Chapter 1. Components and Considerations

1.1. AWS Infrastructure Components

A successful installation of a Red Hat OpenShift Container Platform environment requires the following components to create a highly available and full-featured environment.

1.1.1. Virtual Private Cloud (VPC)

The VPC provides a hosted and virtually isolated network, compute, and storage environment. The customer provides a CIDR range at creation time, and all components are then built within that global CIDR range.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed in a single VPC with 172.16.0.0/16 as a CIDR range to provide substantial IPv4 space.

A VPC includes the following subcomponents:

1.1.1.1. Regions and Availability Zones (AZs)

AWS manages many physical data centers within a region of a country. A VPC is an isolated namespace that spans those physical data centers. The decision to use a particular region depends upon customer requirements, regulations, and cost.

This reference environment uses the us-east-1 region.

Availability Zones provide physically separated environments for network, compute, and storage resources. AZs exist within a VPC. AWS randomizes the AZ names presented to each account within a region.

This reference environment uses the first three AZs available to the account's region.

Deploying Red Hat OpenShift Container Platform in AWS across different zones can be beneficial to avoid single points of failure, but there are caveats regarding storage. AWS disks are created within a single zone; therefore, if a Red Hat OpenShift Container Platform node goes down in zone "A" and its pods should be moved to zone "B", the persistent storage cannot be attached to those pods because the disks reside in a different availability zone.

It is advised to deploy 1+ application nodes in the same AZ if running an application that requires high availability. Architecting applications that can cluster or run across different availability zones is also an option to work around this limitation.

1.1.1.2. DHCP

A DHCP server is provided with each VPC to track IP assignment.

1.1.1.3. Internet Gateways (IGW)

An IGW enables internal network traffic to be routed to the Internet.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with a single IGW attached to the VPC.

1.1.1.4. NAT Gateways (NatGWs)

NatGWs provide an AZ-specific, highly available routing service that enables VPC-internal components in a private subnet to connect to the Internet while preventing the Internet from initiating connections to those instances.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with three NatGWs, one in each AZ, providing Internet access for infrastructure within that AZ. No cross-AZ traffic is allowed.

1.1.1.5. Subnets

VPC subnets are a logical subdivision of the global VPC CIDR range. They exist in a single AZ only. A virtual default gateway is provided for each subnet.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with six subnets spread equally across the three AZs. The first set of three is directly Internet routable. The second set of three allows VPC-internal components to route to the Internet via the NatGW of their AZ. All subnets are deployed as /20 CIDR ranges (for example, 172.16.0.0/20 through 172.16.80.0/20 carved from the 172.16.0.0/16 VPC range), giving each subnet plenty of IPv4 capacity.

1.1.1.6. Network Access Control Lists (ACLs)

ACLs are lists of IP addresses and CIDR ranges that can be applied to each subnet to provide inbound and outbound network security.

For simplicity, this reference architecture uses a single network ACL allowing all IPs and all ports, applied to all subnets within the VPC.

1.1.1.7. Route Tables

Each subnet can have a route table applied. This enables cross subnet, Internet, and VPN network traffic routing.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with four route tables:

  • 1 providing direct Internet access and assigned to the Internet routable subnets
  • 3 providing a route to the Internet via the NatGW for each AZ and assigned to the private subnet of that AZ

1.1.1.8. Security Groups (SGs)

SGs are stateful firewalls that can be applied to any network interface within the VPC. IPs, CIDR ranges, and other SGs can be added to rule lists to provide inbound and outbound network security.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with four SGs.

Table 1.1. Security Group association

Instance type        | Security groups associated
Bastion              | bastion
Masters              | mastersg, nodesg
Infra nodes          | infrasg, nodesg
App nodes            | nodesg
CNS nodes (optional) | cnssg, nodesg

1.1.1.8.1. Bastion Security Group ports

The bastion SG only needs to allow inbound SSH and ICMP echo (ping) for network connectivity testing.

Table 1.2. Bastion Security Group Ports

Port/Protocol | Service      | Remote source | Purpose
ICMP          | echo-request | Any           | Network connectivity testing
22/TCP        | SSH          | Any           | Secure shell login

1.1.1.8.2. Master Security Group

The master SG requires the most complex network access controls. In addition to the ports used by the API and master console, these nodes contain the etcd servers that form the cluster.

Table 1.3. Master Security Group Ports

Port/Protocol | Service | Remote source     | Purpose
53/TCP        | DNS     | Masters and nodes | Internal name services (3.2+)
53/UDP        | DNS     | Masters and nodes | Internal name services (3.2+)
2379/TCP      | etcd    | Masters           | Client → Server connections
2380/TCP      | etcd    | Masters           | Server → Server cluster communications
8053/TCP      | DNS     | Masters and nodes | Internal name services (3.2+)
8053/UDP      | DNS     | Masters and nodes | Internal name services (3.2+)
443/TCP       | HTTPS   | Any               | Master WebUI and API

1.1.1.8.3. Infrastructure Node Security Group

The infrastructure nodes run the Red Hat OpenShift Container Platform router and the registry. The infra security group must accept inbound connections on the web ports to be forwarded to their destinations.

Table 1.4. Infrastructure Security Group Ports

Port/Protocol | Service | Remote source | Purpose
80/TCP        | HTTP    | Any           | Cleartext application web traffic
443/TCP       | HTTPS   | Any           | Encrypted application web traffic

1.1.1.8.4. Node Security Group

The node SG is assigned to all instances of Red Hat OpenShift Container Platform. The rules defined only allow for SSH traffic from the bastion host or other nodes, pod-to-pod communication via SDN traffic, and kubelet communication via Kubernetes.

Table 1.5. Node Security Group Ports

Port/Protocol | Service      | Remote source | Purpose
ICMP          | echo-request | Any           | Network connectivity testing
22/TCP        | SSH          | SSH SG        | Secure shell login
4789/UDP      | SDN          | Nodes         | Pod to pod communications
10250/TCP     | kubernetes   | Nodes         | Kubelet communications

1.1.1.8.5. CNS Node Security Group (Optional)

The CNS nodes require the same ports as the other nodes, plus the specific ports used by the glusterfs pods. The rules defined only allow for SSH traffic from the bastion host or other nodes, glusterfs communication, pod-to-pod communication via SDN traffic, and kubelet communication via Kubernetes.

Table 1.6. CNS Security Group Ports

Port/Protocol   | Service | Remote source | Purpose
2222/TCP        | Gluster | Gluster nodes | CNS communication
24007/TCP       | Gluster | Gluster nodes | Gluster Daemon
24008/TCP       | Gluster | Gluster nodes | Gluster Management
49152-49664/TCP | Gluster | Gluster nodes | Gluster Client Ports

1.1.1.9. Elastic IP (EIP)

EIPs are static, Internet-addressable IPv4 addresses. An EIP can be assigned to AWS infrastructure components as needed.

Using the installation methods described in this document, the Red Hat OpenShift Container Platform environment is deployed with a single EIP.

1.1.1.10. Elastic Network Interfaces (ENI)

ENIs are virtual network interfaces assigned to network and compute components within the VPC. ENIs are highly dynamic and scalable.

1.1.1.11. Elastic Network Adapters (ENA)

ENAs are high-performance virtual NICs that give a virtual machine direct access to the underlying hardware via SR-IOV over 10 or 25 Gigabit Ethernet physical networks.

1.1.2. Elastic Load Balancer (ELB)

ELBs are network load balancers that distribute network traffic to EC2 instances. ELB ENIs scale out based on load, so it is essential that adequate IP space is available within the subnet to allow this behavior.

This reference environment consists of the following ELB instances:

  • One for the master API that is Internet addressable
  • One for the master API that is VPC internal only
  • One for the infrastructure router service that is used to route a Red Hat OpenShift Container Platform service to its pods

1.1.3. Elastic Compute Cloud (EC2)

EC2 instances are virtual machines within the AWS cloud. They are available in various CPU and memory sizes and can run disk images containing RHEL, Windows, and other operating systems.

This reference environment consists of the following EC2 instances:

  • A single t2.medium EC2 instance to be used as a bastion and SSH proxy
  • A set of three m5.2xlarge EC2 instances for the master API service, spread across the three AZs
  • A set of three m5.2xlarge EC2 instances for the infrastructure router service
  • A set of three m5.2xlarge EC2 instances for node service and pod hosting
  • Optionally, a set of three m5.2xlarge EC2 instances can be created to provide CNS storage

This reference environment uses m5-type EC2 instances, which provide 8 vCPUs, 32 GB of memory, and high-performance ENAs. Price and general performance are well balanced with this EC2 type.

1.1.4. Elastic Block Storage (EBS)

EBS volumes are storage volumes accessed from EC2 instances using a block protocol. They are AZ-specific and can be dynamically resized and reattached to other EC2 instances within the same AZ. Snapshots may be taken of an EBS volume at any time for data archiving and restoration.

This reference environment consists of the following EBS volumes:

  • Master EC2 instances each consume four 100 GB EBS volumes, used for the root volume, etcd, EmptyDir, and container storage
  • Infra EC2 instances each consume two 100 GB EBS volumes, used for the root volume and container storage
  • Node EC2 instances each consume three 100 GB EBS volumes, used for the root volume, EmptyDir, and container storage
  • Optionally, CNS EC2 instances each consume four EBS volumes, used for the root volume, EmptyDir, container storage, and CNS storage

This reference environment uses gp2-type EBS volumes. Price and general performance are well balanced with this EBS type.

1.1.5. Simple Storage Service (S3)

S3 is a highly available object storage target that is accessed using the HTTPS protocol.

This reference environment consists of a single S3 bucket to be used for backend storage for the Red Hat OpenShift Container Platform managed registry.

1.1.6. Identity and Access Management (IAM)

IAM is a service that provides user and policy management to secure access to the AWS APIs.

This reference environment consists of the following IAM users:

  • IAM user clusterid-admin with a policy to allow Red Hat OpenShift Container Platform to interact with the AWS API
  • IAM user clusterid-registry with a policy to allow the Red Hat OpenShift Container Platform managed registry service to interact with the S3 bucket
Note

It is possible to use IAM roles and policies to secure Red Hat OpenShift Container Platform master service and node kubelet access to the AWS API. The roles are attached directly to the master and node EC2 instances, which adds complexity to the infrastructure deployment. There are also security concerns, as all users on the instances would have equal access to the AWS API. This reference architecture uses IAM user access keys to avoid this complexity and these security concerns.

1.2. AWS Infrastructure charge model

Operating within the AWS environment is not free of charge. AWS billing is complicated and changes often. This table contains links to AWS component charging pages so that customers can plan their operating expenditures.

AWS Service | Quantity | Charge Model
Route53 | 1 hosted zone (public) + 1 hosted zone (private) + many RR records | Charge model
VPC | 1 | Charge model
VPC AZ | 3 | Charge model
VPC Subnet | 6 | None
VPC Route Table | 4 | None
VPC DHCP Option Set | 1 | None
VPC NACL | 1 | None
VPC SG | 4 | None
VPC NatGW | 3 | Charge model
EIP | 1 | Charge model
ELB | 2 (RHOCP master internal & internet-facing) + 1 (RHOCP infra internet-facing) | Charge model
EC2 | 3 x m5.xlarge (RHOCP master instances) + 3 x m5.xlarge (RHOCP infra instances) + 3 x m5.xlarge (RHOCP app instances) + 3 x m5.xlarge (RHOCP CNS instances, optional) | Charge model
EBS | 1 x 25 GB gp2 (bastion root vol) + 9 x 100 GB gp2 (root vols) + 3 x 100 GB (master instance etcd vol) + 15 x 100 GB (container storage vol) + 3 x 100 GB (RHOCP instance CNS vol, optional) | Charge model
S3 | 1 bucket for RHOCP | Charge model
IAM | 1 user & policy (cloudprovider_kind) + 1 user & policy (registry S3 storage) | None

Tip

The AWS Cost Calculator provides fine-tuned estimates of AWS infrastructure billing.

1.2.1. Route53

Route53 is a managed DNS service that provides internal and Internet accessible hostname resolution.

This reference environment consists of the following Route53 DNS zones:

  • refarch.example.com - Internet addressable
  • refarch.example.com - VPC internal only

Customers must assign domain delegation to these zones within their DNS infrastructure.

This reference environment consists of the following Route53 DNS records within each of the external and internal zones:

  • API access - master.refarch.example.com
  • app access - *.refarch.example.com
  • ELK logging - logging.refarch.example.com
  • registry - registry.refarch.example.com

1.3. Bastion Instance

Best practices recommend minimizing attack vectors into a system by exposing only those services required by consumers of the system. In the event of failure or a need for manual configuration, systems administrators require further access to internal components in the form of secure administrative back-doors.

In the case of Red Hat OpenShift Container Platform running in a cloud provider context, the entry points to the Red Hat OpenShift Container Platform infrastructure such as the API, Web Console and routers are the only services exposed to the outside. The systems administrators' access from the public network space to the private network is possible with the use of a bastion instance.

A bastion instance is a non-OpenShift instance accessible from outside of the Red Hat OpenShift Container Platform environment, configured to allow remote access via secure shell (ssh). To remotely access an instance, the systems administrator first accesses the bastion instance, then "jumps" via another ssh connection to the intended OpenShift instance. The bastion instance may be referred to as a "jump host".

Note

As the bastion instance can access all internal instances, it is recommended to take extra measures to harden this instance's security. For more information on hardening the bastion instance, see the official Guide to Securing Red Hat Enterprise Linux 7.

Depending on the environment, the bastion instance may be an ideal candidate for running administrative tasks such as the Red Hat OpenShift Container Platform installation playbooks. This reference environment uses the bastion instance for the installation of the Red Hat OpenShift Container Platform.

1.4. Red Hat OpenShift Container Platform Components

Red Hat OpenShift Container Platform comprises multiple instances running on Amazon Web Services that host the scheduled and configured OpenShift services and supplementary containers. These containers can have persistent storage, if required by the application, and integrate with optional OpenShift services such as logging and metrics.

1.4.1. OpenShift Instances

Instances running the Red Hat OpenShift Container Platform environment run the atomic-openshift-node service, which allows the container orchestration layer to schedule pods. The following sections describe the different instance types and their roles in a Red Hat OpenShift Container Platform solution.

1.4.1.1. Master Instances

Master instances run the OpenShift master components, including the API server, controller manager server, and optionally etcd. The master manages nodes in its Kubernetes cluster and schedules pods to run on nodes.

Note

The master instances are considered nodes as well and run the atomic-openshift-node service.

For optimal performance, the etcd service should run on the master instances. When collocating etcd with master nodes, at least three instances are required. In order to have a single entry point for the API, the master nodes should be deployed behind a load balancer.

To create master instances with labels, set the following in the inventory file:

... [OUTPUT ABBREVIATED] ...
[etcd]
master1.example.com
master2.example.com
master3.example.com

[masters]
master1.example.com
master2.example.com
master3.example.com

[nodes]
master1.example.com openshift_node_labels="{'region': 'master', 'masterlabel2': 'value2'}"
master2.example.com openshift_node_labels="{'region': 'master', 'masterlabel2': 'value2'}"
master3.example.com openshift_node_labels="{'region': 'master', 'masterlabel2': 'value2'}"

Ensure the openshift_web_console_nodeselector Ansible variable value matches a master node label in the inventory file, as shown in the example below. By default, the web console is deployed to the masters.
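For example, with the master label shown in the inventory above, the following variable keeps the web console on the master nodes (a minimal sketch; the label value is taken from this example inventory):

openshift_web_console_nodeselector={"region":"master"}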

Note

See the official OpenShift documentation for a detailed explanation on master nodes.

1.4.1.2. Infrastructure Instances

The infrastructure instances run the atomic-openshift-node service and host the Red Hat OpenShift Container Platform components such as the registry, Prometheus, and Hawkular metrics. The infrastructure instances also run the Elasticsearch, Fluentd, and Kibana (EFK) containers for aggregated logging. Persistent storage should be available to the services running on these nodes.

Depending on environment requirements, at least three infrastructure nodes are required to provide a sharded, highly available aggregated logging service and to ensure that service interruptions do not occur during a reboot.

Note

For more infrastructure considerations, visit the official OpenShift documentation.

When creating infrastructure instances with labels, set the following in the inventory file:

... [OUTPUT ABBREVIATED] ...
[nodes]
infra1.example.com openshift_node_labels="{'region': 'infra', 'infralabel1': 'value1'}"
infra2.example.com openshift_node_labels="{'region': 'infra', 'infralabel1': 'value1'}"
infra3.example.com openshift_node_labels="{'region': 'infra', 'infralabel1': 'value1'}"
Note

The router and registry pods are automatically scheduled on nodes with the label 'region': 'infra'.

1.4.1.3. Application Instances

The Application (app) instances run the atomic-openshift-node service. These nodes should be used to run containers created by the end users of the OpenShift service.

When creating node instances with labels, set the following in the inventory file:

... [OUTPUT ABBREVIATED] ...

[nodes]
node1.example.com openshift_node_labels="{'region': 'primary', 'nodelabel2': 'value2'}"
node2.example.com openshift_node_labels="{'region': 'primary', 'nodelabel2': 'value2'}"
node3.example.com openshift_node_labels="{'region': 'primary', 'nodelabel2': 'value2'}"

1.4.2. etcd

etcd is a consistent and highly-available key value store used as Red Hat OpenShift Container Platform’s backing store for all cluster data. etcd stores the persistent master state while other components watch etcd for changes to bring themselves into the desired state.

Since values stored in etcd are critical to the function of Red Hat OpenShift Container Platform, firewalls should be implemented to limit the communication with etcd nodes. Inter-cluster and client-cluster communication is secured by utilizing x509 Public Key Infrastructure (PKI) key and certificate pairs.

etcd uses the Raft algorithm to gracefully handle leader elections during network partitions and the loss of the current leader. For a highly available Red Hat OpenShift Container Platform deployment, an odd number of etcd instances (three or more) is required.

1.4.3. Labels

Labels are key/value pairs attached to objects such as pods. They are intended to be used to specify identifying attributes of objects that are meaningful and relevant to users but do not directly imply semantics to the core system. Labels can also be used to organize and select subsets of objects. Each object can have a set of labels defined at creation time or subsequently added and modified at any time.

Note

Each key must be unique for a given object.

"labels": {
  "key1" : "value1",
  "key2" : "value2"
}

Labels are indexed and reverse-indexed for efficient queries, watches, sorting, and grouping in UIs and CLIs. Labels should not be polluted with non-identifying, large, and/or structured data; non-identifying information should instead be recorded using annotations.

1.4.3.1. Labels as Alternative Hierarchy

Service deployments and batch processing pipelines are often multi-dimensional entities (e.g., multiple partitions or deployments, multiple release tracks, multiple tiers, multiple micro-services per tier). Management of these deployments often requires cutting across the encapsulation of strictly hierarchical representations, especially those rigid hierarchies determined by the infrastructure rather than by users. Labels enable users to map their own organizational structures onto system objects in a loosely coupled fashion, without requiring clients to store these mappings.

Example labels:

{"release" : "stable", "release" : "canary"}
{"environment" : "dev", "environment" : "qa", "environment" : "production"}
{"tier" : "frontend", "tier" : "backend", "tier" : "cache"}
{"partition" : "customerA", "partition" : "customerB"}
{"track" : "daily", "track" : "weekly"}

These are just examples of commonly used labels; the ability exists to develop specific conventions that best suit the deployed environment.

1.4.3.2. Labels as Node Selector

Node labels can be used as node selectors, where different nodes are labeled for different use cases. The typical use case is to label the nodes running Red Hat OpenShift Container Platform infrastructure components (such as the registry, routers, metrics, or logging components) as "infrastructure nodes" to differentiate them from nodes dedicated to running user applications. Following this use case, the administrator can label the infrastructure nodes with "region=infra" and the application nodes with "region=app". Other uses include classifying nodes with different hardware using labels like "type=gold", "type=silver", or "type=bronze".

The scheduler can be configured to use node labels to assign pods to nodes via node selectors. When it makes sense to run certain pods only on certain types of nodes, a node selector can be set to control which labels are used to assign pods to nodes. A brief example follows.
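For instance, the following inventory variables (a minimal sketch; the variable names are from openshift-ansible and the label values are illustrative) set a cluster-wide default node selector for user workloads and pin the router and registry to the infrastructure nodes:

# Schedule user pods on application nodes by default
osm_default_node_selector='region=primary'
# Place the router and registry pods on infrastructure nodes
openshift_hosted_router_selector='region=infra'
openshift_hosted_registry_selector='region=infra'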

1.5. Software Defined Networking

Red Hat OpenShift Container Platform offers the ability to specify how pods communicate with each other. This could be through the use of Red Hat provided Software-defined networks (SDN) or a third-party SDN.

Deciding on the appropriate internal network for a Red Hat OpenShift Container Platform environment is a crucial step. Unfortunately, there is no single right answer regarding the appropriate pod network to choose, as this varies based upon the specific scenario requirements for how the Red Hat OpenShift Container Platform environment is to be used.

For the purposes of this reference environment, the Red Hat OpenShift Container Platform ovs-networkpolicy SDN plug-in is chosen due to its ability to provide pod isolation using Kubernetes NetworkPolicy. The following section, “OpenShift SDN Plugins”, discusses important details when deciding between the three popular options for the internal networks - ovs-multitenant, ovs-networkpolicy and ovs-subnet.

1.5.1. OpenShift SDN Plugins

This section focuses on multiple plugins for pod communication within Red Hat OpenShift Container Platform using OpenShift SDN. The three plugin options are listed below.

  • ovs-subnet - the original plugin that provides an overlay network created to allow pod-to-pod communication and services. This pod network is created using Open vSwitch (OVS).
  • ovs-multitenant - a plugin that provides an overlay network that is configured using OVS, similar to the ovs-subnet plugin, however, unlike the ovs-subnet it provides Red Hat OpenShift Container Platform project level isolation for pods and services.
  • ovs-networkpolicy - a plugin that provides an overlay network that is configured using OVS that provides the ability for Red Hat OpenShift Container Platform administrators to configure specific isolation policies using NetworkPolicy objects1.

1: https://docs.openshift.com/container-platform/3.9/admin_guide/managing_networking.html#admin-guide-networking-networkpolicy

Network isolation is important, so which OpenShift SDN should be chosen?

This leaves two OpenShift SDN options: ovs-multitenant and ovs-networkpolicy. ovs-subnet is ruled out because it does not provide network isolation.

While both ovs-multitenant and ovs-networkpolicy provide network isolation, the optimal choice comes down to what type of isolation is required. The ovs-multitenant plugin provides project-level isolation for pods and services. This means that pods and services from different projects cannot communicate with each other.

On the other hand, ovs-networkpolicy solves network isolation by providing project administrators the flexibility to create their own network policies using Kubernetes NetworkPolicy objects. This means that by default all pods in a project are accessible from other pods and network endpoints until NetworkPolicy objects are created. This in turn may allow pods from separate projects to communicate with each other assuming the appropriate NetworkPolicy is in place.

The level of isolation required should determine the appropriate choice between ovs-multitenant and ovs-networkpolicy. This choice is expressed in the inventory as shown below.
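As a minimal sketch, the SDN plug-in is selected with a single inventory variable, shown here with the ovs-networkpolicy value used in this reference environment:

os_sdn_network_plugin_name='redhat/openshift-ovs-networkpolicy'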

1.6. Container Storage

Container images are stored locally on the nodes running Red Hat OpenShift Container Platform pods. The container-storage-setup script uses the /etc/sysconfig/docker-storage-setup file to specify the storage configuration.

The /etc/sysconfig/docker-storage-setup file should be created before starting the docker service; otherwise, the storage is configured using a loopback device. The container storage setup is performed on all hosts running containers: masters, infrastructure, and application nodes. A sample file follows.
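The following is a minimal sketch of an /etc/sysconfig/docker-storage-setup file; the block device name (/dev/xvdb) and volume group name are assumptions and must match the EBS volume attached for container storage in the environment:

# Block device dedicated to container storage (assumed device name)
DEVS=/dev/xvdb
# Volume group created on that device for container storage
VG=docker-vol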

1.7. Persistent Storage

Containers by default offer ephemeral storage but some applications require the storage to persist between different container deployments or upon container migration. Persistent Volume Claims (PVC) are used to store the application data. These claims can either be added into the environment by hand or provisioned dynamically using a StorageClass object.

1.7.1. Storage Classes

The StorageClass resource object describes and classifies different types of storage that can be requested, as well as provides a means for passing parameters to the backend for dynamically provisioned storage on demand. StorageClass objects can also serve as a management mechanism for controlling different levels of storage and access to the storage. Cluster Administrators (cluster-admin) or Storage Administrators (storage-admin) define and create the StorageClass objects that users can use without needing any intimate knowledge about the underlying storage volume sources. Because of this, the name defined in the StorageClass object should make it easy to understand the type of storage it maps to, whether that is storage from Amazon Web Services or from glusterfs, if deployed. An example follows.
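As an illustration only (a minimal sketch, not the exact object created by the installer), a StorageClass backed by AWS EBS gp2 volumes could look like the following; the name gp2 is an assumption:

{
  "apiVersion": "storage.k8s.io/v1",
  "kind": "StorageClass",
  "metadata": {
    "name": "gp2"
  },
  "provisioner": "kubernetes.io/aws-ebs",
  "parameters": {
    "type": "gp2"
  }
}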

1.7.1.1. Persistent Volumes

Persistent volumes (PV) provide pods with non-ephemeral storage by configuring and encapsulating underlying storage sources. A persistent volume claim (PVC) abstracts an underlying PV to provide provider agnostic storage to OpenShift resources. A PVC, when successfully fulfilled by the system, mounts the persistent storage to a specific directory (mountPath) within one or more pods. From the container point of view, the mountPath is connected to the underlying storage mount points by a bind-mount.

1.8. Registry

OpenShift can build container images from source code, deploy them, and manage their lifecycle. To enable this, OpenShift provides an internal, integrated registry that can be deployed in the OpenShift environment to manage images.

The registry stores images and metadata. For production environments, persistent storage should be used for the registry; otherwise, any images that were built or pushed into the registry would disappear if the pod were to restart. An example configuration follows.
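In this reference environment the registry uses the S3 bucket described earlier. The following is a minimal sketch of the relevant inventory variables; the bucket name, region, and credential values are placeholders:

openshift_hosted_registry_storage_kind=object
openshift_hosted_registry_storage_provider=s3
openshift_hosted_registry_storage_s3_bucket=<clusterid-registry-bucket>
openshift_hosted_registry_storage_s3_region=us-east-1
openshift_hosted_registry_storage_s3_accesskey=<registry-iam-access-key>
openshift_hosted_registry_storage_s3_secretkey=<registry-iam-secret-key>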

1.9. Aggregated Logging

Red Hat OpenShift Container Platform aggregated logging is an optional component that collects and aggregates logs from the pods running in the Red Hat OpenShift Container Platform cluster, as well as /var/log/messages on the nodes, enabling Red Hat OpenShift Container Platform users to view the logs of projects to which they have view access using a web interface.

The Red Hat OpenShift Container Platform aggregated logging component is a modified version of the ELK stack composed of a few pods running in the Red Hat OpenShift Container Platform environment:

  • Elasticsearch: An object store where all logs are stored.
  • Kibana: A web UI for Elasticsearch.
  • Curator: Elasticsearch maintenance operations performed automatically on a per-project basis.
  • Fluentd: Gathers logs from nodes and containers and feeds them to Elasticsearch.
Note

Fluentd can be configured to send a copy of the logs to a different log aggregator and/or to a different Elasticsearch cluster, see OpenShift documentation for more information.

Once deployed in the cluster, Fluentd (deployed as a DaemonSet on any node with the right labels) gathers logs from all nodes and containers, enriches the log documents with useful metadata (e.g., namespace, container_name, node), and forwards them to Elasticsearch, where Kibana provides a web interface for users to view the logs. Cluster administrators can view all logs, but application developers can only view logs for projects they have permission to view. To prevent users from seeing logs from pods in other projects, the Search Guard plugin for Elasticsearch is used.

Separate Elasticsearch, Kibana, and Curator components can be deployed to form an OPS cluster, where Fluentd sends logs from the default, openshift, and openshift-infra projects, as well as /var/log/messages on the nodes, to this different cluster. If the OPS cluster is not deployed, those logs are hosted in the regular aggregated logging cluster.

Red Hat OpenShift Container Platform aggregated logging components can be customized for longer data persistence, pod limits, replicas of individual components, custom certificates, etc. The customization is provided by Ansible variables as part of the deployment process.

The OPS cluster can be customized as well using the same variables with the ops suffix, as in openshift_logging_es_ops_pvc_size, shown briefly below.
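For example (a minimal sketch with illustrative values), the OPS cluster could be enabled and sized with:

openshift_logging_use_ops=true
openshift_logging_es_ops_pvc_size=100Gi
openshift_logging_es_ops_nodeselector={"region":"infra"}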

Note

For more information about different customization parameters, see Aggregating Container Logs documentation.

Basic concepts for aggregated logging

  • Cluster: Set of Elasticsearch nodes distributing the workload
  • Node: Container running an instance of Elasticsearch, part of the cluster.
  • Index: Collection of documents (container logs)
  • Shards and Replicas: Indices can be split into sets of data containing the primary copy of the stored documents (primary shards) or backups of those primary copies (replica shards). Sharding allows the application to horizontally scale the data and distribute/parallelize operations. Replication provides high availability and also better search throughput, as searches are also executed on replicas.
Warning

Using NFS storage as a volume or a persistent volume (or via NAS such as Gluster) is not supported for Elasticsearch storage, as Lucene relies on file system behavior that NFS does not supply. Data corruption and other problems can occur.

By default, every Elasticsearch pod of the Red Hat OpenShift Container Platform aggregated logging components has the role of Elasticsearch master and Elasticsearch data node. If only two Elasticsearch pods are deployed and one of the pods fails, all logging stops until the second master returns, so there is no availability advantage to deploying two Elasticsearch pods.

Note

Elasticsearch shards require their own storage, but a Red Hat OpenShift Container Platform deploymentconfig shares storage volumes between all its pods; therefore, every Elasticsearch pod is deployed using a different deploymentconfig and cannot be scaled using oc scale. To scale the aggregated logging Elasticsearch replicas after the first deployment, modify openshift_logging_es_cluster_size in the inventory file and re-run the openshift-logging.yml playbook.

Below is an example of some of the best practices when deploying Red Hat OpenShift Container Platform aggregated logging. Elasticsearch, Kibana, and Curator are deployed on nodes with the label "region=infra". Specifying the node label ensures that the Elasticsearch and Kibana components are not competing with applications for resources. A highly available environment for Elasticsearch is deployed to avoid data loss; therefore, at least three Elasticsearch replicas are deployed and the openshift_logging_es_number_of_replicas parameter is configured to be at least 1. The settings below would be defined in a variable file or static inventory.

openshift_logging_install_logging=true
openshift_logging_es_pvc_dynamic=true
openshift_logging_es_pvc_size=100Gi
openshift_logging_es_cluster_size=3
openshift_logging_es_nodeselector={"region":"infra"}
openshift_logging_kibana_nodeselector={"region":"infra"}
openshift_logging_curator_nodeselector={"region":"infra"}
openshift_logging_es_number_of_replicas=1

1.10. Aggregated Metrics

Red Hat OpenShift Container Platform has the ability to gather metrics from the kubelet and store the values in Heapster. Red Hat OpenShift Container Platform Metrics provides the ability to view CPU, memory, and network-based metrics and display the values in the user interface. These metrics can allow for the horizontal autoscaling of pods based on parameters provided by a Red Hat OpenShift Container Platform user. It is important to understand capacity planning when deploying metrics into a Red Hat OpenShift Container Platform environment.

Red Hat OpenShift Container Platform metrics is composed of a few pods running in the Red Hat OpenShift Container Platform environment:

  • Heapster: Heapster scrapes the metrics for CPU, memory and network usage on every pod, then exports them into Hawkular Metrics.
  • Hawkular Metrics: A metrics engine that stores the data persistently in a Cassandra database.
  • Cassandra: Database where the metrics data is stored.

Red Hat OpenShift Container Platform metrics components can be customized for longer data persistence, pod limits, replicas of individual components, custom certificates, etc. The customization is provided by Ansible variables as part of the deployment process.

As a best practice, when metrics are deployed, persistent storage should be used so that the metrics are preserved. Node selectors should be used to specify where the metrics components should run. In this reference architecture environment, the components are deployed on nodes with the label "region=infra".

openshift_metrics_install_metrics=True
openshift_metrics_storage_volume_size=20Gi
openshift_metrics_cassandra_storage_type=dynamic
openshift_metrics_hawkular_nodeselector={"region":"infra"}
openshift_metrics_cassandra_nodeselector={"region":"infra"}
openshift_metrics_heapster_nodeselector={"region":"infra"}

1.11. Integration with Amazon Web Services

When cloudprovider_kind = aws is set, Red Hat OpenShift Container Platform integration with the AWS APIs is enabled (see the inventory sketch after the following list). This integration provides the following functions:

  • Create EBS volumes
  • Attach/Reattach EBS volumes to EC2s (AZ dependent!)
  • Create persistent volumes from EC2 attached EBS
  • Create persistent volume claims from EBS backed persistent volumes
  • Create persistent volumes from EFS
  • Create ELB
  • Register app EC2s to ELB
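The following is a minimal sketch of the inventory variables that enable this integration using the IAM user access keys described earlier; the key values are placeholders:

openshift_cloudprovider_kind=aws
openshift_cloudprovider_aws_access_key=<clusterid-admin-access-key>
openshift_cloudprovider_aws_secret_key=<clusterid-admin-secret-key>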

When cloudprovider_kind = aws is set and the Service Catalog and Service Broker are installed, deeper integration with AWS is enabled. This integration provides the following functions:

  • Create Simple Queue Service instances (SQS)
  • Create Relational Database Service instances (RDS)
  • Create Route 53 resources
  • Create Simple Storage Services buckets (S3)
  • Create Simple Notification Service instances (SNS)
  • Create ElastiCache instances
  • Create Redshift instances
  • Create DynamoDB instances
  • Create Elastic MapReduce instances (EMR)

1.12. Container-Native Storage (Optional)

Container-Native Storage (CNS) provides dynamically provisioned storage for containers on Red Hat OpenShift Container Platform across cloud providers, virtual, and bare-metal deployments. CNS relies on block devices available on the OpenShift nodes and uses software-defined storage provided by Red Hat Gluster Storage. CNS runs Red Hat Gluster Storage containerized, allowing OpenShift storage pods to spread across the cluster and across different data centers if latency is low between them. CNS enables the requesting and mounting of Gluster storage across one or many containers with access modes of ReadWriteMany (RWX), ReadOnlyMany (ROX), or ReadWriteOnce (RWO). CNS can also be used to host the OpenShift registry.

1.12.1. Prerequisites for Container-Native Storage

Deployment of Container-Native Storage (CNS) on OpenShift Container Platform (OCP) requires at least three OpenShift nodes with at least one 100 GB unused block storage device attached to each of the nodes. Dedicating three OpenShift nodes to CNS allows for the configuration of one StorageClass object to be used for applications.

If the CNS instances serve dual roles, such as hosting application pods and glusterfs pods, ensure the instances have enough resources to support both workloads. The CNS hardware requirements state that there must be 32 GB of RAM per instance. An inventory sketch for a dedicated CNS node group follows.
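The following is a minimal sketch of how the dedicated CNS nodes and their unused block devices could be declared in the inventory; the host names and the device name (/dev/xvdd) are assumptions for this example:

# Add "glusterfs" to the [OSEv3:children] group so these hosts are managed
[glusterfs]
cns1.example.com glusterfs_devices='[ "/dev/xvdd" ]'
cns2.example.com glusterfs_devices='[ "/dev/xvdd" ]'
cns3.example.com glusterfs_devices='[ "/dev/xvdd" ]'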

1.12.2. Firewall and Security Group Prerequisites

The following ports must be open to properly install and maintain CNS.

Note

The nodes used for CNS also need all of the standard ports an OpenShift node would need.

Table 1.7. CNS - Inbound

Port/Protocol   | Service | Remote source | Purpose
111/TCP         | Gluster | Gluster nodes | Portmap
111/UDP         | Gluster | Gluster nodes | Portmap
2222/TCP        | Gluster | Gluster nodes | CNS communication
3260/TCP        | Gluster | Gluster nodes | Gluster Block
24007/TCP       | Gluster | Gluster nodes | Gluster Daemon
24008/TCP       | Gluster | Gluster nodes | Gluster Management
24010/TCP       | Gluster | Gluster nodes | Gluster Block
49152-49664/TCP | Gluster | Gluster nodes | Gluster Client Ports