K8s: sys_resource revision #1656

Merged
merged 5 commits into from
Jun 5, 2025
3 changes: 2 additions & 1 deletion content/operate/kubernetes/deployment/helm.md
Expand Up @@ -9,7 +9,6 @@ description: Install Redis Enterprise for Kubernetes version 7.8.6 using Helm ch
linkTitle: Helm
weight: 11
---

Helm charts provide a simple way to install the Redis Enterprise for Kubernetes operator in just a few steps. For more information about Helm, go to [https://helm.sh/docs/](https://helm.sh/docs/).

{{<note>}} This feature is currently in public preview and is not supported on production workloads. Only new installations of the Redis operator are supported at this time. The steps for [creating the RedisEnterpriseCluster (REC)]({{<relref "operate/kubernetes/deployment/quick-start#create-a-redis-enterprise-cluster-rec">}}) and other custom resources remain the same.{{</note>}}
Expand All @@ -21,6 +20,8 @@ Helm charts provide a simple way to install the Redis Enterprise for Kubernetes
- [Kubernetes client (kubectl)](https://kubernetes.io/docs/tasks/tools/).
- [Helm 3.10 or later](https://helm.sh/docs/intro/install/).

If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

### Example values

The steps below use the following placeholders to indicate command line parameters you must provide:
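Review bot: the new paragraph tells the reader to act "if you suspect" the file descriptor limit is below 100,000 but gives no way to find out, and a wrong guess either leaves Redis Enterprise processes failing at runtime or grants `SYS_RESOURCE` for nothing. Add the check next to the advice, for example `kubectl exec` into a running pod on the target node pool and compare `ulimit -Sn` / `ulimit -Hn` against 100,000, since the pod's limits are inherited from the container runtime's configuration. The relref to `/operate/kubernetes/security/allow-resource-adjustment` matches the page this PR adds; the OpenShift pages in the same PR still link to `enable-privileged-mode` and should be brought in line with this one.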
17 changes: 14 additions & 3 deletions content/operate/kubernetes/deployment/openshift/openshift-cli.md
Expand Up @@ -10,6 +10,7 @@ description: Redis Enterprise for Kubernetes and cluster can be installed via CL
linkTitle: OpenShift CLI
weight: 60
---

Use these steps to set up a Redis Enterprise Software cluster with OpenShift.

## Prerequisites
Expand All @@ -19,6 +20,10 @@ Use these steps to set up a Redis Enterprise Software cluster with OpenShift.

To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}).

{{<note>}}
If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.
{{</note>}}

## Deploy the operator

1. Create a new project.
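Review bot: the relref in the new note points at `/operate/kubernetes/security/enable-privileged-mode`, but the page this PR introduces is `/operate/kubernetes/security/allow-resource-adjustment`, which is what helm.md and quick-start.md link to in the same change; if the old page is renamed, Hugo fails the build on this link, so update it here. The same note is inserted a second time further down this file under the REC creation step; one copy in the prerequisites is enough.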
Expand Down Expand Up @@ -70,16 +75,18 @@ DO NOT modify or delete the StatefulSet created during the deployment process. D

## Security context constraints

Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account.

To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{<relref "/operate/kubernetes/security/enable-privileged-mode#new-openshift-installations">}}).
Versions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment]({{<relref "content/operate/kubernetes/security/allow-resource-adjustment">}}). If you use the recommended default security constraints, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after upgrading.

## Create a Redis Enterprise cluster custom resource

1. Apply the `RedisEnterpriseCluster` resource file ([rec_rhel.yaml](https://github.com/RedisLabs/redis-enterprise-k8s-docs/blob/master/openshift/rec_rhel.yaml)).

You can rename the file to `<your_cluster_name>.yaml`, but it is not required. Examples below use `<rec_rhel>.yaml`. [Options for Redis Enterprise clusters]({{< relref "/operate/kubernetes/reference/redis_enterprise_cluster_api" >}}) has more info about the Redis Enterprise cluster (REC) custom resource, or see the [Redis Enterprise cluster API]({{<relref "/operate/kubernetes/reference/redis_enterprise_cluster_api">}}) for a full list of options.

{{<note>}}
If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.
{{</note>}}

The REC name cannot be changed after cluster creation.

{{<note>}}
Expand All @@ -88,6 +95,10 @@ Each Redis Enterprise cluster requires at least 3 nodes. Single-node RECs are no

2. Apply the custom resource file to create your Redis Enterprise cluster.

{{<note>}}
If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it.
{{</note>}}

```sh
oc apply -f <rec_rhel>.yaml
```
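Review bot: "Versions 7.22.0-6 and later run in without permissions to allow automatic resource adjustment" is ungrammatical, and the relref `content/operate/kubernetes/security/allow-resource-adjustment` carries a `content/` prefix that no other relref on these pages uses; suggest `Versions 7.22.0-6 and later run without the permissions needed to [allow automatic resource adjustment]({{<relref "/operate/kubernetes/security/allow-resource-adjustment">}}).` The replaced wording made the posture explicit (all capabilities dropped, `allowPrivilegeEscalation: false`, and that keeping it is recommended); keep that point, because a reader of this section is deciding whether to retain the `redis-enterprise-scc-v2` SCC. The note added before `oc apply` ("Ensure your security context allows it") should say what to check: with automatic resource adjustment enabled the REC pods request `SYS_RESOURCE` and `allowPrivilegeEscalation: true`, so the REC service account must be bound to `redis-enterprise-scc-v2` as described in the SCC section above, otherwise admission rejects the pods. The second fd-limit note in this hunk links to `enable-privileged-mode` again and repeats the prerequisites note.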
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,10 @@ description: OpenShift provides the OperatorHub where you can install the Redis
linkTitle: OpenShift OperatorHub
weight: 70
---

You can deploy Redis Enterprise for Kubernetes from the Red Hat OpenShift CLI. You can also use a UI, [OperatorHub](https://docs.openshift.com/container-platform/4.11/operators/index.html) (Red Hat) to install operators and create custom resources.

{{<note>}}If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.{{</note>}}

To see which version of Redis Enterprise for Kubernetes supports your OpenShift version, see [Supported Kubernetes distributions]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}).

## Install the Redis Enterprise operator
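Review bot: the new note links to `/operate/kubernetes/security/enable-privileged-mode` while helm.md and quick-start.md in this PR link to `/operate/kubernetes/security/allow-resource-adjustment`, the page being added; point this one at the new page too so the link does not break when the old page goes away.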
Expand Down Expand Up @@ -45,19 +46,19 @@ To see which version of Redis Enterprise for Kubernetes supports your OpenShift

## Security context constraints

Upgrades to versions 7.22.0-6 and later run in **unprivileged mode** without any additional permissions or capabilities. If you don't specifally require additional capabilities, we recommend you maintain the default unprivileged mode, as its more secure. After upgrading, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account.

To enable privileged mode, see [Enable privileged mode > OpenShift upgrades]({{<relref "/operate/kubernetes/security/enable-privileged-mode#new-openshift-installations">}}).
Versions 7.22.0-6 and later run in without permissions to [allow automatic resource adjustment]({{<relref "content/operate/kubernetes/security/allow-resource-adjustment">}}). If you use the recommended default security constraints, remove the existing `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after upgrading.

## Create Redis Enterprise custom resources

The **Installed Operators**->**Operator details** page shows the provided APIs: **RedisEnterpriseCluster** and **RedisEnterpriseDatabase**. You can select **Create instance** to create custom resources using the OperatorHub interface.

Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view.

<note> The REC name cannot be changed after cluster creation.</note>
Use the YAML view to create a custom resource file or let OperatorHub generate the YAML file for you by specifying your configuration options in the form view.

{{<note>}} In versions 6.4.2-4 and 6.4.2-5, REC creation might fail when using the form view due to an error related to the cluster level LDAP. To avoid this, use the YAML view.
{{<note>}}
If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/enable-privileged-mode" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.
{{</note>}}

<note> The REC name cannot be changed after cluster creation.</note>

For more information on creating and maintaining Redis Enterprise custom resources, see [Redis Enterprise clusters (REC)]({{< relref "/operate/kubernetes/re-clusters/" >}}) and [Redis Enterprise databases (REDB)]({{< relref "/operate/kubernetes/re-databases/" >}}).
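Review bot: this hunk drops the caveat that REC creation from the form view can fail in versions 6.4.2-4 and 6.4.2-5 because of the cluster-level LDAP error; nothing in the PR explains the removal, so either confirm those versions are out of support or keep the note. The replacement sentence has the same "run in without permissions" wording and `content/`-prefixed relref as openshift-cli.md (see the comment there), and the fd-limit note again links to `enable-privileged-mode` rather than the new `allow-resource-adjustment` page. Minor: the REC-name note uses raw `<note>` tags while every other note on the page uses the `{{<note>}}` shortcode.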
14 changes: 12 additions & 2 deletions content/operate/kubernetes/deployment/quick-start.md
Expand Up @@ -9,7 +9,6 @@ description: How to install Redis Enterprise Software for Kubernetes.
linkTitle: Kubernetes
weight: 10
---

To deploy Redis Enterprise Software for Kubernetes and start your Redis Enterprise cluster (REC), you need to do the following:

- Create a new namespace in your Kubernetes cluster.
Expand All @@ -27,7 +26,10 @@ To deploy Redis Enterprise for Kubernetes, you'll need:
- minimum of three worker nodes
- Kubernetes client (kubectl)
- access to DockerHub, RedHat Container Catalog, or a private repository that can hold the required images.
NOTE: If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.

If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.

{{<note>}}If you are applying version 7.8.2-6 or above, check if the [OS](https://redis.io/docs/latest/operate/kubernetes/release-notes/7-8-2-releases/7-8-2-6-nov24/#breaking-changes) installed on the node is supported.{{</note>}}

### Create a new namespace

Expand Down Expand Up @@ -114,6 +116,10 @@ that contains cluster specifications.

The following example creates a minimal Redis Enterprise cluster. See the [RedisEnterpriseCluster API reference]({{<relref "/operate/kubernetes/reference/redis_enterprise_cluster_api">}}) for more information on the various options available.

{{<note>}}
If you suspect your file descriptor limits are below 100,000, you must either manually increase limits or [Allow automatic resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}). Most major cloud providers and standard container runtime configurations set default file descriptor limits well above the minimum required by Redis Enterprise. In these environments, you can safely run without enabling automatic resource adjustment.
{{</note>}}

1. Create a file that defines a Redis Enterprise cluster with three nodes.

{{<note>}}
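Review bot: this note is a verbatim copy of the paragraph added to the prerequisites list earlier in this file (hunk @@ -27,7 +26,10 @@); one occurrence is enough, and the prerequisites is the right place, since a reader who has to raise limits or set `allowAutoAdjustment` needs to know before writing the REC spec, not at the point of creating it. If it stays here, make it a one-line cross-reference rather than repeating the cloud-provider guidance.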
Expand Down Expand Up @@ -151,6 +157,10 @@ Each cluster must have at least 3 nodes. Single-node RECs are not supported.

See the [Redis Enterprise hardware requirements]({{< relref "/operate/rs/installing-upgrading/install/plan-deployment/hardware-requirements" >}}) for more information on sizing Redis Enterprise node resource requests.

{{<note>}}
If you enabled automatic resource adjustment in your configuration, this step will trigger the operator to apply elevated capabilities. Ensure your security context allows it.
{{</note>}}

1. Apply your custom resource file in the same namespace as `my-rec.yaml`.
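Review bot: "Ensure your security context allows it" is too vague to act on. On vanilla Kubernetes what must allow it is admission policy, not the pod's own securityContext: with `allowAutoAdjustment: true` the REC pods set `allowPrivilegeEscalation: true` and add `SYS_RESOURCE`, and under Pod Security Admission neither the `restricted` nor the `baseline` profile permits adding `SYS_RESOURCE` (baseline allows only a fixed list of capabilities that does not include it), so a namespace enforcing either profile rejects the pods. Say that the REC namespace must not enforce `restricted` or `baseline` (or that an equivalent policy-engine exception exists) and that, on a running cluster, changing the setting triggers a rolling update of the REC pods, as the new allow-resource-adjustment page states.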

```sh
128 changes: 128 additions & 0 deletions content/operate/kubernetes/security/allow-resource-adjustment.md
@@ -0,0 +1,128 @@
---
categories:
- docs
- operate
- kubernetes
description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits.
linkTitle: Auto resource adjustment
title: Allow automatic resource adjustment
weight: 98
---

Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.

## Default behavior

Automatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if REC spec has `allowAutoAdjustment` set to `false` or removed.

If automatic resource adjustment is disabled, the REC security context looks like this:

```yaml
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
```

## Enable automatic resource adjustment

To allow the Redis Enterprise container to adjust system resource limits automatically, set `allowAutoAdjustment` to `true`. This will grant the container elevated capabilities such as `SYS_RESOURCE`. Note that changing this value on a running cluster will trigger a rolling update.

```yaml
spec:
securityContext:
resourceLimits:
allowAutoAdjustment: true
```

Enabling automatic resource adjustment results in the following security context:

**Note:** Enabling `allowAutoAdjustment` grants the container the `SYS_RESOURCE` capability and permits privilege escalation.

```yaml
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- SYS_RESOURCE
drop:
- ALL
privileged: false
readOnlyRootFilesystem: false
```

## OpenShift upgrades

If you're upgrading OpenShift to 7.22.0-6, update your existing SCC (security context constraint).

If running with automatic resource adjustment disabled, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after you complete the upgrade.

```sh
oc delete scc/redis-enterprise-scc-v2
```

```sh
oc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z <service-account-name>
```

If running with automatic resource adjustment enabled, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`]({{< relref "/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator" >}})).

```sh
oc apply -f openshift/scc.yaml
```

```sh
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
system:serviceaccount:<my-project>:<rec-name>
```

## New OpenShift installations

New installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using a built-in `nonroot-v2` which is more secure and less permissive.

To enable automatic resource adjustment after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC.

1. Apply the `scc.yaml` file.

{{<warning>}}
Do not edit this file.
{{</warning>}}

```sh
oc apply -f openshift/scc.yaml
```

You should see the following output:

```sh
securitycontextconstraints.security.openshift.io "redis-enterprise-scc-v2" configured
```

1. Provide the operator permissions for the pods.

```sh
oc adm policy add-scc-to-user redis-enterprise-scc-v2 \
system:serviceaccount:<my-project>:<rec>
```

## SYS_RESOURCE

Some Redis Enterprise processes may require the `SYS_RESOURCE` capability to raise resource limits, such as the maximum number of open file descriptors.

Some Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and `SYS_RESOURCE` is not enabled, these processes may fail.

## Choose whether to enable automatic resource adjustment

Use the following guidance to decide whether to enable automatic resource adjustment:

- If you're running on a major cloud provider such as AWS, GKE, or AKS, automatic resource adjustment disabled is likely sufficient.
- If you're running on-prem or using Kubespray, verify your file descriptor limits. You can:
- Configure limits manually and use automatic resource adjustment disabled.
- Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation.

If you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and use automatic resource adjustment disabled.

Based on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. The only known exception is clusters created with [Kubespray](https://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled.
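Review bot: in the OpenShift upgrades section, "If you're upgrading OpenShift to 7.22.0-6" is wrong: 7.22.0-6 is the Redis Enterprise for Kubernetes operator version, not an OpenShift version; say "If you're upgrading the operator to 7.22.0-6 on OpenShift". In the same section, run `oc adm policy remove-scc-from-user ...` before `oc delete scc/redis-enterprise-scc-v2`, so no RoleBinding is left referring to a deleted SCC. Further points: "using a built-in `nonroot-v2`" is missing the word SCC; the `SYS_RESOURCE` section says the same thing in two consecutive paragraphs and can be one; the cloud-provider list mixes a provider (AWS) with services (GKE, AKS), presumably EKS is meant; the expected output `"redis-enterprise-scc-v2" configured` is what a re-apply prints, while a first apply on a new installation prints `created`; and the "requires privilege escalation" bullet should add, for non-OpenShift clusters, that Pod Security Admission must not enforce `restricted` or `baseline` in the REC namespace, since neither profile allows adding `SYS_RESOURCE`.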