
Install F5 AI Security Operator on Red Hat OpenShift

This guide walks through infrastructure requirements, prerequisites, operator deployment, and post-install configuration for deploying F5 AI Security Operator on Red Hat OpenShift.

Please contact the F5 AI Security Sales Team to get a license and container repository credentials before installation.

Minimum infrastructure requirements

To see basic requirements, navigate to the Deploy & Use tab for the F5 AI Security Operator. Select Getting Started. You'll see a series of instructions, starting with Prerequisites.

This includes Compute Unified Device Architecture (CUDA), as used by NVIDIA.

To view details, click here.

CPU Node

You need at least one CPU-heavy node for all deployments.

Minimum Requirements (per node)

  • 16 vCPUs
  • 32 GiB RAM
  • x86_64 architecture
  • 100 GiB persistent storage

Memory Node

You need at least one memory-optimized node for each GPU-enabled component:

  • AI Guardrails (inference.enabled: true and inference.values.inference.guardrails.enabled: true in Operator YAML)
  • AI RedTeam (inference.enabled: true and inference.values.inference.redteam.enabled: true in Operator YAML)

Minimum Requirements

  • 4 vCPUs
  • 16 GiB RAM
  • x86_64 architecture
  • 100 GiB persistent storage

GPU Nodes

The GPU on the enabled node must be dedicated to the application. Do not share it with any other application that requires GPU resources.

  • For AI Guardrails deployments of the Operator (inference.enabled: true and inference.values.inference.guardrails.enabled: true in Operator YAML)

    Minimum Requirements

    • 1x CUDA-compatible GPU (24GB VRAM minimum)
    • 4 vCPUs
    • 16 GiB RAM
    • 100 GiB persistent storage
  • For AI RedTeam deployments of the Operator (inference.enabled: true and inference.values.inference.redteam.enabled: true in Operator YAML)

    Minimum Requirements

    • 1x CUDA-compatible GPU (48GB VRAM minimum)
    • 4 vCPUs
    • 32 GiB RAM
    • 200 GiB persistent storage recommended

Software requirements

Next, navigate to the Red Hat Ecosystem Catalog. Search for and install the following OpenShift Ecosystem Applications:

  • Node Feature Discovery Operator
  • NVIDIA GPU Operator

In both cases, proceed with the defaults.

For Red Hat documentation of the process, see the Red Hat OpenShift Container Platform docs for The Node Feature Discovery Operator.

You'll also need to set up and configure an OpenShift cluster policy as described in NVIDIA documentation: Installing the NVIDIA GPU Operator on OpenShift.

Set up the AI Security Operator

This operator requires that you:

  • Pull containers from an authenticated repository
  • Have an appropriate license

Create Docker Registry Secret

As discussed in the Red Hat Deploy & Use Getting started guide, you will need to create a Docker Registry secret with your Docker username, password, and email address.

bash
oc create secret docker-registry regcred \
  -n f5-ai-sec \
  --docker-username="$DOCKER_USERNAME" \
  --docker-password="$DOCKER_PASSWORD" \
  --docker-email="$DOCKER_EMAIL"

Install the F5 AI Security Operator from OpenShift

Navigate to the Red Hat Ecosystem Catalog. Proceed to the URL of your OpenShift cluster console. Search for and install the F5 AI Security Operator. For instructions, select the Deploy and Use tab.

After installation, as discussed in the Red Hat Getting started docs, browse the installed operator. Be prepared to:

  1. Go to:
    View Operator

  2. In the Operator details, click Create SecurityOperator

  3. Choose YAML and copy the Custom Resource template below.

    • Be ready with values for

      • CAI_MODERATOR_BASE_URL
      • CAI_MODERATOR_DB_HOST
      • CAI_MODERATOR_DB_ADMIN_PASSWORD
      • CAI_MODERATOR_DEFAULT_LICENSE
    • Use the license that you got from the F5 security sales team.

    yaml
    apiVersion: ai.security.f5.com/v1alpha1
    kind: SecurityOperator
    metadata:
      name: security-operator-demo
      namespace: f5-ai-sec
    spec:
      registryAuth:
        existingSecret: "regcred"
      # Uncomment the block below to install PostgreSQL in the cluster (not recommended for production)
      #postgresql:
      #  enabled: true
      #  values:
      #    postgresql:
      #      auth:
      #        password: "pass"
      jobManager:
        enabled: true
      moderator:
        enabled: true
        values:
          env:
            CAI_MODERATOR_BASE_URL: https://i-am-a-hostname.example.com
            # Uncomment the line below to use an external PostgreSQL server
            #CAI_MODERATOR_DB_HOST: <my-external-db-hostname>
          secrets:
            # Template placeholders: replace both values before applying
            CAI_MODERATOR_DB_ADMIN_PASSWORD: "pass"
            CAI_MODERATOR_DEFAULT_LICENSE: "f5_ai_security_license"
      inference:
        enabled: true
        values:
          inference:
            redteam:
              enabled: true
            guardrails:
              enabled: true

    If you want to install the PostgreSQL database within your OpenShift cluster, uncomment the following section:

    yaml
    #postgresql:
    #  enabled: true
    #  values:
    #    postgresql:
    #      auth:
    #        password: "pass"

    Note: This is not recommended for production.

  4. Once customized, paste the YAML into the Create SecurityOperator YAML text window.

  5. Select Create
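
Before creating the resource in steps 4 and 5, confirm that none of the template's placeholder values survived editing. The shell function below is an added example, not part of the F5 or Red Hat documentation; `check_cr` is a hypothetical helper name and the sample manifest is constructed from the template above.

```shell
#!/bin/sh
# Added example (not F5 code): pre-apply check for a SecurityOperator manifest.
# check_cr FILE prints one finding per line; exit status is non-zero if any.
check_cr() (
  # Drop comment-only lines so commented-out template sections are ignored.
  active=$(grep -Ev '^[[:space:]]*#' "$1" || true)
  has() { printf '%s\n' "$active" | grep -Eq "$1"; }
  n=0
  if has '(PASSWORD|password):[[:space:]]*"?pass"?[[:space:]]*$'; then
    echo "database password is still the template value"; n=$((n+1)); fi
  if has 'CAI_MODERATOR_DEFAULT_LICENSE:[[:space:]]*"?f5_ai_security_license"?'; then
    echo "license is still the template placeholder"; n=$((n+1)); fi
  if has 'i-am-a-hostname\.example\.com'; then
    echo "CAI_MODERATOR_BASE_URL is still the template hostname"; n=$((n+1)); fi
  if has 'CAI_MODERATOR_BASE_URL:[[:space:]]*"?http://'; then
    echo "CAI_MODERATOR_BASE_URL is not https"; n=$((n+1)); fi
  # In-cluster PostgreSQL: an active "postgresql:" key directly followed by enabled: true.
  if printf '%s\n' "$active" | grep -A1 -E '^[[:space:]]*postgresql:[[:space:]]*$' \
       | grep -Eq 'enabled:[[:space:]]*true'; then
    echo "in-cluster PostgreSQL is enabled (not recommended for production)"; n=$((n+1)); fi
  [ "$n" -eq 0 ]
)

# Constructed sample: the env/secrets part of the page's template, unmodified.
sample=$(mktemp)
cat >"$sample" <<'EOF'
spec:
  #postgresql:
  #  enabled: true
  moderator:
    values:
      env:
        CAI_MODERATOR_BASE_URL: https://i-am-a-hostname.example.com
      secrets:
        CAI_MODERATOR_DB_ADMIN_PASSWORD: "pass"
        CAI_MODERATOR_DEFAULT_LICENSE: "f5_ai_security_license"
EOF
check_cr "$sample" || echo "do not apply this manifest as-is"
rm -f "$sample"
```
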


After Installation

To complete the configuration process, take the following steps:

  1. Log in to your OpenShift cluster as an admin, with the OpenShift CLI. Substitute your cluster-url.

    bash
    oc login https://api.<cluster-url>:6443 --token=<TOKEN>
  2. Run the following commands:

    bash
    # Grant nonroot-v2 (preferred, based on principle of least privilege)
    oc adm policy add-scc-to-user nonroot-v2 -z default -n prefect
    oc adm policy add-scc-to-user nonroot-v2 -z prefect-server -n prefect
    oc adm policy add-scc-to-user nonroot-v2 -z prefect-worker -n prefect
    
    # For cai-moderator. Lists policy command to apply for each k8s pod.
    oc adm policy add-scc-to-user nonroot-v2 -z cai-moderator-sa -n cai-moderator
    
    # For f5-ai-sec-inference
    oc adm policy add-scc-to-user nonroot-v2 -z default -n f5-ai-sec-inference
    oc adm policy add-scc-to-user nonroot-v2 -z f5-ai-sec-inference -n f5-ai-sec-inference
    
    oc -n f5-ai-sec-inference rollout restart deploy
    oc -n cai-moderator rollout restart deploy
    oc -n prefect rollout restart deploy
    oc -n prefect create job --from=cronjob/cai-workflows cai-workflows-manual-$(date +%s)
  3. Create a ClusterRole

    bash
    oc apply -f - <<'YAML'
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: prefect-worker-watch-jobs
    rules:
      - apiGroups: ["batch"]
        resources: ["jobs"]
        verbs: ["get","list","watch"]
      - apiGroups: [""]
        resources: ["pods","pods/log","events"]
        verbs: ["get","list","watch"]
    YAML
  4. Bind it to the prefect-worker ServiceAccount

    bash
    oc apply -f - <<'YAML'
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: prefect-worker-watch-jobs
    subjects:
      - kind: ServiceAccount
        name: prefect-worker
        namespace: prefect
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: prefect-worker-watch-jobs
    YAML
  5. Restart the prefect worker deployment

    bash
    oc -n prefect rollout restart deploy/prefect-worker
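
To confirm the result of steps 2 to 5, the added script below (not part of the F5 documentation) asks the API server what the prefect-worker ServiceAccount may do cluster-wide and lists any pod admitted under an SCC other than nonroot-v2 or restricted-v2. The function names are hypothetical, and the "expect no" checks encode this example's assumption that the worker needs no cluster-wide write or secret access.

```shell
#!/bin/sh
# Added example (not F5 code): post-install checks for the SCC grants and the
# prefect-worker ClusterRoleBinding. Needs a logged-in `oc` allowed to impersonate.
SA=system:serviceaccount:prefect:prefect-worker

# expect WANT VERB RESOURCE: compare cluster-wide `oc auth can-i` with WANT (yes/no).
expect() {
  got=$(oc auth can-i "$2" "$3" --all-namespaces --as="$SA" 2>/dev/null) || true
  [ "$got" = "$1" ] && return 0
  echo "UNEXPECTED: can-i $2 $3 = ${got:-error} (wanted $1)"; return 1
}

check_worker_rbac() {
  bad=0
  # Read access granted by the prefect-worker-watch-jobs ClusterRole.
  for verb in get list watch; do
    for res in jobs.batch pods events; do
      expect yes "$verb" "$res" || bad=1
    done
  done
  # Assumption of this example: no cluster-wide write or secret access is needed.
  for pair in "create jobs.batch" "delete pods" "get secrets"; do
    expect no ${pair% *} ${pair#* } || bad=1
  done
  return "$bad"
}

# check_scc NAMESPACE: print pods whose admitting SCC (openshift.io/scc annotation)
# is neither nonroot-v2 nor the stricter restricted-v2; non-zero status if any.
check_scc() {
  oc get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.annotations.openshift\.io/scc}{"\n"}{end}' |
  awk -F'\t' '$2 != "nonroot-v2" && $2 != "restricted-v2" { print; bad=1 } END { exit bad }'
}

if command -v oc >/dev/null 2>&1; then
  check_worker_rbac && echo "prefect-worker RBAC matches the ClusterRole"
  for ns in prefect cai-moderator f5-ai-sec-inference; do
    check_scc "$ns" || echo "namespace $ns has pods under an unexpected SCC"
  done
fi
```
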
