K8s: Add YAML examples #1872
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
--- | ||
Title: Log collector RBAC examples | ||
alwaysopen: false | ||
categories: | ||
- docs | ||
- operate | ||
- kubernetes | ||
description: YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool in restricted and all modes. | ||
linkTitle: Log collector RBAC | ||
weight: 50 | ||
--- | ||
|
||
This page provides YAML examples for configuring RBAC permissions for the Redis Enterprise log collector tool. The log collector requires different permission levels depending on the collection mode you choose. | ||
|
||
For complete log collection instructions, see [Collect logs]({{< relref "/operate/kubernetes/logs/collect-logs" >}}). | ||
|
||
## Prerequisites | ||
|
||
- [Deployment]({{< relref "/operate/kubernetes/deployment" >}}) must be installed | ||
- Appropriate permissions to create RBAC resources in target namespaces | ||
- Understanding of your deployment model (single namespace, multi-namespace, etc.) | ||
|
||
## Collection modes | ||
|
||
The log collector has two collection modes that require different RBAC permissions: | ||
|
||
- **Restricted mode** (recommended): Collects only Redis Enterprise resources with minimal security exposure. Default for versions 6.2.18-3 and later. | ||
- **All mode**: Collects comprehensive cluster information including nodes, storage classes, and operator resources. Use when specifically requested by Redis Support. | ||
|
||
## Restricted mode | ||
|
||
The restricted mode configuration provides minimal permissions for collecting Redis Enterprise resources only. | ||
|
||
{{<embed-yaml "k8s/log_collector_role_restricted_mode.md" "log-collector-restricted-rbac.yaml">}} | ||
|
||
Restricted mode configuration: | ||
- `Role`: Namespace-scoped permissions for Redis Enterprise resources | ||
- `ClusterRole`: Cluster-wide permissions for CRDs and basic cluster resources | ||
- `rules`: Minimal permissions for Redis Enterprise diagnostics | ||
|
||
Key permissions: | ||
- `pods, pods/log, pods/exec`: Access to pod information and logs | ||
- `app.redislabs.com/*`: All Redis Enterprise custom resources | ||
- `persistentvolumes`: Storage information for troubleshooting | ||
|
||
## All mode | ||
|
||
The all mode configuration provides comprehensive permissions for collecting detailed cluster information. | ||
|
||
{{<embed-yaml "k8s/log_collector_role_all_mode.md" "log-collector-all-rbac.yaml">}} | ||
|
||
All mode configuration: | ||
- `Role`: Extended namespace permissions including operator resources | ||
- `ClusterRole`: Additional cluster-wide permissions for nodes and storage | ||
- `rules`: Comprehensive permissions for full cluster diagnostics | ||
|
||
Additional permissions in all mode: | ||
- `nodes`: Node information and status | ||
- `storageclasses, volumeattachments`: Storage system details | ||
- `operators.coreos.com/*`: OpenShift operator information | ||
- `networking.istio.io/*`: Istio service mesh resources | ||
|
||
## Apply the configuration | ||
|
||
### Manual deployment | ||
|
||
To apply the RBAC configurations manually: | ||
|
||
```bash | ||
# Apply restricted mode RBAC | ||
kubectl apply -f log-collector-restricted-rbac.yaml --namespace <namespace> | ||
|
||
# Apply all mode RBAC | ||
kubectl apply -f log-collector-all-rbac.yaml --namespace <namespace> | ||
``` | ||
### Namespace requirements | ||
|
||
The Role and RoleBinding must be created in every namespace where you need to collect logs: | ||
"You must create" to avoid PV? |
||
|
||
- **Single namespace**: Apply to the namespace where Redis Enterprise runs | ||
- **Multi-namespace with single REC**: Apply to the REC namespace plus each REDB namespace | ||
- **Multi-namespace with multiple RECs**: Apply to each REC namespace | ||
|
||
The ClusterRole and ClusterRoleBinding need to be created only once per cluster. | ||
|
||
Edit the values in the downloaded YAML file for your specific setup, updating the namespace references and role binding subjects to match your environment. | ||
|
||
## Security considerations | ||
|
||
### Best practices | ||
|
||
- Use restricted mode unless you specifically need additional cluster information | ||
- Limit namespace access to only where log collection is needed | ||
- Handle collected data according to your organization's security policies | ||
|
||
### Secrets permission explanation | ||
|
||
The RBAC configurations request read access to secrets in the collected namespaces. **Secrets are not collected or included in the log package sent to Redis Support.** This permission is required because: | ||
|
||
- The log collector uses Helm commands (`helm list`, `helm get all`) to gather Redis Enterprise Helm chart deployment information | ||
- Helm stores its deployment metadata in Kubernetes secrets | ||
- This metadata contains only deployment configuration (not sensitive data) | ||
|
||
If your security policies prohibit secrets access, you can remove the secrets permission from the Role, but this will limit the log collector's ability to gather Helm deployment information. | ||
|
||
## Troubleshooting | ||
|
||
### Permission errors | ||
|
||
- Verify that roles and bindings are applied correctly in the target namespaces | ||
- Check that the ClusterRole is applied cluster-wide | ||
- Ensure the service account has proper role bindings | ||
|
||
### Missing resources | ||
|
||
- Consider switching to all mode if additional cluster resources are needed | ||
- Verify that custom resource definitions are installed | ||
- Check that the operator has proper permissions | ||
|
||
## Next steps | ||
|
||
- [Collect logs]({{< relref "/operate/kubernetes/logs/collect-logs" >}}) | ||
|
||
## Related documentation | ||
|
||
- [Kubernetes RBAC documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) | ||
- [Logs]({{< relref "/operate/kubernetes/logs" >}}) | ||
- [Deployment]({{< relref "/operate/kubernetes/deployment" >}}) |
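Review bot: In "Key permissions", `pods/exec` is listed for restricted mode with the description "Access to pod information and logs", but exec allows running commands inside pods, which is more than read access. State why the collector needs it so readers can weigh it against the "minimal permissions" wording. In "Secrets permission explanation", the line "This metadata contains only deployment configuration (not sensitive data)" describes what Helm stores, while the permission described is read access to secrets in the collected namespaces in general; say that the grant is broader than what the tool reads. Smaller points: `Title:` in the front matter is capitalized, unlike `title:` in the API reference file in this PR, and the closing code fence before "### Namespace requirements" has no blank line after it.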
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -5,30 +5,30 @@ categories: | |||||
- docs | ||||||
- operate | ||||||
- kubernetes | ||||||
description: API reference and guides for managing Redis Enterprise custom resources on Kubernetes. | ||||||
description: Resources to help you manage Redis Enterprise custom resources on Kubernetes. | ||||||
hideListLinks: true | ||||||
linkTitle: Reference | ||||||
weight: 89 | ||||||
--- | ||||||
|
||||||
Reference documentation for Redis Enterprise custom resources, including API specifications and practical guides for creating, configuring, and managing Redis Enterprise deployments on Kubernetes. | ||||||
This reference documentation covers Redis Enterprise custom resources, API specifications, and practical instructions for creating, configuring, and managing Redis Enterprise deployments on Kubernetes. | ||||||
|
||||||
## Working with custom resources | ||||||
## Work with custom resources | ||||||
|
||||||
Redis Enterprise for Kubernetes uses custom resources to manage clusters and databases. You can create, modify, and delete these resources using standard Kubernetes tools. | ||||||
Redis Enterprise for Kubernetes uses custom resources to manage clusters and databases. Use standard Kubernetes tools to create, modify, and delete these resources. | ||||||
|
||||||
### Creating custom resources | ||||||
### Create custom resources | ||||||
|
||||||
Create custom resources using `kubectl apply` with YAML manifests: | ||||||
Use `kubectl apply` with YAML manifests to create custom resources: | ||||||
|
||||||
```bash | ||||||
kubectl apply -f my-redis-cluster.yaml | ||||||
kubectl apply -f my-redis-database.yaml | ||||||
``` | ||||||
|
||||||
### Viewing custom resources | ||||||
### View custom resources | ||||||
|
||||||
List and inspect existing custom resources: | ||||||
Use these commands to list and inspect existing custom resources: | ||||||
|
||||||
```bash | ||||||
# List Redis Enterprise clusters | ||||||
|
@@ -48,9 +48,9 @@ kubectl describe rec my-cluster | |||||
kubectl describe redb my-database | ||||||
``` | ||||||
|
||||||
### Modifying custom resources | ||||||
### Modify custom resources | ||||||
|
||||||
Update custom resources by editing the YAML manifest and reapplying: | ||||||
Edit the YAML manifest and reapply to update custom resources: | ||||||
|
||||||
```bash | ||||||
# Edit and apply updated manifest | ||||||
|
@@ -61,20 +61,22 @@ kubectl edit rec my-cluster | |||||
kubectl edit redb my-database | ||||||
``` | ||||||
|
||||||
### Deleting custom resources | ||||||
## YAML examples | ||||||
|
||||||
Remove custom resources when no longer needed: | ||||||
Find complete YAML examples for common deployment scenarios: | ||||||
|
||||||
```bash | ||||||
kubectl delete redb my-database | ||||||
kubectl delete rec my-cluster | ||||||
``` | ||||||
- [YAML examples]({{< relref "/operate/kubernetes/reference/yaml-examples" >}}) - Ready-to-use YAML configurations for different deployment types | ||||||
|
||||||
### Example categories | ||||||
|
||||||
**Important:** Always delete databases (REDB) before deleting the cluster (REC) to ensure proper cleanup. | ||||||
- [Basic deployment]({{< relref "/operate/kubernetes/reference/yaml-examples/basic-deployment" >}}) - Essential YAML files for simple Redis Enterprise deployment | ||||||
These are all dead links. I think the
Suggested change
|
||||||
- [Rack awareness]({{< relref "/operate/kubernetes/reference/yaml-examples/rack-awareness" >}}) - YAML examples for rack-aware deployments across availability zones | ||||||
- [Active-Active]({{< relref "/operate/kubernetes/reference/yaml-examples/active-active" >}}) - YAML examples for Active-Active databases across multiple clusters | ||||||
- [Multi-namespace]({{< relref "/operate/kubernetes/reference/yaml-examples/multi-namespace" >}}) - YAML examples for deploying across multiple namespaces | ||||||
|
||||||
## API reference | ||||||
|
||||||
Complete API specifications for all Redis Enterprise custom resources: | ||||||
Review complete API specifications for all Redis Enterprise custom resources: | ||||||
|
||||||
### Core resources | ||||||
|
||||||
|
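Review bot: The "Deleting custom resources" section appears to be replaced by "YAML examples" in this hunk, which drops the warning `**Important:** Always delete databases (REDB) before deleting the cluster (REC) to ensure proper cleanup.` along with the `kubectl delete` commands. If no other page carries that ordering requirement, keep the note here or link to the page that now covers deletion.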
@@ -88,16 +90,16 @@ Complete API specifications for all Redis Enterprise custom resources: | |||||
|
||||||
## Compatibility | ||||||
|
||||||
Information about supported Kubernetes distributions and versions: | ||||||
Check supported Kubernetes distributions and versions: | ||||||
|
||||||
- [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}) - Compatible Kubernetes platforms and versions | ||||||
|
||||||
## Best practices | ||||||
|
||||||
When working with custom resources: | ||||||
Follow these best practices when working with custom resources: | ||||||
|
||||||
- **Use version control**: Store your YAML manifests in version control systems | ||||||
- **Validate before applying**: Use `kubectl apply --dry-run=client` to validate changes | ||||||
- **Monitor resource status**: Check resource status after applying changes | ||||||
- **Monitor resource status**: Check resource status after you apply changes | ||||||
- **Follow naming conventions**: Use consistent naming for easier management | ||||||
- **Document configurations**: Add annotations and labels to describe resource purpose |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,56 @@ | ||||||
--- | ||||||
title: API reference | ||||||
categories: | ||||||
- docs | ||||||
- operate | ||||||
- kubernetes | ||||||
linkTitle: API reference | ||||||
description: Reference documentation for Redis Enterprise operator APIs | ||||||
weight: 30 | ||||||
alwaysopen: false | ||||||
hideListLinks: true | ||||||
aliases: | ||||||
--- | ||||||
|
||||||
The Redis Enterprise operator provides Kubernetes custom resource definitions (CRDs) that let you manage Redis Enterprise clusters and databases declaratively. This section contains the complete API reference for all operator resources. | ||||||
|
||||||
## API versions and stability | ||||||
|
||||||
The operator uses different API versions to indicate stability and feature maturity: | ||||||
|
||||||
- **`app.redislabs.com/v1`** - Stable APIs for production use | ||||||
- **`app.redislabs.com/v1alpha1`** - Alpha APIs that may change in future releases | ||||||
|
||||||
## Custom resources | ||||||
|
||||||
| Resource | API Version | Purpose | | ||||||
|----------|-------------|---------| | ||||||
| [RedisEnterpriseCluster (REC)](redis_enterprise_cluster_api) | `v1` | Manages Redis Enterprise cluster deployments | | ||||||
| [RedisEnterpriseDatabase (REDB)](redis_enterprise_database_api) | `v1alpha1` | Creates and configures Redis databases | | ||||||
| [RedisEnterpriseActiveActiveDatabase (REAADB)](redis_enterprise_active_active_database_api) | `v1alpha1` | Sets up active-active databases across clusters | | ||||||
| [RedisEnterpriseRemoteCluster (RERC)](redis_enterprise_remote_cluster_api) | `v1alpha1` | Defines remote cluster connections for active-active | | ||||||
|
||||||
## Working with the APIs | ||||||
|
||||||
### Using kubectl | ||||||
|
||||||
Manage all resources using standard `kubectl` commands: | ||||||
|
||||||
```bash | ||||||
# List all Redis Enterprise clusters | ||||||
kubectl get rec | ||||||
|
||||||
# Get detailed information about a specific database | ||||||
kubectl describe redb my-database | ||||||
|
||||||
# Apply a configuration from a YAML file | ||||||
kubectl apply -f my-redis-config.yaml | ||||||
``` | ||||||
|
||||||
### Resource relationships | ||||||
|
||||||
- Create a `RedisEnterpriseCluster` (REC) first to provide the Redis Enterprise infrastructure | ||||||
- Create `RedisEnterpriseDatabase` (REDB) resources within a cluster to provision individual databases | ||||||
- Use `RedisEnterpriseActiveActiveDatabase` (REAADB) with `RedisEnterpriseRemoteCluster (RERC)` resources to define participating clusters | ||||||
|
||||||
For complete YAML configuration examples, see the [YAML examples](../yaml/) section. | ||||||
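Review bot: The front matter has an empty `aliases:` key; remove it or list the paths it should redirect from. In "Resource relationships", the code span `RedisEnterpriseRemoteCluster (RERC)` includes the abbreviation, unlike `RedisEnterpriseCluster` (REC) and the other entries in that list, and the "Custom resources" table uses bare relative links such as `(redis_enterprise_cluster_api)` where the other files in this PR use `relref`.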
Should be a relref.
Suggested change
|
Nothing major, but I'm just wondering if there's an easy way to add italics or code style or something to "all" when it's used as the mode name (and I guess you would do the same for "restricted" for consistency)? For example, later in the page you say "Consider switching to all mode..." and it took me a second reading to get what it meant.