Allow automatic resource adjustment

Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits.

Redis Enterprise for Kubernetes

Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets allowPrivilegeEscalation to false. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.

Default behavior

Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has allowAutoAdjustment set to false or removed.

If automatic resource adjustment is disabled, the REC security context looks like this:

securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: false

Enable automatic resource adjustment

To allow the Redis Enterprise container to adjust system resource limits automatically, set allowAutoAdjustment to true. This will grant the container elevated capabilities such as SYS_RESOURCE. Note that changing this value on a running cluster will trigger a rolling update.

spec:
  securityContext:
    resourceLimits:
      allowAutoAdjustment: true

Enabling automatic resource adjustment results in the following security context:

Note: Enabling allowAutoAdjustment grants the container the SYS_RESOURCE capability and permits privilege escalation.

securityContext:
  allowPrivilegeEscalation: true
  capabilities:
    add:
    - SYS_RESOURCE
    drop:
    - ALL
  privileged: false
  readOnlyRootFilesystem: false

OpenShift upgrades

If you're upgrading OpenShift to 7.22.0-6, update your existing SCC (security context constraint).

If running with automatic resource adjustment disabled, remove the custom redis-enterprise-scc-v2 SCC and unbind it from the REC service account after you complete the upgrade.

oc delete scc/redis-enterprise-scc-v2

oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z <service-account-name>

If running with automatic resource adjustment enabled, manually reapply the security context constraints (SCC) file (scc.yaml).

oc apply -f openshift/scc.yaml

oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
  system:serviceaccount:<my-project>:<rec-name>

New OpenShift installations

New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using a built-in nonroot-v2 which is more secure and less permissive.

To enable automatic resource adjustment after installation, apply and grant permissions to the redis-enterprise-scc-v2 SCC.

  1. Apply the scc.yaml file.

    Warning:
    Do not edit this file.
    oc apply -f openshift/scc.yaml

    You should see the following output:

    securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured

  2. Provide the operator permissions for the pods.

    oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
  system:serviceaccount:<my-project>:<rec>

SYS_RESOURCE

Some Redis Enterprise processes may require the SYS_RESOURCE capability to raise resource limits, such as the maximum number of open file descriptors.

Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and SYS_RESOURCE is not enabled, these processes may fail.

Choose whether to enable automatic resource adjustment

Use the following guidance to decide whether to enable automatic resource adjustment:

  • If you're running on a major cloud provider such as AWS, GKE, or AKS, automatic resource adjustment disabled is likely sufficient.
  • If you're running on-prem or using Kubespray, verify your file descriptor limits. You can:
    • Configure limits manually and use automatic resource adjustment disabled.
    • Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation.

If you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use automatic resource adjustment disabled.

Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. The only known exception is clusters created with Kubespray, which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled.

RATE THIS PAGE
Back to top ↑