With the release of Pure Service Orchestrator v2.4.0, there is now an Operator available to install PSO.

No need for using Helm and all its associated security concerns, although that’s not to say Helm is going away. Indeed, we continue to support Helm in v2.4.0 but we look forward to seeing a Tiller-less version and evaluating how we can implement PSO with it when it becomes available.

Red Hat has historically been reluctant to support Helm in their previous OpenShift releases, but without Operator support, they had little choice but to accept Helm as a way of installing applications into the cluster.

With the release of OpenShift 3.11, this all changed. Using an Operator was defined as the correct installation methodology and Red Hat created the Operator SDK to allow developers to work on porting Helm Charts to Operators.

Pure has been working on our Operator for PSO for some time and now, with the release of v2.4.0, the Operator installation procedure is alive and well. This new installation method still deploys our FlexVolume driver, but the upcoming CSI driver will seamlessly fit into this deployment method.

How to Install the Operator

Installing the Operator is incredibly simple and below are the commands you need to run to install it on a vanilla OpenShift 3.11 cluster.

First, we need to create an appropriate Security Context Constraint (SCC in OpenShift parlance) for the Operator to run with and allow the pure-flex pods to work with privileged containers – a requirement for the FlexVolume drivers.

Create a file called hostpath-scc.yaml:

Now apply this to your cluster:

# oc apply -f hostpath-scc.yaml

Now we pull the Operator code and the latest values.yaml file from Pure’s GitHub repository:

# git clone --branch 2.4.0 https://github.com/purestorage/helm-charts.git
# cd helm-charts/operator
# wget https://raw.githubusercontent.com/purestorage/helm-charts/2.4.0/pure-k8s-plugin/values.yaml

Configure the values.yaml with your site-specific details, including details of the fleet of FlashArrays and FlashBlades you want PSO to manage.

Now install PSO using the operator:

# ./install.sh --namespace=pso --orchestrator=openshift -f values.yaml

Finally, we need to grant the service account created by the Operator access to the SCC we previously created and restart the PSO DaemonSet:

# oc adm policy add-scc-to-user hostpath -n pso -z pure

The manual SCC creation and its application to the service account will not be needed in subsequent PSO releases, but until then we have to perform this simple manual post-install process.

What does this installation look like after you have installed the PSO Operator? It’s actually very similar to the Helm installed flexVolume driver, as you would expect, just without the requirement of Helm, just with a few additional Operator-specific resources, including a Custom Resource Definition (CRD), some RBAC rules for the Operator and a new operator pod imaginatively called pso-operator<.

If you are currently running an older version of PSO, upgrading to the Operator is non-disruptive to existing persistent volumes and persistent volume claims in your cluster. However, there will be a slight disruption to in-flight volume management operations, so we recommend suspending all volume management operations before performing the upgrade. To perform the upgrade first delete the current PSO Helm Chart and then install using the procedure above, remembering to grab the new values.yaml and populating it with your site-specific data.

The Operator can also be used on any Kubernetes deployment based on v1.11 or higher, so don’t think that the Operator only works on OpenShift clusters.

All the best and Happy Helming!! – oops – I mean Happy Operating!!


With the release of PSO v2.4.1 there is now no need to create the SCC YAML file or apply the SCC policy to the PSO service account.

Thanks to Pure’s Engineering team for making simple, even simpler !!