docs: started adding k8s requirements [WIP] #619

Draft pull request: wants to merge 4 commits into base: main
56 changes: 56 additions & 0 deletions modules/ROOT/pages/kubernetes/index.adoc
Expand Up @@ -76,3 +76,59 @@ Kubernetes control plane is running at https://127.0.0.1:6443
CoreDNS is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
Metrics-server is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/https:metrics-server:https/proxy
----

== Requirements

To install and use Stackable operators, you Kubernetes cluster needs to meet a few requirements.
Also, _you_ as the person installing the operators need some permissions to be able to install them.

=== RBAC

The operators need a lot of very "heavy" permissions.
They need to be able to create ClusterRoles and also the bindings for them, which means that they are very powerful.

What exactly is need?

As a user installing the operators, you will need `get`, `list` and `create` permissions for CustomResourceDefinitions, ClusterRoles, ClusterRoleBindings, StorageClasses and CSIDrivers.
Also for the Stackable custom resource SecretClass.

Why exactly?

Every operator comes with a custom resource that it manages, and the custom resource definition needs to be applied.
Then, every operator gets its own ClusterRole that then needs to be bound to the operator Pods.
A StorageClass is created by the secret and listener operator. Both use StorageClasses as a way to bind Pods and mount information.

Then, the operators themselves need extensive permissions.




=== Network policies

=== securityContext requirements

What does that mean?
Why?

https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[some info]

==== runAsuser, runAsGroup

TODO

==== root paths must be rw

`readOnlyRootFilesystem`

* we might be able to fix this in some instances
* sometimes the software is shitty and its hard to fix

=== storageclass and CSI driver reqs.

The secret operator is basically a fake CSI driver that you can request drives from, with certain labels.
It has its own storageclass.

This mechanism is used to mount secrets into Pods, across namespaces.
The secret operator can also dynamically update secrets, which is useful for example to renew certificates.

The secret operator is a core part of the Stackable Data Platform, and the Platform does not function without it.
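Review bot: the permission list in the RBAC section (`get`, `list` and `create` on CustomResourceDefinitions, ClusterRoles, ClusterRoleBindings, StorageClasses, CSIDrivers and the SecretClass custom resource) is not backed by the "Why exactly?" paragraph that follows it: that paragraph explains the CRDs, the per-operator ClusterRole and the StorageClass, but never says which operator registers the CSIDriver object or why SecretClass is on the installer's list, and it ends at "Then, the operators themselves need extensive permissions." without naming a single one of them. Since this section is what a cluster admin will use to scope the installer's role, please either list the operator-side permissions or link to the ClusterRole manifests, and state whether `update`/`patch` (upgrades) and `delete` (uninstall) are required as well, because the current wording implies `create` alone is enough. Smaller fixes in the same hunk: "you Kubernetes cluster needs" should be "your Kubernetes cluster needs", "What exactly is need?" should be "What exactly is needed?", the heading "runAsuser, runAsGroup" should read "runAsUser, runAsGroup", and "sometimes the software is shitty and its hard to fix" is not documentation language. The empty "=== Network policies" section, the "TODO" under runAsUser/runAsGroup and the "root paths must be rw" section (which never says which paths must be writable or which operators need `readOnlyRootFilesystem: false`) should either get concrete content or an explicit "not yet documented" marker before this leaves draft, since a reader landing on the rendered page would otherwise assume no network policy or securityContext requirements exist.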