Read this after Install with Helm. The OpenShift
overlay is additive — it does not replace the Helm install steps.
The chart is distributed through a private registry. Request an access token from the
Tensormesh team, then authenticate before installing — see
Install with Helm → Install.
Why OpenShift needs extra config
Engine pods requesthostIPC so the LMCache cache server can share memory with vLLM
worker processes outside the pod. On OpenShift, hostIPC is forbidden by the default
restricted-v2 Security Context Constraint (SCC) — the engine pod will refuse to start.
To allow it, the engine pod must run as a ServiceAccount bound to an SCC that permits
hostIPC. The built-in privileged SCC satisfies this.
The chart handles all of that when you set openshift.enabled=true:
Creates a dedicated ServiceAccount
In the engine’s namespace, named
<release>-engine-privileged by default.Binds it to the privileged SCC
Via a
RoleBinding to the built-in system:openshift:scc:privileged ClusterRole.Install
Createvalues-openshift.yaml — pin explicit image tags (never latest):
values-openshift.yaml
Verify the SCC binding
Bring your own ServiceAccount
If your organization manages privileged ServiceAccounts centrally — for example, created by a platform team via OpenShift Operators or external policy tooling — you can opt out of the chart creating one and point the engine at an existing SA:values-openshift.yaml
What “privileged” actually means here
Theprivileged SCC grants more than just hostIPC — it also permits running as root,
host networking, and other elevated capabilities. The engine pod only uses hostIPC; the
rest is unused but available.
If your security posture forbids the built-in privileged SCC, define a custom SCC that
grants only hostIPC (plus whatever else your environment requires) and point the chart
at the ClusterRole that authorizes its use:
Next steps
Helm install reference
Full install, upgrade, and uninstall flow.
Troubleshooting
CreateContainerError, permission-denied, and SCC diagnostics.
