Cluster administration
Configuring OpenShift Dedicated clusters
Abstract
Chapter 1. Cluster notifications
Cluster notifications are messages about the status, health, or performance of your cluster. Red Hat Site Reliability Engineering (SRE) uses cluster notifications to communicate with you about your managed cluster and to prompt you to perform actions to resolve or prevent issues.
Cluster notifications are the primary way that Red Hat Site Reliability Engineering (SRE) communicates with you about the health of your managed cluster. Red Hat SRE may also use cluster notifications to prompt you to perform an action in order to resolve or prevent an issue with your cluster.
Cluster owners and administrators must regularly review and action cluster notifications to ensure clusters remain healthy and supported.
You can view cluster notifications in the Red Hat Hybrid Cloud Console, in the Cluster history tab for your cluster. By default, only the cluster owner receives cluster notifications as emails. If other users need to receive cluster notification emails, add each user as a notification contact for your cluster.
1.1. Cluster notification policy
Cluster notifications are designed to keep you informed about the health of your cluster and high impact events that affect it.
Most cluster notifications are generated and sent automatically to ensure that you are immediately informed of problems or important changes to the state of your cluster.
In certain situations, Red Hat Site Reliability Engineering (SRE) creates and sends cluster notifications to provide additional context and guidance for a complex issue.
Cluster notifications are not sent for low-impact events, low-risk security updates, routine operations and maintenance, or minor, transient issues that are quickly resolved by Red Hat SRE.
Red Hat services automatically send notifications when:
- Remote health monitoring or environment verification checks detect an issue in your cluster, for example, when a worker node has low disk space.
- Significant cluster life cycle events occur, for example, when scheduled maintenance or upgrades begin, or cluster operations are impacted by an event, but do not require customer intervention.
- Significant cluster management changes occur, for example, when cluster ownership or administrative control is transferred from one user to another.
- Your cluster subscription is changed or updated, for example, when Red Hat makes updates to subscription terms or features available to your cluster.
SRE creates and sends notifications when:
- An incident results in a degradation or outage that impacts your cluster’s availability or performance, for example, your cloud provider has a regional outage. SRE sends subsequent notifications to inform you of incident resolution progress, and when the incident is resolved.
- A security vulnerability, security breach, or unusual activity is detected on your cluster.
- Red Hat detects that changes you have made are creating or may result in cluster instability.
- Red Hat detects that your workloads are causing performance degradation or instability in your cluster.
1.2. Cluster notification severity levels
Each cluster notification has an associated severity level to help you identify notifications with the greatest impact to your business.
Red Hat uses the following severity levels for cluster notifications, from most to least severe:
- Critical
- Immediate action is required. One or more key functions of a service or cluster is not working, or will stop working soon. A critical alert is important enough to page on-call staff and interrupt regular workflows.
- Major
- Immediate action is strongly recommended. One or more key functions of the cluster will soon stop working. A major issue may lead to a critical issue if it is not addressed in a timely manner.
- Warning
- Action is required as soon as possible. One or more key functions of the cluster are not working optimally and may degrade further, but do not pose an immediate danger to the functioning of the cluster.
- Info
- No action necessary. This severity does not describe problems that need to be addressed, only important information about meaningful or important life cycle, service, or cluster events.
- Debug
- No action necessary. Debug notifications provide low-level information about less important lifecycle, service, or cluster events to aid in debugging unexpected behavior.
1.3. Cluster notification types
Each cluster notification has an associated notification type to help you identify notifications that are relevant to your role and responsibilities.
Red Hat uses the following notification types to indicate notification relevance:
- Capacity management
- Notifications for events related to updating, creating, or deleting node pools, machine pools, compute replicas or quotas (load balancer, storage, etc.).
- Cluster access
- Notifications for events related to adding or deleting groups, roles or identity providers, for example, when SRE cannot access your cluster because STS credentials have expired, when there is a configuration problem with your AWS roles, or when you add or remove identity providers.
- Cluster add-ons
- Notifications for events related to add-on management or upgrade maintenance for add-ons, for example, when an add-on is installed, upgraded, or removed, or cannot be installed due to unmet requirements.
- Cluster configuration
- Notifications for cluster tuning events, workload monitoring, and inflight checks.
- Cluster lifecycle
- Notifications for cluster or cluster resource creation, deletion, and registration, or change in cluster or resource status (for example, ready or hibernating).
- Cluster networking
- Notifications related to cluster networking, including HTTP/S proxy, router, and ingress state.
- Cluster ownership
- Notifications related to cluster ownership transfer from one user to another.
- Cluster scaling
- Notifications related to updating, creating, or deleting node pools, machine pools, compute replicas or quota.
- Cluster security
- Events related to cluster security, for example, an increased number of failed access attempts, updates to trust bundles, or software updates with security impact.
- Cluster subscription
- Cluster expiration, trial cluster notifications, or switching from free to paid.
- Cluster updates
- Anything relating to upgrades, such as upgrade maintenance or enablement.
- Customer support
- Updates on support case status.
- General notification
- The default notification type. This is only used for notifications that do not have a more specific category.
1.4. View cluster notifications using the Red Hat Hybrid Cloud Console
Cluster notifications give important information about the health of your cluster. You can view notifications sent to your cluster in the Cluster history tab on the Red Hat Hybrid Cloud Console.
Prerequisites
- You have logged in to the Hybrid Cloud Console.
Procedure
- Navigate to the This content is not included.Clusters page of the Hybrid Cloud Console.
- Click the name of your cluster to go to the cluster details page.
Click the Cluster history tab.
Cluster notifications appear under the Cluster history heading.
Optional: Filter for relevant cluster notifications.
Use the filter controls to hide cluster notifications that are not relevant to you, so that you can focus on your area of expertise or on resolving a critical issue. You can filter notifications based on text in the notification description, severity level, notification type, when you received the notification, and the system or person that triggered the notification.
1.5. Add notification contacts to your cluster
Configure additional users as notification contacts to ensure that all appropriate users receive cluster notification emails.
Prerequisites
- Your cluster is deployed and registered to the Red Hat Hybrid Cloud Console.
- You are logged in to the Hybrid Cloud Console as the cluster owner or as a user with the cluster editor role.
- The intended notification recipient has a Red Hat Customer Portal account associated with the same organization as the cluster owner.
Procedure
- Navigate to the Clusters page of the Hybrid Cloud Console.
- Click the name of your cluster to go to the cluster details page.
- Click the Support tab.
- On the Support tab, find the Notification contacts section.
- Click Add notification contact.
- In the Red Hat username or email field, enter the email address or the user name of the new recipient.
- Click Add contact.
Verification
- The "Notification contact added successfully" message is displayed.
1.6. Remove notification contacts from your cluster
Remove notification contacts from your cluster support settings to prevent them from receiving notification emails.
Prerequisites
- Your cluster is deployed and registered to the Red Hat Hybrid Cloud Console.
- You are logged in to the Hybrid Cloud Console as the cluster owner or as a user with the cluster editor role.
Procedure
- Navigate to the Clusters page of the Hybrid Cloud Console.
- Click the name of your cluster to go to the cluster details page.
- Click the Support tab.
- On the Support tab, find the Notification contacts section.
- Click the options menu (⚙) beside the recipient you want to remove.
- Click Delete.
Verification
- The "Notification contact deleted successfully" message is displayed.
1.7. Additional resources
Chapter 2. Configuring private connections
2.1. Configure private connections for AWS
Configure AWS infrastructure access and establish private connections to your OpenShift Dedicated cluster using Virtual Private Cloud (VPC) peering, Virtual Private Network (VPN), or AWS Direct Connect. This enables secure, dedicated network communication between your on-premises infrastructure and AWS resources.
2.1.1. AWS cloud infrastructure access
Amazon Web Services (AWS) infrastructure access enables AWS Identity and Access Management (IAM) users to have federated access to the AWS Management Console for your OpenShift Dedicated cluster. This allows you to configure VPC peering, VPN, and Direct Connect from the AWS console.
AWS cloud infrastructure access does not apply to the Customer Cloud Subscription (CCS) infrastructure type that is chosen when you create a cluster because CCS clusters are deployed onto your account.
AWS access can be granted for customer AWS users, and private cluster access can be implemented to suit the needs of your OpenShift Dedicated environment.
To get started with configuring AWS infrastructure access for your OpenShift Dedicated cluster, create an AWS user and account and provide that user with access to the OpenShift Dedicated AWS account.
After you have access to the OpenShift Dedicated AWS account, use one or more of the following methods to establish a private connection to your cluster:
- Configure AWS Virtual Private Cloud (VPC) peering: Enable VPC peering to route network traffic between two private IP addresses.
- Configure AWS Virtual Private Network (VPN): Establish a VPN to securely connect your private network to your Amazon VPC.
- Configure AWS Direct Connect: Establish a dedicated network connection between your private network and an AWS Direct Connect location.
2.1.2. Configure AWS infrastructure access
Configure AWS infrastructure access to enable AWS Identity and Access Management (IAM) users to have federated access to the AWS Management Console for your OpenShift Dedicated cluster.
Prerequisites
- An AWS account with IAM permissions.
Procedure
- Log in to your AWS account. If necessary, you can create a new AWS account by following the Content from aws.amazon.com is not included.AWS documentation.
Create an IAM user with
STS:AllowAssumeRolepermissions within the AWS account.- Open the Content from console.aws.amazon.com is not included.IAM dashboard of the AWS Management Console.
- In the Policies section, click Create Policy.
Select the JSON tab and replace the existing text with the following:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" } ] }- Click Next:Tags.
- Optional: Add tags. Click Next:Review
- Provide an appropriate name and description, then click Create Policy.
- In the Users section, click Add user.
- Provide an appropriate user name.
- Select AWS Management Console access as the AWS access type.
- Adjust the password requirements as necessary for your organization, then click Next:Permissions.
Click the Attach existing policies directly option. Search for and check the policy created in previous steps.
NoteIt is not recommended to set a permissions boundary.
- Click Next: Tags, then click Next: Review. Confirm the configuration is correct.
- Click Create user, a success page appears.
-
Gather the IAM user’s Amazon Resource Name (ARN). The ARN has the following format:
arn:aws:iam::000111222333:user/username. Click Close.
- Open This content is not included.OpenShift Cluster Manager in your browser and select the cluster you want to allow AWS infrastructure access.
- Select the Access control tab, and scroll to the AWS Infrastructure Access section.
- Paste the AWS IAM ARN and select Network Management or Read-only permissions, then click Grant role.
- Copy the AWS OSD console URL to your clipboard.
- Sign in to your AWS account with your Account ID or alias, IAM user name, and password.
- In a new browser tab, paste the AWS OSD Console URL that routes to the AWS Switch Role page.
- Your account number and role are filled in already. Choose a display name if necessary, then click Switch Role.
2.1.3. Configure AWS Virtual Private Cloud peering
Configure an Amazon Web Services (AWS) Virtual Private Cloud (VPC) peering connection to route traffic between two VPCs using private IPv4 or IPv6 addresses.
Before you attempt to uninstall a cluster, you must remove any VPC peering connections from the cluster’s VPC. Failure to do so might result in a cluster not completing the uninstall process.
AWS supports inter-region VPC peering between all commercial regions excluding China. For more information, see Content from aws.amazon.com is not included.AWS VPC FAQs.
Prerequisites
Gather the following information about the Customer VPC that is required to initiate the peering request:
- Customer AWS account number
- Customer VPC ID
- Customer VPC Region
- Customer VPC Classless Inter-Domain Routing (CIDR)
- The CIDR block of the OpenShift Dedicated Cluster VPC does not overlap or match the Customer VPC CIDR block. See the Amazon VPC Content from docs.aws.amazon.com is not included.Unsupported VPC peering configurations documentation for details on invalid configurations.
Procedure
Additional resources
2.1.4. Configure an AWS Virtual Private Network
Configure an AWS Site-to-Site Virtual Private Network (VPN) connection to enable secure communication between your OpenShift Dedicated cluster Virtual Private Cloud (VPC) and your remote on-site network.
AWS VPN does not currently provide a managed option to apply Network Address Translation (NAT) to VPN traffic. See the Content from aws.amazon.com is not included.AWS Knowledge Center for more details.
Routing all traffic, for example 0.0.0.0/0, through a private connection is not supported. This requires deleting the internet gateway, which disables SRE management traffic.
Prerequisites
- Hardware VPN gateway device model and software version, for example Cisco Adaptive Security Appliance (ASA) running version 8.3. See the Content from docs.aws.amazon.com is not included.AWS documentation to confirm whether your gateway device is supported by AWS.
- Public, static IP address for the VPN gateway device.
- Border Gateway Protocol (BGP) or static routing: if BGP, the Autonomous System Number (ASN) is available. If static routing, at least one static route is configured.
- Optional: Internet Protocol (IP) address and port/protocol of a reachable service to test the VPN connection.
Procedure
- Content from docs.aws.amazon.com is not included.Create a customer gateway to configure the VPN connection.
- If you do not already have a Virtual Private Gateway attached to the intended VPC, Content from docs.aws.amazon.com is not included.create and attach a Virtual Private Gateway.
- Content from docs.aws.amazon.com is not included.Configure routing and enable VPN route propagation.
- Content from docs.aws.amazon.com is not included.Update your security group.
Content from docs.aws.amazon.com is not included.Establish the Site-to-Site VPN connection.
NoteNote the VPC subnet information, which you must add to your configuration as the remote network.
Additional resources
2.1.5. Configure AWS Direct Connect
Configure AWS Direct Connect to establish a dedicated network connection between your remote network and your OpenShift Dedicated cluster Virtual Private Cloud (VPC).
Amazon Web Services (AWS) Direct Connect requires a hosted Virtual Interface (VIF) connected to a Direct Connect Gateway (DXGateway), which is in turn associated to a Virtual Gateway (VGW) or a Transit Gateway. This allows you to access a remote VPC in the same or another account.
Prerequisites
- The Classless Inter-Domain Routing (CIDR) range of the OpenShift Dedicated VPC does not conflict with any other associated VGWs.
Gather the following information:
- The Direct Connect Gateway ID.
- The AWS Account ID associated with the virtual interface.
- The Border Gateway Protocol (BGP) Autonomous System Number (ASN) assigned for the DXGateway. Optional: the Amazon default ASN may also be used.
Procedure
- Content from docs.aws.amazon.com is not included.Create a VIF or Content from docs.aws.amazon.com is not included.view your existing VIFs to determine the type of direct connection you need to create.
Create your gateway.
- If the Direct Connect VIF type is Private, Content from docs.aws.amazon.com is not included.create a virtual private gateway.
- If the Direct Connect VIF is Public, Content from docs.aws.amazon.com is not included.create a Direct Connect gateway.
If you have an existing gateway you want to use, Content from docs.aws.amazon.com is not included.create an association proposal and send the proposal to the DXGateway owner for approval.
WarningWhen connecting to an existing DXGateway, you are responsible for the Content from aws.amazon.com is not included.costs.
2.1.6. Additional resources
2.2. Configuring a private cluster
Configure OpenShift Dedicated clusters as private to host internal applications inside your corporate network and restrict API endpoint access to private connections only. This enhances security by preventing public internet access to the cluster control plane.
2.2.1. Enable a private cluster during cluster creation
Enable private cluster settings when creating a new cluster to restrict Application Programming Interface (API) endpoint access to private connections only. This enhances security by preventing public internet access to your cluster’s control plane.
Prerequisites
The following private connections are configured to allow private access:
- Virtual Private Cloud (VPC) Peering
- Cloud VPN
- DirectConnect (AWS only)
- TransitGateway (AWS only)
- Cloud Interconnect (Google Cloud only)
Procedure
- Log in to This content is not included.OpenShift Cluster Manager.
- Click Create cluster → OpenShift Dedicated → Create cluster.
- Configure your cluster details.
- When selecting your preferred network configuration, select Advanced.
Select Private.
WarningWhen set to Private, you cannot access your cluster unless you have configured the private connections in your cloud provider as outlined in the prerequisites.
- Click Create cluster. The cluster creation process begins and takes about 30-40 minutes to complete.
Verification
- The Installing cluster heading, under the Overview tab, indicates that the cluster is installing and you can view the installation logs from this heading. The Status indicator under the Details heading indicates when your cluster is Ready for use.
2.2.2. Enable an existing cluster to be private
Configure an existing public cluster to be private by restricting Application Programming Interface (API) endpoint access to private connections only. This enhances security by preventing public internet access to your cluster’s control plane.
Prerequisites
The following private connections are configured to allow private access:
- Virtual Private Cloud (VPC) Peering
- Cloud VPN
- DirectConnect (AWS only)
- TransitGateway (AWS only)
- Cloud Interconnect (Google Cloud only)
Procedure
- Log in to This content is not included.OpenShift Cluster Manager.
- Select the public cluster you want to make private.
On the Networking tab, select Make API private under Control Plane API endpoint.
WarningWhen set to Private, you cannot access your cluster unless you have configured the private connections in your cloud provider as outlined in the prerequisites.
Click Change settings.
NoteTransitioning your cluster between private and public can take several minutes to complete.
2.2.3. Configure an existing private cluster to be public
Configure an existing private cluster to be public by allowing Application Programming Interface (API) endpoint access from the internet. This enables access to your cluster without requiring private connection configuration.
Procedure
- Log in to This content is not included.OpenShift Cluster Manager.
- Select the private cluster you want to make public.
- On the Networking tab, deselect Make API private under Control Plane API endpoint.
Click Change settings.
NoteTransitioning your cluster between private and public can take several minutes to complete.
2.2.4. Additional resources
Chapter 3. Cluster autoscaling for OpenShift Dedicated
Apply autoscaling to OpenShift Dedicated clusters to automatically adjust the number of worker nodes based on workload demands. This optimizes resource utilization and reduces costs by scaling up when demand increases and scaling down when resources are underutilized.
You can configure the cluster autoscaler only in clusters where the machine API is operational.
Only one cluster autoscaler can be created per cluster.
3.1. The cluster autoscaler
The cluster autoscaler adjusts the size of an OpenShift Dedicated cluster to meet its current deployment needs. It uses declarative, Kubernetes-style arguments to provide infrastructure management that does not rely on objects of a specific cloud provider.
The cluster autoscaler increases the size of the cluster when there are pods that fail to schedule on any of the current worker nodes due to insufficient resources or when another node is necessary to meet deployment needs. The cluster autoscaler does not increase the cluster resources beyond the limits that you specify.
The cluster autoscaler computes the total memory and CPU on all nodes the cluster, even though it does not manage the control plane nodes. These values are not single-machine oriented. They are an aggregation of all the resources in the entire cluster. For example, if you set the maximum memory resource limit, the cluster autoscaler includes all the nodes in the cluster when calculating the current memory usage. That calculation is then used to determine if the cluster autoscaler has the capacity to add more worker resources.
Ensure that the maxNodesTotal value in the ClusterAutoscaler custom resource (CR) that you create is large enough to account for the total possible number of machines in your cluster. This value must encompass the number of control plane machines and the possible number of compute machines that you might scale to.
3.1.1. Automatic node removal
Every 10 seconds, the cluster autoscaler checks which nodes are unnecessary in the cluster and removes them. The cluster autoscaler considers a node for removal if the following conditions apply:
-
The node utilization is less than the node utilization level threshold for the cluster. The node utilization level is the sum of the requested resources divided by the allocated resources for the node. If you do not specify a value in the
ClusterAutoscalercustom resource, the cluster autoscaler uses a default value of0.5, which corresponds to 50% utilization. - The cluster autoscaler can move all pods running on the node to the other nodes. The Kubernetes scheduler is responsible for scheduling pods on the nodes.
- The cluster autoscaler does not have scale down disabled annotation.
If the following types of pods are present on a node, the cluster autoscaler will not remove the node:
- Pods with restrictive pod disruption budgets (PDBs).
- Kube-system pods that do not run on the node by default.
- Kube-system pods that do not have a PDB or have a PDB that is too restrictive.
- Pods that are not backed by a controller object such as a deployment, replica set, or stateful set.
- Pods with local storage.
- Pods that cannot be moved elsewhere because of a lack of resources, incompatible node selectors or affinity, matching anti-affinity, and so on.
-
Unless they also have a
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"annotation, pods that have a"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"annotation.
For example, you set the maximum CPU limit to 64 cores and configure the cluster autoscaler to only create machines that have 8 cores each. If your cluster starts with 30 cores, the cluster autoscaler can add up to 4 more nodes with 32 cores, for a total of 62.
By default, when the cluster autoscaler removes a node, it does not cordon the node when draining the pods from the node. You can configure the cluster autoscaler to cordon the node before draining and moving the pods by setting the spec.scaleDown.cordonNodeBeforeTerminating parameter to enabled in the ClusterAutoscaler CR. This parameter is disabled by default. It is recommended to enable this parameter in production clusters because of the risk of data loss, application errors, pods getting stuck in the terminating state, or other issues if the cluster autoscaler removes a node when the parameter is disabled. Leaving this parameter disabled, which can result in faster node removal, might be appropriate in clusters that run only stateless workloads.
3.1.2. Limitations
If you configure the cluster autoscaler, additional usage restrictions apply:
- Do not modify the nodes that are in autoscaled node groups directly. All nodes within the same node group have the same capacity and labels and run the same system pods.
- Specify requests for your pods.
- If you have to prevent pods from being deleted too quickly, configure appropriate PDBs.
- Confirm that your cloud provider quota is large enough to support the maximum node pools that you configure.
- Do not run additional node group autoscalers, especially the ones offered by your cloud provider.
The cluster autoscaler only adds nodes in autoscaled node groups if doing so would result in a schedulable pod. If the available node types cannot meet the requirements for a pod request, or if the node groups that could meet these requirements are at their maximum size, the cluster autoscaler cannot scale up.
3.1.3. Interaction with other scheduling features
The horizontal pod autoscaler (HPA) and the cluster autoscaler modify cluster resources in different ways. The HPA changes the deployment’s or replica set’s number of replicas based on the current CPU load. If the load increases, the HPA creates new replicas, regardless of the amount of resources available to the cluster. If there are not enough resources, the cluster autoscaler adds resources so that the HPA-created pods can run. If the load decreases, the HPA stops some replicas. If this action causes some nodes to be underutilized or completely empty, the cluster autoscaler deletes the unnecessary nodes.
The cluster autoscaler takes pod priorities into account. The Pod Priority and Preemption feature enables scheduling pods based on priorities if the cluster does not have enough resources, but the cluster autoscaler ensures that the cluster has resources to run all pods. To honor the intention of both features, the cluster autoscaler includes a priority cutoff function. You can use this cutoff to schedule "best-effort" pods, which do not cause the cluster autoscaler to increase resources but instead run only when spare resources are available.
Pods with priority lower than the cutoff value do not cause the cluster to scale up or prevent the cluster from scaling down. No new nodes are added to run the pods, and nodes running these pods might be deleted to free resources.
3.2. Enable autoscaling during cluster creation with OpenShift Cluster Manager
Enable cluster autoscaling during cluster creation by using OpenShift Cluster Manager to automatically adjust the number of nodes based on workload demands.
Procedure
During cluster creation, check the Enable autoscaling box. The Edit cluster autoscaling settings button becomes selectable.
- You can also choose the minimum or maximum amount of nodes to autoscale.
- Click Edit cluster autoscaling settings.
- Edit any settings you want and then click Close.
3.3. Enable autoscaling after cluster creation with OpenShift Cluster Manager
Enable cluster autoscaling on an existing cluster by using OpenShift Cluster Manager to automatically adjust the number of nodes based on workload demands.
Procedure
- In OpenShift Cluster Manager, click the name of the cluster you want to autoscale. The Overview page for the cluster has a Autoscaling item that indicates if it is enabled or disabled.
- Click the Machine Pools tab.
- Click the Edit cluster autoscaling button. The Edit cluster autoscaling settings window is shown.
- Click the Autoscale cluster toggle at the top of the window. All the settings are now editable.
- Edit any settings you want and then click Save.
Click the x at the top right of the screen to close the settings window.
To revert all autoscaling settings to the defaults if they have been changed, click the Revert all to defaults button.
3.4. Cluster autoscaling settings using OpenShift Cluster Manager
The tables explain all the configurable UI settings when using cluster autoscaling with OpenShift Cluster Manager.
Table 3.1. Configurable general settings for cluster autoscaling when using OpenShift Cluster Manager
| Setting | Description | Type or Range | Default |
|---|---|---|---|
|
| Sets the autoscaler log level. The default value is 1. Level 4 is recommended for debugging. Level 6 enables almost everything. |
| 1 |
|
|
If |
| true |
|
| Gives pods graceful termination time in seconds before scaling down. |
| 600 |
|
| Maximum time the cluster autoscaler waits for nodes to be provisioned. |
| 15m |
|
| Allows users to schedule "best-effort" pods, which are not expected to trigger cluster autoscaler actions. These pods only run when spare resources are available. |
| -10 |
|
| Determines whether the cluster autoscaler ignores daemon set pods when calculating resource utilization for scaling down. |
| false |
|
|
If |
| false |
|
| This option specifies labels that the cluster autoscaler should ignore when considering node group similarity. This option cannot contain spaces. |
| Format should be a comma-separated list of labels. |
Table 3.2. Configurable resource limit settings for cluster autoscaling when using OpenShift Cluster Manager
| Setting | Description | Type or Range | Default |
|---|---|---|---|
|
| Minimum number of cores in cluster. The cluster autoscaler does not scale the cluster less than this number. |
| 0 |
|
| Maximum number of cores in cluster. The cluster autoscaler does not scale the cluster greater than this number. |
| 180 * 64 (11520) |
|
| Minimum number of gigabytes of memory in cluster. The cluster autoscaler does not scale the cluster less than this number. |
| 0 |
|
| Maximum number of gigabytes of memory in cluster. The cluster autoscaler does not scale the cluster greater than this number. |
| 180 * 64 * 20 (230400) |
|
| Maximum number of nodes in all node groups. Includes all nodes, not just automatically scaled nodes. The cluster autoscaler does not grow the cluster greater than this number. |
| 180 |
| GPUs | Minimum and maximum number of different GPUs in cluster. The cluster autoscaler does not scale the cluster less than or greater than these numbers. |
| Format should be a comma-separated list of "<gpu_type>:<min>:<max>". |
Table 3.3. Configurable scale down settings for cluster autoscaling when using OpenShift Cluster Manager
| Setting | Description | Type or Range | Default |
|---|---|---|---|
|
| Should the cluster autoscaler scale down the cluster. |
| true |
|
| Node utilization level, defined as the sum of the requested resources divided by capacity, below which a node can be considered for scale down. |
| 0.5 |
|
| How long a node should be unneeded before it is eligible for scale down. |
| 10m |
|
| How long after scale up that scale-down evaluation resumes. |
| 10m |
|
| How long after node deletion that scale-down evaluation resumes. |
| 0s |
|
| How long after scale down failure that scale-down evaluation resumes. |
| 3m |
3.5. Additional resources
Chapter 4. Managing compute nodes using machine pools
4.1. About machine pools
OpenShift Dedicated uses machine pools as an elastic, dynamic provisioning method on top of your cloud infrastructure. The primary resources are machines, machine sets, and machine pools.
As of OpenShift Dedicated 4.11, the default per-pod PID limit is 4096. If you want to enable this PID limit, you must upgrade your OpenShift Dedicated clusters to this version or later. OpenShift Dedicated clusters running versions earlier than 4.11 use a default PID limit of 1024.
You cannot configure the per-pod PID limit on any OpenShift Dedicated cluster.
A machine is a fundamental unit that describes the host for a worker node. MachineSet resources are groups of compute machines. If you need more machines or must scale them down, change the number of replicas in the machine pool to which the compute machine sets belong.
Machine pools are a higher level construct to compute machine sets. A machine pool creates compute machine sets that are all clones of the same configuration across availability zones. Machine pools perform all of the host node provisioning management actions on a worker node. If you need more machines or must scale them down, change the number of replicas in the machine pool to meet your compute needs. You can manually configure scaling or set autoscaling.
By default, a cluster is created with one machine pool. You can add additional machine pools to an existing cluster, modify the default machine pool, and delete machine pools. Multiple machine pools can exist on a single cluster, and they can each have different types or different size nodes.
By default, when you create a machine pool in a multiple availability zone (Multi-AZ) cluster, that one machine pool has 3 zones. The machine pool, in turn, creates a total of 3 compute machine sets - one for each zone in the cluster. Each of those compute machine sets manages one or more machines in its respective availability zone.
If you create a new Multi-AZ cluster, the machine pools are replicated to those zones automatically. If you add a machine pool to an existing Multi-AZ, the new pool is automatically created in those zones. Similarly, deleting a machine pool will delete it from all zones. Due to this multiplicative effect, using machine pools in Multi-AZ cluster can consume more of your project’s quota for a specific region when creating machine pools.
4.1.1. Deploy a machine pool in a single availability zone within a Multi-AZ cluster
Deploy a single machine pool to a specific availability zone that is part of a Multi-AZ cluster. This option is useful when a required instance type is not available in all availability zones of a region or when your cluster does not need multiple instances of the required instance type.
Prerequisites
The This content is not included.OpenShift Cluster Manager API command-line interface (
ocm) is installed.ImportantOpenShift Cluster Manager API command-line interface (
ocm) is a Developer Preview feature only. For more information about the support scope of Red Hat Developer Preview features, see This content is not included.Developer Preview Support Scope.
Procedure
Deploy a machine pool to a specific availability zone by running the following command:
ocm create machine-pool \ --cluster <cluster_name> \ --instance-type <instance_type> \ --replicas <number_of_replicas> \ --availability-zone <availability_zone> \ [<flags>] \ <machine_pool_id>
Where:
-
<cluster_name>: Replace with the name or ID of the cluster that you want to add the machine pool to. -
<instance_type>: Replace with the instance type you want to deploy to the single availability zone. -
<number_of_replicas>: Replace with the number of replicas of the selected instance type you want to include in the machine pool. -
<availability_zone>: Replace with the availability zone you want to add the machine pool to. -
<flags>: Optional. Replace with any additional flags available for machine pool creation. <machine_pool_id>: Replace with an ID for your machine pool.NoteTo view the additional flags available for machine pool creation, run the
ocm create machine-pool --helpcommand.
-
4.1.2. Additional resources
- Managing compute nodes
- Managing cluster autoscaling
- This page is not included, but the link has been rewritten to point to the nearest parent document.Overview of machine management
- Content from cloud.google.com is not included.Google Cloud instance types
- Content from cloud.google.com is not included.Google Cloud regions and availability zones
4.2. Managing compute nodes
Manage compute nodes, also known as worker nodes, in OpenShift Dedicated clusters to optimize workload placement and resource allocation. Configure machine pools to control node scaling, apply labels for workload targeting, and add taints to control pod scheduling.
4.2.1. Creating a machine pool
A machine pool is created when you install an OpenShift Dedicated cluster. After installation, you can create additional machine pools for your cluster by using OpenShift Cluster Manager.
The compute, also known as worker, node instance types, autoscaling options, and node counts that are available depend on your OpenShift Dedicated subscriptions, resource quotas and deployment scenario. For more information, contact your sales representative or Red Hat support.
Prerequisites
- You created an OpenShift Dedicated cluster.
Procedure
- Navigate to This content is not included.OpenShift Cluster Manager and select your cluster.
- Under the Machine pools tab, click Add machine pool.
- Add a Machine pool name.
Select a Compute node instance type from the list. The instance type defines the vCPU and memory allocation for each compute node in the machine pool.
NoteYou cannot change the instance type for a machine pool after the pool is created.
Configure the node count by choosing one of the following options:
Enable autoscaling: Select Enable autoscaling to automatically scale the number of machines in your machine pool to meet the deployment needs. Set the minimum and maximum node count limits for autoscaling. The cluster autoscaler does not reduce or increase the machine pool node count beyond the limits that you specify.
NoteThe Enable autoscaling option is only available for OpenShift Dedicated if you have the
capability.cluster.autoscale_clusterssubscription. For more information, contact your sales representative or Red Hat support.- If you deployed your cluster using a single availability zone, set the Minimum and maximum node count. This defines the minimum and maximum compute node limits in the availability zone.
- If you deployed your cluster using multiple availability zones, set the Minimum nodes per zone and Maximum nodes per zone. This defines the minimum and maximum compute node limits per zone.
Manual node count: If you do not enable autoscaling, select a compute node count:
- If you deployed your cluster using a single availability zone, select a Compute node count from the drop-down menu. This defines the number of compute nodes to provision to the machine pool for the zone.
- If you deployed your cluster using multiple availability zones, select a Compute node count (per zone) from the drop-down menu. This defines the number of compute nodes to provision to the machine pool per zone.
Optional: Configure advanced machine pool settings by expanding the appropriate sections and providing values:
- For Node labels and taints, expand the Edit node labels and taints menu.
- Under Node labels, add Key and Value entries for your node labels.
Under Taints, add Key and Value entries for your taints. For each taint, select an Effect from the drop-down menu. Available options include
NoSchedule,PreferNoSchedule, andNoExecute.NoteCreating a machine pool with taints is only possible if the cluster already has at least one machine pool without a taint. Alternatively, you can add node labels and taints after you create the machine pool.
- Custom security groups: Select additional custom security groups to use for nodes in this machine pool. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups after you create the machine pool. For more information, see the requirements for security groups in the "Additional resources" section.
- Amazon EC2 Spot Instances: If you deployed OpenShift Dedicated on AWS using the Customer Cloud Subscription (CCS) model and want to configure your machine pool to deploy machines as non-guaranteed AWS Spot Instances, select Use Amazon EC2 Spot Instances. Leave Use On-Demand instance price selected to use the on-demand instance price, or select Set maximum price to define a maximum hourly price for a Spot Instance. For more information about Amazon EC2 Spot Instances, see the Content from aws.amazon.com is not included.AWS documentation.
- Click Add machine pool to create the machine pool.
Verification
- Verify that the machine pool is visible on the Machine pools page and the configuration is as expected.
4.2.2. Deleting a machine pool
You can delete a machine pool if your workload requirements have changed and your current machine pools no longer meet your needs. You can delete machine pools by using Red Hat OpenShift Cluster Manager.
Prerequisites
- You have created an OpenShift Dedicated cluster.
- The cluster is in the ready state.
- You have an existing machine pool without any taints and with at least two replicas for a Single-AZ cluster or three replicas for a Multi-AZ cluster.
Procedure
- From This content is not included.OpenShift Cluster Manager, navigate to the Cluster List page and select the cluster that contains the machine pool that you want to delete.
- On the selected cluster, select the Machine pools tab.
-
Under the Machine pools tab, click the Options menu
for the machine pool that you want to delete.
- Click Delete.
Verification
- Verify that the machine pool no longer is displayed in the list of machine pools on the Machine pools tab.
4.2.3. Scale compute nodes manually
If you have not enabled autoscaling for your machine pool, you can manually scale the number of compute nodes, also known as worker nodes, in the pool to meet your deployment needs. You must scale each machine pool separately.
Prerequisites
- You created an OpenShift Dedicated cluster.
- You have an existing machine pool.
Procedure
- Navigate to This content is not included.OpenShift Cluster Manager and select your cluster.
-
Under the Machine pools tab, click the Options menu
for the machine pool that you want to scale.
- Select Scale.
Specify the node count:
- If you deployed your cluster using a single availability zone, specify the Node count in the drop-down menu.
If you deployed your cluster using multiple availability zones, specify the Node count per zone in the drop-down menu.
NoteYour subscription determines the number of nodes that you can select.
- Click Apply to scale the machine pool.
Verification
- Under the Machine pools tab, verify that the Node count for your machine pool is as expected.
4.2.4. Node labels for managing machine pools in OpenShift Dedicated
A label is a key-value pair applied to a Node object. You can use labels to organize sets of objects and control the scheduling of pods. You can add labels during cluster creation or after. Labels can be modified or updated at any time.
Additional resources
4.2.4.1. Add node labels to a machine pool
Add or edit labels for compute nodes at any time to manage the nodes in a manner that is relevant to you. For example, you can assign types of workloads to specific nodes. Each key must be unique to the object it is assigned to.
Prerequisites
- You created an OpenShift Dedicated cluster.
- You have an existing machine pool.
Procedure
- Navigate to This content is not included.OpenShift Cluster Manager and select your cluster.
-
Under the Machine pools tab, click the Options menu
for the machine pool that you want to add a label to.
- Select Edit labels.
- If you have existing labels in the machine pool that you want to remove, select x next to the label to delete it.
-
Add a label using the format
<key>=<value>and press enter. For example, addapp=dband then press Enter. If the format is correct, the key value pair is then highlighted. - Repeat the previous step if you want to add additional labels.
- Click Save to apply the labels to the machine pool.
Verification
- Under the Machine pools tab, select > next to your machine pool to expand the view.
- Verify that your labels are listed under Labels in the expanded view.
4.2.5. Add taints to a machine pool
You can add taints for compute nodes in a machine pool to control which pods are scheduled to them. When you apply a taint to a machine pool, the scheduler cannot place a pod on the nodes in the pool unless the pod specification includes a toleration for the taint.
A cluster must have at least one machine pool that does not contain any taints.
Prerequisites
- You created an OpenShift Dedicated cluster.
- You have an existing machine pool that does not contain any taints and contains at least two instances.
Procedure
- Navigate to This content is not included.OpenShift Cluster Manager and select your cluster.
-
Under the Machine pools tab, click the Options menu
for the machine pool that you want to add a taint to.
- Select Edit taints.
- Add Key and Value entries for your taint.
-
Select an Effect for your taint from the list. Available options include
NoSchedule,PreferNoSchedule, andNoExecute. - Select Add taint if you want to add more taints to the machine pool.
- Click Save to apply the taints to the machine pool.
Verification
- Under the Machine pools tab, select > next to your machine pool to expand the view.
- Verify that your taints are listed under Taints in the expanded view.
4.2.6. Additional resources
4.3. Managing cluster autoscaling
Configure cluster autoscaling to automatically adjust the number of worker nodes based on workload demands. Enable autoscaling for specific machine pools to optimize resource utilization and reduce costs.
Autoscaling is available only on clusters that were purchased through Google Cloud Marketplace.
When you enable autoscaling, you must also set a minimum and maximum number of worker nodes.
Only cluster owners and organization admins can scale or delete a cluster.
Applying autoscaling to an OpenShift Dedicated cluster involves deploying a cluster autoscaler and then deploying machine autoscalers for each machine type in your cluster.
You can configure the cluster autoscaler only in clusters where the Machine API is operational.
You can enable autoscaling on worker nodes to increase or decrease the number of nodes available by editing the machine pool definition for an existing cluster. You can also disable autoscaling on worker nodes by using OpenShift Cluster Manager console.
4.3.1. Enable autoscaling nodes in an existing cluster using Red Hat OpenShift Cluster Manager
Enable autoscaling for worker nodes in the machine pool definition from OpenShift Cluster Manager console.
Procedure
- From This content is not included.OpenShift Cluster Manager, navigate to the Cluster List page and select the cluster that you want to enable autoscaling for.
- On the selected cluster, select the Machine pools tab.
-
Click the Options menu
at the end of the machine pool that you want to enable autoscaling for and select Edit.
- On the Edit machine pool dialog, select the Enable autoscaling checkbox.
- Select Save to save these changes and enable autoscaling for the machine pool.
4.3.2. Disable autoscaling nodes in an existing cluster using Red Hat OpenShift Cluster Manager
Disable autoscaling for worker nodes in the machine pool definition from OpenShift Cluster Manager.
Procedure
- From This content is not included.OpenShift Cluster Manager, navigate to the Cluster List page and select the cluster with autoscaling that must be disabled.
- On the selected cluster, select the Machine pools tab.
-
Click the Options menu
at the end of the machine pool with autoscaling and select Edit.
- On the Edit machine pool dialog, clear the Enable autoscaling checkbox.
- Select Save to save these changes and disable autoscaling from the machine pool.
4.3.3. The cluster autoscaler
The cluster autoscaler adjusts the size of an OpenShift Dedicated cluster to meet its current deployment needs. It uses declarative, Kubernetes-style arguments to provide infrastructure management that does not rely on objects of a specific cloud provider.
The cluster autoscaler increases the size of the cluster when there are pods that fail to schedule on any of the current worker nodes due to insufficient resources or when another node is necessary to meet deployment needs. The cluster autoscaler does not increase the cluster resources beyond the limits that you specify.
The cluster autoscaler computes the total memory and CPU on all nodes the cluster, even though it does not manage the control plane nodes. These values are not single-machine oriented. They are an aggregation of all the resources in the entire cluster. For example, if you set the maximum memory resource limit, the cluster autoscaler includes all the nodes in the cluster when calculating the current memory usage. That calculation is then used to determine if the cluster autoscaler has the capacity to add more worker resources.
Ensure that the maxNodesTotal value in the ClusterAutoscaler custom resource (CR) that you create is large enough to account for the total possible number of machines in your cluster. This value must encompass the number of control plane machines and the possible number of compute machines that you might scale to.
4.3.3.1. Automatic node removal
Every 10 seconds, the cluster autoscaler checks which nodes are unnecessary in the cluster and removes them. The cluster autoscaler considers a node for removal if the following conditions apply:
-
The node utilization is less than the node utilization level threshold for the cluster. The node utilization level is the sum of the requested resources divided by the allocated resources for the node. If you do not specify a value in the
ClusterAutoscalercustom resource, the cluster autoscaler uses a default value of0.5, which corresponds to 50% utilization. - The cluster autoscaler can move all pods running on the node to the other nodes. The Kubernetes scheduler is responsible for scheduling pods on the nodes.
- The cluster autoscaler does not have scale down disabled annotation.
If the following types of pods are present on a node, the cluster autoscaler will not remove the node:
- Pods with restrictive pod disruption budgets (PDBs).
- Kube-system pods that do not run on the node by default.
- Kube-system pods that do not have a PDB or have a PDB that is too restrictive.
- Pods that are not backed by a controller object such as a deployment, replica set, or stateful set.
- Pods with local storage.
- Pods that cannot be moved elsewhere because of a lack of resources, incompatible node selectors or affinity, matching anti-affinity, and so on.
-
Unless they also have a
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"annotation, pods that have a"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"annotation.
For example, you set the maximum CPU limit to 64 cores and configure the cluster autoscaler to only create machines that have 8 cores each. If your cluster starts with 30 cores, the cluster autoscaler can add up to 4 more nodes with 32 cores, for a total of 62.
By default, when the cluster autoscaler removes a node, it does not cordon the node when draining the pods from the node. You can configure the cluster autoscaler to cordon the node before draining and moving the pods by setting the spec.scaleDown.cordonNodeBeforeTerminating parameter to enabled in the ClusterAutoscaler CR. This parameter is disabled by default. It is recommended to enable this parameter in production clusters because of the risk of data loss, application errors, pods getting stuck in the terminating state, or other issues if the cluster autoscaler removes a node when the parameter is disabled. Leaving this parameter disabled, which can result in faster node removal, might be appropriate in clusters that run only stateless workloads.
4.3.3.2. Limitations
If you configure the cluster autoscaler, additional usage restrictions apply:
- Do not modify the nodes that are in autoscaled node groups directly. All nodes within the same node group have the same capacity and labels and run the same system pods.
- Specify requests for your pods.
- If you have to prevent pods from being deleted too quickly, configure appropriate PDBs.
- Confirm that your cloud provider quota is large enough to support the maximum node pools that you configure.
- Do not run additional node group autoscalers, especially the ones offered by your cloud provider.
The cluster autoscaler only adds nodes in autoscaled node groups if doing so would result in a schedulable pod. If the available node types cannot meet the requirements for a pod request, or if the node groups that could meet these requirements are at their maximum size, the cluster autoscaler cannot scale up.
4.3.3.3. Interaction with other scheduling features
The horizontal pod autoscaler (HPA) and the cluster autoscaler modify cluster resources in different ways. The HPA changes the deployment’s or replica set’s number of replicas based on the current CPU load. If the load increases, the HPA creates new replicas, regardless of the amount of resources available to the cluster. If there are not enough resources, the cluster autoscaler adds resources so that the HPA-created pods can run. If the load decreases, the HPA stops some replicas. If this action causes some nodes to be underutilized or completely empty, the cluster autoscaler deletes the unnecessary nodes.
The cluster autoscaler takes pod priorities into account. The Pod Priority and Preemption feature enables scheduling pods based on priorities if the cluster does not have enough resources, but the cluster autoscaler ensures that the cluster has resources to run all pods. To honor the intention of both features, the cluster autoscaler includes a priority cutoff function. You can use this cutoff to schedule "best-effort" pods, which do not cause the cluster autoscaler to increase resources but instead run only when spare resources are available.
Pods with priority lower than the cutoff value do not cause the cluster to scale up or prevent the cluster from scaling down. No new nodes are added to run the pods, and nodes running these pods might be deleted to free resources.