Bookmark this page

P 1 2 3 4 5 6 7 8 9 10

Chapter 2. Deploy Packaged Applications

Section OpenShift Templates

SectionObjectives
SectionOpenShift Templates

Guided Exercise: OpenShift Templates

Helm Charts

Objectives
Helm
Helm Charts
Using Helm Charts
Releases
Helm Repositories

Guided Exercise: Helm Charts

Lab: Deploy Packaged Applications

Summary

Abstract

Goal	Deploy and update applications from resource manifests that are packaged for sharing and distribution.
Objectives	Deploy an application and its dependencies from resource manifests that are stored in an OpenShift template. Deploy and update applications from resource manifests that are packaged as Helm charts.
Sections	OpenShift Templates (and Guided Exercise) Helm Charts (and Guided Exercise)
Lab	Deploy Packaged Applications

OpenShift Templates

Objectives

Deploy and update applications from resource manifests that are packaged as OpenShift templates.

OpenShift Templates

A template is a Kubernetes custom resource that describes a set of Kubernetes resource configurations. Templates can have parameters. You can create a set of related Kubernetes resources from a template by processing the template, and providing values for the parameters. Templates have varied use cases, and can create any Kubernetes resource. You can create a list of resources from a template by using the CLI or, if a template is uploaded to your project or to the global template library, by using the web console.

The template resource is a Kubernetes extension that Red Hat for OpenShift provides. The Cluster Samples Operator populates templates (and image streams) in the openshift namespace. You can opt out of adding templates during installation, and you can restrict the list of templates that the operator populates.

You can also create templates from scratch, or copy and customize a template to suit the needs of your project.

Discovering Templates

The templates that the Cluster Samples Operator provides are in the openshift namespace. Use the following oc get command to view a list of these templates:

[user@host ~]$ oc get templates -n openshift
NAME                      DESCRIPTION            PARAMETERS        OBJECTS
cache-service             Red Hat Data Grid...    8 (1 blank)      4
cakephp-mysql-example     An example CakePHP...  21 (4 blank)      8
cakephp-mysql-persistent  An example CakePHP...  22 (4 blank)      9
...output omitted...

To evaluate any template, use the oc describe template template-name -n openshift command to view more details about the template, including the description, the labels that the template uses, the template parameters, and the resources that the template generates.

The following example shows the details of the cache-service template:

[user@host ~]$ oc describe template cache-service -n openshift
Name: cache-service
Namespace: openshift
Created: 2 months ago
Labels: samples.operator.openshift.io/managed=true
template=cache-service
Description: Red Hat Data Grid is an in-memory, distributed key/value store. 
Annotations: iconClass=icon-datagrid
...output omitted...

Parameters: 
    Name: APPLICATION_NAME
    Display Name: Application Name
    Description: Specifies a name for the application.
    Required: true
    Value: cache-service 

 ...output omitted...

    Name: APPLICATION_PASSWORD
    Display Name: Client Password
    Description: Sets a password to authenticate client applications.
    Required: false
    Generated: expression 
    From: [a-zA-Z0-9]{16}

Object Labels: template=cache-service 

Message: <none>

Objects: 
    Secret ${APPLICATION_NAME}
    Service ${APPLICATION_NAME}-ping
    Service ${APPLICATION_NAME}
    StatefulSet.apps ${APPLICATION_NAME}

	Use the description to determine the purpose of the template.
	The parameters provide deployment flexibility.
	The `value` field provides a default value that you can override.
	The `Generated` and `From` fields also generate default values.
	The object labels are applied to all resources that the template creates.
	The objects section lists the resources that the template creates.

In addition to using the oc describe command to view information about a template, the oc process command provides a --parameters option to view only the parameters that a template uses. For example, use the following command to view the parameters that the cache-service template uses:

[user@host ~]$ oc process --parameters cache-service -n openshift
NAME                   ...   GENERATOR    VALUE
APPLICATION_NAME       ...                cache-service
IMAGE                  ...                registry.redhat.io/jboss-datagrid-7/...
NUMBER_OF_INSTANCES    ...                1
REPLICATION_FACTOR     ...                1
EVICTION_POLICY        ...                evict
TOTAL_CONTAINER_MEM    ...                512
APPLICATION_USER       ...
APPLICATION_PASSWORD   ...   expression   [a-zA-Z0-9]{16}

Use the -f option to view the parameters of a template that are defined in a file:

[user@host ~]$ oc process --parameters -f  my-cache-service.yaml

Use the oc get template template-name -o yaml -n namespace command to view the manifest for the template. The following example retrieves the template manifest for the cache-service template:

[user@host ~]$ oc get template cache-service -o yaml -n openshift
apiVersion: template.openshift.io/v1
kind: Template
labels:
  template: cache-service
metadata:
 ...output omitted...
- apiVersion: v1
  kind: Secret
  metadata:
 ...output omitted...
- apiVersion: v1
  kind: Service
  metadata:
 ...output omitted...
- apiVersion: v1
  kind: Service
  metadata:
 ...output omitted...
- apiVersion: apps/v1
  kind: StatefulSet
  metadata:
 ...output omitted...
parameters:
- description: Specifies a name for the application.
  displayName: Application Name
  name: APPLICATION_NAME
  required: true
  value: cache-service
- description: Sets an image to bootstrap the service.
  name: IMAGE
 ...output omitted...

In the template manifest, examine how the template creates resources. The manifest is also a good resource for learning how to create your own templates.

Using Templates

The oc new-app command has a --template option that can deploy the template resources directly from the openshift project. The following example deploys the resources that are defined in the cache-service template from the openshift project:

[user@host ~]$ oc new-app --template=cache-service -p APPLICATION_USER=my-user

Using the oc new-app command to deploy the template resources is convenient for development and testing. However, for production usage, consume templates in a manner that helps resource and configuration tracking. For example, the oc new-app command can only create new resources, not update existing resources.

You can use the oc process command to apply parameters to a template, to produce manifests to deploy the templates with a set of parameters. The oc process command can process both templates that are stored in files locally, and templates that are stored in the cluster. However, to process templates in a namespace, you must have write permissions on the template namespace. For example, to run oc process on the templates in the openshift namespace, you must have write permissions on this namespace.

Note

Unprivileged users can read the templates in the openshift namespace by default. Those users can extract the template from the openshift namespace and create a copy in a project where they have wider permissions. By copying a template to a project, they can use the oc process command on the template.

Deploying Applications from Templates

The oc process command uses parameter values to transform a template into a set of related Kubernetes resource manifests. For example, the following command creates a set of resource manifests for the my-cache-service template. When you use the -o yaml option, the resulting manifests are in the YAML format. The example writes the manifests to a my-cache-service-manifest.yaml file:

[user@host ~]$ oc process my-cache-service \
  -p APPLICATION_USER=user1 -o yaml > my-cache-service-manifest.yaml

The previous example uses the -p option to provide a parameter value to the only required parameter without a default value.

Use the -f option with the oc process command to process a template that is defined in a file:

[user@host ~]$ oc process -f my-cache-service.yaml \
  -p APPLICATION_USER=user1 -o yaml > my-cache-service-manifest.yaml

Use the -p option with key=value pairs with the oc process command to use parameter values that override the default values. The following example passes three parameter values to the my-cache-service template, and overrides the default values of the specified parameters:

[user@host ~]$ oc process my-cache-service -o yaml \
  -p TOTAL_CONTAINER_MEM=1024 \
  -p APPLICATION_USER='cache-user' \
  -p APPLICATION_PASSWORD='my-secret-password' \
  > my-cache-service-manifest.yaml

Instead of specifying parameters on the command line, place the parameters in a file. This option cleans up the command line when many parameter values are required. Save the parameters file in a version control system to keep records of the parameters that are used in production deployments.

For example, instead of using the command-line options in the previous examples, place the key-value pairs in a my-cache-service-params.env file. Add the key-value pairs to the file, with each pair on a separate line:

TOTAL_CONTAINER_MEM=1024
APPLICATION_USER='cache-user'
APPLICATION_PASSWORD='my-secret-password'

The corresponding oc process command uses the --param-file option to pass the parameters as follows:

[user@host ~]$ oc process my-cache-service -o yaml \
  --param-file=my-cache-service-params.env > my-cache-service-manifest.yaml

Generating a manifest file is not required to use templates. Instead, pipe the output of the oc process command directly to the input for the oc apply -f - command. The oc apply command creates live resources on the Kubernetes cluster.

[user@host ~]$ oc process my-cache-service \
  --param-file=my-cache-service-params.env | oc apply -f -

Because templates are flexible, you can use the same template to create different resources by changing the input parameters.

Updating Apps from Templates

Because you use the oc apply command, after deploying a set of manifests from a template, you can process the template again and use oc apply for updates. This procedure can make simple changes to deployed templates, such as changing a parameter. However, many workload updates are not possible with this mechanism. To manage more complex applications, consider using other mechanisms such as Helm charts, which are described elsewhere in this course.

To compare the results of applying a different parameters file to a template against the live resources, pipe the manifest to the oc diff -f - command. For example, given a second parameter file named my-cache-service-params-2.env, use the following command:

[user@host ~]$ oc process my-cache-service -o yaml \
  --param-file=my-cache-service-params-2.env | oc diff -f -
 ...output omitted...
-  generation: 1
+  generation: 2
   labels:
     application: cache-service
     template: cache-service
@@ -86,10 +86,10 @@
           timeoutSeconds: 10
         resources:
           limits:
-            memory: 1Gi
+            memory: 2Gi
           requests:
             cpu: 500m
-            memory: 1Gi
+            memory: 2Gi
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:

In this case, the configuration change increases the memory usage of the application. The output shows that the second generation uses 2Gi of memory instead of 1Gi.

After verifying that the changes are what you intend, you can pipe the output of the oc process to the oc apply -f - command.

Managing Templates

For production usage, make a customized copy of the template, to change the default values of the template to suitable values for the target project. To copy a template into your project, use the oc get template command with the -o yaml option to copy the template YAML to a file.

The following example copies the cache-service template from the openshift project to a YAML file named my-cache-service.yaml:

[user@host ~]$ oc get template cache-service -o yaml \
  -n openshift > my-cache-service.yaml

After creating a YAML file for a template, consider making the following changes to the template:

Give the template a new name that is specific to the target use of the template resources.
Apply appropriate changes to the parameter default values at the end of the file.
Remove the namespace field of the template resource.

You can process templates in other namespaces, if you can create the processed template resource in those namespaces. Processing the template in a different project without changing the template namespace to match the target namespace gives an error. Optionally, you can also delete the namespace field from the metadata field of the template resource.

After you have a YAML file for a template, use the oc create -f command to upload the template to the current project. In this case, the oc create command is not creating the resources that the template defines. Instead, the command is creating a template resource in the project. Using a template that is uploaded to a project clarifies which template provides the resource definitions of a project. After uploading, the template is available to anyone with access to the project.

The following example uploads a customized template that is defined in the my-cache-service.yaml file to the current project:

[user@host ~]$ oc create -f my-cache-service.yaml

Use the -n namespace option to upload the template to a different project. The following example uploads the template that is defined in the my-cache-service.yaml file to the shared-templates project:

[user@host ~]$ oc create -f my-cache-service.yaml -n shared-templates

Use the oc get templates command to view a list of available templates in the project:

[user@host ~]$ oc get templates -n shared-templates
NAME                      DESCRIPTION            PARAMETERS        OBJECTS
my-cache-service          Red Hat Data Grid...    8 (1 blank)      4

References

For more information, refer to the Understanding Templates section in the Using Templates chapter in the Red Hat OpenShift Container Platform 4.14 Images documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/images/index#templates-overview_using-templates

For more information, refer to the OpenShift CLI Developer Command Reference section in the OpenShift CLI (oc) chapter in the Red Hat OpenShift Container Platform 4.14 CLI Tools documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/cli_tools/index#cli-developer-commands

Kubernetes Documentation - kubectl Commands

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1