Red Hat OpenShift Container Platform is where many enterprises run IBM MQ in production: the MQ Operator appears in OperatorHub, platform teams already manage OAuth and SCCs, and integration with Cloud Pak for Integration is a common roadmap. OpenShift deployments for MQ mean more than kubectl apply on any cluster—you work inside projects (namespaces), Routes instead of generic Ingress controllers, Security Context Constraints that gate whether the mq user may write /mnt/mqm, and often internal image registries that mirror icr.io. Beginners copy generic Kubernetes tutorials and wonder why Routes do not terminate MQI binary traffic like HTTP, or why pods fail with forbidden uid. This tutorial walks OpenShift-specific networking for listeners and consoles, installing and subscribing to the MQ Operator, projects and quotas for MQ estates, SCC selection for MQ pods, storage classes on OpenShift with persistent volumes, integrating corporate identity, monitoring with OpenShift user workload monitoring, upgrade coordination between OpenShift version and MQ fix pack, and differences from vanilla AKS or EKS runbooks.
Isolate production MQ in dedicated projects with ResourceQuota on CPU, memory, and PVC count. Non-production environments get separate projects and RBAC so developers cannot kubectl delete prod PVCs. Labels tie QueueManager instances to cost centers. NetworkPolicy or OpenShift SDN policies segment application projects from MQ projects—only application namespaces reach port 1414.
| Method | Typical use | Note |
|---|---|---|
| ClusterIP Service | In-cluster clients only | Default for microservices in same cluster |
| Passthrough Route | MQI TLS end-to-end | Client sees MQ server cert |
| Edge Route | HTTPS console or REST | Router terminates TLS |
| LoadBalancer Service | Cloud integrated LB | When Routes not used for TCP |
Cluster admins open OperatorHub, search for IBM MQ, and install the operator into openshift-operators or a dedicated namespace, per your standard. Choose manual install plan approval for production. The Subscription channel pins the operator version; upgrading OpenShift may require upgrading the operator to a compatible version first. After install, developers create QueueManager CRs in their projects if RBAC allows custom resource creation.
```bash
# Illustrative CLI — verify exact package names in your cluster
oc get packagemanifests -n openshift-marketplace | grep -i mq
oc describe queuemanager finance-qm -n mq-prod
oc get routes -n mq-prod
```
MQ images expect to run as a fixed non-root UID with group access to mounted volumes. Assign anyuid or custom SCC only when IBM documentation requires it—overly permissive SCC violates compliance. fsGroup in pod security admission sets volume group ownership so /mnt/mqm is writable. Read-only root filesystem may conflict with MQ logging paths—follow IBM OpenShift guidance for your operator version rather than inventing restricted profiles that break startup.
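To check which SCC actually admitted each MQ pod, the sketch below audits the JSON that `oc get pods -n mq-prod -o json` returns. It is an added example, not IBM's or this tutorial's own tooling. The sample pods are constructed, and the approved set (`restricted-v2`) is an assumption to replace with whatever IBM's guidance specifies for your operator version.

```python
import json

# Constructed sample shaped like `oc get pods -n mq-prod -o json`; names and values are made up.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "finance-qm-ibm-mq-0", "namespace": "mq-prod",
   "annotations": {"openshift.io/scc": "restricted-v2"}},
  "spec": {"securityContext": {"fsGroup": 1000650000},
   "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-finance-qm"}}],
   "containers": [{"name": "qmgr", "securityContext": {"runAsUser": 1000650000}}]}},
 {"metadata": {"name": "legacy-qm-ibm-mq-0", "namespace": "mq-prod",
   "annotations": {"openshift.io/scc": "anyuid"}},
  "spec": {"securityContext": {},
   "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data-legacy-qm"}}],
   "containers": [{"name": "qmgr", "securityContext": {"runAsUser": 0}}]}}
]}
""")

def audit_scc(pod_list, approved_sccs):
    """Return (pod, finding) tuples for pods that drift from the approved SCC baseline."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        name = f'{meta["namespace"]}/{meta["name"]}'
        # OpenShift records the SCC that admitted the pod in this annotation.
        scc = meta.get("annotations", {}).get("openshift.io/scc")
        if scc is None:
            findings.append((name, "no SCC annotation recorded"))
        elif scc not in approved_sccs:
            findings.append((name, f"admitted under unapproved SCC '{scc}'"))
        pod_sc = spec.get("securityContext") or {}
        for c in spec.get("containers", []):
            # A container-level runAsUser overrides the pod-level value.
            uid = (c.get("securityContext") or {}).get("runAsUser", pod_sc.get("runAsUser"))
            if uid == 0:
                findings.append((name, f"container '{c['name']}' runs as UID 0"))
        # Without fsGroup the mounted queue manager volume may not be group-writable.
        uses_pvc = any("persistentVolumeClaim" in v for v in spec.get("volumes", []))
        if uses_pvc and "fsGroup" not in pod_sc:
            findings.append((name, "PVC mounted but no fsGroup set"))
    return findings

if __name__ == "__main__":
    for pod, finding in audit_scc(SAMPLE, approved_sccs={"restricted-v2"}):
        print(f"{pod}: {finding}")
```

Feed it live data by replacing `SAMPLE` with the parsed output of the `oc get pods` command, and keep the findings alongside the written justification for each SCC.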
Kubernetes is the street grid. OpenShift is the same grid plus building codes (SCC), official doorways to the street (Routes), and a store that sells pre-approved building kits (OperatorHub). MQ is the post office you install using the approved kit.
OpenShift ships storage classes for cloud disks or NFS. MQ needs ReadWriteOnce block storage for queue manager data in most designs. Test performance before go-live. Volume expansion requires allowVolumeExpansion on the storage class, plus the file system grow steps inside the pod or on the node that the platform documentation describes.
Forward pod logs to the OpenShift logging stack or a corporate SIEM. Prometheus metrics from MQ may integrate with user workload monitoring when enabled. Alert on operator reconciliation errors and transmission queue depth via custom rules. Include OpenShift infrastructure events during incident bridge calls.
Pod forbidden — SCC denied uid or volume type. Route not reachable — selector mismatch or TLS mode wrong for MQI. Image pull backoff — missing pull secret for icr.io mirror. CR not Ready — describe QueueManager; check storage class and LICENSE in spec.
OpenShift is a playground with safety rules and official gates. MQ is the mail room you set up using a kit from the playground store, with doors labeled so other kids know where to deliver letters.
Install MQ Operator in lab OpenShift; create QueueManager; expose Route; connect client.
Document which SCC your MQ pod uses and why.
Compare passthrough versus edge Route for your REST console URL.
1. OpenShift Routes expose:
2. SCC controls:
3. MQ Operator installs from:
4. MQ pods should run: