DO280 - ch08s05

Bookmark this page

Cluster and Node Maintenance with Kubernetes Cron Jobs

Objectives

Automate regular cluster and application management tasks with Kubernetes cron jobs.

Maintenance Tasks

Cluster administrators can use scheduled tasks to automate maintenance tasks in the cluster. Other users can create scheduled tasks for regular application maintenance.

Maintenance tasks vary in the privileges that they require. Cluster maintenance tasks require privileged pods, whereas most applications might not require elevated privileges.

Kubernetes Batch API Resources

You can automate tasks in OpenShift by using standard Kubernetes jobs and cron jobs. The automated tasks can be configured to run once or on a regular schedule.

Job: Kubernetes jobs specify a task that is executed once.
Cron Job: Kubernetes cron jobs have a schedule to execute a task regularly.

When a cron job is due for execution, Kubernetes creates a job resource. Kubernetes creates these jobs from a template in the cron job definition. Other than this relationship, Kubernetes jobs and cron jobs are workload resource types, such as deployments or daemon sets.

Kubernetes Jobs

The job resource includes a pod template that describes the task to execute. You can use the oc create job --dry-run=client command to get the YAML representation of the Kubernetes job resource:

[user@host ~]$ oc create job --dry-run=client -o yaml test \
  --image=registry.access.redhat.com/ubi8/ubi:8.6 \
  -- curl https://example.com

A job contains a pod template, and this pod template must specify at least one container. You can add metadata such as labels or annotations to the job definition and pod template.

apiVersion: batch/v1
kind: Job
metadata:
  creationTimestamp: null
  name: test
spec: 
  template: 
    metadata:
      creationTimestamp: null
    spec: 
      containers: 
      - command: 
        - curl
        - https://example.com
        image: registry.access.redhat.com/ubi8/ubi:8.6 
        name: test
        resources: {}
      restartPolicy: Never
status: {}

	Job specification
	Pod template
	Pod specification
	Pod containers
	Command
	Container image

Kubernetes Cron Jobs

The cron job resource includes a job template that describes the task and a schedule. You can use the oc create cronjob --dry-run=client command to get the YAML representation of the Kubernetes cron job resource:

[user@host ~]$ oc create cronjob --dry-run=client -o yaml test \
  --image=registry.access.redhat.com/ubi8/ubi:8.6 \
  --schedule='0 0 * * *' \
  -- curl https://example.com

In Kubernetes, cron job resources are similar to job resources. The jobTemplate key follows the same structure as a job. The schedule key describes when the task runs.

apiVersion: batch/v1
kind: CronJob
metadata:
  creationTimestamp: null
  name: test
spec: 
  jobTemplate: 
    metadata:
      creationTimestamp: null
      name: test
    spec: 
      template: 
        metadata:
          creationTimestamp: null
        spec: 
          containers:
          - command: 
            - curl
            - https://example.com
            image: registry.access.redhat.com/ubi8/ubi:8.6 
            name: test
            resources: {}
          restartPolicy: OnFailure
  schedule: 0 0 * * * 
status: {}

	Cron job specification
	Job template
	Job specification
	Pod template
	Pod specification
	Command
	Container image
	Cron job schedule specification

Linux Cron Jobs

The schedule specification for Kubernetes cron jobs is derived from the specification in Linux cron jobs. The crontab file specifies the scheduled tasks for the current user. The schedule specification has five fields to define the date and time when the job is executed. The /etc/crontab file comments include a syntax diagram:

# Example cron job definition:
# ┌───────────────── minute (0 - 59)
# │  ┌────────────── hour (0 - 23)
# │  │   ┌────────── day of month (1 - 31)
# │  │   │   ┌────── month (1 - 12) or jan,feb,mar,apr ...
# │  │   │   │   ┌── day of week (0 - 7) or sun,mon,tue,wed,thu,fri,sat
# │  │   │   │   │     (Sunday is 0 or 7)
# m  h  dom mon dow  command
  0 */2  *   *   *   /path/to/task_executable arguments

Some examples of cron job specifications are as follows:

Schedule specification	Description
0 0 * * *	Run the specified task every day at midnight
*0 0 * 7**	Run the specified task every Sunday at midnight
0 * * * *	Run the specified task every hour
0 /4 * *	Run the specified task every four hours

Note

Refer to the crontab(5) manual page for more information about the cron job schedule specification.

Automate Maintenance Tasks with Cron Jobs

You can automate the maintenance tasks for applications that run inside the cluster, and also execute low-level commands inside privileged debug pods to apply cluster maintenance tasks.

Automating Application Maintenance Tasks

Regular maintenance tasks might need to run for applications that run in the cluster.

For example, consider creating periodic backups for an application. This application requires the following steps to create the backup:

Activate maintenance mode.
Create a compressed database backup.
Deactivate maintenance mode.
Copy the database backup to an external location.

The following cron job definition shows a possible implementation of these steps:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: wordpress-backup
spec:
  schedule: 0 2 * * 7  
  jobTemplate:  
    spec:
      template:  
        spec:  
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          containers:  
          - name: wp-cli
            image: registry.io/wp-maintenance/wp-cli:2.7  
            resources: {}
            command:  
            - bash
            - -xc
            args:  
            - >
              wp maintenance-mode activate ;
              wp db export | gzip > database.sql.gz ;
              wp maintenance-mode deactivate ;
              rclone copy database.sql.gz s3://bucket/backups/ ;
              rm -v database.sql.gz ;

	Schedule for every Sunday at 2 AM
	The Kubernetes job template
	The Kubernetes pod template
	The Kubernetes pod specification
	The pod container configuration
	The container image that runs the maintenance task
	The command to execute inside the pod
	Maintenance commands to execute

Note

The > symbol uses the YAML folded style, which converts all newlines to spaces when parsing. Each command is separated with a semicolon (;), because the string in the args key is passed as a single argument to the bash -xc command.

This combination of the command and args keys has the same effect as executing the commands in a single line inside the container:

[user@host ~]$ bash -xc 'wp maintenance-mode activate ; wp db export | gzip > database.sql.gz ; wp maintenance-mode deactivate ; rclone copy database.sql.gz s3://bucket/backups/ ; rm -v database.sql.gz ;'

For more information about the YAML folded style, refer to https://yaml.org/spec/1.2.2/#folded-style

Automating Cluster Maintenance Tasks

Cluster maintenance might require executing complex scripts in privileged pods. You can create a shell script with the commands to execute the maintenance task, and mount the script in the pod by using a configuration map.

For example, when images are updated, clusters might accumulate unused images. These images might occupy much space. Executing the crictl rmi --prune command on all nodes of the cluster frees this space.

The following configuration map contains a shell script that cleans images in all cluster nodes by executing a debug pod and running the crictl command with the chroot command to access the root file system of the node:

apiVersion: v1
kind: ConfigMap
metadata:
  name: maintenance
  app: crictl
data:
  maintenance.sh: |
    #!/bin/bash
    NODES=$(oc get nodes -o=name) 
    for NODE in ${NODES} 
    do
      echo ${NODE}
      oc debug ${NODE} -- \ 
        chroot /host \
          /bin/bash -xc 'crictl images ; crictl rmi --prune' 
      echo $?
    done

	List the nodes in the cluster.
	Iterate over the nodes.
	Run a debug pod on the node.
	Prune the images.

This task can be scheduled regularly by using a cron job. The quay.io/openshift/origin-cli:4.14 container provides the oc command that runs the debug pod. The pod mounts the configuration map and executes the maintenance script.

apiVersion: batch/v1
kind: CronJob
metadata:
  name: image-pruner
spec:
  schedule: 0 * * * *
  jobTemplate:
    spec:
      template:
        spec:
          dnsPolicy: ClusterFirst
          restartPolicy: Never
          containers:
          - name: image-pruner
            image: quay.io/openshift/origin-cli:4.14
            resources: {}
            command:
            - /opt/scripts/maintenance.sh 
            volumeMounts: 
            - name: scripts
              mountPath: /opt
          volumes: 
          - name: scripts
            configMap:
              name: maintenance
              defaultMode: 0555

	Path to the script
	Mounting the configuration map as a volume

Cluster maintenance tasks might require elevated privileges. Administrators can assign service accounts to any workload, including Kubernetes jobs and cron jobs.

You can create a service account with the required privileges, and specify the service account with the serviceAccountName key in the pod definition. You can also use the oc set serviceaccount command to change the service account of an existing workload.

References

Kubernetes Job

Kubernetes Cron Job

How to Delete Exited Containers and Dangling Images with crictl?

Discuss Red Hat OpenShift Administration II: Configuring a Production Cluster

Go to community

Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280)

Haley_Ruccio

26 lip 2023

Configure, manage, and troubleshoot OpenShift clusters and containerized applicationsRed Hat OpenShift Administration II: Operating a Production Kubernetes Cluster (DO280) prepares OpenShift Cluster Administrators to perform daily administration tasks on clusters that host applications provided by internal teams and external vendors, enable self-service for cluster users with different roles, and deploy applications that require special permissions such as such as CI/CD tooling, performance monitoring, and security scanners. This course focuses on configuring multi-tenancy and security features of OpenShift as well as managing OpenShift add-ons based on operators.The skills you learn in this course can be applied using all versions of OpenShift, including Red Hat OpenShift on AWS (ROSA), Azure Red Hat OpenShift, and OpenShift Container Platform.This course is based on OpenShift Container Platform 4.12.5-10 Course TopicsDeploying packaged applications using manifests, templates, kustomize, and helm.Configuring authentication and authorization for users and applications.Protecting network traffic with network policies and exposing applications with proper network access.Deploying and managing applications using resources manifests.Enabling developer self-service of application projects.Managing OpenShift cluster updates and Kubernetes operator updates.Target AudienceSystem Administrators and Platform Operators interested in the ongoing management of OpenShift clusters, applications, users, and add-ons.Site Reliability Engineers interested in the ongoing maintenance and troubleshooting of Kubernetes clusters.System and Software Architects interested in understanding the security of an OpenShift cluster.Recommended TrainingTake our free assessment to gauge whether this offering is the best fit for your skills.Prerequisite: Red Hat OpenShift I: Containers & Kubernetes (DO180 v4.12), or equivalent skills deploying and managing Kubernetes applications using the OpenShift web console and command-line interfaces.Technology considerationsThis course requires internet access to access the cloud-based classroom environment that provides an OpenShift cluster and a remote administrator’s workstation.

476

About pod security standards and warnings

alexcorcoles

17 kwi 2023

(This material has been created with the inputs of instructors and other people. We are trying to get this material published as soon as possible to address some concerns with DO180 and DO280.)With the default configuration, any namespace that you create on OpenShift 4.12 has the following labels: pod-security.kubernetes.io/audit: restrictedpod-security.kubernetes.io/audit-version: v1.24pod-security.kubernetes.io/warn: restrictedpod-security.kubernetes.io/warn-version: v1.24 These labels activate auditing and warning of the restricted pod security standard. The Kubernetes documentation describes the restricted pod security standard. Pod security standards such as restricted are not directly related to security context constraints such as the restricted SCC.Kubernetes uses an admission controller to reject pods that do not comply with pod security standards. An admission controller is a Kubernetes component that inspects every Kubernetes resource before its creation, and acts before Kubernetes creates the resource. This action can include rejecting the creation of the resource, or modifying the resource.The pod security standards are policies that include properties that workloads must follow. For example, the restricted standard requires that containers set the securityContext.allowPrivilegeEscalation field to false.Pod security standards apply both to workloads, such as deployments and jobs, and to pods.When a pod is created, the admission controller inspects the container specifications and enumerates the fields that violate the pod security standard of the namespace. The admission controller inspects the pod-security labels in the namespace to decide which pod security standard to apply (restricted, baseline, or privileged), and which action to take on violations. Namespaces can audit, warn, or enforce pod security standard violations. When the pod-security.kubernetes.io/audit annotation is set to restricted, the admission controller prevents the creation of pods that violate the security standard. When the pod-security.kubernetes.io/audit and pod-security.kubernetes.io/warn annotations are defined in the project, the admission controller does not block the creation of pods, but registers audit events or warnings.The admission controller does not enforce pod security standards for workloads. If the namespace is configured to enforce a pod security standard, then you can create a violating workload. The admission controller enforces only pod security policies on pods.Cluster administrators can use pod security standards to ensure that pods and workloads in namespaces limit their privileges. By limiting privileges, cluster administrators can mitigate what malicious pods can do.The default configuration of user namespaces in OpenShift does not restrict any workload; it only notifies users when they create workloads that do not follow pod security standards that might be enforced in future OpenShift versions.Security Context ConstraintsOpenShift introduced security context constraints (SCC) before the introduction of pod security standards in Kubernetes. SCCs automatically make security modifications to pods when they are created. By default, the system:openshift:scc:restricted-v2 cluster role binding applies to all authenticated users, so regular user workloads use the restricted-v2 SCC. For example, when you execute the following command to create a workload without any security configuration, the SCC adds security configuration to the pods: [user@host ~]$ oc create deployment test --image registry.ocp4.example.com:8443/redhattraining/hello-world-nginx (You can add the --dry-run=client -o yaml options to view the deployment manifest. The deployment manifest does not contain the security properties, which are described later.)If you inspect the pods that the deployment created, the SCC makes the following changes: [user@host ~]$ oc get pod test-b8d5658b6-7bxfs -o yamlapiVersion: v1kind: Podmetadata: annotations:... output omitted... openshift.io/scc: restricted-v2 seccomp.security.alpha.kubernetes.io/pod: runtime/default...output omitted...spec: containers: - image: registry.ocp4.example.com:8443/redhattraining/hello-world-nginx imagePullPolicy: Always name: hello-world-nginx resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL runAsNonRoot: true runAsUser: 1000690000... output omitted... securityContext: fsGroup: 1000690000 seLinuxOptions: level: s0:c26,c20 seccompProfile: type: RuntimeDefault... output omitted... These restrictions satisfy the restricted pod security policy.The result of these defaults means that when creating a workload (such as a deployment) in a namespace without any customization, the restricted pod security standard applies, but the admission controller only warns and audits. If the workload does not satisfy the pod security standard, then the admission controller allows the workload to be created, but prints a message such as the following warning: Warning: would violate PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "example" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "example" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "database" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "example" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost") However, by default Kubernetes creates the deployment pods with the restricted-v2 SCC, with the restrictions that the previous warning included. Due to the following factors, workloads generate only a warning, and the pod security standard admission controller allows their pods:The pod security standard admission controller never enforces pod security standards on workloads (only on pods).By default, namespaces do not enforce pod security standards on pods.By default, regular workloads create pods by using the restricted-v2 SCC, which satisfies the restricted pod security standard.Even if future versions of OpenShift change the default namespace configuration to enforce the restricted pod security standard, users will continue to be able to create workloads without explicitly declaring the restrictions that the pod security standard requires, because the restricted-v2 SCC will apply such restrictions automatically.You can take the following approaches to handling pod security:For most workloads, the restricted-v2 SCC limits pod privileges adequately. When creating a workload, you receive the warning, but the workload creates pods and works correctly.You can also create your workloads by providing a full specification of the security constraints to apply, without relying on the SCC to provide the configuration. By following this approach, privileges are more explicit, and you have greater control, so you can adjust more precisely the specific privileges that are granted to workloads.When the restricted-v2 SCC and the default restricted pod security standard are not adequate for your workload, because either you require further privileges, or you need further restrictions, you must use an existing SCC, or create a custom SCC, and provide explicit security specifications. You can also adjust the namespace labels to choose a different pod security standard, and decide to audit, log, or enforce the standard.

1473

Welcome to the Red Hat OpenShift Administration II (DO280) group in the Red Hat Learning Community!

Deanna

17 kwi 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster!To gain the most value from this group - click the "Join Group" button in the upper right hand corner.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO280.Read more about Red Hat OpenShift Administration II here.Thanks!

1334

Revision: do280-4.14-08d11e1