Bookmark this page

Chapter 6. Enable Developer Self-Service

Abstract

Goal	Configure clusters for safe self-service by developers from multiple teams, and disallow self-service if operations staff must provision projects.
Objectives	Configure compute resource quotas and Kubernetes resource count quotas per project and cluster-wide. Configure default and maximum compute resource requirements for pods per project. Configure default quotas, limit ranges, role bindings, and other restrictions for new projects, and the allowed users to self-provision new projects.
Sections	Project and Cluster Quotas (and Guided Exercise) Per-Project Resource Constraints: Limit Ranges (and Guided Exercise) The Project Template and the Self-Provisioner Role (and Guided Exercise)
Lab	Enable Developer Self-Service

Project and Cluster Quotas

Objectives

Configure compute resource quotas and Kubernetes resource count quotas per project and cluster-wide.

Limiting Workloads

Kubernetes clusters can run heterogeneous workloads across many compute nodes. By using Kubernetes role-based access control (RBAC), cluster administrators can allow users to create workloads on their own. Although RBAC can limit the kinds of resources that users can create, administrators might want further measures to ensure correct operation of the cluster.

Clusters have limited resources, such as CPU, RAM, and storage. If workloads on a cluster exceed the available resources, then workloads might not work correctly. A cluster that is configured to autoscale might also incur unwanted economic costs if the cluster scales to accommodate unexpected workloads.

To help with this issue, Kubernetes workloads can reserve resources and declare resource limits. Workloads can specify the following properties:

Resource limits: Kubernetes can limit the resources that a workload consumes. Workloads can specify an upper bound of the resources that they expect to use under normal operation. If a workload malfunctions or has unexpected load, then resource limits prevent the workload from consuming an excessive amount of resources and impacting other workloads.
Resource requests: Workloads can declare their minimum required resources. Kubernetes tracks requested resources by workloads, and prevents deployments of new workloads if the cluster has insufficient resources. Resource requests ensure that workloads get their needed resources.

These measures prevent workloads from affecting other workloads. However, cluster administrators might need to prevent other risks.

For example, users might mistakenly create unwanted workloads. The resource requests of those unwanted workloads can prevent legitimate workloads from executing.

By dividing workloads into namespaces, Kubernetes can offer enhanced protection features. The namespace structure often mirrors the organization that runs the cluster. Kubernetes introduces resource quotas to limit resource usage by the combined workloads in a namespace.

Resource Quotas

Kubernetes administrators can create resources of the ResourceQuota type in a namespace for this purpose. When a resource quota exists in a namespace, Kubernetes prevents the creation of workloads that exceed the quota.

Whereas quota features in other systems often act on users or groups of users, Kubernetes resource quotas act on namespaces.

apiVersion: v1
kind: ResourceQuota
metadata:
  name: memory
  namespace: example
spec:
  hard: 
    limits.memory: 4Gi
    requests.memory: 2Gi
  scopes: {} 
  scopeSelector: {}

	The `hard` key lists restrictions.
	The `scopes` and `scopeSelector` keys define which namespace resources the quota applies to. This course does not cover those keys.

The following sections describe the compute and object count quotas that you can include in the hard key. Other components can define other quotas and enforce them.

Compute Resource Quotas

You can set the following compute quotas:

limits.cpu
limits.memory
requests.cpu
requests.memory

Limit quotas interact with resource limits, and request quotas interact with resource requests.

Limit quotas control the maximum compute resources that the workloads in a namespace can consume. Consider a namespace where all workloads have a memory limit. No individual workload can consume enough memory to cause a problem. However, because users can create any number of workloads, the workloads of a namespace can consume enough memory to cause a problem for workloads in other namespaces. If you set a namespace memory usage limit, then the workloads in the namespace cannot consume more memory than this limit.

Request quotas control the maximum resources that workloads in a namespace can reserve. If you do not set namespace request quotas, then a single workload can request any quantity of resources, such as RAM or CPU. This request can cause further requests in other namespaces to fail. By setting namespace request quotas, the total requested resources by workloads in a namespace cannot exceed the quota.

Excessive quotas can cause resource underutilization and can limit workload performance unnecessarily.

After setting any compute quota, all workloads must define the corresponding request or resource limit. For example, if you create a limits.cpu quota, then the workloads that you create require the resources.limits.cpu key.

Object Count Quotas

A quota can also limit the number of resources of a given type in a namespace. For example, you can create a quota that prevents the creation of more than 10 deployments in a namespace.

Clusters store resource definitions in a backing store. Kubernetes backing stores are databases, and like any other database, the more data that they store, the more resources are needed for adequate performance. Namespaces with many resources can impact Kubernetes performance. Additionally, any process that creates cluster resources might malfunction and create unwanted resources.

Setting object count quotas can limit the damage from accidents, and maintain adequate cluster performance.

Note

Red Hat validates the performance of OpenShift up to a specific number of objects in a set of configurations. If you are planning a large cluster, then these results can help you to size the cluster and to establish object count quotas.

See the references section for more information.

Some Kubernetes resources might affect external systems. For example, creating a persistent volume might create an entity in the storage provider. Many persistent volumes might cause issues in the storage provider. Examine the systems that your cluster interacts with to learn about possible resource constraints, and establish object count quotas to prevent issues.

Use the count/resource_type syntax to set a quota for resources of the core group. Use the oc api-resources command with an empty api-group parameter to list resources of the core group.

[user@host ~]$ oc api-resources --api-group=""  --namespaced=true
NAME                     SHORTNAMES   APIVERSION   NAMESPACED   KIND
bindings                              v1           true         Binding
...output omitted...

For resources in other groups, use the count/resource_type.group syntax.

Kubernetes initially supported quotas for a limited set of resource types. These quotas do not use the count/resource_type syntax. You might find a services quota instead of a count/services quota. The Resource Quotas reference further describes these quotas.

Applying Project Quotas

Navigate to Administration → ResourceQuotas to create a resource quota from the web console. The YAML editor loads an example resource quota that you can edit for your needs.

You can also use the oc command to create a resource quota. The oc command can create resource quotas without requiring a complete resource definition. Execute the oc create resourcequota --help command to display examples and help for creating resource quotas without a complete resource definition.

For example, execute the following command to create a resource quota that limits the number of pods in a namespace:

[user@host ~]$ oc create resourcequota example --hard=count/pods=1
resourcequota/example created

The previous command is equivalent to creating a resource quota with the following definition:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: example
spec:
  hard:
    count/pods: "1"

After creating a resource quota, the status key in the resource describes the current values and limits in the quota.

[user@host ~]$ oc get quota example -o yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  creationTimestamp: "2024-01-30T17:59:52Z"
  name: example
  namespace: default
  resourceVersion: "193658"
  uid: df12b484-4e78-4920-acb4-e04ab286a4a1
spec:
  hard:
    count/pods: "1"
status:
  hard:
    count/pods: "1"
  used:
    count/pods: "0"

The oc get and oc describe commands show resource quota information in a custom format. The oc get command displays the status of the quota in resource lists:

[user@host ~]$ oc get quota
NAME      AGE     REQUEST           LIMIT
example   9m54s   count/pods: 1/1

Resource quotas generate the kube_resourcequota metric. You can examine this metric for planning and trend analysis.

Figure 6.1:

The kube_resourcequota metric

Troubleshooting Resource Quotas

Because resource quotas are extensible, Kubernetes cannot verify that a resource quota is correct. For example, the following command creates a resource quota that has no effect:

[user@host ~]$ oc create resourcequota example --hard=count/deployment=1
resourcequota/example created

The correct syntax for limiting the number of deployments is count/deployments.apps.

To ensure that a resource quota is correct, you can use the following procedures:

Create a quota with an artificially low value in a testing environment, and ensure that the resource quota has an effect.

Review the quota status.

For example, if a namespace contains a deployment, then an incorrectly defined resource quota shows 0 deployments:

[user@host ~]$ oc get resourcequota
NAME      AGE     REQUEST                 LIMIT
example   2m47s   count/deployment: 0/1

However, a correctly defined resource quota shows the deployment:

[user@host ~]$ oc get resourcequota
NAME      AGE   REQUEST                       LIMIT
example   4s    count/deployments.apps: 1/1

Exceeding a quota often produces an error immediately. For example, if you create a deployment that exceeds the deployment quota, then the deployment creation fails.

[user@host ~]$ oc create deployment --image=nginx hello
error: failed to create deployment: deployments.apps "hello" is forbidden: exceeded quota: example, requested: count/deployments.apps=1, used: count/deployments.apps=1, limited: count/deployments.apps=1

However, some quotas do not cause operations to fail immediately. For example, if you set a resource quota for pods, then creating a deployment appears to succeed, but the deployment never becomes available. When a resource quota is acting indirectly, namespace events might provide further information.

[user@host ~]$ oc get event --sort-by .metadata.creationTimestamp
LAST SEEN   TYPE      REASON              OBJECT                        MESSAGE
...output omitted...
10s         Normal    ScalingReplicaSet   deployment/hello              Scaled up replica set hello-5cdfd9c858 to 1
9s          Warning   FailedCreate        replicaset/hello-5cdfd9c858   Error creating: pods "hello-5cdfd9c858-zsgn9" is forbidden: exceeded quota: example, requested: count/pods=1, used: count/pods=1, limited: count/pods=1
5s          Warning   FailedCreate        replicaset/hello-5cdfd9c858   (combined from similar events): Error creating: pods "hello-5cdfd9c858-h2dv4" is forbidden: exceeded quota: example, requested: count/pods=1, used: count/pods=1, limited: count/pods=1

The web console also shows quota information. Navigate to Administration → ResourceQuotas to view resource quotas and their status. The project pages on both the developer and administrator perspectives also show the quotas that apply to a specific project.

Creating Quotas Across Multiple Projects

Cluster administrators can use resource quotas to apply restrictions to namespaces.

Resource restrictions often follow organization structure. Although namespaces often reflect organization structure, cluster administrators might apply restrictions to resources without being limited to a single namespace.

For example, a group of developers manages many namespaces. Namespace quotas can limit RAM usage per namespace. However, a cluster administrator cannot limit total RAM usage by all workloads that the group of developers manages.

OpenShift introduces cluster resource quotas for those scenarios.

Cluster resource quotas follow a similar structure to namespace resource quotas. However, cluster resource quotas use selectors to choose which namespaces the quota applies to.

Cluster resource quotas selectors use set-based requirements.

The following example shows a cluster resource quota:

apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: example
spec:
  quota: 
    hard:
      limits.cpu: 4
  selector: 
    annotations: {}
    labels:
      matchLabels:
        kubernetes.io/metadata.name: example

	The `quota` key contains the quota definition. This key follows the structure of the `ResourceQuota` specification. The `hard` key is nested inside the `quota` key, instead of being directly nested inside the `spec` key as in resource quotas.
	The `selector` key defines which namespaces the cluster resource quota applies to. Other Kubernetes features, such as services and network policies, use the same selectors.

Navigate to Administration → CustomResourceDefinitions to create a cluster resource quota with the web console.

You can also use the oc command to create a cluster quota. The oc command can create quotas without requiring a complete resource definition. Execute the oc create clusterresourcequota --help command to display examples and help about creating cluster resource quotas without a complete resource definition.

For example, execute the following command to create a resource quota that limits total CPU requests. The quota limits the total CPU requests on namespaces that have the group label with the dev value.

[user@host ~]$ oc create clusterresourcequota example --project-label-selector=group=dev --hard=requests.cpu=10
clusterresourcequota/example created

Cluster resource quotas collect total resource usage across namespaces and enforce the limits. The following example shows the status of the previous cluster resource quota:

apiVersion: quota.openshift.io/v1
kind: ClusterResourceQuota
metadata:
  name: example
spec:
  quota:
    hard:
      requests.cpu: "10"
  selector:
    annotations: null
    labels:
      matchLabels:
        group: dev
status:
  namespaces: 
  - namespace: example-3
    status:
      hard:
        requests.cpu: "10"
      used:
        requests.cpu: 500m
  - namespace: example-2
    status:
      hard:
        requests.cpu: "10"
      used:
        requests.cpu: 250m
_...output omitted..._
  total: 
    hard:
      requests.cpu: "10"
    used:
      requests.cpu: 2250m

	The `namespaces` key lists the namespaces that the quota applies to. For each namespace, the `used` key shows the current utilization.
	The `total` key aggregates the data in the `namespaces` key.

Users might not have read access to cluster resource quotas. OpenShift creates resources of the AppliedClusterResourceQuota type in namespaces that are affected by cluster resource quotas. Project administrators can review quota usage by reviewing the AppliedClusterResourceQuota resources. For example, use the oc describe command to view the cluster resource quotas that apply to a specific namespace:

[user@host ~]$ oc describe AppliedClusterResourceQuota -n example-2
Name:		example
Created:	9 minutes ago
Labels:		<none>
Annotations:	<none>
Namespace Selector: ["example-3" "example-2" "example-4" "example-1"]
Label Selector: group=dev
AnnotationSelector: map[]
Resource	Used	Hard
--------	----	----
requests.cpu	2250m	10

Note

The --all-namespaces argument to oc commands such as the get and describe commands does not work with AppliedClusterResourceQuota resources. These resources are listed only when you select a namespace.

Navigate to Administration → ResourceQuotas to view quotas and their status. This page displays cluster quotas along with namespace quotas. Although you can view resources of the ClusterResourceQuota type and create resources of the ResourceQuota type in the ResourceQuotas page, you cannot create objects of the ClusterResourceQuota in this page.

The project pages on both the developer and administrator perspectives also show the cluster quotas that apply to a specific project.

References

For more information, refer to the Quotas chapter in the Red Hat OpenShift Container Platform 4.14 Building Applications documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/building_applications/index#quotas

For more information about object counts, refer to the Planning Your Environment According to Object Maximums chapter in the Red Hat OpenShift Container Platform 4.14 Scalability and Performance documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/scalability_and_performance/index#planning-your-environment-according-to-object-maximums

Requests and Limits

Resource Quotas

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1