User: Jose.druker@genesys.com/ArbitraryUIDs GCXI

From Genesys Documentation

Override Helm chart values

Before you begin, download the latest yaml files from the repository, or examine the attached files: Sample GCXI yaml files. Helm values are described in values.yaml; see the comments accompanying each Helm value.

You can override values in the Helm charts to configure Private Edition. For more information, see the "suite-level" documentation about how to override Helm chart values.

If you want to use arbitrary UIDs in your OpenShift deployment, you must override the securityContext settings in the values.yaml file, so that no user or group IDs are specified. For details, see Arbitrary UIDs in OpenShift, below.

Arbitrary UID

  • An arbitrary user ID (UID) and group ID are assigned to pods during deployment (file ownership is assigned as genesys:root (500:0)).
  • If your OpenShift deployment uses arbitrary UIDs, you must override the securityContext settings in the values.yaml file (see line 456) as follows:
    secrets:
      securityContext:
        control:
          fsGroup: null
          runAsUser: null
          runAsGroup: null
        worker:
          fsGroup: null
          runAsUser: null
          runAsGroup: null
    The default values (user ID = 500) are suitable for many other deployment scenarios:
    secrets:
      securityContext:
        control:
          fsGroup: null
          runAsUser: 500
          runAsGroup: 500
        worker:
          fsGroup: null
          runAsUser: 500
          runAsGroup: 500

Configure Kubernetes

...

Configure security

Pod Security Policy considerations

GCXI is based on a 3rd-party product (MicroStrategy), and as a result has some special considerations:

  • The main container is about 12 GB.
  • GCXI requires specific kernel IPC and memory-map settings at the node level (persisted in /etc/sysctl.conf and applied with sysctl -p):
    echo "kernel.sem = 250 1024000 250 4096" >> /etc/sysctl.conf
    echo "vm.max_map_count = 5242880" >> /etc/sysctl.conf
    sysctl -p
  • In most deployments, GCXI requires that hostIPC be set:
    hostIPC: true

Arbitrary UIDs in OpenShift

  • By default, file ownership is assigned as genesys:root (500:0).
  • Security context parameters in the Helm charts specify the users authorized to access the pods. If your OpenShift deployment uses arbitrary UIDs, you must override the securityContext settings in the values.yaml file (see line 456) as follows:
    secrets:
      securityContext:
        control:
          fsGroup: null
          runAsUser: null
          runAsGroup: null
        worker:
          fsGroup: null
          runAsUser: null
          runAsGroup: null
    The default values (user and group IDs = 500:500:500) are suitable for all other deployment scenarios. However, if you do not use arbitrary UIDs in your OpenShift deployment, you must associate the customized genesys-restricted Security Context Constraint (SCC) with the ServiceAccount used to deploy GCXI. For more information, see OpenShift security settings.
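The two override blocks above (the all-null form for arbitrary UIDs, and the 500:500 default) behave differently once OpenShift's stock restricted SCC admits the pod. The script below is an added example, not Genesys or Red Hat code: it holds the page's two securityContext overrides as Python dicts (so it runs without a YAML library), lists every field that still pins a UID or GID, and models the restricted SCC's MustRunAsRange rule, under which an unset runAsUser is filled in with the first UID of the namespace's openshift.io/sa.scc.uid-range annotation while a pinned UID outside that range causes the pod to be rejected. The namespace range value is constructed for the example; the genesys-restricted SCC the page refers to for the 500 default is not modelled.

```python
"""Check a GCXI securityContext override against OpenShift arbitrary-UID rules.

Added example (not Genesys or Red Hat code). Models the `secrets.securityContext`
override from the page and the restricted SCC's MustRunAsRange behaviour.
"""
from typing import Dict, List, Optional, Tuple

# Constructed namespace annotation (openshift.io/sa.scc.uid-range), "<start>/<size>".
SAMPLE_UID_RANGE = "1000650000/10000"

# The page's two overrides as dicts: arbitrary-UID form (all null) and the default.
ARBITRARY_UID_VALUES = {
    "secrets": {"securityContext": {
        "control": {"fsGroup": None, "runAsUser": None, "runAsGroup": None},
        "worker":  {"fsGroup": None, "runAsUser": None, "runAsGroup": None},
    }}
}
DEFAULT_VALUES = {
    "secrets": {"securityContext": {
        "control": {"fsGroup": None, "runAsUser": 500, "runAsGroup": 500},
        "worker":  {"fsGroup": None, "runAsUser": 500, "runAsGroup": 500},
    }}
}


def parse_uid_range(annotation: str) -> Tuple[int, int]:
    """Turn a 'start/size' annotation into an inclusive (low, high) UID pair."""
    start_s, size_s = annotation.split("/", 1)
    start, size = int(start_s), int(size_s)
    if size <= 0:
        raise ValueError("uid-range size must be positive")
    return start, start + size - 1


def resolve_run_as_user(requested: Optional[int], annotation: str) -> int:
    """Apply MustRunAsRange to one container's runAsUser.

    None (the `null` override) -> first UID of the namespace range.
    A pinned UID inside the range -> accepted unchanged.
    A pinned UID outside the range -> PermissionError, i.e. the pod is rejected.
    """
    low, high = parse_uid_range(annotation)
    if requested is None:
        return low
    if low <= requested <= high:
        return requested
    raise PermissionError(
        f"runAsUser {requested} is outside the namespace range {low}-{high}")


def find_pinned_ids(values: Dict) -> List[str]:
    """List every securityContext field that still pins a UID or GID.

    For an arbitrary-UID deployment this list must be empty; each entry is a
    value that still has to be overridden to null in values.yaml.
    """
    pinned = []
    contexts = values.get("secrets", {}).get("securityContext", {})
    for component, ctx in contexts.items():
        for field in ("fsGroup", "runAsUser", "runAsGroup"):
            if ctx.get(field) is not None:
                pinned.append(
                    f"secrets.securityContext.{component}.{field}={ctx[field]}")
    return pinned


def admission_outcome(values: Dict, annotation: str) -> Dict[str, str]:
    """Per component, report the UID the pod would run as or why it is rejected."""
    outcome = {}
    for component, ctx in values["secrets"]["securityContext"].items():
        try:
            uid = resolve_run_as_user(ctx.get("runAsUser"), annotation)
            outcome[component] = f"admitted, runs as UID {uid}"
        except PermissionError as err:
            outcome[component] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    for name, values in (("arbitrary-UID override", ARBITRARY_UID_VALUES),
                         ("default values", DEFAULT_VALUES)):
        print(f"== {name} ==")
        print("pinned IDs:", find_pinned_ids(values) or "none")
        for component, result in admission_outcome(values, SAMPLE_UID_RANGE).items():
            print(f"  {component}: {result}")
```

Run as-is, the all-null override is admitted for both the control and worker components with a UID taken from the namespace range, while the 500 default is rejected by the modelled restricted SCC, which is the situation the page resolves by binding the customized genesys-restricted SCC to the deployment's ServiceAccount.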