Chapter 3. Recommended resource requirements for Red Hat Advanced Cluster Security for Kubernetes
The recommended resource guidelines were developed by performing a focused test that created the following objects across a given number of namespaces:
- 10 deployments, with 3 pod replicas in a sleep state, mounting 4 secrets, 4 config maps
- 10 services, each one pointing to the TCP/8080 and TCP/8443 ports of one of the previous deployments
- 1 route pointing to the first of the previous services
- 10 secrets containing 2048 random string characters
- 10 config maps containing 2048 random string characters
During the analysis of results, the number of deployments is identified as a primary factor for increasing of used resources. And we are using the number of deployments for the estimation of required resources.
Additional resources
3.1. Central services (self-managed)
If you are using Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service), you do not need to review the requirements for Central services, because they are managed by Red Hat. You only need to look at the requirements for secured cluster services.
Central services contain the following components:
- Central
Scanner
NoteFor default resource requirements for the scanner, see the default resource requirements page.
3.1.1. Central
Memory and CPU requirements
The following table lists the minimum memory and CPU values required to run Central for one secured cluster. The table includes the number of concurrent web portal users.
Deployments | Concurrent web portal users | CPU | Memory |
---|---|---|---|
< 25,000 | 1 user | 2 cores | 8 GiB |
< 25,000 | < 5 users | 6 cores | 12 GiB |
< 50,000 | 1 user | 2 cores | 12 GiB |
< 50,000 | < 5 users | 6 cores | 16 GiB |
3.1.2. Scanner
StackRox Scanner Memory and CPU requirements
The following table lists the minimum memory and CPU values required for the StackRox Scanner deployment in the Central cluster. The table includes the number of unique images deployed in all secured clusters.
Unique Images | Replicas | CPU | Memory |
---|---|---|---|
< 100 | 1 replica | 1 core | 1.5 GiB |
< 500 | 1 replica | 2 cores | 2.5 GiB |
< 2000 | 2 replicas | 2 cores | 2.5 GiB |
< 5000 | 3 replicas | 2 cores | 2.5 GiB |
Additional resources
3.2. Secured cluster services
Secured cluster services contain the following components:
- Sensor
- Admission controller
Collector
NoteCollector component is not included on this page. Required resource requirements are listed on the default resource requirements page.
3.2.1. Sensor
Sensor monitors your Kubernetes and OpenShift Container Platform clusters. These services currently deploy in a single deployment, which handles interactions with the Kubernetes API and coordinates with Collector.
Memory and CPU requirements
The following table lists the minimum memory and CPU values required to run Sensor on a secured cluster.
Deployments | Pods per deployment | CPU | Memory |
---|---|---|---|
< 25,000 | 3 | 2 cores | 8 GiB |
< 50,000 | 3 | 2 cores | 16 GiB |
3.2.2. Admission controller
The admission controller prevents users from creating workloads that violate policies that you configure.
Memory and CPU requirements
The following table lists the minimum memory and CPU values required to run the admission controller on a secured cluster.
Deployments | Pods per deployment | CPU | Memory |
---|---|---|---|
< 25,000 | 3 | 0.5 cores | 600 MiB |
< 50,000 | 3 | 0.5 cores | 1200 MiB |