Release 5.4.2 (#51)

Release 5.4.2

Author: danni-m

README.md

@@ -5,15 +5,16 @@
 * [Prerequisites](#prerequisites)
 * [Deployment](#deployment)
 * [Configuration Options](#configuration)
+* [IPV4 enforcement](#ipv4-enforcement)
 
 
 
 #### Prerequisites:
-* A minimum of 3 nodes which support the following [requirements][] 
+* A minimum of 3 nodes which support the following [requirements][]
 * A kubernetes version of 1.8 or higher
 * For service broker - a k8s distribution that supports service catalog (see also: [service-catalog][])
-> Note: For RHEL based images and/or deployments on OpenShift, please use redis-enterprise-cluster_rhel.yaml and operator_rhel.yaml.  
-For Service Broker, please see examples/with_service_broker_rhel.yaml. RedHat certified images are available on: https://access.redhat.com/containers/#/product/71f6d1bb3408bd0d  
+> Note: For RHEL based images and/or deployments on OpenShift, please use redis-enterprise-cluster_rhel.yaml and operator_rhel.yaml.
+For Service Broker, please see examples/with_service_broker_rhel.yaml. RedHat certified images are available on: https://access.redhat.com/containers/#/product/71f6d1bb3408bd0d
 
 
 #### Deployment:
@@ -27,7 +28,7 @@ git clone https://github.com/RedisLabs/redis-enterprise-k8s-docs.git
     ```
     oc new-project my-project
     ```
-    
+
     > For non-OpenShift deployment - create a new namespace:
     ```
     kubectl create namespace demo
@@ -56,52 +57,62 @@ git clone https://github.com/RedisLabs/redis-enterprise-k8s-docs.git
     ```
     clusterrole "redis-enterprise-operator-sb" configured
     ```
-    
+
     Bind the Cluster Service Broker role to the operator service account (in the current namespace):
      ```
     oc adm policy add-cluster-role-to-user redis-enterprise-operator-sb --serviceaccount redis-enterprise-operator --rolebinding-name=redis-enterprise-operator-sb
      ```
-    
+
      > You should receive the following response:
     ```
     cluster role "redis-enterprise-operator-sb" added: "redis-enterprise-operator"
     ```
 
-3) The next step applies rbac.yaml, creating a service account, role, and role-binding to allow resources access control (provides permissions to create and manage resources):
+3) You can optionally use pod security policy.
+    ```
+    kubectl apply -f psp.yaml
+    ```
+    If you use this option, you should add the policy name to REC configuration, in redis-enterprise-cluster.yaml.
+    ```
+    podSecurityPolicyName: "redis-enterprise-psp"
+    ```
+
+
+4) The next step applies rbac.yaml, creating a service account, role, and role-binding to allow resources access control (provides permissions to create and manage resources):
     ```
     kubectl apply -f rbac.yaml
     ```
-    
+
     > You should receive the following response:
     ```
     clusterrolebinding.rbac.authorization.k8s.io/redis-enterprise-operator configured
     ```
 
-4) The next step applies crd.yaml, creating a CustomResourceDefinition for redis enterprise cluster resource.
+5) The next step applies crd.yaml, creating a CustomResourceDefinition for redis enterprise cluster resource.
 This creates another API resource to be handled by the k8s API server and managed by the operator we will deploy next.
     ```
     kubectl apply -f crd.yaml
     ```
-    
+
     > You should receive the following response:
     ```
     customresourcedefinition.apiextensions.k8s.io/redisenterpriseclusters.app.redislabs.com configured
     ```
 
-5) Create the operator deployment: a deployment responsible for managing the k8s deployment and lifecycle of a redis-enterprise-cluster.
+6) Create the operator deployment: a deployment responsible for managing the k8s deployment and lifecycle of a redis-enterprise-cluster.
     Among many other responsibilities, it creates a stateful set that runs the redis enterprise nodes (as pods).
-    
+
     Before applying - edit the tag according to the relevant operator version: ```image: redislabs/operator:tag```
     ```
     kubectl apply -f operator.yaml
     ```
-    
+
     > You should receive the following response:
     ```
     deployment.apps/redis-enterprise-operator created
     ```
 
-6) Run ```kubectl get Deployment``` and verify redis-enterprise-operator deployment is running
+7) Run ```kubectl get Deployment``` and verify redis-enterprise-operator deployment is running
 
     A typical response may look like this:
     ```
@@ -110,12 +121,12 @@ This creates another API resource to be handled by the k8s API server and manage
     |redis-enterprise-operator|1	   | 1        |  1         | 1         | 2m |
     ```
 
-7)  Create A Redis Enterprise Cluster:
+8)  Create A Redis Enterprise Cluster:
     Choose the configuration relevant for you (see next section) - you may find additional examples in the examples folder. Note that you need to specify an image tag if you'd like to pull a RHEL image.
 
     ```kubectl apply -f redis-enterprise-cluster.yaml```
 
-8) Run ```kubectl get rec``` and verify creation was successful. rec is a shortcut for RedisEnterpriseClusters.
+9) Run ```kubectl get rec``` and verify creation was successful. rec is a shortcut for RedisEnterpriseClusters.
 
 
 #### Configuration:
@@ -126,7 +137,7 @@ Redis Image
   redisEnterpriseImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       redislabs/redis
-    versionTag:       5.2.2-14
+    versionTag:       5.4.2-27
 ```
 
 Persistence 
@@ -137,7 +148,7 @@ Persistence
     storageClassName: "standard" #on AWS common storage class is gp2
 ```
 
-Redis Enterprise Nodes (podes)
+Redis Enterprise Nodes (pods)
 ```yaml
   redisEnterpriseNodeResources:
     limits:
@@ -216,5 +227,13 @@ activeActive: # edit values according to your cluster
         fqdn: <cluster3_name>.<cluster3_namespace>.svc.cluster.local
 ```
 
+#### IPV4 enforcement
+You might not have IPV6 support in your K8S cluster.
+In this case, you could enforce the use of IPV4, by adding the following attribute to the REC spec:
+```yaml
+  enforceIPv4: true
+```
+Note: Setting 'enforceIPv4' to 'true' is a requirement for running REC on PKS.
+
 [requirements]: https://redislabs.com/redis-enterprise-documentation/administering/designing-production/hardware-requirements/
 [service-catalog]: https://kubernetes.io/docs/concepts/extend-kubernetes/service-catalog/

examples/with_service_broker_rhel.yaml

@@ -8,16 +8,8 @@ spec:
     enabled: true
     persistentSpec:
       storageClassName: "gp2"
-    imageSpec:
-     imagePullPolicy:  Always
-     repository:       redislabs/service-broker
-     versionTag:       78_4b9b17f.rhel7
   redisEnterpriseImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       redislabs/redis
-    versionTag:       5.4.0-19.rhel7-openshift
-  redisEnterpriseServicesRiggerImageSpec:
-    imagePullPolicy:  IfNotPresent
-    repository:       redislabs/k8s-controller
-    versionTag:       109_5c9af60.rhel7
+    versionTag:       5.4.2-27.rhel7-openshift
 

operator.yaml

@@ -15,7 +15,9 @@ spec:
       serviceAccount: redis-enterprise-operator
       containers:
         - name: redis-enterprise-operator
-          image: redislabs/operator:498_f987b08
+          image: redislabs/operator:804_c4987427
+          securityContext:
+            runAsUser: 1001
           command:
           - redis-enterprise-operator
           imagePullPolicy: Always

operator_rhel.yaml

@@ -15,7 +15,9 @@ spec:
       serviceAccount: redis-enterprise-operator
       containers:
         - name: redis-enterprise-operator
-          image: redislabs/operator:498_f987b08.rhel7
+          image: redislabs/operator:804_c4987427.rhel7
+          securityContext:
+            runAsUser: 1001
           command:
           - redis-enterprise-operator
           imagePullPolicy: Always

psp.yaml

@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: redis-enterprise-psp
+spec:
+  privileged: false
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+    - SYS_RESOURCE
+    - NET_RAW
+  runAsUser:
+    rule: MustRunAsNonRoot
+  fsGroup:
+    rule: MustRunAs
+    ranges:
+    - min: 1001
+      max: 1001
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+    - '*'

rbac.yaml

@@ -3,17 +3,57 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: redis-enterprise-operator
 rules:
-- apiGroups: ["", "extensions", "apps", "rbac.authorization.k8s.io", "policy"]
-  resources: ["*"]
+- apiGroups: ["rbac.authorization.k8s.io", ""]
+  resources: ["roles", "serviceaccounts", "rolebindings"]
   verbs: ["*"]
 - apiGroups:
   - app.redislabs.com
-  resources: ["*"]
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups: [""]
+  resources: ["secrets"]
   verbs: ["*"]
+- apiGroups: [""]
+  resources: ["endpoints"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["create"]
+- apiGroups: ["apps"]
+  resources: ["deployments", "statefulsets"]
+  verbs: ["*"]
+- apiGroups: ["policy"]
+  resources: ["poddisruptionbudgets"]
+  verbs: ["create", "delete", "get"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["create", "delete", "get" , "update"]
+- apiGroups: [""]
+  resources: ["persistentvolumeclaims"]
+  verbs: ["create", "delete", "get" , "update"]
+
+# needed rbac rules for services controller
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list", "update", "patch"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
 - apiGroups:
   - route.openshift.io
   resources: ["routes", "routes/custom-host"]
   verbs: ["*"]
+- apiGroups: ["extensions"]
+  resources: ["podsecuritypolicies"]
+  resourceNames:
+  - redis-enterprise-psp
+  verbs:
+  - use
+- apiGroups: ["extensions"]
+  resources: ["ingresses"]
+  verbs: ["*"]
 ---
 kind: ServiceAccount
 apiVersion: v1
@@ -30,4 +70,4 @@ subjects:
 roleRef:
   kind: Role
   name: redis-enterprise-operator
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io

redis-enterprise-cluster.yaml

@@ -19,5 +19,5 @@ spec:
   redisEnterpriseImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       redislabs/redis
-    versionTag:       5.4.0-19
+    versionTag:       5.4.2-27
 

redis-enterprise-cluster_rhel.yaml

@@ -19,9 +19,5 @@ spec:
   redisEnterpriseImageSpec:
     imagePullPolicy:  IfNotPresent
     repository:       redislabs/redis
-    versionTag:       5.4.0-19.rhel7-openshift
-  redisEnterpriseServicesRiggerImageSpec:
-    imagePullPolicy:  IfNotPresent
-    repository:       redislabs/k8s-controller
-    versionTag:       109_5c9af60.rhel7
+    versionTag:       5.4.0-27.rhel7-openshift
 

scc.yaml

@@ -1,11 +1,15 @@
 kind: SecurityContextConstraints
-apiVersion: v1
+apiVersion: security.openshift.io/v1
 metadata:
   name: redis-enterprise-scc
 allowPrivilegedContainer: false
 allowedCapabilities:
   - SYS_RESOURCE
 runAsUser:
-  type: RunAsAny
+  type: MustRunAs
+  uid: 1001
+FSGroup:
+  type: MustRunAs
+  ranges: 1001,1001
 seLinuxContext:
   type: RunAsAny