Cluster versions

Current

$ oc get clusterversion -o json|jq ".items[0].spec"

{
  "channel": "candidate-4.12",
  "clusterID": "1ad501e2-5e60-45a5-9890-35d56bc06a4d",
  "desiredUpdate": {
    "force": false,
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
    "version": "4.12.2"
  }
}

History

$ oc get clusterversion -o json|jq ".items[0].status.history"
[
  {
    "completionTime": "2023-02-09T10:32:35Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:31c7741fc7bb73ff752ba43f5acf014b8fadd69196fc522241302de918066cb1",
    "startedTime": "2023-02-09T09:05:12Z",
    "state": "Completed",
    "verified": true,
    "version": "4.12.2"
  },
  {
    "completionTime": "2023-01-18T19:23:07Z",
    "image": "quay.io/openshift-release-dev/ocp-release@sha256:4c5a7e26d707780be6466ddc9591865beb2e3baa5556432d23e8d57966a2dd18",
    "startedTime": "2023-01-18T18:42:01Z",
    "state": "Completed",
    "verified": false,
    "version": "4.12.0"
  }
]
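The two fields worth reading in the history above are "verified" (did the Cluster Version Operator verify the release image signature before applying it) and spec.desiredUpdate.force (was the update pushed through with --force, which lets an image proceed even when verification or the Upgradeable checks fail). Below is an added example, not from the original notes or from OpenShift, that audits the JSON from `oc get clusterversion -o json` for those signals plus digest pinning and candidate channels. The embedded document is a constructed sample modelled on the history above (the digests are placeholders); the oldest history entry is treated as the initial install and is not flagged, since, as in the notes above, the installer lays that payload down without CVO verification.

```python
"""Audit `oc get clusterversion -o json` output for update-trust signals.

Added example (not from the original notes). Usage against a live cluster:
    oc get clusterversion -o json | python3 cv_audit.py
Without stdin it runs on the constructed SAMPLE below.
"""
import json
import sys

RELEASE_REPO = "quay.io/openshift-release-dev/ocp-release@sha256:"

# Constructed sample: unverified 4.12.0 install, verified update to 4.12.2.
# Digests are placeholders, not real release digests.
SAMPLE = json.dumps({
    "items": [{
        "spec": {
            "channel": "candidate-4.12",
            "desiredUpdate": {
                "force": False,
                "image": RELEASE_REPO + "1" * 64,
                "version": "4.12.2",
            },
        },
        "status": {
            "history": [
                {"version": "4.12.2", "state": "Completed", "verified": True,
                 "image": RELEASE_REPO + "1" * 64},
                {"version": "4.12.0", "state": "Completed", "verified": False,
                 "image": RELEASE_REPO + "2" * 64},
            ]
        },
    }]
})


def is_digest_pinned(image: str) -> bool:
    """True when the release image is referenced by sha256 digest, not a mutable tag."""
    _, sep, digest = image.partition("@sha256:")
    return sep != "" and len(digest) == 64 and all(c in "0123456789abcdef" for c in digest)


def audit_clusterversion(doc: str) -> list[str]:
    """Return a list of findings; an empty list means nothing stood out."""
    cv = json.loads(doc)["items"][0]
    spec = cv.get("spec") or {}
    findings = []

    desired = spec.get("desiredUpdate") or {}
    if desired.get("force"):
        findings.append("desiredUpdate.force=true: image verification and Upgradeable checks were bypassed")
    if desired.get("image") and not is_digest_pinned(desired["image"]):
        findings.append(f"desiredUpdate.image is not digest-pinned: {desired['image']}")
    channel = spec.get("channel") or ""
    if channel.startswith("candidate-"):
        findings.append(f"channel {channel!r} is a candidate channel (not GA/recommended)")

    history = cv.get("status", {}).get("history", [])
    for i, entry in enumerate(history):
        # The last entry is the oldest: normally the initial install, which the
        # installer lays down without CVO signature verification, so skip it.
        is_initial_install = i == len(history) - 1
        if not entry.get("verified") and not is_initial_install:
            findings.append(f"{entry['version']}: applied without signature verification (verified=false)")
        if entry.get("state") != "Completed":
            findings.append(f"{entry['version']}: state={entry.get('state')}")
        if not is_digest_pinned(entry.get("image", "")):
            findings.append(f"{entry['version']}: image not digest-pinned")
    return findings


if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_clusterversion(raw if raw.strip() else SAMPLE) or ["no findings"]:
        print(finding)
```

On the sample the only finding is the candidate channel; a forced update to a tag-referenced image produces two findings. Anything flagged as unverified or forced should be reconciled with the change record for that update.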

Load balancer config

Default haproxy config

  • Inter 1s (The “inter” parameter sets the interval between two consecutive health checks. haproxy reads it in milliseconds unless a unit is given; here a check runs every second.)

  • Fall 2 (The “fall” parameter is the number of consecutive unsuccessful health checks after which a server is considered dead. With inter 1s a failing master is taken out of rotation about 2 s after its first failed check.)

  • Rise 3 (The “rise” parameter is the number of consecutive successful health checks after which a server is considered operational again. A master needs at least 3 s of good checks before it receives traffic again.)

  • HttpCheck GET /readyz HTTP/1.0, sent over TLS (check-ssl) without validating the certificate (verify none). A passing check therefore only proves that something on :6443 answered /readyz, not that it is the genuine kube-apiserver.

global
  stats socket /var/lib/haproxy/run/haproxy.sock  mode 600 level admin expose-fd listeners
defaults
  maxconn 20000
  mode    tcp
  log     /var/run/haproxy/haproxy-log.sock local0
  option  dontlognull
  retries 3
  timeout http-request 30s
  timeout queue        1m
  timeout connect      10s
  timeout client       86400s
  timeout server       86400s
  timeout tunnel       86400s
frontend  main
  bind :::9445 v4v6
  default_backend masters
listen health_check_http_url
  bind :::9444 v4v6
  mode http
  monitor-uri /haproxy_ready
  option dontlognull
listen stats
  bind localhost:29445
  mode http
  stats enable
  stats hide-version
  stats uri /haproxy_stats
  stats refresh 30s
  stats auth Username:Password
backend masters
   option  httpchk GET /readyz HTTP/1.0
   option  log-health-checks
   balance roundrobin
   server master-0 10.10.0.209:6443 weight 1 verify none check check-ssl inter 1s fall 2 rise 3
   server master-2 10.10.0.228:6443 weight 1 verify none check check-ssl inter 1s fall 2 rise 3
   server master-1 10.10.0.250:6443 weight 1 verify none check check-ssl inter 1s fall 2 rise 3
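The config above opens an admin stats socket; `show stat` on it returns CSV with one row per frontend, backend and server, including the status, the last check result and the accumulated downtime, which is the fastest way to see which master the balancer has dropped. The following is an added example, not from the original notes or from haproxy/OpenShift. The CSV is a constructed, column-trimmed sample of `show stat` output; the parser keys on haproxy's header names, so it works unchanged on the full column set. The command to obtain the real input (my assumption about tooling; socat must be available where the socket is) is shown in the docstring.

```python
"""Read backend server health from haproxy's `show stat` CSV.

Added example (not from the original notes). Real input:
    echo 'show stat' | socat stdio unix-connect:/var/lib/haproxy/run/haproxy.sock
"""
import csv
import io

# Constructed, column-trimmed sample of `show stat` output for the config above.
# master-2 is DOWN (L7STS: /readyz answered with a non-2xx/3xx status, 503);
# master-1 is DOWN but 1 of the 3 `rise` checks has passed ("DOWN 1/3").
SAMPLE_SHOW_STAT = """\
# pxname,svname,status,weight,chkfail,chkdown,lastchg,downtime,check_status,check_code,check_duration,
main,FRONTEND,OPEN,,,,,,,,,
masters,master-0,UP,1,0,0,86400,0,L7OK,200,3,
masters,master-2,DOWN,1,5,1,42,42,L7STS,503,2,
masters,master-1,DOWN 1/3,1,2,1,2,30,L7OK,200,4,
masters,BACKEND,UP,1,,1,42,42,,,,
"""


def parse_show_stat(text: str) -> list[dict]:
    """Parse `show stat` CSV into dicts keyed by haproxy's column names."""
    lines = text.splitlines()
    if lines and lines[0].startswith("# "):
        lines[0] = lines[0][2:]  # the header row is prefixed with "# "
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def backend_servers(text: str, backend: str) -> list[dict]:
    """Real servers of one backend, skipping the FRONTEND/BACKEND aggregate rows."""
    return [row for row in parse_show_stat(text)
            if row["pxname"] == backend and row["svname"] not in ("FRONTEND", "BACKEND")]


def unhealthy_servers(text: str, backend: str) -> dict[str, str]:
    """Servers whose status is not a plain UP: DOWN, MAINT, or a transition such as
    'DOWN 1/3' (1 of rise=3 successes so far) / 'UP 1/2' (1 of fall=2 failures)."""
    return {
        row["svname"]: f"{row['status']} (check {row['check_status']} {row['check_code']}, "
                       f"downtime {row['downtime']}s)"
        for row in backend_servers(text, backend)
        if row["status"] != "UP"
    }


if __name__ == "__main__":
    for name, detail in unhealthy_servers(SAMPLE_SHOW_STAT, "masters").items():
        print(f"{name}: {detail}")
```

Check chkdown (number of transitions to DOWN) and downtime as well as the current status: a master that flaps between UP and DOWN under the 1s/2/3 timing will often show UP at the moment you look.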

NFS defaults

Default versions

Kernel 4.18 and later (RHEL 8 and RHCOS) default to NFS 4.2. When no nfsvers/vers option is given, the client negotiates downward, trying 4.2, then 4.1, then 4.0.
https://access.redhat.com/articles/6907891
https://access.redhat.com/articles/3626571

Default mount options

rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,local_lock=none,addr=<nfs_server>

Customize mount options

https://access.redhat.com/solutions/6065961

apiVersion: v1
kind: PersistentVolume
spec:
[...]
  mountOptions:
    - nfsvers=4.1
[...]

You can make an RPC call to the NFS server to get the supported versions:
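The notes do not say which RPC call; the usual one is `rpcinfo -p <nfs_server>`, which asks the server's rpcbind for the registered program versions (program 100003 is nfs). Two caveats a practitioner should know: rpcbind only knows the major version, since 4.0/4.1/4.2 are negotiated inside the NFSv4 protocol, so the version a mount actually got must be read from /proc/mounts (or `nfsstat -m`) on the client; and pinning nfsvers=4.1 in mountOptions as above makes the mount fail, rather than fall back, if the server does not offer 4.1. Below is an added example, not from the original notes or from Red Hat's articles, that parses both outputs; the rpcinfo and /proc/mounts texts are constructed samples, and the server names and addresses in them are made up.

```python
"""Which NFS versions does the server offer, and which did each mount negotiate?

Added example (not from the original notes). Real inputs:
    rpcinfo -p <nfs_server>      # server-side registrations via rpcbind
    cat /proc/mounts             # on the client (node), negotiated options
"""

NFS_PROGRAM = "100003"  # RPC program number of nfs

# Constructed sample of `rpcinfo -p` output.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100227    3   tcp   2049  nfs_acl
"""

# Constructed sample of /proc/mounts: one NFSv4.2 PV mount, one legacy NFSv3 mount.
PROC_MOUNTS_SAMPLE = """\
overlay / overlay rw,relatime,lowerdir=/x 0 0
nfs.example.internal:/export/pv1 /var/lib/kubelet/pods/1f2e/volumes/kubernetes.io~nfs/pv1 nfs4 rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.10.0.5,local_lock=none,addr=10.10.0.50 0 0
legacy.example.internal:/data /mnt/legacy nfs rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.10.0.60,mountvers=3,mountport=20048,mountproto=udp,local_lock=none,addr=10.10.0.60 0 0
"""


def nfs_versions_registered(rpcinfo_output: str) -> list[int]:
    """Major NFS versions the server registered with rpcbind.
    NFSv4 minor versions (4.0/4.1/4.2) are negotiated in-protocol and never show here."""
    versions = set()
    for line in rpcinfo_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 5 and fields[0] == NFS_PROGRAM:
            versions.add(int(fields[1]))
    return sorted(versions)


def nfs_mounts(proc_mounts: str) -> dict[str, dict[str, str]]:
    """Map each NFS mount point to the vers/sec/proto options it was mounted with."""
    result = {}
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] not in ("nfs", "nfs4"):
            continue
        opts = dict(kv.split("=", 1) for kv in parts[3].split(",") if "=" in kv)
        result[parts[1]] = {key: opts.get(key, "") for key in ("vers", "sec", "proto")}
    return result


def weak_auth_mounts(proc_mounts: str) -> list[str]:
    """Mount points using sec=sys (AUTH_SYS: the client asserts uid/gid and the server
    trusts it; no cryptographic authentication) instead of a krb5 flavour."""
    return [mp for mp, opts in nfs_mounts(proc_mounts).items() if opts["sec"] == "sys"]


if __name__ == "__main__":
    print("server offers NFS major versions:", nfs_versions_registered(RPCINFO_SAMPLE))
    for mountpoint, opts in nfs_mounts(PROC_MOUNTS_SAMPLE).items():
        print(f"{mountpoint}: vers={opts['vers']} sec={opts['sec']} proto={opts['proto']}")
    print("AUTH_SYS mounts:", weak_auth_mounts(PROC_MOUNTS_SAMPLE))
```

The default mount options listed above include sec=sys, so every PV mounted with them lands in weak_auth_mounts; that is the expected state on most clusters, but it is worth knowing when the NFS server is reachable from more than the nodes.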

Pod Security Admission

Pod Security Policies were deprecated in Kubernetes 1.21 and removed in 1.25. Pod Security Admission (PSA) replaces them: it applies the Pod Security Standards (privileged, baseline, restricted) per namespace, driven by namespace labels.

https://kubernetes.io/docs/concepts/security/pod-security-standards/

https://cloud.redhat.com/blog/pod-security-admission-in-openshift-4.11

New labels added in each namespace (defaults since OpenShift 4.11). With enforce=privileged nothing is rejected; audit=restricted and warn=restricted mean a pod that violates the restricted profile is still admitted, but an entry is written to the audit log and a warning is returned to the client that created it.

pod-security.kubernetes.io/enforce=privileged
pod-security.kubernetes.io/audit=restricted
pod-security.kubernetes.io/warn=restricted

security.openshift.io/scc.podSecurityLabelSync=true #Default: the label syncer derives the warn/audit labels from the SCCs granted to service accounts in the namespace. Set it to false on a namespace to manage the PSA labels yourself.

Specs needed for the restricted profile (pod-level securityContext plus settings on every container; for a CronJob these sit under jobTemplate.spec.template.spec)

securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
containers:
- name: my-cronjob-container
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop: ['ALL']
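The spec above is the minimal shape that passes the restricted profile's four container controls. As an added example, not from the original notes or from the Kubernetes PSA implementation, the checker below evaluates a pod spec (as a Python dict) against those controls the way PSA does: runAsNonRoot and seccompProfile may be set at pod level and inherited, a container-level value overrides the pod-level one, allowPrivilegeEscalation must be explicitly false, and capabilities must drop ALL and add at most NET_BIND_SERVICE. It covers only these controls, not the baseline ones restricted also inherits (privileged, hostPath, hostNetwork, ...), so the server-side dry run remains the authority. The two sample specs are constructed: the first is the spec above, the second the usual bare container.

```python
"""Check a pod spec against the restricted PSA profile's container controls.

Added example (not from the original notes or Kubernetes). Covers runAsNonRoot,
runAsUser, seccompProfile, allowPrivilegeEscalation and capabilities only.
"""

ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}
ALLOWED_ADD_CAPS = {"NET_BIND_SERVICE"}


def _all_containers(spec: dict):
    """Yield init, regular and ephemeral containers; PSA checks all three lists."""
    for field in ("initContainers", "containers", "ephemeralContainers"):
        yield from (spec.get(field) or [])


def restricted_violations(spec: dict) -> list[str]:
    """Return human-readable violations; an empty list means the checks pass."""
    out = []
    pod_sc = spec.get("securityContext") or {}
    pod_nonroot = pod_sc.get("runAsNonRoot")
    pod_seccomp = (pod_sc.get("seccompProfile") or {}).get("type")

    # Unconfined at pod level is forbidden even if every container overrides it.
    if pod_seccomp == "Unconfined":
        out.append("pod: seccompProfile.type=Unconfined is forbidden")

    for container in _all_containers(spec):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}

        # Container value overrides pod value; the effective value must be True.
        if sc.get("runAsNonRoot", pod_nonroot) is not True:
            out.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            out.append(f"{name}: runAsUser must not be 0")

        # Container value overrides pod value; unset at both levels is a violation.
        seccomp = (sc.get("seccompProfile") or {}).get("type", pod_seccomp)
        if seccomp not in ALLOWED_SECCOMP:
            out.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost (got {seccomp})")

        # Must be explicitly false; leaving it unset is rejected too.
        if sc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation must be explicitly false")

        caps = sc.get("capabilities") or {}
        if "ALL" not in (caps.get("drop") or []):
            out.append(f"{name}: capabilities.drop must include ALL")
        extra = set(caps.get("add") or []) - ALLOWED_ADD_CAPS
        if extra:
            out.append(f"{name}: capabilities.add may only contain NET_BIND_SERVICE (got {sorted(extra)})")
    return out


# Constructed sample: the spec shown above, as a dict.
COMPLIANT = {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "my-cronjob-container",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
    }],
}

# Constructed sample: a container with no securityContext at all.
NONCOMPLIANT = {"containers": [{"name": "app", "image": "registry.example.internal/app:1"}]}


if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        print(label, restricted_violations(spec) or "OK")
```

Running it on the bare container reports four violations, which is exactly the list of fields a workload author usually has to add before the enforce label can move to restricted.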

Dry run apply enforce

With --dry-run=server the API server evaluates the label change without persisting it, and the PSA admission controller returns a warning for every namespace whose existing pods would violate the new enforce level. This shows which workloads need fixing before the label is actually applied.

$ oc label --dry-run=server --overwrite ns --all pod-security.kubernetes.io/enforce=restricted