Chapter 8. How to use dedicated worker nodes for Red Hat OpenShift Data Foundation
Any Red Hat OpenShift Container Platform subscription requires an OpenShift Data Foundation subscription. However, you can save on the OpenShift Container Platform subscription costs if you are using infrastructure nodes to schedule OpenShift Data Foundation resources.
It is important to maintain consistency across environments with or without Machine API support. Because of this, it is highly recommended in all cases to have a special category of nodes labeled as either worker or infra or have both roles. See the Section 8.3, “Manual creation of infrastructure nodes” section for more information.
8.1. Anatomy of an Infrastructure node
Infrastructure nodes for use with OpenShift Data Foundation have a few attributes. The infra
node-role label is required to ensure the node does not consume RHOCP entitlements. The infra
node-role label is responsible for ensuring only OpenShift Data Foundation entitlements are necessary for the nodes running OpenShift Data Foundation.
-
Labeled with
node-role.kubernetes.io/infra
Adding an OpenShift Data Foundation taint with a NoSchedule
effect is also required so that the infra
node will only schedule OpenShift Data Foundation resources.
-
Tainted with
node.ocs.openshift.io/storage="true"
The label identifies the RHOCP node as an infra
node so that RHOCP subscription cost is not applied. The taint prevents non OpenShift Data Foundation resources to be scheduled on the tainted nodes.
Adding storage taint on nodes might require toleration handling for the other daemonset
pods such as openshift-dns daemonset
. For information about how to manage the tolerations, see Knowledgebase article: https://access.redhat.com/solutions/6592171.
Example of the taint and labels required on infrastructure node that will be used to run OpenShift Data Foundation services:
spec: taints: - effect: NoSchedule key: node.ocs.openshift.io/storage value: "true" metadata: creationTimestamp: null labels: node-role.kubernetes.io/worker: "" node-role.kubernetes.io/infra: "" cluster.ocs.openshift.io/openshift-storage: ""
8.2. Machine sets for creating Infrastructure nodes
If the Machine API is supported in the environment, then labels should be added to the templates for the Machine Sets that will be provisioning the infrastructure nodes. Avoid the anti-pattern of adding labels manually to nodes created by the machine API. Doing so is analogous to adding labels to pods created by a deployment. In both cases, when the pod/node fails, the replacement pod/node will not have the appropriate labels.
In EC2 environments, you will need three machine sets, each configured to provision infrastructure nodes in a distinct availability zone (such as us-east-2a, us-east-2b, us-east-2c). Currently, OpenShift Data Foundation does not support deploying in more than three availability zones.
The following Machine Set template example creates nodes with the appropriate taint and labels required for infrastructure nodes. This will be used to run OpenShift Data Foundation services.
template: metadata: creationTimestamp: null labels: machine.openshift.io/cluster-api-cluster: kb-s25vf machine.openshift.io/cluster-api-machine-role: worker machine.openshift.io/cluster-api-machine-type: worker machine.openshift.io/cluster-api-machineset: kb-s25vf-infra-us-west-2a spec: taints: - effect: NoSchedule key: node.ocs.openshift.io/storage value: "true" metadata: creationTimestamp: null labels: node-role.kubernetes.io/infra: "" cluster.ocs.openshift.io/openshift-storage: ""
If you add a taint to the infrastructure nodes, you also need to add tolerations to the taint for other workloads, for example, the fluentd pods. For more information, see the Red Hat Knowledgebase solution Infrastructure Nodes in OpenShift 4.
8.3. Manual creation of infrastructure nodes
Only when the Machine API is not supported in the environment should labels be directly applied to nodes. Manual creation requires that at least 3 RHOCP worker nodes are available to schedule OpenShift Data Foundation services, and that these nodes have sufficient CPU and memory resources. To avoid the RHOCP subscription cost, the following is required:
oc label node <node> node-role.kubernetes.io/infra="" oc label node <node> cluster.ocs.openshift.io/openshift-storage=""
Adding a NoSchedule
OpenShift Data Foundation taint is also required so that the infra
node will only schedule OpenShift Data Foundation resources and repel any other non-OpenShift Data Foundation workloads.
oc adm taint node <node> node.ocs.openshift.io/storage="true":NoSchedule
Do not remove the node-role node-role.kubernetes.io/worker=""
The removal of the node-role.kubernetes.io/worker=""
can cause issues unless changes are made both to the OpenShift scheduler and to MachineConfig resources.
If already removed, it should be added again to each infra
node. Adding node-role node-role.kubernetes.io/infra=""
and OpenShift Data Foundation taint is sufficient to conform to entitlement exemption requirements.
8.4. Taint a node from the user interface
This section explains the procedure to taint nodes after the OpenShift Data Foundation deployment.
Procedure
-
In the OpenShift Web Console, click Compute
Nodes, and then select the node which has to be tainted. - In the Details page click on Edit taints.
- Enter the values in the Key <node.ocs.openshift.io/storage>, Value <true> and in the Effect<Noschedule> field.
- Click Save.
Verification steps
Follow the steps to verify that the node has tainted successfully:
-
Navigate to Compute
Nodes. - Select the node to verify its status, and then click on the YAML tab.
In the specs section check the values of the following parameters:
Taints: Key: node.ocs.openshift.io/storage Value: true Effect: Noschedule
-
Navigate to Compute
Additional resources
For more information, refer to Creating the OpenShift Data Foundation cluster on VMware vSphere.