Red Hat SummitChapter 3. Deploying OpenShift sandboxed containers on AWS
You can deploy OpenShift sandboxed containers on AWS Cloud Computing Services,
Red Hat OpenShift sandboxed containers on AWS Cloud Computing Services is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
You deploy OpenShift sandboxed containers by performing the following steps:
- Install the OpenShift sandboxed containers Operator on the OpenShift Container Platform cluster.
- Enable ports to allow internal communication with peer pods.
- Optional: If you select a custom pod VM image, you must configure a pull secret for the peer pod.
- Optional: Select a custom pod VM image.
- Create the peer pods config map.
- Optional: Customize the Kata agent policy.
-
Create the
KataConfigcustom resource. - Optional: Modify the number of virtual machines running on each worker node.
- Configure your workload for OpenShift sandboxed containers.
3.1. Prerequisites
- You have installed the latest version of Red Hat OpenShift Container Platform.
- Your OpenShift Container Platform cluster has at least one worker node.
- You have enabled ports 15150 and 9000 for communication in the subnet used for worker nodes and the pod virtual machine (VM). The ports enable communication between the Kata shim running on the worker node and the Kata agent running on the pod VM.
3.2. Installing the OpenShift sandboxed containers Operator
You install the OpenShift sandboxed containers Operator by using the command line interface (CLI).
Prerequisites
-
You have access to the cluster as a user with the
cluster-adminrole.
Procedure
Create an
osc-namespace.yamlmanifest file:apiVersion: v1 kind: Namespace metadata: name: openshift-sandboxed-containers-operatorCreate the namespace by running the following command:
$ oc create -f osc-namespace.yamlCreate an
osc-operatorgroup.yamlmanifest file:apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: sandboxed-containers-operator-group namespace: openshift-sandboxed-containers-operator spec: targetNamespaces: - openshift-sandboxed-containers-operatorCreate the operator group by running the following command:
$ oc create -f osc-operatorgroup.yamlCreate an
osc-subscription.yamlmanifest file:apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: name: sandboxed-containers-operator namespace: openshift-sandboxed-containers-operator spec: channel: stable installPlanApproval: Automatic name: sandboxed-containers-operator source: redhat-operators sourceNamespace: openshift-marketplace startingCSV: sandboxed-containers-operator.v1.10.3Create the subscription by running the following command:
$ oc create -f osc-subscription.yamlVerify that the Operator is correctly installed by running the following command:
$ oc get csv -n openshift-sandboxed-containers-operatorThis command can take several minutes to complete.
Watch the process by running the following command:
$ watch oc get csv -n openshift-sandboxed-containers-operatorExample output
NAME DISPLAY VERSION REPLACES PHASE openshift-sandboxed-containers openshift-sandboxed-containers-operator 1.10.3 1.9.0 Succeeded
3.3. Enabling ports for AWS
You must enable ports 15150 and 9000 to allow internal communication with peer pods running on AWS.
Prerequisites
- You have installed the OpenShift sandboxed containers Operator.
- You have installed the AWS command line tool.
-
You have access to the cluster as a user with the
cluster-adminrole.
Procedure
Log in to your OpenShift Container Platform cluster and retrieve the instance ID:
$ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' \ -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')Retrieve the AWS region:
$ AWS_REGION=$(oc get infrastructure/cluster -o jsonpath='{.status.platformStatus.aws.region}')Retrieve the security group IDs and store them in an array:
$ AWS_SG_IDS=($(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \ --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' \ --output text --region $AWS_REGION))For each security group ID, authorize the peer pods shim to access kata-agent communication, and set up the peer pods tunnel:
$ for AWS_SG_ID in "${AWS_SG_IDS[@]}"; do \ aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 15150 --source-group $AWS_SG_ID --region $AWS_REGION; \ aws ec2 authorize-security-group-ingress --group-id $AWS_SG_ID --protocol tcp --port 9000 --source-group $AWS_SG_ID --region $AWS_REGION; \ done
The ports are now enabled.
3.4. Creating the peer pods config map
You must create the peer pods config map.
Prerequisites
- You have an Amazon Machine Image (AMI) ID if you are not using the default AMI ID based on your cluster credentials.
Procedure
Obtain the following values from your AWS instance:
Retrieve and record the instance ID:
$ INSTANCE_ID=$(oc get nodes -l 'node-role.kubernetes.io/worker' \ -o jsonpath='{.items[0].spec.providerID}' | sed 's#[^ ]*/##g')This is used to retrieve other values for the secret object.
Retrieve and record the AWS region:
$ AWS_REGION=$(oc get infrastructure/cluster \ -o jsonpath='{.status.platformStatus.aws.region}') \ && echo "AWS_REGION: \"$AWS_REGION\""Retrieve and record the AWS subnet ID:
$ AWS_SUBNET_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \ --query 'Reservations[*].Instances[*].SubnetId' --region ${AWS_REGION} \ --output text) && echo "AWS_SUBNET_ID: \"$AWS_SUBNET_ID\""Retrieve and record the AWS VPC ID:
$ AWS_VPC_ID=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \ --query 'Reservations[*].Instances[*].VpcId' --region ${AWS_REGION} \ --output text) && echo "AWS_VPC_ID: \"$AWS_VPC_ID\""Retrieve and record the AWS security group IDs:
$ AWS_SG_IDS=$(aws ec2 describe-instances --instance-ids ${INSTANCE_ID} \ --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId' \ --region $AWS_REGION --output json | jq -r '.[][][]' | paste -sd ",") \ && echo "AWS_SG_IDS: \"$AWS_SG_IDS\""
Create a
peer-pods-cm.yamlmanifest file according to the following example:apiVersion: v1 kind: ConfigMap metadata: name: peer-pods-cm namespace: openshift-sandboxed-containers-operator data: CLOUD_PROVIDER: "aws" VXLAN_PORT: "9000" PROXY_TIMEOUT: "5m" PODVM_INSTANCE_TYPE: "t3.medium" PODVM_INSTANCE_TYPES: "t2.small,t2.medium,t3.large" PODVM_AMI_ID: "<podvm_ami_id>" AWS_REGION: "<aws_region>" AWS_SUBNET_ID: "<aws_subnet_id>" AWS_VPC_ID: "<aws_vpc_id>" AWS_SG_IDS: "<aws_sg_ids>" TAGS: "key1=value1,key2=value2" PEERPODS_LIMIT_PER_NODE: "10" ROOT_VOLUME_SIZE: "6" DISABLECVM: "true"PODVM_INSTANCE_TYPE- Defines the default instance type that is used if the instance type is not defined in the workload object.
PODVM_INSTANCE_TYPES- Specify the allowed instance types, without spaces, for creating the pod. You can define smaller instance types for workloads that need less memory and fewer CPUs or larger instance types for larger workloads.
PODVM_AMI_ID-
This value is populated when you run the
KataConfigCR, using an AMI ID based on your cluster credentials. If you create your own AMI, specify the correct AMI ID. TAGS-
You can configure custom tags as
key:valuepairs for pod VM instances to track peer pod costs or to identify peer pods in different clusters. PEERPODS_LIMIT_PER_NODE-
You can increase this value to run more peer pods on a node. The default value is
10. ROOT_VOLUME_SIZE- You can increase this value for pods with larger container images. Specify the root volume size in gigabytes for the pod VM. The default and minimum size is 6 GB.
Create the config map by running the following command:
$ oc create -f peer-pods-cm.yaml
3.5. Configuring the pull secret for peer pods
To pull pod VM images from a private registry, you must configure the pull secret for peer pods.
Then, you can link the pull secret to the default service account or you can specify the pull secret in the peer pod manifest.
Procedure
Set the
NSvariable to the namespace where you deploy your peer pods:$ NS=<namespace>Copy the pull secret to the peer pod namespace:
$ oc get secret pull-secret -n openshift-config -o yaml \ | sed "s/namespace: openshift-config/namespace: ${NS}/" \ | oc apply -n "${NS}" -f -You can use the cluster pull secret, as in this example, or a custom pull secret.
Optional: Link the pull secret to the default service account:
$ oc secrets link default pull-secret --for=pull -n ${NS}Alternatively, add the pull secret to the peer pod manifest:
apiVersion: v1 kind: <Pod> spec: containers: - name: <container_name> image: <image_name> imagePullSecrets: - name: pull-secret # ...
3.6. Selecting a custom peer pod VM image
You can select a custom peer pod virtual machine (VM) image, tailored to your workload requirements by adding an annotation to the pod manifest. The custom image overrides the default image specified in the peer pods config map.
Prerequisites
- You have the ID of a custom pod VM image, which is compatible with your cloud provider or hypervisor.
Procedure
Create a
my-pod-manifest.yamlfile according to the following example:apiVersion: v1 kind: Pod metadata: name: my-pod-manifest annotations: io.katacontainers.config.hypervisor.image: "<custom_image_id>" spec: runtimeClassName: kata-remote containers: - name: <example_container> image: registry.access.redhat.com/ubi9/ubi:9.3 command: ["sleep", "36000"]Create the pod by running the following command:
$ oc create -f my-pod-manifest.yaml
3.7. Customizing the Kata Agent policy
You can customize the Kata Agent policy to override the default policy, which is permissive, for a peer pod. The Kata Agent policy is a security mechanism that controls API requests for peer pods.
You must override the default policy in a production environment.
As a minimum requirement, you must disable ExecProcessRequest to prevent a cluster administrator from accessing sensitive data by running the oc exec command on a peer pod.
You can use the default policy in development and test environments where security is not a concern, for example, in an environment where the control plane can be trusted.
A custom policy replaces the default policy entirely. To modify specific APIs, include the full policy and adjust the relevant rules.
Procedure
Create a custom
policy.regofile by modifying the default policy:package agent_policy default AddARPNeighborsRequest := true default AddSwapRequest := true default CloseStdinRequest := true default CopyFileRequest := true default CreateContainerRequest := true default CreateSandboxRequest := true default DestroySandboxRequest := true default ExecProcessRequest := true default GetMetricsRequest := true default GetOOMEventRequest := true default GuestDetailsRequest := true default ListInterfacesRequest := true default ListRoutesRequest := true default MemHotplugByProbeRequest := true default OnlineCPUMemRequest := true default PauseContainerRequest := true default PullImageRequest := true default ReadStreamRequest := false default RemoveContainerRequest := true default RemoveStaleVirtiofsShareMountsRequest := true default ReseedRandomDevRequest := true default ResumeContainerRequest := true default SetGuestDateTimeRequest := true default SetPolicyRequest := true default SignalProcessRequest := true default StartContainerRequest := true default StartTracingRequest := true default StatsContainerRequest := true default StopTracingRequest := true default TtyWinResizeRequest := true default UpdateContainerRequest := true default UpdateEphemeralMountsRequest := true default UpdateInterfaceRequest := true default UpdateRoutesRequest := true default WaitProcessRequest := true default WriteStreamRequest := trueThe default policy allows all API calls. Adjust the
trueorfalsevalues to customize the policy further based on your needs.Convert the
policy.regofile to a Base64-encoded string by running the following command:$ base64 -w0 policy.regoRecord the output.
Add the Base64-encoded policy string to the
my-pod.yamlmanifest:apiVersion: v1 kind: Pod metadata: name: my-pod annotations: io.katacontainers.config.agent.policy: <base64_encoded_policy> spec: runtimeClassName: kata-remote containers: - name: <container_name> image: registry.access.redhat.com/ubi9/ubi:latest command: - sleep - "36000" securityContext: privileged: false seccompProfile: type: RuntimeDefaultCreate the pod by running the following command:
$ oc create -f my-pod.yaml
3.8. Creating the KataConfig custom resource
You must create the KataConfig custom resource (CR) to install kata-remote as a runtime class on your worker nodes.
OpenShift sandboxed containers installs kata-remote as a secondary, optional runtime on the cluster and not as the primary runtime.
Creating the KataConfig CR automatically reboots the worker nodes. The reboot can take from 10 to more than 60 minutes. The following factors can increase the reboot time:
- A large OpenShift Container Platform deployment with a greater number of worker nodes.
- Activation of the BIOS and Diagnostics utility.
- Deployment on a hard disk drive rather than an SSD.
- Deployment on physical nodes such as bare metal, rather than on virtual nodes.
- A slow CPU and network.
Procedure
Create an
example-kataconfig.yamlmanifest file according to the following example:apiVersion: kataconfiguration.openshift.io/v1 kind: KataConfig metadata: name: example-kataconfig spec: enablePeerPods: true logLevel: info # kataConfigPoolSelector: # matchLabels: # <label_key>: '<label_value>'1 - 1
- Optional: If you have applied node labels to install
kata-remoteon specific nodes, specify the key and value, for example,osc: 'true'.
Create the
KataConfigCR by running the following command:$ oc create -f example-kataconfig.yamlThe new
KataConfigCR is created and installskata-remoteas a runtime class on the worker nodes.Wait for the
kata-remoteinstallation to complete and the worker nodes to reboot before verifying the installation.Monitor the installation progress by running the following command:
$ watch "oc describe kataconfig | sed -n /^Status:/,/^Events/p"When the status of all workers under
kataNodesisinstalledand the conditionInProgressisFalsewithout specifying a reason, thekata-remoteis installed on the cluster.Verify the daemon set by running the following command:
$ oc get -n openshift-sandboxed-containers-operator ds/osc-caa-dsVerify the runtime classes by running the following command:
$ oc get runtimeclassExample output
NAME HANDLER AGE kata-remote kata-remote 152m
3.9. Modifying the number of peer pod VMs per node
You can modify the limit of peer pod virtual machines (VMs) per node by editing the peerpodConfig custom resource (CR).
Procedure
Check the current limit by running the following command:
$ oc get peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \ -o jsonpath='{.spec.limit}{"\n"}'Specify a new value for the
limitkey by running the following command:$ oc patch peerpodconfig peerpodconfig-openshift -n openshift-sandboxed-containers-operator \ --type merge --patch '{"spec":{"limit":"<value>"}}'
3.10. Verifying the pod VM image
After kata-remote is installed on your cluster, the OpenShift sandboxed containers Operator creates a pod VM image, which is used to create peer pods. This process can take a long time because the image is created on the cloud instance. You can verify that the pod VM image was created successfully by checking the config map that you created for the cloud provider.
Procedure
Obtain the config map you created for the peer pods:
$ oc get configmap peer-pods-cm -n openshift-sandboxed-containers-operator -o yamlCheck the
statusstanza of the YAML file.If the
PODVM_AMI_IDparameter is populated, the pod VM image was created successfully.
Troubleshooting
Retrieve the events log by running the following command:
$ oc get events -n openshift-sandboxed-containers-operator --field-selector involvedObject.name=osc-podvm-image-creationRetrieve the job log by running the following command:
$ oc logs -n openshift-sandboxed-containers-operator jobs/osc-podvm-image-creation
If you cannot resolve the issue, submit a Red Hat Support case and attach the output of both logs.
3.11. Configuring your workload for OpenShift sandboxed containers
You configure your workload for OpenShift sandboxed containers by setting kata-remote as the runtime class for the following pod-templated objects:
-
Podobjects -
ReplicaSetobjects -
ReplicationControllerobjects -
StatefulSetobjects -
Deploymentobjects -
DeploymentConfigobjects
Do not deploy workloads in an Operator namespace. Create a dedicated namespace for these resources.
You can define whether the workload should be deployed using the default instance type, which you defined in the config map, by adding an annotation to the YAML file.
If you do not want to define the instance type manually, you can add an annotation to use an automatic instance type, based on the memory available.
Prerequisites
-
You have created the
KataConfigcustom resource (CR).
Procedure
Add
spec.runtimeClassName: kata-remoteto the manifest of each pod-templated workload object as in the following example:apiVersion: v1 kind: <object> # ... spec: runtimeClassName: kata-remote # ...Optional: To use a manually defined instance type, add the following annotation with the instance type that you defined in the config map:
apiVersion: v1 kind: <object> metadata: annotations: io.katacontainers.config.hypervisor.machine_type: <machine_type> # ...Optional: To use an automatic instance type, add the following annotations:
apiVersion: v1 kind: <Pod> metadata: annotations: io.katacontainers.config.hypervisor.default_vcpus: <vcpus> io.katacontainers.config.hypervisor.default_memory: <memory> # ...The workload will run on an automatic instance type based on the amount of memory available.
Apply the changes to the workload object by running the following command:
$ oc apply -f <object.yaml>OpenShift Container Platform creates the workload object and begins scheduling it.
Verification
-
Inspect the
spec.runtimeClassNamefield of a pod-templated object. If the value iskata-remote, then the workload is running on OpenShift sandboxed containers.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}