The agent can run under the `nonroot-v2` SCC. This means you will probably need to manually assign the SCC to the service accounts.
The installation steps are as follows:
- Create a dedicated project (namespace):

  ```bash
  NS_NAME="octopus-agent-<name>"
  oc new-project "$NS_NAME" --description="Octopus Deploy kubernetes agent <name>" --display-name="Octopus Deploy k8s agent"
  ```

- Assign the `nonroot-v2` SCC to the service accounts (SAs):
  - Agent

    ```bash
    NS_NAME="octopus-agent-<name>"
    AGENT_SERVICE_ACCOUNT="octopus-agent-tentacle"
    oc adm policy add-scc-to-user nonroot-v2 -z "$AGENT_SERVICE_ACCOUNT" -n "$NS_NAME"
    ```

  - Pod scripts

    ```bash
    NS_NAME="octopus-agent-<name>"
    POD_SCRIPTS_SERVICE_ACCOUNT="octopus-agent-scripts"
    oc adm policy add-scc-to-user nonroot-v2 -z "$POD_SCRIPTS_SERVICE_ACCOUNT" -n "$NS_NAME"
    ```

  - Auto-upgrader

    ```bash
    NS_NAME="octopus-agent-<name>"
    AUTO_UPGRADER_SERVICE_ACCOUNT="octopus-agent-auto-upgrader"
    oc adm policy add-scc-to-user nonroot-v2 -z "$AUTO_UPGRADER_SERVICE_ACCOUNT" -n "$NS_NAME"
    ```

- To avoid problems with the persistent volume (PV), the StorageClass must set an explicit UID that matches the one in `securityContext`. Here is the important part of your StorageClass:

  ```yaml
  mountOptions:
    - uid=999
    - forceuid
    - file_mode=0775 # rwx for user required
    - dir_mode=0775 # rwx for user required
  ```

- The agent and script pods support running in non-root mode. The UID/GID should be 999. Run the `helm install` command with these extra values:

  ```yaml
  agent:
    securityContext:
      runAsUser: 999
      runAsGroup: 999
      fsGroup: 999
      fsGroupChangePolicy: "OnRootMismatch"
  scriptPods:
    securityContext:
      runAsUser: 999
      runAsGroup: 999
      fsGroup: 999
      fsGroupChangePolicy: "OnRootMismatch"
  persistence:
    storageClassName: {your-custom-value} # required - use name from previous step
  ```
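The check below is an added example, not part of the Octopus documentation or Helm chart: it verifies that the StorageClass mount options and the Helm security contexts from the steps above agree on the UID before you install. The function names and the `my-storage-class` name are assumptions, and the inputs are the already-parsed YAML.

```python
# Added example: pre-flight consistency check, not part of the Octopus Helm chart.
# Inputs are the already-parsed YAML (loaded with whichever YAML library you use).

def parse_mount_options(options):
    """['uid=999', 'forceuid'] -> {'uid': '999', 'forceuid': None}"""
    parsed = {}
    for opt in options:
        key, sep, value = str(opt).partition("=")
        parsed[key.strip()] = value.strip() if sep else None
    return parsed

def owner_has_rwx(mode):
    """True if an octal mode string such as '0775' grants rwx to the owner."""
    try:
        return (int(mode, 8) & 0o700) == 0o700
    except (TypeError, ValueError):
        return False

def check_alignment(mount_options, helm_values):
    """Return a list of problems; an empty list means the settings agree."""
    opts = parse_mount_options(mount_options)
    uid = opts.get("uid")
    problems = []
    if uid is None:
        problems.append("mountOptions: explicit uid= is missing")
    if "forceuid" not in opts:
        problems.append("mountOptions: forceuid is missing")
    for key in ("file_mode", "dir_mode"):
        if not owner_has_rwx(opts.get(key)):
            problems.append(f"mountOptions: {key} must grant rwx to the user")
    for section in ("agent", "scriptPods"):
        ctx = helm_values.get(section, {}).get("securityContext", {})
        run_as = ctx.get("runAsUser")
        if run_as in (None, 0):
            problems.append(f"{section}: runAsUser must be set to a non-root UID")
        elif uid is not None and str(run_as) != uid:
            problems.append(f"{section}: runAsUser {run_as} != mount uid {uid}")
    if not helm_values.get("persistence", {}).get("storageClassName"):
        problems.append("persistence.storageClassName is not set")
    return problems

# Constructed sample input mirroring the values on this page.
MOUNT_OPTIONS = ["uid=999", "forceuid", "file_mode=0775", "dir_mode=0775"]
CTX = {"runAsUser": 999, "runAsGroup": 999, "fsGroup": 999}
HELM_VALUES = {"agent": {"securityContext": dict(CTX)},
               "scriptPods": {"securityContext": dict(CTX)},
               "persistence": {"storageClassName": "my-storage-class"}}  # placeholder name

if __name__ == "__main__":
    for problem in check_alignment(MOUNT_OPTIONS, HELM_VALUES) or ["OK"]:
        print(problem)
```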
Page updated on Monday, May 25, 2026