K8s: sys_resource revision #1509
be0f779
sys_resource revision
kaitlynmichael daca872
Update content/operate/kubernetes/deployment/helm.md
kaitlynmichael c344927
Update content/operate/kubernetes/deployment/helm.md
kaitlynmichael 66ff6a7
K8s: Wisconsin maint 2 release notes (#1500)
kaitlynmichael 124bfb4
DOC-5201 added release notes for RDI v1.6.7
andy-stark-redis 6a3443d
DOC-5197 remove mentions of Debezium in RDI config docs
andy-stark-redis 71c7775
Add docs for CLIENT LIST new input/output stats (#1475)
minchopaskal d358802
deleted unused images in /static/images/rc and /static/images/rv
cmilesb de5ec64
Handle duplicate images
cmilesb d03d7b7
Replace missing images
cmilesb aea2cf0
Sizing
cmilesb 66ff624
Update RQE _index.md
mich-elle-luna 8ac6c51
DOC-5205 RS: Emphasize upgrade prerequisites (#1512)
rrelledge 83994fb
K8s: relref fixes (#1517)
kaitlynmichael abaaee8
Allow tag with v prefix (#1522)
paoloredis 07c4acc
RC BYOC: Fix IAM credential steps and relref
cmilesb 990fc00
Create hugo shortcode for embedding external json files (#1521)
paoloredis ad37a33
DEV: (MOD-9575) memory reporting updates (#1508)
dwdougherty b81e005
Update index.md (#1526)
nickbouldien 351e628
DOC-5216 RS: Added bigstore_enabled to node REST API reference (#1527)
rrelledge 790c761
add alias for link used in redis.io blog (#1518)
kaitlynmichael c12ffc5
x86 vs ARM note (#1501)
kaitlynmichael 2a1c7c0
Fix formatting issue
cmilesb 233670f
review suggestions
kaitlynmichael
128 changes: 128 additions & 0 deletions
128
content/operate/kubernetes/security/allow-resource-adjustment.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
--- | ||
categories: | ||
- docs | ||
- operate | ||
- kubernetes | ||
description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits. | ||
linkTitle: Auto resource adjustment | ||
title: Allow automatic resource adjustment | ||
weight: 98 | ||
--- | ||
|
||
Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. | ||
|
||
## Default behavior | ||
|
||
Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed. | ||
|
||
If automatic resource adjustment is disabled, the REC security context looks like this: | ||
|
||
```yaml | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
capabilities: | ||
drop: | ||
- ALL | ||
privileged: false | ||
readOnlyRootFilesystem: false | ||
``` | ||
|
||
## Enable automatic resource adjustment | ||
|
||
To allow the Redis Enterprise container to adjust system resource limits automatically, set `allowAutoAdjustment` to `true`. This will grant the container elevated capabilities such as `SYS_RESOURCE`. Note that changing this value on a running cluster will trigger a rolling update. | ||
|
||
```yaml | ||
spec: | ||
securityContext: | ||
resourceLimits: | ||
allowAutoAdjustment: true | ||
``` | ||
|
||
Enabling automatic resource adjustment results in the following security context: | ||
|
||
**Note:** Enabling `allowAutoAdjustment` grants the container the `SYS_RESOURCE` capability and permits privilege escalation. | ||
|
||
```yaml | ||
securityContext: | ||
allowPrivilegeEscalation: true | ||
capabilities: | ||
add: | ||
- SYS_RESOURCE | ||
drop: | ||
- ALL | ||
privileged: false | ||
readOnlyRootFilesystem: false | ||
``` | ||
|
||
## OpenShift upgrades | ||
|
||
If you're upgrading OpenShift to 7.22.0-6, update your existing SCC (security context constraint). | ||
|
||
If running with automatic resource adjustment disabled, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after you complete the upgrade. | ||
|
||
```sh | ||
oc delete scc/redis-enterprise-scc-v2 | ||
``` | ||
|
||
```sh | ||
oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z <service-account-name> | ||
``` | ||
|
||
If running with automatic resource adjustment enabled, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})). | ||
|
||
```sh | ||
oc apply -f openshift/scc.yaml | ||
``` | ||
|
||
```sh | ||
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ | ||
system:serviceaccount:<my-project>:<rec-name> | ||
``` | ||
|
||
## New OpenShift installations | ||
|
||
New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using a built-in `nonroot-v2` which is more secure and less permissive. | ||
|
||
To enable automatic resource adjustment after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC. | ||
|
||
1. Apply the `scc.yaml` file. | ||
|
||
{{<warning>}} | ||
Do not edit this file. | ||
{{</warning>}} | ||
|
||
```sh | ||
oc apply -f openshift/scc.yaml | ||
``` | ||
|
||
You should see the following output: | ||
|
||
```sh | ||
securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured | ||
``` | ||
|
||
1. Provide the operator permissions for the pods. | ||
|
||
```sh | ||
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ | ||
system:serviceaccount:<my-project>:<rec> | ||
``` | ||
|
||
## SYS_RESOURCE | ||
|
||
Some Redis Enterprise processes may require the `SYS_RESOURCE` capability to raise resource limits, such as the maximum number of open file descriptors. | ||
|
||
Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and `SYS_RESOURCE` is not enabled, these processes may fail. | ||
|
||
## Choose whether to enable automatic resource adjustment | ||
|
||
Use the following guidance to decide whether to enable automatic resource adjustment: | ||
|
||
- If you're running on a major cloud provider such as AWS, GKE, or AKS, automatic resource adjustment disabled is likely sufficient. | ||
- If you're running on-prem or using Kubespray, verify your file descriptor limits. You can: | ||
- Configure limits manually and use automatic resource adjustment disabled. | ||
- Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation. | ||
|
||
If you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use automatic resource adjustment disabled. | ||
|
||
Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. The only known exception is clusters created with [Kubespray](https://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled. |
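Review bot: The SCC binding and unbinding commands in the OpenShift sections use three different placeholders for what is the same service account (`-z <service-account-name>`, `system:serviceaccount:<my-project>:<rec-name>` and `system:serviceaccount:<my-project>:<rec>`); pick one form so an operator removing the `redis-enterprise-scc-v2` grant after an upgrade unbinds the account that was actually bound. In the same section, "If you're upgrading OpenShift to 7.22.0-6" reads as if OpenShift carries that version; it should say upgrading Redis Enterprise for Kubernetes on OpenShift to 7.22.0-6. Under "New OpenShift installations", `nonroot-v2` is missing the word SCC, and the guidance "verify your file descriptor limits" would be more actionable if it named what to check (the open-files limit that container processes inherit on each worker node, which must allow the 100,000 descriptors stated in the SYS_RESOURCE section) so that on-prem and Kubespray users can confirm the limit before choosing to keep `allowAutoAdjustment` off. Finally, the **Note** about `SYS_RESOURCE` and privilege escalation sits between "results in the following security context:" and the YAML it introduces; moving it after the block keeps the sentence attached to its example.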