OpenShift

SDP operators are certified for the OpenShift platform and can be installed from the OperatorHub.

OpenShift installations with FIPS mode enabled are not supported, because neither the SDP operators nor the supported Apache products are FIPS-compliant.

Customizing operator installations

As described in the OpenShift Subscription documentation, you can configure the deployed operators.

For example, depending on the cluster size, you may need to customize the resources requested by the SDP operator containers. This is possible when installing the operators via a Subscription custom resource.

For example, to assign 256Mi of memory to the Apache Kafka operator, you need to create a custom Subscription as follows:

---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: stackable-kafka-operator
  namespace: stackable-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: stackable-kafka-operator
  source: certified-operators
  sourceNamespace: openshift-marketplace
  startingCSV: kafka-operator.v24.7.0
  config:
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
      limits:
        cpu: 100m
        memory: 256Mi

In addition, you can restrict the operator to watching a specific namespace. By default, the operator watches all namespaces. For example, to restrict the Kafka operator to watching only a namespace called kafka-namespace, add the following properties to the Subscription manifest:

spec:
  config:
    env:
      - name: WATCH_NAMESPACE
        value: kafka-namespace

The described configuration mechanism currently does not work for the secret-operator and listener-operator due to restrictions on deploying DaemonSets.

Security context constraints

Starting with release 24.7.0, all products run with the nonroot-v2 security context constraints (SCC) on OpenShift. This security context is used by the product’s cluster role.

Operators (with two exceptions) don’t request a specific SCC to run with. Usually OpenShift will select the restricted or restricted-v2 SCC unless the cluster admins have specifically assigned a different one to the namespace where the operators are running. The two exceptions are the secret and the listener operators. These need additional permissions not available in the restricted SCCs to propagate volume mounts to the requesting pods.
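
To check which SCC each pod was actually admitted under, the sketch below (an added example, not part of the SDP documentation) reads the openshift.io/scc annotation that OpenShift sets on admitted pods and lists pods that deviate from the expectations described above. It takes the parsed output of `oc get pods -o json` for the operator and product namespaces; the pod names, the substrings used to recognise the secret and listener operators, and the sample data are assumptions made for illustration.

```python
import json

OPERATOR_SCCS = {"restricted", "restricted-v2"}    # usual SCCs for operators
PRODUCT_SCCS = {"nonroot-v2"}                      # products since 24.7.0
EXEMPT = ("secret-operator", "listener-operator")  # assumed pod-name substrings


def audit_scc(pod_list, operator_namespace="stackable-operators"):
    """Return (namespace, pod, scc, reason) tuples for pods worth reviewing."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        ns, name = meta.get("namespace", ""), meta.get("name", "")
        scc = (meta.get("annotations") or {}).get("openshift.io/scc")
        if ns == operator_namespace and any(m in name for m in EXEMPT):
            continue  # documented exceptions: need more than the restricted SCCs
        expected = OPERATOR_SCCS if ns == operator_namespace else PRODUCT_SCCS
        if scc is None:
            findings.append((ns, name, None, "no openshift.io/scc annotation"))
        elif scc not in expected:
            reason = "expected one of " + ", ".join(sorted(expected))
            findings.append((ns, name, scc, reason))
    return findings


# Constructed sample, trimmed to the fields the audit reads.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "stackable-operators", "name": "kafka-operator-7d9f",
               "annotations": {"openshift.io/scc": "restricted-v2"}}},
 {"metadata": {"namespace": "stackable-operators", "name": "secret-operator-x2k",
               "annotations": {"openshift.io/scc": "custom-scc"}}},
 {"metadata": {"namespace": "stackable-operators", "name": "zookeeper-operator-5c1a",
               "annotations": {"openshift.io/scc": "anyuid"}}},
 {"metadata": {"namespace": "kafka-namespace", "name": "simple-kafka-broker-0",
               "annotations": {"openshift.io/scc": "nonroot-v2"}}},
 {"metadata": {"namespace": "kafka-namespace", "name": "simple-kafka-broker-1",
               "annotations": {"openshift.io/scc": "restricted-v2"}}},
 {"metadata": {"namespace": "kafka-namespace", "name": "debug-pod"}}
]}
""")

if __name__ == "__main__":
    for finding in audit_scc(SAMPLE):
        print(finding)
```

An operator pod listed here is not necessarily misconfigured, since cluster admins may have assigned a different SCC to the namespace on purpose; treat the output as a list to review.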