Installing NGINX Ingress Operator on Azure Red Hat OpenShift

A quick post on how to get NGINX Ingress Operator working on your OpenShift cluster.

Utkarsh Shigihalli
Feb 26, 2023

NGINX Ingress is a type of Kubernetes ingress resource that lets you load balance traffic to the workloads on your Kubernetes cluster, such as OpenShift. Installing NGINX Ingress is similar to installing other custom resources on your cluster.

In the Red Hat OpenShift world though, including Azure Red Hat OpenShift, the recommended way to bring in custom resources is through OpenShift Operators via Operator Hub.

Installing NGINX Ingress Operator

Sign in to the cluster, head to Operator Hub, and search for NGINX.

You will see NGINX Ingress Operator, which is a certified operator.

Click on it and click Install.

On the next screen, you select the update channel and namespace. In our case, we would like this operator to be available to all the namespaces in the cluster. I will leave the namespace as-is, as it is recommended by the Operator.

Finally, select Manual for Update approval. This ensures there are no automatic updates of the operator.

This is essential because the Ingress Controller, Kubernetes and Operator versions are interlinked, and an unintentional update of the operator can cause unintended consequences. Read more: https://docs.nginx.com/nginx-ingress-controller/technical-specifications/#supported-kubernetes-versions

Once we click Install, it will ask for approval since we selected Manual for Update approval. Click Approve.

You will see the installation complete soon after, and we can verify the installed operator from the Installed Operators screen.

Install Security Context Constraints (SCC)

Before we install the ingress controller, we need to install an SCC on our cluster, which binds additional permissions to the NGINX Ingress service accounts.

The YAML is available here

kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: nginx-ingress-admin
allowPrivilegedContainer: true
runAsUser:
  type: MustRunAs
  uid: 101
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowHostDirVolumePlugin: false
allowHostIPC: false
readOnlyRootFilesystem: false
volumes:
- secret
defaultAddCapabilities:
- "NET_BIND_SERVICE"
requiredDropCapabilities:
- ALL
users:
- 'system:serviceaccount:*:nginx-ingress'
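
An added example, not part of the original post or the NGINX project's code: a small Python check that reads this SCC as JSON (the form `oc get scc nginx-ingress-admin -o json` returns) and lists the settings worth reviewing before you apply it, such as `allowPrivilegedContainer: true` and the `*` namespace in `users`. The function name, check IDs and the assumption that `NET_BIND_SERVICE` is the only capability the SCC should add are illustrative.

```python
import json

# Constructed sample: the SCC from this page in JSON form
# (server-added metadata omitted).
SAMPLE_SCC = json.loads("""
{
  "kind": "SecurityContextConstraints",
  "apiVersion": "security.openshift.io/v1",
  "metadata": {"name": "nginx-ingress-admin"},
  "allowPrivilegedContainer": true,
  "runAsUser": {"type": "MustRunAs", "uid": 101},
  "seLinuxContext": {"type": "MustRunAs"},
  "fsGroup": {"type": "MustRunAs"},
  "supplementalGroups": {"type": "MustRunAs"},
  "allowHostNetwork": false, "allowHostPID": false, "allowHostPorts": false,
  "allowHostDirVolumePlugin": false, "allowHostIPC": false,
  "readOnlyRootFilesystem": false,
  "volumes": ["secret"],
  "defaultAddCapabilities": ["NET_BIND_SERVICE"],
  "requiredDropCapabilities": ["ALL"],
  "users": ["system:serviceaccount:*:nginx-ingress"]
}
""")

HOST_FLAGS = ("allowHostNetwork", "allowHostPID", "allowHostPorts",
              "allowHostDirVolumePlugin", "allowHostIPC")
EXPECTED_CAPS = {"NET_BIND_SERVICE"}  # assumption: the only capability this SCC should add


def audit_scc(scc):
    """Return (check_id, message) pairs for settings that deserve a review."""
    findings = []
    if scc.get("allowPrivilegedContainer"):
        findings.append(("privileged", "pods admitted under this SCC may request privileged mode"))
    for flag in HOST_FLAGS:
        if scc.get(flag):
            findings.append(("host-access", f"{flag} is enabled"))
    if (scc.get("runAsUser") or {}).get("type") == "RunAsAny":
        findings.append(("run-as-any", "no UID restriction; containers may run as root"))
    added = set(scc.get("defaultAddCapabilities") or []) | set(scc.get("allowedCapabilities") or [])
    for cap in sorted(added - EXPECTED_CAPS):
        findings.append(("capability", f"unexpected capability {cap}"))
    if "ALL" not in (scc.get("requiredDropCapabilities") or []):
        findings.append(("no-drop-all", "requiredDropCapabilities does not drop ALL"))
    for user in scc.get("users") or []:
        parts = user.split(":")
        if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"] and parts[2] == "*":
            findings.append(("wildcard-namespace", f"{user} names no specific namespace"))
    return findings
```

Calling `audit_scc(SAMPLE_SCC)` on the manifest above reports the `privileged` and `wildcard-namespace` findings; the host-access, UID and capability checks pass.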

That is it! In a future post, we will see how to use the operator to expose the service.
