doc: OpenShift deployment guide for SPIRE signing demos #252

@Schimuneck

Description

Problem

The AgentCard demo docs assume a Kind cluster and don't cover OpenShift-specific requirements. Running the SPIRE signing, enforcement, and proactive restart demos on OpenShift requires several undocumented workarounds.

OpenShift-specific requirements discovered

1. SELinux blocks SPIRE agent socket access

The SPIRE CSI driver mounts the agent socket with SELinux label container_var_run_t:s0. Pods using the default SELinux context can't access the socket, even with 777 file permissions. The init container fails with:

transport: Error while dialing: dial unix /run/spire/agent-sockets/spire-agent.sock: connect: permission denied

Fix: Add seLinuxOptions.type: spc_t to the pod-level securityContext, and grant the service account the privileged SCC:

oc adm policy add-scc-to-user privileged -z weather-agent-sa -n agents

2. NetworkPolicy blocks operator → agent traffic

The restrictive NetworkPolicy created by the operator allows ingress only from namespaces labeled control-plane: kagenti-operator. The operator namespace (kagenti-operator-system) doesn't have this label by default.

Fix: Label the operator namespace:

oc label ns kagenti-operator-system control-plane=kagenti-operator

3. Pod security level for agents namespace

OpenShift enforces pod security standards. The agents namespace needs the privileged level for CSI driver volumes:

oc label ns agents pod-security.kubernetes.io/enforce=privileged --overwrite

4. SPIFFE CSI driver SCC

The SPIRE Helm chart's CSI driver DaemonSet needs the privileged SCC. The Helm chart uses service account spire-spiffe-csi-driver (not spiffe-csi-driver):

oc adm policy add-scc-to-user privileged -z spire-spiffe-csi-driver -n spire-system
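As an added illustration of requirement 1 (not a manifest from the kagenti repo), this is a minimal Pod spec for the agents namespace that sets the pod-level seLinuxOptions and mounts the SPIFFE CSI socket at the path seen in the error above. It assumes the weather-agent-sa service account already holds the privileged SCC and the agents namespace carries the privileged pod-security label; the container names, images and env var are placeholders.

```yaml
# Added example, not from the kagenti project: pod-level SELinux context plus the
# SPIFFE CSI socket mount. Images and container names are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: weather-agent          # placeholder name
  namespace: agents            # labelled pod-security.kubernetes.io/enforce=privileged
spec:
  serviceAccountName: weather-agent-sa   # granted the privileged SCC via oc adm policy
  securityContext:
    seLinuxOptions:
      type: spc_t              # allows access to the container_var_run_t-labelled socket;
                               # this is the "super privileged container" type, so keep it
                               # to the workloads that actually need the agent socket
  initContainers:
    - name: agentcard-sign     # placeholder: the init step that dials the SPIRE agent
      image: registry.example.com/agentcard-signer:latest   # placeholder image
      env:
        - name: SPIFFE_ENDPOINT_SOCKET   # standard Workload API endpoint variable
          value: unix:///run/spire/agent-sockets/spire-agent.sock
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /run/spire/agent-sockets
          readOnly: true
  containers:
    - name: weather-agent
      image: registry.example.com/weather-agent:latest       # placeholder image
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /run/spire/agent-sockets
          readOnly: true
  volumes:
    - name: spiffe-workload-api
      csi:
        driver: csi.spiffe.io  # driver installed by the SPIRE Helm chart's CSI DaemonSet
        readOnly: true
```

If the init container still reports "connect: permission denied", check with oc get pod -o yaml that the seLinuxOptions survived admission (the SCC must allow the type) before changing anything on the socket itself.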

Suggested fix

Add an OpenShift-specific section to the SPIRE signing demo doc (demos/agentcard-spire-signing/demo.md) covering:

  • SCC requirements for SPIRE components and agent workloads
  • SELinux context requirements for pods accessing the SPIRE socket
  • Namespace labeling requirements (pod security, operator control-plane)
  • Trust bundle ConfigMap labeling (see related issue about ConfigMap cache scope)

Found during

E2E walkthrough of all 4 AgentCard demo scenarios on OpenShift 4.19 (ROSA), operator built from main at commit 06e0419.
