What will I need in terms of security constraints, resources, and ingress?
Security Context Constraints:
- A number of Astronomer components need to be added to the anyuid security context constraint. This is necessary for components that need to run as root inside their containers.
- A few Astronomer components (elasticsearch, fluentd) need to be added to the privileged security context constraint. This is necessary for gathering Airflow container logs at the node level. Because a privileged pod has root-equivalent access to the node it runs on, grant this SCC to those components' service accounts only, not to the project's whole service-account group.
- More information on Security Context Constraints can be found here: https://blog.openshift.com/understanding-service-accounts-sccs/
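The SCC grants above, written out as a script. This is an added example, not Astronomer's installer or any script from the page; the namespace and the service-account names are assumptions, and it targets the OpenShift 3.x model in which `oc adm policy add-scc-to-user` records `system:serviceaccount:<ns>:<name>` in the SCC's users list. The audit step exists because the privileged grant is the one a reviewer will ask about: it lists any service account in the project that holds the SCC beyond the set you intended.

```shell
#!/bin/sh
# Added example (not Astronomer's own installer): grant the anyuid and
# privileged SCCs to individual service accounts and audit the result.
# The namespace and service-account names below are assumptions.
OC="${OC:-oc}"
NAMESPACE="${NAMESPACE:-astronomer}"
# Hypothetical service accounts of components that must run as root.
ANYUID_SAS="${ANYUID_SAS:-astronomer-houston astronomer-registry}"
# Only the log-collection components get privileged (node-level log access).
PRIVILEGED_SAS="${PRIVILEGED_SAS:-astronomer-fluentd astronomer-elasticsearch}"

# Grant an SCC to each listed service account with -z (per SA), not to the
# group system:serviceaccounts:<ns>, so other SAs in the project gain nothing.
grant_scc() {
  scc="$1"; shift
  for sa in "$@"; do
    "$OC" adm policy add-scc-to-user "$scc" -z "$sa" -n "$NAMESPACE" || return 1
  done
}

# Read SCC user entries (one per line on stdin) and print every service
# account of NAMESPACE that holds the SCC but is not in the allowed list.
# Empty output means the SCC is held only by the SAs we intended.
unexpected_scc_users() {
  allowed=" $* "
  while IFS= read -r user; do
    case "$user" in
      "system:serviceaccount:$NAMESPACE:"*)
        sa="${user#system:serviceaccount:$NAMESPACE:}"
        case "$allowed" in
          *" $sa "*) ;;
          *) printf '%s\n' "$user" ;;
        esac
        ;;
    esac
  done
}

# Pull the SCC's users from the cluster and run the check above.
audit_scc() {
  scc="$1"; shift
  "$OC" get scc "$scc" -o 'jsonpath={range .users[*]}{@}{"\n"}{end}' \
    | unexpected_scc_users "$@"
}

# Nothing talks to the cluster unless the script is invoked with "apply".
case "${1:-}" in
  apply)
    grant_scc anyuid $ANYUID_SAS
    grant_scc privileged $PRIVILEGED_SAS
    echo "service accounts holding privileged beyond the intended set:"
    audit_scc privileged $PRIVILEGED_SAS
    ;;
esac
```

Run it as `sh grant-sccs.sh apply` with `NAMESPACE` and the two SA lists set for your install. If the audit prints anything, some other workload in the project has been given node-level access and should be removed with `oc adm policy remove-scc-from-user`.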
Resource Requirements:
- You can find a breakdown of each component's resources here: https://www.astronomer.io/docs/ee-configuring-resources/. We typically recommend three machines with 8 CPUs and 32 GB of memory each as a starting point, but this will vary depending on your use cases (and will ideally auto-scale if you are using a cloud provider).
Ingress:
- Astronomer uses its own NGINX load balancer, bundled with the platform. This NGINX instance is configured to handle authentication, so ingress traffic must be routed to it rather than terminated by something that sits in front of it.
- OpenShift versions before v3.10 allowed us to route traffic from the OpenShift router directly to our NGINX load balancer. As of v3.10 this is no longer possible, because ingress objects are translated directly into routes, and those routes are not editable. More information can be found here: https://docs.openshift.com/container-platform/3.10/architecture/networking/routes.html#architecture-routes-support-for-ingress
- Option 1: Bypass the OpenShift router by configuring the cluster to use external IPs (external to the cluster, internal to CS). This method is preferred: it lets us tie an IP to our NGINX, as we do when installing on a major cloud provider. You can find detailed information on this approach here: https://docs.openshift.com/container-platform/3.11/admin_guide/tcp_ingress_external_ports.html#unique-external-ips-ingress-traffic-configure-cluster
- Option 2 (still in testing): Use OpenShift's NGINX router. OpenShift offers the ability to use NGINX in place of the default HAProxy router. We are still testing this method. More information here: https://blog.openshift.com/introducing-nginx-and-nginx-plus-routers-for-openshift/
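Option 1 in practice, as an added example that is not Astronomer's code or a script from the page: assign an external IP to the platform's NGINX Service so that traffic reaches it without passing through the OpenShift router. The Service name, namespace and IP are assumptions. The cluster admin must first list the IP's range under `networkConfig.externalIPNetworkCIDRs` in master-config.yaml (the linked OpenShift guide covers this), or the API server rejects the `spec.externalIPs` field; the address must also be routed to the nodes. Because this path bypasses the router, TLS and authentication are handled entirely by the NGINX behind it, so keep the external IP on a network segment that only the intended clients can reach.

```shell
#!/bin/sh
# Added example (not Astronomer's own code): put the bundled NGINX Service on
# an external IP, bypassing the OpenShift router. Service name, namespace and
# the IP you pass in are assumptions for this example.
OC="${OC:-oc}"
NAMESPACE="${NAMESPACE:-astronomer}"
NGINX_SVC="${NGINX_SVC:-astronomer-nginx}"

# Reject anything that is not a plain dotted-quad IPv4 address before it is
# handed to the API server.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Build the strategic-merge patch that sets spec.externalIPs on the Service.
external_ip_patch() {
  ips=""
  for ip in "$@"; do
    ips="${ips:+$ips,}\"$ip\""
  done
  printf '{"spec":{"externalIPs":[%s]}}' "$ips"
}

# Validate every address, then patch the NGINX Service in place.
apply_external_ip() {
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 1; }
  done
  "$OC" patch svc "$NGINX_SVC" -n "$NAMESPACE" -p "$(external_ip_patch "$@")"
}

# Read back what the cluster recorded, so a rejected patch is not missed.
show_external_ips() {
  "$OC" get svc "$NGINX_SVC" -n "$NAMESPACE" -o 'jsonpath={.spec.externalIPs}'
}

# Nothing talks to the cluster unless an IP is given on the command line.
if [ $# -gt 0 ]; then
  apply_external_ip "$@" && show_external_ips
fi
```

Invoke it as `sh nginx-external-ip.sh 10.20.30.40` with `NAMESPACE` and `NGINX_SVC` set to match the release. If the patch fails with a Forbidden error on `spec.externalIPs`, the address is outside the allowed CIDRs in master-config.yaml rather than a problem with the Service.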