Skip to content

7090 ocp ion to staging #7128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Dec 8, 2023
Merged

7090 ocp ion to staging #7128

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1815dd2
add OCP SCC info
dmuelle Dec 7, 2023
e76115c
edits per review
dmuelle Dec 7, 2023
44a9f6a
Update instanton.adoc
dmuelle Dec 7, 2023
baa71b5
edits per peer review
dmuelle Dec 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 31 additions & 1 deletion modules/ROOT/pages/instanton.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -318,7 +318,7 @@ Currently, Open Liberty InstantOn is tested and supported on the following publi

- link:https://aws.amazon.com/eks/[Amazon Elastic Kubernetes Service (EKS)]
- link:https://azure.microsoft.com/en-us/products/kubernetes-service[Azure Kubernetes Service (AKS)]
- link:https://www.redhat.com/en/technologies/cloud-computing/openshift[Red Hat OpenShift] (version 4.14 and later)
- link:https://www.redhat.com/en/technologies/cloud-computing/openshift[Red Hat OpenShift (version 4.14 and later)]

Other public cloud Kubernetes services might also work if they have the <<#required-to-restore,prerequisites>> to allow the InstantOn application process to restore.

Expand All @@ -338,6 +338,36 @@ When you deploy to Kubernetes, the container must be granted the `CHECKPOINT_RES
- ALL
----

==== Red Hat OpenShift security context constraints

To deploy applications to Red Hat OpenShift with InstantOn, you must specify a security context constraint (SCC) that, at a minimum, specifies a list of additional capabilities that are added to any pod. The following SSC yaml file example defines an SCC with the required capabilities by using the `defaultAddCapabilities` parameter:

[source,yaml]
----
defaultAddCapabilities:
- CHECKPOINT_RESTORE
- SETPCAP
----

The applications you deploy must be associated with an SCC that adds the required capabilities. For example, you might deploy an SCC called `liberty-instanton-scc` that adds the required capabilities. In the following example, the deployment yaml file specifies the `serviceAccountName` parameter to set the SCC name to `liberty-instanton-scc`:

[source,yaml]
----
serviceAccountName: liberty-instanton-scc
securityContext:
allowPrivilegeEscalation: true
privileged: false
runAsNonRoot: true
capabilities:
add:
- CHECKPOINT_RESTORE
- SETPCAP
drop:
- ALL
----

For more information, see the Red Hat documentation for link:https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html[Managing security context constraints].

[#supported-features]
== Open Liberty InstantOn supported features

Expand Down