
MarkLogic® Server on Kubernetes

OpenShift configuration requirements

  • Last Updated: April 14, 2026

Red Hat OpenShift has platform-specific constraints and security restrictions that require configuration changes when deploying MarkLogic clusters. You must configure alternative HAProxy port bindings to avoid port conflicts and set up Security Context Constraints to meet OpenShift's security requirements.

HAProxy configuration

By default, the Operator manifest specifies port 443 as the HAProxy frontend port. However, OpenShift reserves port 443 for system services, preventing HAProxy from binding to this port. Therefore, when port 443 is used, the HAProxy pods will fail to start due to port binding conflicts, and CrashLoopBackOff errors will occur. To avoid such issues, configure HAProxy to use an alternative port by modifying the frontendPort setting in the Operator manifest. For example:

  haproxy:
    enabled: true
    pathBasedRouting: true
    frontendPort: 8443

This configuration uses port 8443 instead of the default port 443, avoiding the conflict with OpenShift system services.

Security Context Constraints configuration

By default, MarkLogic runs as user ID (UID) 1000. However, OpenShift restricts pod UIDs to specific ranges (typically [1001030000, 1001039999]) for security purposes. This UID mismatch prevents MarkLogic pods from starting, causing the StatefulSet to remain in a non-ready state.

To resolve this issue, create a custom Security Context Constraint (SCC) that allows UID 1000, along with a dedicated ServiceAccount. Follow these steps before deploying your MarkLogic cluster:

  1. Create a Security Context Constraint

Create a custom SCC that permits UID 1000:

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: uid-marklogic-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: false
allowPrivilegedContainer: false
allowedCapabilities: []
defaultAddCapabilities: []
fsGroup:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAs
  uid: 1000
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: MustRunAs
  ranges:
  - min: 1000
    max: 1000
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

  2. Create a ServiceAccount

Create a dedicated ServiceAccount for MarkLogic:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: marklogic-sa
  namespace: <your-namespace>

  3. Apply the Security Context Constraint

Apply the SCC to the ServiceAccount using the OpenShift CLI:

oc adm policy add-scc-to-user uid-marklogic-scc -z marklogic-sa -n <your-namespace>

  4. Reference the ServiceAccount in your Operator manifest

Finally, specify the ServiceAccount in your MarkLogic cluster manifest:

apiVersion: marklogic.progress.com/v1
kind: MarklogicCluster
metadata:
  name: your-cluster
  namespace: <your-namespace>
spec:
  serviceAccount: marklogic-sa
  # ... rest of your configuration
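
Because the custom SCC is a deliberate exception to OpenShift's default UID range, it is worth checking periodically that the object in the cluster still matches the manifest in step 1. The following is an added example, not part of the MarkLogic documentation or Operator: it audits the JSON form of the SCC (assumed to come from `oc get scc uid-marklogic-scc -o json`) against the settings shown above. The function name `audit_scc` is hypothetical and the `DRIFTED` input is constructed.

```python
import json

# Baseline taken from the uid-marklogic-scc manifest in step 1 of this page.
HOST_FLAGS = ("allowHostDirVolumePlugin", "allowHostIPC", "allowHostNetwork",
              "allowHostPID", "allowHostPorts", "allowPrivilegeEscalation",
              "allowPrivilegedContainer")
ALLOWED_VOLUMES = {"configMap", "downwardAPI", "emptyDir",
                   "persistentVolumeClaim", "projected", "secret"}
UID = 1000

def audit_scc(scc):
    """Return deviations from the page's SCC; an empty list means it matches."""
    findings = []
    for flag in HOST_FLAGS:
        if scc.get(flag) is not False:
            findings.append(f"{flag} must be false")
    for key in ("allowedCapabilities", "defaultAddCapabilities"):
        if scc.get(key):  # the API may return null or [] for "none"
            findings.append(f"{key} grants {scc[key]}")
    if "ALL" not in (scc.get("requiredDropCapabilities") or []):
        findings.append("requiredDropCapabilities does not drop ALL")
    run_as = scc.get("runAsUser") or {}
    if run_as.get("type") != "MustRunAs" or run_as.get("uid") != UID:
        findings.append(f"runAsUser is not pinned to UID {UID}")
    for key in ("fsGroup", "supplementalGroups"):
        s = scc.get(key) or {}
        pinned = s.get("ranges") and all(
            r.get("min") == UID and r.get("max") == UID for r in s["ranges"])
        if s.get("type") != "MustRunAs" or not pinned:
            findings.append(f"{key} is not pinned to GID {UID}")
    extra = set(scc.get("volumes") or []) - ALLOWED_VOLUMES
    if extra:
        findings.append(f"unexpected volume types: {sorted(extra)}")
    return findings

# Constructed sample: the page's SCC with three settings loosened.
DRIFTED = json.loads("""{
  "allowHostDirVolumePlugin": false, "allowHostIPC": false, "allowHostNetwork": false,
  "allowHostPID": false, "allowHostPorts": false, "allowPrivilegedContainer": false,
  "allowPrivilegeEscalation": true,
  "allowedCapabilities": null, "defaultAddCapabilities": null,
  "requiredDropCapabilities": ["ALL"],
  "runAsUser": {"type": "RunAsAny"},
  "fsGroup": {"type": "MustRunAs", "ranges": [{"min": 1000, "max": 1000}]},
  "supplementalGroups": {"type": "MustRunAs", "ranges": [{"min": 1000, "max": 1000}]},
  "volumes": ["configMap", "emptyDir", "hostPath", "persistentVolumeClaim", "secret"]
}""")
if __name__ == "__main__":
    print("\n".join("DRIFT: " + f for f in audit_scc(DRIFTED)))
```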

For more information about OpenShift Security Context Constraints, see the OpenShift documentation.
