I am having trouble getting Collabora to work under Openshift 4.19 due to security standards. All the documentation I find seems to center around OpenShift 3 and the issues with routes / HAProxy / nginx , but I have yet to find anything about setting up a service account or what permissions are needed. Is there a recommended SCC for use with Collabora ?
Using the standard helm chart, the pod ends with this error:
wsd-00001-00001 2025-11-13 19:31:53.135117 +0000 [ coolwsd ] FTL Failed to initialize COOLWSD: Access to file denied: /opt/cool/child-roots/1-476bd716| wsd/COOLWSD.hpp:263 Access to file denied: /opt/cool/child-roots/1-476bd716
Trying to add in the security contexts the AIO repo defines gives me this warning and doesn't actually run anything.
Warning: would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "collabora" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "collabora" must set securityContext.capabilities.drop=["ALL"]; container "collabora" must not include "CAP_SYS_ADMIN", "MKNOD" in securityContext.capabilities.add), runAsNonRoot != true (pod or container "collabora" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "collabora" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
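The PodSecurity warning above names every field the "restricted" profile checks. The manifest below is an added example, not the original poster's configuration and not taken from the Collabora chart or the AIO repo; it shows a dedicated service account plus a pod template that satisfies each item in that warning, with the offending field called out beside each setting. The namespace "collabora", the service account name "collabora-sa" and the image reference are assumptions for illustration.

```yaml
# Added example (not from the original post, the Collabora chart or the AIO repo).
# Assumed names: namespace "collabora", service account "collabora-sa",
# image "collabora/code" (adjust to whatever the chart actually deploys).
#
# 1. A dedicated service account, so any SCC grant is scoped to this
#    workload rather than to the namespace's "default" service account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: collabora-sa
  namespace: collabora
---
# 2. A Deployment whose pod template satisfies every item in the
#    PodSecurity "restricted:latest" warning quoted in the question.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: collabora
  namespace: collabora
spec:
  selector:
    matchLabels:
      app: collabora
  template:
    metadata:
      labels:
        app: collabora
    spec:
      serviceAccountName: collabora-sa
      securityContext:
        runAsNonRoot: true            # fixes: "runAsNonRoot != true"
        seccompProfile:
          type: RuntimeDefault        # fixes: "seccompProfile ... RuntimeDefault or Localhost"
      containers:
        - name: collabora
          image: collabora/code       # assumption; use the chart's image
          securityContext:
            allowPrivilegeEscalation: false   # fixes: "allowPrivilegeEscalation != false"
            capabilities:
              drop: ["ALL"]                   # fixes: "unrestricted capabilities"
              # Deliberately no "add:" list. The SYS_ADMIN and MKNOD entries
              # from the AIO compose file are exactly what the warning rejects.
```

If the container still dies with "Access to file denied: /opt/cool/child-roots/..." under this profile, the poster's later reply reports that what worked was binding the anyuid SCC to the workload's service account, which on OpenShift is done with `oc adm policy add-scc-to-user anyuid -z collabora-sa -n collabora`. Two caveats go with that grant: it lets the container run as the image's default UID, including UID 0, so it should be scoped to a dedicated service account as above and never to the namespace's default one; and it cannot be combined with `runAsNonRoot: true` if the image really does run as root, because the kubelet refuses to start a container whose image would run as root under that setting. Check which UID the pod ended up with after the change using `oc exec deploy/collabora -- id`.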
All the documentation I find seems to center around OpenShift 3 and the issues with routes / HAProxy / nginx , but I have yet to find anything about setting up a service account or what permissions are needed.
OpenShift's built-in router is a minimized HAProxy that doesn't support all the advanced features Collabora Online needs. That's why most older docs mention OpenShift 3 workarounds with routes or external proxies.
On OpenShift 4 the same limitation still applies. COOL requires advanced HAProxy annotations and behavior that the OpenShift Router can't provide. Because of that the recommended approach is to deploy a full HAProxy Ingress inside the Collabora namespace rather than relying on the OpenShift router.
So yes, OpenShift and "HAProxy in Kubernetes" are different. The OpenShift router is a limited, security-hardened version intended only to serve as a general ingress controller, while the HAProxy Ingress project is the full upstream version with all the features COOL depends on.
Once you deploy a proper HAProxy Ingress, Collabora runs normally without needing special SCCs or elevated privileges. The main issue isn't permissions, it's that the OpenShift router is missing features COOL expects.
Hi Darshan - thanks for the reply! I think I confused the issue. I'm not at that point yet, the Collabora pod is in Crash/Backoff because of permissions on /opt/cool/child-roots.
Doing more reading I think this boils down to Collabora wanting a container running as root and OpenShift very much not wanting containers to run as root ?
The solution to my problem was running using a service account with the anyuid policy. Also if I understand correctly, the advanced annotations are necessary to direct people editing the same document to the same pod? If so - I'm migrating from a single podman instance behind an Apache reverse proxy, so I have it working in a very simple setup with a single route.
For anyone having trouble with the permissions, this is what I needed for a small, simple setup: