sets
# serviceAccountName, bind that account instead. Equivalent CLI:
#   oc -n curiosity adm policy add-scc-to-user nonroot-v2 -z default
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: curiosity-nonroot-v2
  namespace: curiosity
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:openshift:scc:nonroot-v2
subjects:
  - kind: ServiceAccount
    name: default
    namespace: curiosity

Apply both files and wait for the pod. Then confirm which SCC admitted it: OpenShift records it in the pod's openshift.io/scc annotation, which should read nonroot-v2. If it reads restricted-v2, the pod is running under a random namespace UID and the runAsUser override under Security context is missing from the pod template.

oc apply -f curiosity.yaml -f curiosity-openshift.yaml
oc -n curiosity rollout status statefulset/curiosity

Persistent storage

OpenShift Data Foundation (Ceph RBD) and the vSphere CSI driver both support ReadWriteOnce. For Red Hat OpenShift on the major clouds, use the cloud-native storage class (gp3-csi on ROSA, managed-csi-premium on ARO, pd-ssd-csi on Red Hat OpenShift on GCP).

Security context

Workspace runs as UID 10000 inside the container. Admission tries the most restrictive SCC first, and restricted-v2 can admit any pod that leaves runAsUser unset (it assigns a UID from the namespace range and ignores the image's USER), so the nonroot-v2 grant above only takes effect when the pod template declares the UID. Add this to the StatefulSet's pod template; tighten it further (for example a custom SCC pinned to this UID) if your cluster policy requires it:

# StatefulSet: spec.template.spec.securityContext
spec:
  template:
    spec:
      securityContext:
        runAsUser: 10000        # matches the image's USER; outside the namespace range, so restricted-v2 cannot admit it and nonroot-v2 is selected
        runAsGroup: 10000
        fsGroup: 10000          # files on the PVC are group-owned by this GID so the volume is writable
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
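The selection rule described above, as an added example that is not Curiosity's code or OpenShift's admission code: a simplified Python model of the runAsUser strategies of restricted-v2 (MustRunAsRange over the namespace's UID range) and nonroot-v2 (MustRunAsNonRoot), tried most-restrictive first. The namespace range is a constructed value; real SCCs validate many more fields (capabilities, volumes, seccomp), and a pod that leaves runAsUser unset under nonroot-v2 is actually checked against the image's USER by the kubelet at start, which the model folds into the image_user argument.

```python
"""Simplified model of OpenShift SCC selection for a pod's run-as UID.

Added example, not Curiosity's code or OpenShift's admission code. It models
only the runAsUser strategies of restricted-v2 (MustRunAsRange) and
nonroot-v2 (MustRunAsNonRoot), tried most-restrictive first; real SCCs
validate many more fields. The namespace UID range below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed value in the format of the openshift.io/sa.scc.uid-range
# namespace annotation: "<start>/<size>".
NAMESPACE_UID_RANGE = "1000680000/10000"

# Admission order: most restrictive first (restricted-v2 before nonroot-v2).
SCC_ORDER = ("restricted-v2", "nonroot-v2")


@dataclass(frozen=True)
class Admission:
    scc: str   # admitting SCC (what the openshift.io/scc annotation records)
    uid: int   # effective UID the container runs as


def _must_run_as_range(run_as_user: Optional[int], uid_range: str) -> Optional[int]:
    """restricted-v2: an unset UID is mutated to the range start; a declared
    UID is accepted only if it lies inside the namespace range."""
    start, size = (int(part) for part in uid_range.split("/"))
    if run_as_user is None:
        return start
    if start <= run_as_user < start + size:
        return run_as_user
    return None


def _must_run_as_non_root(run_as_user: Optional[int],
                          image_user: Optional[int]) -> Optional[int]:
    """nonroot-v2: any non-zero UID passes; with runAsUser unset, the image's
    USER is what gets checked (folded in here as image_user)."""
    uid = run_as_user if run_as_user is not None else image_user
    if uid is None or uid == 0:
        return None
    return uid


def admit(pod_security_context: dict, image_user: Optional[int] = None,
          granted=SCC_ORDER, uid_range: str = NAMESPACE_UID_RANGE) -> Optional[Admission]:
    """Return the first granted SCC (in restrictiveness order) that can admit
    the pod together with the UID it will run as, or None if admission fails."""
    run_as_user = pod_security_context.get("runAsUser")
    for scc in SCC_ORDER:
        if scc not in granted:
            continue  # no RoleBinding for this SCC in the namespace
        if scc == "restricted-v2":
            uid = _must_run_as_range(run_as_user, uid_range)
        else:
            uid = _must_run_as_non_root(run_as_user, image_user)
        if uid is not None:
            return Admission(scc, uid)
    return None


if __name__ == "__main__":
    image_uid = 10000  # the image's USER, per this page
    cases = {
        "no runAsUser, nonroot-v2 granted": ({}, SCC_ORDER),
        "runAsUser 10000, nonroot-v2 granted": ({"runAsUser": 10000}, SCC_ORDER),
        "runAsUser 10000, only restricted-v2": ({"runAsUser": 10000}, ("restricted-v2",)),
        "runAsUser 0": ({"runAsUser": 0}, SCC_ORDER),
    }
    for label, (ctx, granted) in cases.items():
        print(f"{label}: {admit(ctx, image_user=image_uid, granted=granted)}")
```

The first case is the trap: with the RoleBinding in place but no runAsUser in the pod template, restricted-v2 still wins and the container runs as 1000680000, not 10000. The third case is what you see before the RoleBinding is applied (the pod is rejected outright), and the last shows that neither SCC will run the workload as root.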

Configuration

All configuration uses MSK_* environment variables; see the Configuration reference. Required at minimum:

  • MSK_GRAPH_STORAGE — absolute path inside the container where the graph volume is mounted.
  • MSK_ADMIN_PASSWORD — bootstrap admin password. If unset, the bootstrap credentials are admin/admin.
  • MSK_JWT_KEY — explicit JWT signing key. Without it a fresh key is generated on every restart, invalidating every issued token. Keep this and MSK_ADMIN_PASSWORD in a Secret rather than inline in the StatefulSet spec.
  • MSK_PUBLIC_ADDRESS — public-facing URL, i.e. https:// followed by your Route host (the Route above terminates TLS and redirects plain HTTP).
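A pre-flight check for these four settings, as an added example that is not Curiosity's own tooling: it flags missing or default values, checks MSK_PUBLIC_ADDRESS against the Route host, and renders the settings into a Secret (credentials) plus a ConfigMap (the rest) for envFrom. The length thresholds, the https/host consistency rule and the manifest names are this example's choices, not requirements documented for the product.

```python
"""Pre-flight check of the required MSK_* settings and rendering of them into
a Secret (credentials) and a ConfigMap (everything else).

Added example, not Curiosity's own tooling. Only the four variables named on
this page are assumed; thresholds, the https/host rule and the manifest names
are this example's choices.
"""
import json
import secrets
from urllib.parse import urlparse

REQUIRED = ("MSK_GRAPH_STORAGE", "MSK_ADMIN_PASSWORD", "MSK_JWT_KEY", "MSK_PUBLIC_ADDRESS")
SECRET_KEYS = {"MSK_ADMIN_PASSWORD", "MSK_JWT_KEY"}
MIN_PASSWORD_CHARS = 12   # example threshold, not a product requirement
MIN_JWT_KEY_CHARS = 32    # example threshold, not a product requirement


def new_jwt_key() -> str:
    """48 random bytes as URL-safe base64 (64 characters) for MSK_JWT_KEY."""
    return secrets.token_urlsafe(48)


def check_config(env: dict, route_host: str) -> list:
    """Return a list of problems; an empty list means the settings are deployable."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is not set")
    pw = env.get("MSK_ADMIN_PASSWORD")
    if pw and (pw == "admin" or len(pw) < MIN_PASSWORD_CHARS):
        problems.append(f"MSK_ADMIN_PASSWORD is the admin/admin default or shorter "
                        f"than {MIN_PASSWORD_CHARS} characters")
    jwt_key = env.get("MSK_JWT_KEY")
    if jwt_key and len(jwt_key) < MIN_JWT_KEY_CHARS:
        problems.append(f"MSK_JWT_KEY is shorter than {MIN_JWT_KEY_CHARS} characters")
    addr = env.get("MSK_PUBLIC_ADDRESS")
    if addr:
        parsed = urlparse(addr)
        if parsed.scheme != "https":
            problems.append("MSK_PUBLIC_ADDRESS must be https: the Route redirects plain HTTP")
        if parsed.hostname != route_host:
            problems.append(f"MSK_PUBLIC_ADDRESS host {parsed.hostname!r} "
                            f"is not the Route host {route_host!r}")
    storage = env.get("MSK_GRAPH_STORAGE")
    if storage and not storage.startswith("/"):
        problems.append("MSK_GRAPH_STORAGE must be an absolute path inside the container")
    return problems


def render_manifests(env: dict, namespace: str = "curiosity") -> tuple:
    """Split env into a Secret and a ConfigMap; reference both with envFrom so
    the credentials never appear inline in the StatefulSet spec."""
    secret = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": "curiosity-secrets", "namespace": namespace},
        "stringData": {k: v for k, v in env.items() if k in SECRET_KEYS},
    }
    configmap = {
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "curiosity-config", "namespace": namespace},
        "data": {k: v for k, v in env.items() if k not in SECRET_KEYS},
    }
    return secret, configmap


if __name__ == "__main__":
    route_host = "workspace.example.com"  # the Route host used on this page
    env = {
        "MSK_GRAPH_STORAGE": "/data/graph",             # constructed mount path
        "MSK_ADMIN_PASSWORD": secrets.token_urlsafe(18),
        "MSK_JWT_KEY": new_jwt_key(),
        "MSK_PUBLIC_ADDRESS": f"https://{route_host}",
    }
    problems = check_config(env, route_host)
    if problems:
        raise SystemExit("\n".join(problems))
    for doc in render_manifests(env):
        print(json.dumps(doc, indent=2))  # JSON is valid YAML for oc apply -f
```

Run it once per environment and feed the output to oc apply -f; the generated MSK_JWT_KEY must then stay in the Secret across upgrades, since replacing it has the same effect as leaving the variable unset (every issued token becomes invalid).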

Upgrades

Update the StatefulSet's image, then delete the pod by hand: with updateStrategy: OnDelete the controller never restarts a pod on its own, and rollout status will not complete until the pod has been recreated with the new image:

oc -n curiosity set image statefulset/curiosity curiosity=curiosityai/curiosity:v1.43.0
oc -n curiosity delete pod curiosity-0

Walk the broader Upgrades and migrations checklist first.


© 2026 Curiosity. All rights reserved.