From de1ee861ba51b13fb3b693c3f74e3b95645853b4 Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Tue, 6 May 2025 11:43:14 -0500 Subject: [PATCH 1/5] sys_resource revision --- content/operate/kubernetes/deployment/helm.md | 11 +- .../deployment/openshift/openshift-cli.md | 11 ++ .../openshift/openshift-operatorhub.md | 11 +- .../kubernetes/deployment/quick-start.md | 14 +- .../security/allow-resource-adjustment.md | 128 ++++++++++++++++++ .../security/enable-privileged-mode.md | 123 ----------------- 6 files changed, 168 insertions(+), 130 deletions(-) create mode 100644 content/operate/kubernetes/security/allow-resource-adjustment.md delete mode 100644 content/operate/kubernetes/security/enable-privileged-mode.md diff --git a/content/operate/kubernetes/deployment/helm.md b/content/operate/kubernetes/deployment/helm.md index 5c6665dd7f..9b9e9f4ad6 100644 --- a/content/operate/kubernetes/deployment/helm.md +++ b/content/operate/kubernetes/deployment/helm.md @@ -9,7 +9,6 @@ description: Install Redis Enterprise for Kubernetes version 7.8.6 using Helm ch linkTitle: Helm weight: 11 --- - Helm charts provide a simple way to install the Redis Enterprise for Kubernetes operator in just a few steps. For more information about Helm, go to [https://helm.sh/docs/](https://helm.sh/docs/). {{}} This feature is currently in public preview and is not supported on production workloads. Only new installations of the Redis operator are supported at this time. The steps for [creating the RedisEnterpriseCluster (REC)]({{}}) and other custom resources remain the same.{{}} 
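Review bot: the blank line after the closing front-matter `---` is dropped in this helm.md hunk, and again in the openshift-operatorhub.md and quick-start.md hunks of this same patch, while the openshift-cli.md hunk in this patch adds one; settle on one convention for the four pages instead of flipping it per file, since nothing in the change depends on it.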
@@ -21,6 +20,8 @@ Helm charts provide a simple way to install the Redis Enterprise for Kubernetes - [Kubernetes client (kubectl)](https://kubernetes.io/docs/tasks/tools/). - [Helm 3.10 or later](https://helm.sh/docs/intro/install/). +If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. + ### Example values The steps below use the following placeholders to indicate command line parameters you must provide: @@ -52,6 +53,10 @@ To install with Openshift, add `--set openshift.mode=true`. To monitor the installation add the `--debug` flag. The installation runs several jobs synchronously and may take a few minutes to complete. +{{}} +If you want the operator to automatically manage file descriptor limits, make sure to set `allowAutoAdjustment=true` when installing the chart. This requires enabling privilege escalation for the Redis Enterprise container. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for more information. +{{}} + ### Install from local directory 1. Find the latest release on the [redis-enterprise-k8s-docs](https://github.com/RedisLabs/redis-enterprise-k8s-docs/releases) repo and download the `tar.gz` source code into a local directory. 
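Review bot: the paragraph added in the `@@ -21,6 +20,8 @@` hunk links to `/operate/kubernetes/security/enable-privileged-mode.md`, but this very patch deletes that file (`delete mode 100644 content/operate/kubernetes/security/enable-privileged-mode.md` in the diffstat) and creates `allow-resource-adjustment.md` in its place, so the `relref` points at a page that will not exist and Hugo will fail the build on it. Change the target to `/operate/kubernetes/security/allow-resource-adjustment` (patch 4/5 does this for helm.md, but the same stale target is repeated in every page touched here). "100k" should also read "100,000" to match the figure the new page uses.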
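Review bot: the note in the `@@ -52,6 +53,10 @@` hunk tells readers to pass `allowAutoAdjustment=true` to `helm install`, but the new allow-resource-adjustment.md page documents `allowAutoAdjustment` as a field of the REC spec (`spec.securityContext.resourceLimits.allowAutoAdjustment`), and the chart installs the operator, not the RedisEnterpriseCluster resource. Unless the chart really exposes a value of that name, this sends users to a `--set` that does nothing; say instead that the setting is made on the REC after the chart is installed, and point the link at `allow-resource-adjustment` rather than the deleted `enable-privileged-mode.md`.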
@@ -74,6 +79,10 @@ To monitor the installation add the `--debug` flag. The installation runs severa 2. Install the Helm chart, overriding specific value defaults using `--set`. +{{}} +To enable automatic resource adjustment during installation, include `--set allowAutoAdjustment=true`. This requires elevated container capabilities. For more information, see [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). +{{}} + ```sh helm install redis/redis-enterprise-operator \ --version \ diff --git a/content/operate/kubernetes/deployment/openshift/openshift-cli.md b/content/operate/kubernetes/deployment/openshift/openshift-cli.md index 16b8f03859..8d0aa786b7 100644 --- a/content/operate/kubernetes/deployment/openshift/openshift-cli.md +++ b/content/operate/kubernetes/deployment/openshift/openshift-cli.md @@ -10,6 +10,7 @@ description: Redis Enterprise for Kubernetes and cluster can be installed via CL linkTitle: OpenShift CLI weight: 60 --- + Use these steps to set up a Redis Enterprise Software cluster with OpenShift. ## Prerequisites 
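Review bot: the note in the `@@ -74,6 +79,10 @@` hunk repeats the one added at line 53 twenty lines earlier (same `--set allowAutoAdjustment=true` instruction, same link to the deleted `enable-privileged-mode.md` page). One mention, worded in terms of the REC spec field rather than a chart value, is enough; patch 4/5 removes both notes, which is the cleaner result.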
@@ -17,6 +18,8 @@ Use these steps to set up a Redis Enterprise Software cluster with OpenShift. - [OpenShift cluster](https://docs.openshift.com/container-platform/4.8/installing/index.html) with at least 3 nodes (each meeting the [minimum requirements for a development installation]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}})) - [OpenShift CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html) +If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. + To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). ## Deploy the operator 
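Review bot: the paragraph added in the `@@ -17,6 +18,8 @@` hunk is the fourth verbatim copy of the same text across helm.md, openshift-cli.md, openshift-operatorhub.md and quick-start.md, each with the same link to the deleted `enable-privileged-mode.md` page and the same "100k"; patches 2/5 to 4/5 then have to chase every copy separately. Keep the guidance on the dedicated page with a one-sentence pointer here, or put the shared paragraph in a shortcode so it is edited once.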
@@ -80,6 +83,10 @@ To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{< You can rename the file to `.yaml`, but it is not required. Examples below use `.yaml`. [Options for Redis Enterprise clusters]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API]({{}}) for a full list of options. + {{}} + Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. + {{}} + The REC name cannot be changed after cluster creation. {{}} @@ -88,6 +95,10 @@ Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are no 2. Apply the custom resource file to create your Redis Enterprise cluster. + {{}} + If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. + {{}} + ```sh oc apply -f .yaml ``` diff --git a/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md b/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md index 57763b9f39..23192f26d0 100644 --- a/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md +++ b/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md 
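Review bot: the line quoted in the `@@ -80,6 +83,10 @@` hunk header, "To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]", sits just above this hunk, still points at the page this patch deletes and still uses the "privileged mode" wording the patch is retiring; it should be updated in the same change (patch 4/5 rewrites it, but the page should not ship with a dangling link in between). The note added in this hunk links to the same stale `enable-privileged-mode.md` target.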
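Review bot: "Ensure your security context allows it" in the `@@ -88,6 +95,10 @@` hunk is too vague to act on for OpenShift. What gates `SYS_RESOURCE` and `allowPrivilegeEscalation: true` there is the SCC bound to the REC service account, not the pod's own security context: if `redis-enterprise-scc-v2` has not been applied and granted with `oc adm policy add-scc-to-user` (the steps under "New OpenShift installations" on the new page), SCC admission rejects the pods the operator creates. Say that explicitly, link to those steps, and place the note before the `oc apply` rather than at it.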
@@ -10,9 +10,10 @@ description: OpenShift provides the OperatorHub where you can install the Redis linkTitle: OpenShift OperatorHub weight: 70 --- - You can deploy Redis Enterprise for Kubernetes from the Red Hat OpenShift CLI. You can also use a UI, [OperatorHub](https://docs.openshift.com/container-platform/4.11/operators/index.html) (Red Hat) to install operators and create custom resources. +If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. + To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). ## Install the Redis Enterprise operator 
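Review bot: the added paragraph in the `@@ -10,9 +10,10 @@` hunk carries the same stale relref to `enable-privileged-mode.md` (deleted by this patch) and the same "100k" as the other pages; the target should be `/operate/kubernetes/security/allow-resource-adjustment` and the figure "100,000". The blank line after the front matter is removed here but added in openshift-cli.md in the same patch.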
@@ -53,11 +54,13 @@ To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{< The **Installed Operators**->**Operator details** page shows the provided APIs: **RedisEnterpriseCluster** and **RedisEnterpriseDatabase**. You can select **Create instance** to create custom resources using the OperatorHub interface. -Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view. - The REC name cannot be changed after cluster creation. +Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view. -{{}} In versions 6.4.2-4 and 6.4.2-5, REC creation might fail when using the form view due to an error related to the cluster level LDAP. To avoid this, use the YAML view. +{{}} +Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. {{}} + The REC name cannot be changed after cluster creation. + For more information on creating and maintaining Redis Enterprise custom resources, see [Redis Enterprise clusters (REC)]({{< relref "/operate/kubernetes/re-clusters/" >}}) and [Redis Enterprise databases (REDB)]({{< relref "/operate/kubernetes/re-databases/" >}}). diff --git a/content/operate/kubernetes/deployment/quick-start.md b/content/operate/kubernetes/deployment/quick-start.md index fb37c4b766..b498200dd7 100644 --- a/content/operate/kubernetes/deployment/quick-start.md +++ b/content/operate/kubernetes/deployment/quick-start.md 
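Review bot: the result of the `@@ -53,11 +54,13 @@` hunk contains "The REC name cannot be changed after cluster creation." twice: once as the context line at the top, immediately followed by the re-added "Use the YAML view..." line with no blank line between them, so the two render as one paragraph, and once again just before "For more information...". The hunk also silently drops the note about REC creation failing in the form view on 6.4.2-4 and 6.4.2-5 because of the cluster-level LDAP error; if that known issue is obsolete, remove it in its own change with a commit message that says so, otherwise keep it next to the new note. The new note links to the deleted `enable-privileged-mode.md` page as well.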
@@ -9,7 +9,6 @@ description: How to install Redis Enterprise Software for Kubernetes. linkTitle: Kubernetes weight: 10 --- - To deploy Redis Enterprise Software for Kubernetes and start your Redis Enterprise cluster (REC), you need to do the following: - Create a new namespace in your Kubernetes cluster. @@ -27,7 +26,10 @@ To deploy Redis Enterprise for Kubernetes, you'll need: - minimum of three worker nodes - Kubernetes client (kubectl) - access to DockerHub, RedHat Container Catalog, or a private repository that can hold the required images. -NOTE: If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported. + +If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. + +{{}}If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.{{}} ### Create a new namespace 
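Review bot: in the `@@ -27,7 +26,10 @@` hunk the relref targets `enable-privileged-mode.md`, the page this patch deletes, and uses "100k" where the new page says 100,000; point it at `/operate/kubernetes/security/allow-resource-adjustment`. Turning the bare `NOTE:` line into the note shortcode is a good cleanup.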
@@ -114,6 +116,10 @@ that contains cluster specifications. The following example creates a minimal Redis Enterprise cluster. See the [RedisEnterpriseCluster API reference]({{}}) for more information on the various options available. +{{}} +Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. +{{}} + 1. Create a file that defines a Redis Enterprise cluster with three nodes. {{}} @@ -151,6 +157,10 @@ Each cluster must have at least 3 nodes. Single-node RECs are not supported. See the [Redis Enterprise hardware requirements]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}}) for more information on sizing Redis Enterprise node resource requests. + {{}} + If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. + {{}} + 1. Apply your custom resource file in the same namespace as `my-rec.yaml`. ```sh diff --git a/content/operate/kubernetes/security/allow-resource-adjustment.md b/content/operate/kubernetes/security/allow-resource-adjustment.md new file mode 100644 index 0000000000..b3be0f7800 --- /dev/null +++ b/content/operate/kubernetes/security/allow-resource-adjustment.md 
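Review bot: the note added in the `@@ -114,6 +116,10 @@` hunk links to the deleted `enable-privileged-mode.md` page, and it says almost the same thing as the note added forty lines later in the `@@ -151,6 +157,10 @@` hunk; keep one, with the link corrected to `/operate/kubernetes/security/allow-resource-adjustment`.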
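Review bot: "Ensure your security context allows it" in the `@@ -151,6 +157,10 @@` hunk does not tell a Kubernetes user what to check. With `allowAutoAdjustment: true` the pods the operator creates request `SYS_RESOURCE` and `allowPrivilegeEscalation: true` (the security context shown on the new page); a namespace that enforces the `baseline` or `restricted` Pod Security Standard rejects such a pod at admission, and most policy engines with an equivalent rule do the same. Name the namespace-level admission policy as the thing to verify before `kubectl apply`, and say that pod creation, not the REC object, is what fails.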
@@ -0,0 +1,128 @@ +--- +categories: +- docs +- operate +- kubernetes +description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits. +linkTitle: Auto resource adjustment +title: Allow automatic resource adjustment +weight: 98 +--- + +Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. + +## Default behavior + +Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed. + +If automatic resource adjustment is disabled, the REC security context looks like this: + +```yaml +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false +``` + +## Enable automatic resource adjustment + +To allow the Redis Enterprise container to adjust system resource limits automatically, set `allowAutoAdjustment` to `true`. This will grant the container elevated capabilities such as `SYS_RESOURCE`. Note that changing this value on a running cluster will trigger a rolling update. + +```yaml +spec: + securityContext: + resourceLimits: + allowAutoAdjustment: true +``` + +Enabling automatic resource adjustment results in the following security context: + +**Note:** Enabling `allowAutoAdjustment` grants the container the `SYS_RESOURCE` capability and permits privilege escalation. 
+ +```yaml +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - SYS_RESOURCE + drop: + - ALL + privileged: false + readOnlyRootFilesystem: false +``` + +## OpenShift upgrades + +If you're upgrading OpenShift to 7.22.0-6, update your existing SCC (security context constraint). + +If running with automatic resource adjustment disabled, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after you complete the upgrade. + +```sh +oc delete scc/redis-enterprise-scc-v2 +``` + +```sh +oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z +``` + +If running with automatic resource adjustment enabled, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})). + +```sh +oc apply -f openshift/scc.yaml +``` + +```sh +oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ + system:serviceaccount:: +``` + +## New OpenShift installations + +New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using a built-in `nonroot-v2` which is more secure and less permissive. + +To enable automatic resource adjustment after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC. + +1. Apply the `scc.yaml` file. + + {{}} +Do not edit this file. + {{}} + + ```sh + oc apply -f openshift/scc.yaml + ``` + + You should see the following output: + + ```sh + securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured + ``` + +1. Provide the operator permissions for the pods. 
+ + ```sh + oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ + system:serviceaccount:: + ``` + +## SYS_RESOURCE + +Some Redis Enterprise processes may require the `SYS_RESOURCE` capability to raise resource limits, such as the maximum number of open file descriptors. + +Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and `SYS_RESOURCE` is not enabled, these processes may fail. + +## Choose whether to enable automatic resource adjustment + +Use the following guidance to decide whether to enable automatic resource adjustment: + +- If you're running on a major cloud provider such as AWS, GKE, or AKS, automatic resource adjustment disabled is likely sufficient. +- If you're running on-prem or using Kubespray, verify your file descriptor limits. You can: + - Configure limits manually and use automatic resource adjustment disabled. + - Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation. + +If you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use automatic resource adjustment disabled. + +Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. The only known exception is clusters created with [Kubespray](https://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled. diff --git a/content/operate/kubernetes/security/enable-privileged-mode.md b/content/operate/kubernetes/security/enable-privileged-mode.md deleted file mode 100644 index 31ecba4f74..0000000000 
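Review bot: the new page tells readers to set `allowAutoAdjustment: true` but, unlike the page it replaces, no longer explains what that grants: the deleted enable-privileged-mode.md opened with a paragraph on `SecurityContext`, `allowPrivilegeEscalation` and Linux capabilities, with links to the Kubernetes API reference and the capabilities man page, and that is exactly what a reader needs to weigh `SYS_RESOURCE` plus privilege escalation against raising the node limit by hand. Carry that paragraph over, ideally next to the `**Note:** Enabling allowAutoAdjustment grants the container the SYS_RESOURCE capability...` sentence, and turn that bold note into the note shortcode used elsewhere on the page; as written it sits between "results in the following security context:" and the YAML block that sentence introduces. Further points in this hunk: "If you're upgrading OpenShift to 7.22.0-6" should say Redis Enterprise for Kubernetes 7.22.0-6, since that is the operator version, not an OpenShift version; `oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z` ends without a service-account argument and `system:serviceaccount::` in the two `add-scc-to-user` commands has nothing between the colons, so whatever placeholders are intended need to survive rendering; the expected output after the first `oc apply -f openshift/scc.yaml` on a new installation is `securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" created`, with `configured` appearing only when the SCC already existed; "a built-in `nonroot-v2` which is more secure" is missing the noun (SCC); "Configure limits manually" would be actionable if it said where the limit lives (a container inherits `RLIMIT_NOFILE` from the container runtime process, so on systemd hosts it is normally the runtime service's `LimitNOFILE`) and how to verify it (`ulimit -n` inside a pod scheduled on the node), since that is the option that avoids granting the capability at all; and the "SYS_RESOURCE" and "Choose whether to enable automatic resource adjustment" sections repeat each other's 100,000-descriptor point and could be merged.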
--- a/content/operate/kubernetes/security/enable-privileged-mode.md +++ /dev/null 
@@ -1,123 +0,0 @@ ---- -categories: -- docs -- operate -- kubernetes -description: Enable adding additional capabilities to the security context for the Redis Enterprise container by enabling `allowAutoAdjustment`. -linkTitle: Enable privileged mode -title: Enable privileged mode -weight: 98 ---- - -[Security settings for Kubernetes pods](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) are configured in the [`SecurityContext`](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#securitycontext-v1-core). The `allowPrivilegeEscalation` field controls if a container can gain more privileges than its parent process. - -If `allowPrivilegeEscalation` is set to `true` the container can have additional [Linux capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) (such as `SYS_RESOURCE`) and is considered to be running in **privileged mode**. - -Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run in **unprivileged mode**, where all capabilities are dropped from the Redis Enterprise container and `allowPrivilegeEscalation` is set to `false`. All other security-related settings remain the same as in privileged mode. Unprivileged mode is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. - -## Default behavior - -**Unprivileged mode** is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed. - -The REC security context will look like this in unprivileged mode: - -```yaml -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false -``` - -## Enable privileged mode - -To allow the Redis Enterprise container additional capabilities, you can enable **privileged mode**. 
Note that changing the following value on a running cluster will trigger a rolling update. - -To enable **privileged mode**, set `allowAutoAdjustment` to `true`. - -```yaml -spec: - securityContext: - resourceLimits: - allowAutoAdjustment: true -``` - -Allowing automatic resource limit adjustment will result in the security context looking like this: - -```yaml -securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_RESOURCE - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false -``` - -OpenShift users upgrading to 7.22.0-6 need to make changes to your existing SCC (security context constraint). - -## OpenShift upgrades - -If running in **unprivileged mode**, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after completing your upgrade. - -```sh -oc delete scc/redis-enterprise-scc-v2 -``` - -```sh -oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z -``` - -If running in **privileged mode**, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})). - -```sh -oc apply -f openshift/scc.yaml -``` - -```sh -oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ - system:serviceaccount:: -``` - -## New OpenShift installations - -New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run in **unprivileged mode**, using a built-in `nonroot-v2` which is less permissive and more secure. - -To enable **privileged mode** after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC. - -1. Apply the `scc.yaml` file. - - {{}} -Do not edit this file. 
- {{}} - - ```sh - oc apply -f openshift/scc.yaml - ``` - - You should receive the following response: - - ```sh - securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured - ``` - -1. Provide the operator permissions for the pods. - - ```sh - oc adm policy add-scc-to-user redis-enterprise-scc-v2 \ - system:serviceaccount:: - ``` - -## SYS_RESOURCE - -The `SYS_RESOURCE` capability may be required if processes in the container need to raise resource limits, such as the maximum number of open file descriptors. - -Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default limit is lower and the container lacks the `SYS_RESOURCE` capability, the process may fail repeatedly, rendering the cluster unusable. To use unprivileged mode, configure your Kubernetes worker nodes to ensure a default file descriptor limit of at least 100,000. - -If you are already running a Redis Enterprise Cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use unprivileged mode. - -Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These setups are compatible with unprivileged mode. The only known exception is clusters created with [Kubespray](hhttps://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator in privileged mode. From 0654b24d701d02cb809b2d7ae53a36dc20be4fe4 Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael <76962844+kaitlynmichael@users.noreply.github.com> Date: Wed, 7 May 2025 14:02:19 -0500 Subject: [PATCH 2/5] Update content/operate/kubernetes/deployment/helm.md Co-authored-by: David Dougherty --- content/operate/kubernetes/deployment/helm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
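Review bot: deleting enable-privileged-mode.md removes a published URL with nothing taking its place; add `aliases: ["/operate/kubernetes/security/enable-privileged-mode/"]` to the front matter of allow-resource-adjustment.md so bookmarks and external links redirect (Hugo aliases do not satisfy `relref`, so the in-repo links still need the real target). The `hhttps://kubespray.io/#/` typo in the deleted text is corrected in the new page, which is fine.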
diff --git a/content/operate/kubernetes/deployment/helm.md b/content/operate/kubernetes/deployment/helm.md index 9b9e9f4ad6..5d54bea3fb 100644 --- a/content/operate/kubernetes/deployment/helm.md +++ b/content/operate/kubernetes/deployment/helm.md @@ -20,7 +20,7 @@ Helm charts provide a simple way to install the Redis Enterprise for Kubernetes - [Kubernetes client (kubectl)](https://kubernetes.io/docs/tasks/tools/). - [Helm 3.10 or later](https://helm.sh/docs/intro/install/). -If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. ### Example values From b069af5c8f1387c29e31219851416c69e7c350dd Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael <76962844+kaitlynmichael@users.noreply.github.com> Date: Wed, 7 May 2025 14:02:32 -0500 Subject: [PATCH 3/5] Update content/operate/kubernetes/deployment/helm.md Co-authored-by: David Dougherty --- content/operate/kubernetes/deployment/helm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/operate/kubernetes/deployment/helm.md b/content/operate/kubernetes/deployment/helm.md index 5d54bea3fb..4a24469770 100644 
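Review bot: dropping the `.md` from the relref in this helm.md hunk does not fix the link; `/operate/kubernetes/security/enable-privileged-mode` is still the page patch 1/5 deletes, so the build still breaks on it. The target has to be `/operate/kubernetes/security/allow-resource-adjustment`, which patch 4/5 eventually applies to this same line.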
--- a/content/operate/kubernetes/deployment/helm.md +++ b/content/operate/kubernetes/deployment/helm.md @@ -80,7 +80,7 @@ To monitor the installation add the `--debug` flag. The installation runs severa 2. Install the Helm chart, overriding specific value defaults using `--set`. {{}} -To enable automatic resource adjustment during installation, include `--set allowAutoAdjustment=true`. This requires elevated container capabilities. For more information, see [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). +To enable automatic resource adjustment during installation, include `--set allowAutoAdjustment=true`. This requires elevated container capabilities. For more information, see [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). {{}} ```sh From d40a4ccd25110e9eadc720055fe957db1cac9c83 Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Thu, 8 May 2025 15:37:58 -0500 Subject: [PATCH 4/5] review suggestions --- content/operate/kubernetes/deployment/helm.md | 10 +--------- .../kubernetes/deployment/openshift/openshift-cli.md | 10 ++++------ .../deployment/openshift/openshift-operatorhub.md | 8 +++----- content/operate/kubernetes/deployment/quick-start.md | 4 ++-- 4 files changed, 10 insertions(+), 22 deletions(-) diff --git a/content/operate/kubernetes/deployment/helm.md b/content/operate/kubernetes/deployment/helm.md index 4a24469770..3595998800 100644 --- a/content/operate/kubernetes/deployment/helm.md +++ b/content/operate/kubernetes/deployment/helm.md 
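Review bot: the relref in this helm.md hunk still targets `/operate/kubernetes/security/enable-privileged-mode`, the page deleted in patch 1/5, so removing `.md` leaves it dangling; and the entire note is removed again in patch 4/5. Patches 2/5 and 3/5 could be squashed into 4/5 rather than shipping an intermediate state with broken links.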
@@ -20,7 +20,7 @@ Helm charts provide a simple way to install the Redis Enterprise for Kubernetes - [Kubernetes client (kubectl)](https://kubernetes.io/docs/tasks/tools/). - [Helm 3.10 or later](https://helm.sh/docs/intro/install/). -If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. ### Example values 
@@ -53,10 +53,6 @@ To install with Openshift, add `--set openshift.mode=true`. To monitor the installation add the `--debug` flag. The installation runs several jobs synchronously and may take a few minutes to complete. -{{}} -If you want the operator to automatically manage file descriptor limits, make sure to set `allowAutoAdjustment=true` when installing the chart. This requires enabling privilege escalation for the Redis Enterprise container. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for more information. -{{}} - ### Install from local directory 1. Find the latest release on the [redis-enterprise-k8s-docs](https://github.com/RedisLabs/redis-enterprise-k8s-docs/releases) repo and download the `tar.gz` source code into a local directory. @@ -79,10 +75,6 @@ To monitor the installation add the `--debug` flag. The installation runs severa 2. Install the Helm chart, overriding specific value defaults using `--set`. -{{}} -To enable automatic resource adjustment during installation, include `--set allowAutoAdjustment=true`. This requires elevated container capabilities. For more information, see [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). -{{}} - ```sh helm install redis/redis-enterprise-operator \ --version \ diff --git a/content/operate/kubernetes/deployment/openshift/openshift-cli.md b/content/operate/kubernetes/deployment/openshift/openshift-cli.md index 8d0aa786b7..e55007d67e 100644 --- a/content/operate/kubernetes/deployment/openshift/openshift-cli.md +++ b/content/operate/kubernetes/deployment/openshift/openshift-cli.md 
@@ -18,10 +18,10 @@ Use these steps to set up a Redis Enterprise Software cluster with OpenShift. - [OpenShift cluster](https://docs.openshift.com/container-platform/4.8/installing/index.html) with at least 3 nodes (each meeting the [minimum requirements for a development installation]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}})) - [OpenShift CLI](https://docs.openshift.com/container-platform/latest/cli_reference/openshift_cli/getting-started-cli.html) -If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. - To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). +{{}}If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.{{}} + ## Deploy the operator 1. Create a new project. 
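Review bot: the note in the `@@ -18,10 +18,10 @@` hunk still links to `/operate/kubernetes/security/enable-privileged-mode`, the page deleted in patch 1/5, while the helm.md hunk in this same patch was corrected to `/operate/kubernetes/security/allow-resource-adjustment`; apply the same target here. The "100k" to "100,000" change and the move into a note shortcode are fine.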
@@ -73,9 +73,7 @@ DO NOT modify or delete the StatefulSet created during the deployment process. D ## Security context constraints -Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. - -To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{}}). +Versions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment]({{}}). If you use the recommended default security constraints, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after upgrading. ## Create a Redis Enterprise cluster custom resource 
@@ -84,7 +82,7 @@ To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{< You can rename the file to `.yaml`, but it is not required. Examples below use `.yaml`. [Options for Redis Enterprise clusters]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API]({{}}) for a full list of options. {{}} - Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. + If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. {{}} The REC name cannot be changed after cluster creation. diff --git a/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md b/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md index 23192f26d0..37853e856c 100644 --- a/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md +++ b/content/operate/kubernetes/deployment/openshift/openshift-operatorhub.md 
@@ -12,7 +12,7 @@ weight: 70 --- You can deploy Redis Enterprise for Kubernetes from the Red Hat OpenShift CLI. You can also use a UI, [OperatorHub](https://docs.openshift.com/container-platform/4.11/operators/index.html) (Red Hat) to install operators and create custom resources. -If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +{{}}If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.{{}} To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). 
@@ -46,9 +46,7 @@ To see which version of Redis Enterprise for Kubernetes supports your OpenShift ## Security context constraints -Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account. - -To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{}}). +Versions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment]({{}}). If you use the recommended default security constraints, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after upgrading. ## Create Redis Enterprise custom resources 
@@ -58,7 +56,7 @@ The **Installed Operators**->**Operator details** page shows the provided APIs: Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view. {{}} -Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. {{}} The REC name cannot be changed after cluster creation. diff --git a/content/operate/kubernetes/deployment/quick-start.md b/content/operate/kubernetes/deployment/quick-start.md index b498200dd7..6ff78ae80a 100644 --- a/content/operate/kubernetes/deployment/quick-start.md +++ b/content/operate/kubernetes/deployment/quick-start.md 
@@ -27,7 +27,7 @@ To deploy Redis Enterprise for Kubernetes, you'll need: - Kubernetes client (kubectl) - access to DockerHub, RedHat Container Catalog, or a private repository that can hold the required images. -If you suspect your file descriptor limits are below 100k, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. {{}}If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.{{}} 
@@ -117,7 +117,7 @@ that contains cluster specifications. The following example creates a minimal Redis Enterprise cluster. See the [RedisEnterpriseCluster API reference]({{}}) for more information on the various options available. {{}} -Redis Enterprise may require the ability to adjust system resource limits, such as file descriptors. If you're unsure whether your container runtime provides high enough defaults (at least 100,000), you can allow the operator to adjust them automatically. See [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode.md" >}}) for details. +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. {{}} 1. Create a file that defines a Redis Enterprise cluster with three nodes. From 861d099b18242373d9b56623b43f52c0d3bfaafb Mon Sep 17 00:00:00 2001 From: Kaitlyn Michael Date: Wed, 4 Jun 2025 15:15:24 -0500 Subject: [PATCH 5/5] fix note formatting --- .../kubernetes/deployment/openshift/openshift-cli.md | 8 +++++--- content/operate/kubernetes/deployment/quick-start.md | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/content/operate/kubernetes/deployment/openshift/openshift-cli.md b/content/operate/kubernetes/deployment/openshift/openshift-cli.md index e55007d67e..522909b51b 100644 --- a/content/operate/kubernetes/deployment/openshift/openshift-cli.md +++ b/content/operate/kubernetes/deployment/openshift/openshift-cli.md 
@@ -20,7 +20,9 @@ Use these steps to set up a Redis Enterprise Software cluster with OpenShift. To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}). -{{}}If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.{{}} +{{}} +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +{{}} ## Deploy the operator 
@@ -82,7 +84,7 @@ Versions 7.22.0-6 and later run in without permissions to [allow automatic resou You can rename the file to `.yaml`, but it is not required. Examples below use `.yaml`. [Options for Redis Enterprise clusters]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API]({{}}) for a full list of options. {{}} - If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. +If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment. {{}} The REC name cannot be changed after cluster creation. @@ -94,7 +96,7 @@ Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are no 2. Apply the custom resource file to create your Redis Enterprise cluster. {{}} - If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. +If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. {{}} ```sh 
diff --git a/content/operate/kubernetes/deployment/quick-start.md b/content/operate/kubernetes/deployment/quick-start.md index 6ff78ae80a..23bc34bb50 100644 --- a/content/operate/kubernetes/deployment/quick-start.md +++ b/content/operate/kubernetes/deployment/quick-start.md @@ -158,7 +158,7 @@ Each cluster must have at least 3 nodes. Single-node RECs are not supported. See the [Redis Enterprise hardware requirements]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}}) for more information on sizing Redis Enterprise node resource requests. {{}} - If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. +If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it. {{}} 1. Apply your custom resource file in the same namespace as `my-rec.yaml`.
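Review bot: the relref targets are inconsistent across the series. The quick-start.md hunks (`@@ -27,7 +27,7 @@` and `@@ -117,7 +117,7 @@` in PATCH 1/5) link to `/operate/kubernetes/security/allow-resource-adjustment`, but every other rewritten note, in openshift-cli.md and openshift-operatorhub.md in PATCH 1/5 and again in the reformatted openshift-cli.md notes in PATCH 5/5, still links to `/operate/kubernetes/security/enable-privileged-mode` while using the link text "Allow automatic resource adjustment". A `relref` to a page that does not exist fails the Hugo build, so pick one path (the `allow-resource-adjustment` one the quick start already uses) and apply it to all six notes in one commit rather than leaving PATCH 5/5 to re-touch the stale links.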
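Review bot: the replacement sentence in the "Security context constraints" hunks (`@@ -73,9 +73,7 @@` in openshift-cli.md and `@@ -46,9 +46,7 @@` in openshift-operatorhub.md) is ungrammatical and drops the security guidance the old text carried. `Versions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment]` is missing a word after "run in", and the following sentence refers to "the recommended default security constraints" although the recommendation itself (unprivileged mode is the more secure default) was deleted with the old paragraph. Suggested wording: `Versions 7.22.0-6 and later run in unprivileged mode by default, without the additional permissions needed to [allow automatic resource adjustment](...). We recommend keeping this default unless you specifically need automatic adjustment. If you keep it, remove the existing \`redis-enterprise-scc-v2\` SCC and unbind it from the REC service account after upgrading.` Also confirm the relref target in that sentence resolves; it is not visible in the hunk as rendered here.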
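Review bot: the helm.md hunks (`@@ -53,10 +53,6 @@` and `@@ -79,10 +75,6 @@`) remove both notes that told Helm users to pass `--set allowAutoAdjustment=true` and that this "requires enabling privilege escalation for the Redis Enterprise container". After this change the Helm page no longer mentions the chart value at all, so a reader who needs automatic resource adjustment has no way to discover how to enable it from the install page. Either keep a one-line note pointing at the value, or make sure the "Allow automatic resource adjustment" page documents the Helm install path (the `allowAutoAdjustment` value and the privilege-escalation requirement) before these notes are dropped.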
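Review bot: the "apply the custom resource" notes in PATCH 5/5 (`@@ -94,7 +96,7 @@` in openshift-cli.md and `@@ -158,7 +158,7 @@` in quick-start.md) only change indentation, but the retained text is too vague to act on: "this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it." does not say which capabilities, where they are granted (the SCC on OpenShift, the pod security context elsewhere), or what the failure looks like if they are not allowed. Since the same notes are being touched anyway, tighten to present tense ("this step triggers") and add a link to the "Allow automatic resource adjustment" page, which is where those prerequisites are described, so the reader can verify the security context before applying the REC.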