From fc3c3e69668f62fc2518d7c1fcac986e00c4eb25 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 6 Jun 2024 15:57:33 +0200 Subject: [PATCH 1/3] docs: started adding k8s requirements --- modules/ROOT/pages/kubernetes.adoc | 49 ++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) diff --git a/modules/ROOT/pages/kubernetes.adoc b/modules/ROOT/pages/kubernetes.adoc index 4c35d605b..b1758fed9 100644 --- a/modules/ROOT/pages/kubernetes.adoc +++ b/modules/ROOT/pages/kubernetes.adoc 
@@ -121,3 +121,52 @@ Kubernetes control plane is running at https://127.0.0.1:6443 CoreDNS is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy Metrics-server is running at https://127.0.0.1:6443/api/v1/namespaces/kube-system/services/https:metrics-server:https/proxy ---- + +== Requirements + +To install and use Stackable operators, you Kubernetes cluster needs to meet a few requirements. +Also, _you_ as the person installing the operators need some permissions to be able to install them. + +=== RBAC + +The operators need a lot of very "heavy" permissions. +They need to be able to create ClusterRoles and also the bindings for them, which means that they are very powerful. + +What exactly is need? + +As a user installing the operators, you will need `get`, `list` and `create` permissions for CustomResourceDefinitions, ClusterRoles, ClusterRoleBindings, StorageClasses and CSIDrivers. +Also for the Stackable custom resource SecretClass. + +Why exactly? + +Every operator comes with a custom resource that it manages, and the custom resource definition needs to be applied. +Then, every operator gets its own ClusterRole that then needs to be bound to the operator Pods. +A StorageClass is created by the secret and listener operator. Both use StorageClasses as a way to bind Pods and mount information. + +Then, the operators themselves need extensive permissions. + + + + +=== Network policies + +=== securityContext requirements + +What does that mean? +Why? + +https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[some info] + +==== root paths must be rw + +`readOnlyRootFilesystem` + +=== storageclass and CSI driver reqs. + +The secret operator is basically a fake CSI driver that you can request drives from, with certain labels. +It has its own storageclass. + +This mechanism is used to mount secrets into Pods, across namespaces. 
+The secret operator can also dynamically update secrets, which is useful for example to renew certificates. + +The secret operator is a core part of the Stackable Data Platform, and the Platform does not function without it. From 3535ec989005179ed504f0e0b16d243ce7477f0f Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Thu, 6 Jun 2024 16:06:37 +0200 Subject: [PATCH 2/3] added some more info --- modules/ROOT/pages/kubernetes.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/ROOT/pages/kubernetes.adoc b/modules/ROOT/pages/kubernetes.adoc index b1758fed9..661cb24a4 100644 --- a/modules/ROOT/pages/kubernetes.adoc +++ b/modules/ROOT/pages/kubernetes.adoc @@ -161,6 +161,9 @@ https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[some `readOnlyRootFilesystem` +* we might be able to fix this in some instances +* sometimes the software is shitty and its hard to fix + === storageclass and CSI driver reqs. The secret operator is basically a fake CSI driver that you can request drives from, with certain labels. From c57fa167c279ecb2f8f3ca7786b08b70a6ff8bd6 Mon Sep 17 00:00:00 2001 From: Felix Hennig Date: Mon, 1 Jul 2024 15:58:20 +0200 Subject: [PATCH 3/3] ~ --- modules/ROOT/pages/kubernetes.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/modules/ROOT/pages/kubernetes.adoc b/modules/ROOT/pages/kubernetes.adoc index 661cb24a4..c487f52d2 100644 --- a/modules/ROOT/pages/kubernetes.adoc +++ b/modules/ROOT/pages/kubernetes.adoc @@ -157,6 +157,10 @@ Why? https://kubernetes.io/docs/tasks/configure-pod-container/security-context/[some info] +==== runAsuser, runAsGroup + +TODO + ==== root paths must be rw `readOnlyRootFilesystem`
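Review bot: the RBAC paragraph in the first hunk lists `get`, `list` and `create` on ClusterRoles and ClusterRoleBindings for the installing user, but Kubernetes RBAC refuses to let a subject create a ClusterRole, or a binding to one, unless that subject already holds every permission the role grants (or has the `escalate`/`bind` verbs on roles and bindings), so a user with exactly the listed verbs would still be rejected when the operators' "heavy" ClusterRoles are applied; please state that the installer must hold the union of the operators' permissions (in practice cluster-admin) or explain the `escalate`/`bind` route. The sentence "Then, the operators themselves need extensive permissions." closes the section without saying which resources and verbs are involved, which is exactly what a cluster administrator reviewing the install needs; list them per operator or link the ClusterRole manifests. Smaller points: "you Kubernetes cluster" should read "your Kubernetes cluster", "What exactly is need?" should read "What exactly is needed?", and the empty `=== Network policies` section and the "What does that mean? Why?" placeholder under `=== securityContext requirements` should be filled in or removed before this merges.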
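Review bot: the two bullets added under `readOnlyRootFilesystem` in the second hunk ("we might be able to fix this in some instances", "sometimes the software is shitty and its hard to fix") are working notes rather than documentation and should not ship as written; replace them with the concrete statement an administrator needs, namely that `readOnlyRootFilesystem: true` cannot be set on the operator-managed Pods, which products require a writable root filesystem and which paths they write to, so that a cluster-wide admission policy can be scoped to exactly those workloads instead of being disabled everywhere. If any of the wording is kept, "its" should be "it's", and "shitty" is not the register for user-facing docs.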
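Review bot: the `==== runAsuser, runAsGroup` heading in the third hunk has a casing error (the Kubernetes field is `runAsUser`, matching the `runAsGroup` beside it), and the `TODO` body means the section would be published empty; either fill it with what the operators set for `runAsUser`/`runAsGroup` and whether Pods run as non-root (a cluster enforcing the restricted Pod Security Standard checks `runAsNonRoot`), or hold the heading back until the content exists. The commit subject "~" also says nothing about the change; a subject such as "docs: add runAsUser/runAsGroup placeholder" would make the docs history searchable.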