Run EximeeBPMS on Kubernetes / OpenShift

Community Edition

Official Kubernetes / OpenShift deployment artifacts are maintained in the eximeebpms-k8s repository, as both a Helm chart and Kustomize manifests. Both deploy the same Docker image and are equivalent – pick whichever fits your platform’s tooling. The Helm chart is also listed on ArtifactHub, where you can browse available versions and values.

Quick start

Using Helm:

helm repo add eximeebpms https://eximeebpms.github.io/eximeebpms-k8s
helm repo update
helm install my-release eximeebpms/eximeebpms

Using Kustomize:

kubectl apply -k "https://github.com/EximeeBPMS/eximeebpms-k8s/kustomize/base?ref=main"

By default both start a single replica backed by the embedded H2 database (demo/quick-start only) – H2 does not support clustering.

Highly available deployment

For a production, multi-replica deployment against an external PostgreSQL database, with a HorizontalPodAutoscaler, a PodDisruptionBudget, pod anti-affinity, and tuned probes, see:

OpenShift

The overlays/openshift Kustomize overlay is SCC-compatible (it lets OpenShift assign the container’s UID instead of hardcoding one) and adds an OpenShift Route:

kubectl apply -k "https://github.com/EximeeBPMS/eximeebpms-k8s/kustomize/overlays/openshift?ref=main"

Security defaults

Both the chart and the Kustomize base run the container as a non-root user, drop all Linux capabilities, disallow privilege escalation, run with a read-only root filesystem, and apply the RuntimeDefault seccomp profile by default. See the eximeebpms-k8s README for the full list of configurable values.

This satisfies the Pod Security Standards “Restricted” profile and the container-level checks of the CIS Kubernetes Benchmark out of the box, so both deployment methods can be used in namespaces enforcing pod-security.kubernetes.io/enforce: restricted. Rendered manifests are checked with kube-score in CI to guard against regressions.

Supply chain

  • Published images are scanned with Trivy (the build fails on CRITICAL findings) and shipped with a CycloneDX SBOM.
  • Images and the Helm chart (published as an OCI artifact to oci://ghcr.io/eximeebpms/charts/eximeebpms, in addition to the classic chart repo above) are signed keylessly with cosign using GitHub Actions OIDC – no long-lived signing key involved: ```shell cosign verify ghcr.io/eximeebpms/eximeebpms-bpm-platform:run-1.2.0
    –certificate-identity-regexp ‘https://github.com/EximeeBPMS/eximeebpms-docker/.*'
    –certificate-oidc-issuer https://token.actions.githubusercontent.com

cosign verify ghcr.io/eximeebpms/charts/eximeebpms:
–certificate-identity-regexp ‘https://github.com/EximeeBPMS/eximeebpms-k8s/.*'
–certificate-oidc-issuer https://token.actions.githubusercontent.com ```

On this page