Deploying the Operator into OpenShift

To ensure the Qpoint Operator functions correctly in OpenShift, specific configuration is required because of the Security Context Constraints (SCCs) that OpenShift enforces on top of the standard Kubernetes controls. The Qpoint Operator, and in particular its Qtap init container, requires privileged access to perform its intended operations: it intercepts and redirects network traffic, which is a fundamental capability of the Qpoint solution.

To achieve this, the Qtap init container is configured to run in privileged mode by setting the qpoint.io/qtap-init-run-as-privileged: "true" annotation in the Helm chart's values file. Privileged mode grants the container elevated permissions that OpenShift's default SCCs would otherwise deny.

The configuration snippet below lists the annotations and values required for deploying the Qpoint Operator with Helm. Among them, the qpoint.io/qtap-init-run-as-privileged: "true" annotation is critical: without it the init container cannot obtain the elevated privileges needed for its network operations. Note that the elevated settings (run-as-user 0, run-as-non-root false, privileged) apply only to the init container; the Qtap container itself runs as the non-root user and group 1010 given by qpoint.io/qtap-uid and qpoint.io/qtap-gid. Other annotations, such as the port mapping (qpoint.io/qtap-init-egress-port-mapping) and the logging level (qpoint.io/qtap-log-level), fine-tune the behavior of the Qpoint Operator within your OpenShift environment.

helm install qtap-operator qpoint/qtap-operator --namespace qpoint --create-namespace -f values.yaml

# values.yaml
token: "API_TOKEN"
injectPodAnnotationsConfigmap:
  annotationsYaml: |-
    qpoint.io/inject-ca: "true"
    qpoint.io/qtap-init-tag: "v0.0.8"
    qpoint.io/qtap-init-run-as-user: "0"
    qpoint.io/qtap-init-run-as-group: "0"
    qpoint.io/qtap-init-run-as-non-root: "false"
    qpoint.io/qtap-init-run-as-privileged: "true"
    qpoint.io/qtap-tag: "v0.0.20"
    qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
    qpoint.io/qtap-init-egress-accept-uids: "1010"
    qpoint.io/qtap-init-egress-accept-gids: "1010"
    qpoint.io/qtap-uid: "1010"
    qpoint.io/qtap-gid: "1010"
    qpoint.io/qtap-log-level: "info"
    qpoint.io/qtap-log-encoding: "json"
    qpoint.io/qtap-log-caller: "false"
    qpoint.io/qtap-egress-http-listen: "0.0.0.0:10080"
    qpoint.io/qtap-egress-https-listen: "0.0.0.0:10443"
    qpoint.io/qtap-status-listen: "0.0.0.0:10001"
    qpoint.io/qtap-block-unknown: "false"
    qpoint.io/qtap-envoy-log-level: "error"
    qpoint.io/qtap-dns-lookup-family: "V4_ONLY"
    qpoint.io/qtap-api-endpoint: "https://api.qpoint.io"
    qpoint.io/qtap-labels-tags-filter: "app,.*name$"
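The annotations above are only meaningful in combination: the egress port mapping must redirect to ports the Qtap container actually listens on, the accept-uids/gids lists must cover the Qtap container's own uid/gid, and the init container's security settings must not contradict each other (for example run-as-non-root "true" together with run-as-user "0" is rejected by the kubelet). The following Python script is an added example, not part of the Qpoint documentation or the operator's own tooling; it checks a values block for those relationships before it is applied. It assumes, from the values on this page, that the mapping format is "proxy_port:destination_port" and that the accept-uids/gids are the identities whose egress bypasses the redirect (so the proxy's own traffic is not looped back to itself); both readings are inferred, not confirmed by the page.

```python
import re

# Constructed subset of the annotations from the values.yaml on this page;
# only the keys the checks below depend on are included.
PAGE_ANNOTATIONS = """\
qpoint.io/qtap-init-run-as-user: "0"
qpoint.io/qtap-init-run-as-group: "0"
qpoint.io/qtap-init-run-as-non-root: "false"
qpoint.io/qtap-init-run-as-privileged: "true"
qpoint.io/qtap-init-egress-port-mapping: "10080:80,10443:443"
qpoint.io/qtap-init-egress-accept-uids: "1010"
qpoint.io/qtap-init-egress-accept-gids: "1010"
qpoint.io/qtap-uid: "1010"
qpoint.io/qtap-gid: "1010"
qpoint.io/qtap-egress-http-listen: "0.0.0.0:10080"
qpoint.io/qtap-egress-https-listen: "0.0.0.0:10443"
"""

# Matches one flat `qpoint.io/key: "value"` line, so PyYAML is not required.
ANNOTATION_RE = re.compile(r'^\s*(qpoint\.io/[\w.-]+):\s*"([^"]*)"\s*$')


def parse_annotations(text: str) -> dict:
    """Parse the flat annotation lines of the values block into a dict."""
    annotations = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = ANNOTATION_RE.match(line)
        if not match:
            raise ValueError(f"unparseable annotation line: {line!r}")
        annotations[match.group(1)] = match.group(2)
    return annotations


def parse_port_mapping(spec: str) -> dict:
    """'10080:80,10443:443' -> {80: 10080, 443: 10443} (destination -> proxy port).
    The proxy_port:destination_port order is an assumption inferred from the page."""
    mapping = {}
    for pair in spec.split(","):
        proxy_port, dest_port = pair.split(":")
        mapping[int(dest_port)] = int(proxy_port)
    return mapping


def listen_port(addr: str) -> int:
    """Extract the port from a 'host:port' listen address."""
    return int(addr.rsplit(":", 1)[1])


def check_annotations(ann: dict) -> list:
    """Return a list of consistency problems; an empty list means the block is coherent."""
    issues = []
    get = lambda key: ann["qpoint.io/" + key]

    # 1. Every redirected port must land on a port the Qtap container listens on.
    listens = {listen_port(get("qtap-egress-http-listen")),
               listen_port(get("qtap-egress-https-listen"))}
    for dest, proxy in parse_port_mapping(get("qtap-init-egress-port-mapping")).items():
        if proxy not in listens:
            issues.append(f"port {dest} is redirected to {proxy}, but qtap does not listen there")

    # 2. The proxy's own uid/gid must be in the accept lists (assumed bypass semantics),
    #    otherwise its outbound connections would be redirected back to itself.
    if get("qtap-uid") not in get("qtap-init-egress-accept-uids").split(","):
        issues.append("qtap-uid is not in qtap-init-egress-accept-uids")
    if get("qtap-gid") not in get("qtap-init-egress-accept-gids").split(","):
        issues.append("qtap-gid is not in qtap-init-egress-accept-gids")

    # 3. runAsNonRoot=true with runAsUser=0 is rejected by the kubelet at pod start.
    if get("qtap-init-run-as-non-root") == "true" and get("qtap-init-run-as-user") == "0":
        issues.append("init container sets run-as-non-root true but run-as-user 0")

    # 4. Only the init container needs elevated privileges; keep the long-running
    #    Qtap container itself off uid 0.
    if get("qtap-uid") == "0":
        issues.append("qtap container would run as root; only the init container needs it")
    return issues


if __name__ == "__main__":
    for issue in check_annotations(parse_annotations(PAGE_ANNOTATIONS)) or ["no issues found"]:
        print(issue)
```

Run it against a values file before `helm install`; any non-empty result points at an annotation pair to reconcile. Extending the check with the annotations for a second environment only requires adding their lines to the parsed block.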
