K8s: sys_resource revision #1509

Closed
24 commits
be0f779
sys_resource revision
kaitlynmichael May 6, 2025
daca872
Update content/operate/kubernetes/deployment/helm.md
kaitlynmichael May 7, 2025
c344927
Update content/operate/kubernetes/deployment/helm.md
kaitlynmichael May 7, 2025
66ff6a7
K8s: Wisconsin maint 2 release notes (#1500)
kaitlynmichael May 6, 2025
124bfb4
DOC-5201 added release notes for RDI v1.6.7
andy-stark-redis May 6, 2025
6a3443d
DOC-5197 remove mentions of Debezium in RDI config docs
andy-stark-redis May 7, 2025
71c7775
Add docs for CLIENT LIST new input/output stats (#1475)
minchopaskal May 7, 2025
d358802
deleted unused images in /static/images/rc and /static/images/rv
cmilesb May 6, 2025
de5ec64
Handle duplicate images
cmilesb May 6, 2025
d03d7b7
Replace missing images
cmilesb May 6, 2025
aea2cf0
Sizing
cmilesb May 6, 2025
66ff624
Update RQE _index.md
mich-elle-luna May 7, 2025
8ac6c51
DOC-5205 RS: Emphasize upgrade prerequisites (#1512)
rrelledge May 7, 2025
83994fb
K8s: relref fixes (#1517)
kaitlynmichael May 8, 2025
abaaee8
Allow tag with v prefix (#1522)
paoloredis May 8, 2025
07c4acc
RC BYOC: Fix IAM credential steps and relref
cmilesb May 7, 2025
990fc00
Create hugo shortcode for embedding external json files (#1521)
paoloredis May 8, 2025
ad37a33
DEV: (MOD-9575) memory reporting updates (#1508)
dwdougherty May 8, 2025
b81e005
Update index.md (#1526)
nickbouldien May 8, 2025
351e628
DOC-5216 RS: Added bigstore_enabled to node REST API reference (#1527)
rrelledge May 8, 2025
790c761
add alias for link used in redis.io blog (#1518)
kaitlynmichael May 8, 2025
c12ffc5
x86 vs ARM note (#1501)
kaitlynmichael May 8, 2025
2a1c7c0
Fix formatting issue
cmilesb May 8, 2025
233670f
review suggestions
kaitlynmichael May 8, 2025
11 changes: 10 additions & 1 deletion content/operate/kubernetes/deployment/helm.md
Expand Up @@ -9,7 +9,6 @@ description: Install Redis Enterprise for Kubernetes version 7.8.6 using Helm ch
linkTitle: Helm
weight: 11
---

Helm charts provide a simple way to install the Redis Enterprise for Kubernetes operator in just a few steps. For more information about Helm, go to [https://helm.sh/docs/](https://helm.sh/docs/).

{{<note>}} This feature is currently in public preview and is not supported on production workloads. Only new installations of the Redis operator are supported at this time. The steps for [creating the RedisEnterpriseCluster (REC)]({{<relref "operate/kubernetes/deployment/quick-start#create-a-redis-enterprise-cluster-rec">}}) and other custom resources remain the same.{{</note>}}
Expand All @@ -21,6 +20,8 @@ Helm charts provide a simple way to install the Redis Enterprise for Kubernetes
- [Kubernetes client (kubectl)](https://kubernetes.io/docs/tasks/tools/).
- [Helm 3.10 or later](https://helm.sh/docs/intro/install/).

If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

### Example values

The steps below use the following placeholders to indicate command line parameters you must provide:
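Review bot: The link in the new file-descriptor paragraph is labelled "Allow automatic resource adjustment" but its relref targets `/operate/kubernetes/security/enable-privileged-mode.md`, while the page this PR adds is `content/operate/kubernetes/security/allow-resource-adjustment.md` and its front matter declares no alias. Point the relref at the new file, or add an alias on the new page, so the link resolves to the page with that title. The same relref recurs in every paragraph and note added by this PR.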
Expand Down Expand Up @@ -52,6 +53,10 @@ To install with Openshift, add `--set openshift.mode=true`.

To monitor the installation add the `--debug` flag. The installation runs several jobs synchronously and may take a few minutes to complete.

{{<note>}}
If you want the operator to automatically manage file descriptor limits, make sure to set `allowAutoAdjustment=true` when installing the chart. This requires enabling privilege escalation for the Redis Enterprise container. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for more information.
{{</note>}}

### Install from local directory

1. Find the latest release on the [redis-enterprise-k8s-docs](https://github.com/RedisLabs/redis-enterprise-k8s-docs/releases) repo and download the `tar.gz` source code into a local directory.
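Review bot: The added note tells readers to set `allowAutoAdjustment=true` when installing the chart, but the only place this PR defines that setting is the REC spec (`spec.securityContext.resourceLimits.allowAutoAdjustment`), and the preview note on this page says the REC is created separately from the Helm install. Confirm that the operator chart exposes a value with this name and give its full key, or reword the note to say the field is set on the REC.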
Expand All @@ -74,6 +79,10 @@ To monitor the installation add the `--debug` flag. The installation runs severa

2. Install the Helm chart, overriding specific value defaults using `--set`.

{{<note>}}
To enable automatic resource adjustment during installation, include `--set allowAutoAdjustment=true`. This requires elevated container capabilities. For more information, see [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}).
{{</note>}}

```sh
helm install <operator-name> redis/redis-enterprise-operator \
--version <release-name> \
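Review bot: This note repeats the one added after the `--debug` paragraph earlier in the same file, with different wording for the same requirement ("enabling privilege escalation for the Redis Enterprise container" there, "elevated container capabilities" here). Keep a single note, or make both name exactly what is granted: `SYS_RESOURCE` and `allowPrivilegeEscalation: true`, as shown on the new security page.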
11 changes: 11 additions & 0 deletions content/operate/kubernetes/deployment/openshift/openshift-cli.md
Expand Up @@ -10,13 +10,16 @@ description: Redis Enterprise for Kubernetes and cluster can be installed via CL
linkTitle: OpenShift CLI
weight: 60
---

Use these steps to set up a Redis Enterprise Software cluster with OpenShift.

## Prerequisites

- [OpenShift cluster](https://docs.openshift.com/container-platform/4.8/installing/index.html) with at least 3 nodes (each meeting the [minimum requirements for a development installation]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}}))
- [OpenShift CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html)

If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}).

## Deploy the operator
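Review bot: The file-descriptor paragraph added under Prerequisites is pasted verbatim into four pages (Helm, OpenShift CLI, OpenShift OperatorHub, quick start), so any later correction has to be made four times. Consider moving it to a shared snippet, or shortening it to one sentence that links to the new security page. It also writes the threshold as "100k" where the notes added in the same PR write "100,000"; use one form.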
Expand Down Expand Up @@ -80,6 +83,10 @@ To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{<

You can rename the file to `<your_cluster_name>.yaml`, but it is not required. Examples below use `<rec_rhel>.yaml`. [Options for Redis Enterprise clusters]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API]({{<relref "/operate/kubernetes/reference/redis_enterprise_cluster_api">}}) for a full list of options.

{{<note>}}
Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details.
{{</note>}}

The REC name cannot be changed after cluster creation.

{{<note>}}
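Review bot: The added note says "you can allow the operator to adjust them automatically", but the new security page describes the Redis Enterprise container, not the operator, as receiving `SYS_RESOURCE` and raising the limits. Use the same subject in both places, and since this note sits where the reader is editing the REC file, name the field to set (`spec.securityContext.resourceLimits.allowAutoAdjustment: true`).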
Expand All @@ -88,6 +95,10 @@ Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are no

2. Apply the custom resource file to create your Redis Enterprise cluster.

{{<note>}}
If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it.
{{</note>}}

```sh
oc apply -f <rec_rhel>.yaml
```
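Review bot: "Ensure your security context allows it" is too vague for an OpenShift page: the new security page says new installations run under the built-in `nonroot-v2` and that enabling automatic resource adjustment requires applying `redis-enterprise-scc-v2` and granting it to the REC service account. State that prerequisite here, before `oc apply -f <rec_rhel>.yaml`, and link to the section that carries the `oc apply -f openshift/scc.yaml` and `oc adm policy add-scc-to-user` steps.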
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,10 @@ description: OpenShift provides the OperatorHub where you can install the Redis
linkTitle: OpenShift OperatorHub
weight: 70
---

You can deploy Redis Enterprise for Kubernetes from the Red Hat OpenShift CLI. You can also use a UI, [OperatorHub](https://docs.openshift.com/container-platform/4.11/operators/index.html) (Red Hat) to install operators and create custom resources.

If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}).

## Install the Redis Enterprise operator
Expand Down Expand Up @@ -53,11 +54,13 @@ To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{<

The **Installed Operators**->**Operator details** page shows the provided APIs: **RedisEnterpriseCluster** and **RedisEnterpriseDatabase**. You can select **Create instance** to create custom resources using the OperatorHub interface.

Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view.

<note> The REC name cannot be changed after cluster creation.</note>
Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view.

{{<note>}} In versions 6.4.2-4 and 6.4.2-5, REC creation might fail when using the form view due to an error related to the cluster level LDAP. To avoid this, use the YAML view.
{{<note>}}
Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details.
{{</note>}}

<note> The REC name cannot be changed after cluster creation.</note>

For more information on creating and maintaining Redis Enterprise custom resources, see [Redis Enterprise clusters (REC)]({{< relref "/operate/kubernetes/re-clusters/" >}}) and [Redis Enterprise databases (REDB)]({{< relref "/operate/kubernetes/re-databases/" >}}).
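Review bot: The line `{{<note>}} In versions 6.4.2-4 and 6.4.2-5, REC creation might fail ...` opens a note that is immediately followed by the new `{{<note>}}`, with a single `{{</note>}}` after it, and the hunk header (-53,11 +54,13) is consistent with that LDAP line being deleted. If the deletion is intended, say so in the PR description, since that known issue is unrelated to resource adjustment; if not, restore it with its own closing tag. The moved REC-name note also still uses `<note> ... </note>` rather than the `{{<note>}}` shortcode used everywhere else in this change.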
14 changes: 12 additions & 2 deletions content/operate/kubernetes/deployment/quick-start.md
Expand Up @@ -9,7 +9,6 @@ description: How to install Redis Enterprise Software for Kubernetes.
linkTitle: Kubernetes
weight: 10
---

To deploy Redis Enterprise Software for Kubernetes and start your Redis Enterprise cluster (REC), you need to do the following:

- Create a new namespace in your Kubernetes cluster.
Expand All @@ -27,7 +26,10 @@ To deploy Redis Enterprise for Kubernetes, you'll need:
- minimum of three worker nodes
- Kubernetes client (kubectl)
- access to DockerHub, RedHat Container Catalog, or a private repository that can hold the required images.
NOTE: If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.

If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

{{<note>}}If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.{{</note>}}

### Create a new namespace

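Review bot: The rewrapped OS-support note still links with an absolute `https://redis.io/docs/latest/...` URL, while every other internal link touched in this PR uses `relref`. Switch it to a relref so the link is checked at build time and follows the page if the release notes move.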
Expand Down Expand Up @@ -114,6 +116,10 @@ that contains cluster specifications.

The following example creates a minimal Redis Enterprise cluster. See the [RedisEnterpriseCluster API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_cluster_api">}}) for more information on the various options available.

{{<note>}}
Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details.
{{</note>}}

1. Create a file that defines a Redis Enterprise cluster with three nodes.

{{<note>}}
Expand Down Expand Up @@ -151,6 +157,10 @@ Each cluster must have at least 3 nodes. Single-node RECs are not supported.

See the [Redis Enterprise hardware requirements]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements.md" >}}) for more information on sizing Redis Enterprise node resource requests.

{{<note>}}
If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it.
{{</note>}}

1. Apply your custom resource file in the same namespace as `my-rec.yaml`.

```sh
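Review bot: The added note says "this step will trigger the operator to apply elevated capabilities", but it is placed before the list item it refers to, so "this step" has no referent, and "Ensure your security context allows it" does not say what the reader should check. The new security page shows the container security context following from `allowAutoAdjustment`, so spell out the actual precondition and move the note under the apply step.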
128 changes: 128 additions & 0 deletions content/operate/kubernetes/security/allow-resource-adjustment.md
@@ -0,0 +1,128 @@
---
categories:
- docs
- operate
- kubernetes
description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits.
linkTitle: Auto resource adjustment
title: Allow automatic resource adjustment
weight: 98
---

Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.

## Default behavior

Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed.

If automatic resource adjustment is disabled, the REC security context looks like this:

```yaml
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
```

## Enable automatic resource adjustment

To allow the Redis Enterprise container to adjust system resource limits automatically, set `allowAutoAdjustment` to `true`. This will grant the container elevated capabilities such as `SYS_RESOURCE`. Note that changing this value on a running cluster will trigger a rolling update.

```yaml
spec:
securityContext:
resourceLimits:
allowAutoAdjustment: true
```

Enabling automatic resource adjustment results in the following security context:

**Note:** Enabling `allowAutoAdjustment` grants the container the `SYS_RESOURCE` capability and permits privilege escalation.

```yaml
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_RESOURCE
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
```

## OpenShift upgrades

If you're upgrading OpenShift to 7.22.0-6, update your existing SCC (security context constraint).

If running with automatic resource adjustment disabled, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after you complete the upgrade.

```sh
oc delete scc/redis-enterprise-scc-v2
```

```sh
oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z <service-account-name>
```

If running with automatic resource adjustment enabled, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})).

```sh
oc apply -f openshift/scc.yaml
```

```sh
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
system:serviceaccount:<my-project>:<rec-name>
```

## New OpenShift installations

New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using a built-in `nonroot-v2` which is more secure and less permissive.

To enable automatic resource adjustment after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC.

1. Apply the `scc.yaml` file.

{{<warning>}}
Do not edit this file.
{{</warning>}}

```sh
oc apply -f openshift/scc.yaml
```

You should see the following output:

```sh
securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured
```

1. Provide the operator permissions for the pods.

```sh
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
system:serviceaccount:<my-project>:<rec>
```

## SYS_RESOURCE

Some Redis Enterprise processes may require the `SYS_RESOURCE` capability to raise resource limits, such as the maximum number of open file descriptors.

Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and `SYS_RESOURCE` is not enabled, these processes may fail.

## Choose whether to enable automatic resource adjustment

Use the following guidance to decide whether to enable automatic resource adjustment:

- If you're running on a major cloud provider such as AWS, GKE, or AKS, automatic resource adjustment disabled is likely sufficient.
- If you're running on-prem or using Kubespray, verify your file descriptor limits. You can:
- Configure limits manually and use automatic resource adjustment disabled.
- Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation.

If you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use automatic resource adjustment disabled.

Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. The only known exception is clusters created with [Kubespray](https://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled.
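Review bot: Under "OpenShift upgrades", "If you're upgrading OpenShift to 7.22.0-6" names the wrong product: 7.22.0-6 is the Redis Enterprise for Kubernetes version from the first paragraph, so this should read as upgrading the operator on OpenShift. In the same section the sentence says to remove the SCC and unbind it, but the commands delete `redis-enterprise-scc-v2` first and run `remove-scc-from-user` second; unbind before deleting, and use one service-account placeholder instead of `<service-account-name>`, `<my-project>:<rec-name>` and `<my-project>:<rec>`. The last paragraph says Kubespray users "must" enable automatic resource adjustment, which contradicts the bullet list above it that offers configuring limits manually as an alternative. Since enabling the setting results in `allowPrivilegeEscalation: true`, the page should present the manual option first and say how to check the current limit. "using a built-in `nonroot-v2` which is more secure" is also missing the noun (SCC).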