Deploying to OpenShift

Overview

OpenShift is Red Hat’s enterprise Kubernetes distribution, known for its built-in security layers such as Security Context Constraints (SCCs). Deploying SigNoz here keeps that hardening intact while adding end-to-end observability.

This guide walks you through creating the necessary SCC, installing SigNoz with the official Helm chart, and verifying the deployment, so you can start collecting logs, metrics, and traces from your OpenShift workloads in just a few steps.

Prerequisites

  • An existing OpenShift cluster
  • Either the oc or kubectl CLI is configured and authenticated
  • Kubernetes v1.22 or newer (architectures: x86_64, amd64, arm64)
  • Helm v3.8 or newer
  • The following table describes the hardware requirements that are needed to install SigNoz on Kubernetes:
    ComponentMinimal RequirementsRecommended
    Memory8 GB16 GB
    CPU4 cores8 cores
    Storage30 GB80 GB

Setup

Step 1: Configure Security Context Constraints (SCC)

OpenShift enforces Security Context Constraints (SCCs) to control what actions pods can perform and what resources they can access, similar to how RBAC controls user permissions.

SCCs let administrators define a pod's security conditions for admission and running in the cluster. SCCs consists following key settings:

  • RunAsUser: Specifies the user ID under which SigNoz runs. You must configure this constraint to allow a non-root user ID.

  • SELinuxContext: Sets the SELinux label for the containers. Only adjust this if SigNoz must run as root; non-root deployments usually don’t need special SELinux rules.

  • FSGroup: Specifies the fsGroup IDs for file system access. You must configure this constraint to give SigNoz group access to the files it needs.

  • Volumes: Specifies the persistent volumes used for storage. You must configure this constraint to give SigNoz access to the volumes it needs.

To run SigNoz on an OpenShift cluster, create an SCC with these key settings:

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: signoz-scc

allowPrivilegedContainer: false
runAsUser:
  type: RunAsAny        # allow any container UID
fsGroup:
  type: RunAsAny        # allow any supplemental GID
seLinuxContext:
  type: RunAsAny        # no SELinux label constraints
volumes:
  - persistentVolumeClaim # mounted PVC
  - emptyDir              # ephemeral scratch space
  - configMap             # ConfigMap files
  - projected             # combined CM/secret/etc.
  - downwardAPI           # expose pod metadata

readOnlyRootFilesystem: false
allowHostDirVolumePlugin: false 

users:
  # Bind the SCC to Required Service Accounts for SigNoz
  - system:serviceaccount:<NAMESPACE>:signoz-clickhouse
  - system:serviceaccount:<NAMESPACE>:default

Apply the SCCs to the OpenShift Cluster:

oc apply -f signoz_scc.yaml

Step 2: Install SigNoz

Helm Installation

The SigNoz Helm chart will install the following components into your Kubernetes cluster:

  • SigNoz
  • SigNoz Collector
  • Clickhouse
  • Zookeeper
  1. Find a storage class to use in your cluster:
kubectl get storageclass
  1. Create a values.yaml file that will contain the configuration for the chart. Here is a minimal example to get started:
global:
  storageClass: <storage-class>

clickhouse:
  installCustomStorageClass: true

You can find an exhaustive list of the parameters here.

Info

For OpenShift cluster, you need to set up the storageclasses with a compatible provisioner

  1. Install SigNoz:
helm repo add signoz https://charts.signoz.io
helm repo update
helm install signoz signoz/signoz \
   --namespace <namespace> --create-namespace \
   --wait \
   --timeout 1h \
   -f values.yaml

Test the installation

  1. In another terminal, port-forward Signoz on its HTTP port. (By default, signoz exposes its http server on port 8080.)
kubectl port-forward -n <namespace> svc/signoz 8080:8080
  1. Run the following command to check the health of signoz:
curl -X GET http://localhost:8080/api/v1/health
  1. If the installation is successful, you should see the following output:
{"status":"ok"}
Info

By default, retention period is set to 7 days for logs and traces, and 30 days for metrics. To change this, navigate to the General tab on the Settings page of SigNoz UI.

For more details, refer to https://signoz.io/docs/userguide/retention-period.

Step 3 (Optional): Install OpenTelemetry Demo

The OpenTelemetry Demo is a microservice-based distributed system intended to illustrate the implementation of OpenTelemetry in a near real-world environment. See more details at OpenTelemetry Demo.

  1. Get the address of the SigNoz collector:
kubectl get -n <namespace> svc/signoz-otel-collector

This value will be used in the next step to configure the OpenTelemetry Demo to send data to the SigNoz collector.

  1. Create a values.yaml file that will contain the configuration for the chart and send it to your SigNoz installation:
default:
  env:
    - name: OTEL_SERVICE_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: "metadata.labels['app.kubernetes.io/component']"
    - name: OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE
      value: cumulative
    - name: OTEL_RESOURCE_ATTRIBUTES
      value: 'service.name=$(OTEL_SERVICE_NAME),service.namespace=opentelemetry-demo,service.version={{ .Values.appVersion }}'
    - name: OTEL_COLLECTOR_NAME
      value: signoz-otel-collector.<namespace>.svc.cluster.local

Note: The OTEL_COLLECTOR_NAME is the address obtained in the previous step.

  1. Install OpenTelemetry Demo:
helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
helm repo update
helm install otel-demo open-telemetry/opentelemetry-demo -f values.yaml

More details on the installation can be found here.

Step 4 (Optional): SCCs for running K8s-Infra (Kubernetes Monitoring)

We require the following SCCs to be added to the OpenShift cluster for the installation of K8s-infra for Kubernetes Monitoring

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: signoz-k8s-infra-agent-scc
allowPrivilegedContainer: false
allowHostPorts: true
runAsUser:
  type: RunAsAny        # any container UID
fsGroup:
  type: RunAsAny        # any supplemental GID
seLinuxContext:
  type: RunAsAny        # any SELinux label
volumes:
  - persistentVolumeClaim # PVC
  - configMap             # ConfigMap files
  - projected             # combined CM/secret/etc.
  - downwardAPI           # pod metadata
  - hostPath              # host directory
  - secret                # Secret files

readOnlyRootFilesystem: false
allowHostDirVolumePlugin: true
# Bind this SCC only to the k8s-infra-otel-agent SA in the namespace
users:
  - system:serviceaccount:<NAMESPACE>:k8s-infra-otel-agent

Next Steps

Was this page helpful?

Prev
Deploying to AKS
Next
Deploying to Digital Ocean
On this page
Overview
Prerequisites
Setup
Step 1: Configure Security Context Constraints (SCC)
Step 2: Install SigNoz
Step 3 (Optional): Install OpenTelemetry Demo
Step 4 (Optional): SCCs for running K8s-Infra (Kubernetes Monitoring)
Next Steps
Docs
IntroductionContributingMigrate from DatadogSigNoz API
Community
Support
Slack
Twitter
Launch Week
Changelog
Dashboard Templates
DevOps Wordle
Newsletter
More
SigNoz vs DatadogSigNoz vs New RelicSigNoz vs GrafanaSigNoz vs Dynatrace
Careers
AboutTermsPrivacySecurity & Compliance
SigNoz
All systems operational