Pre-install checklist#
This checklist should be used to verify all requirements have been met prior to any installation.
For many of these items, we have provided some commands or command templates to run in order to verify the given prerequisite, along with a typical output to give you an idea of the kind of information you should be given. Please run each of these commands, modified as appropriate for your environment, and copy the outputs into a document for sending to the Anaconda implementation team so that they may verify that the requirements are ready.
Basic requirements#
An administration server has been provisioned with appropriate versions of kubectl, helm, and other tools needed to perform installation and administration tasks.
Command:
helm version
Typical output:
    version.BuildInfo{Version:"v3.7.1", GitCommit:"1d11fcb5d3f3bf00dbe6fe31b8412839a96b3dc4", GitTreeState:"clean", GoVersion:"go1.16.9"}
The API version of the Kubernetes cluster is between 1.15 and 1.24.
Command:
kubectl version
Typical output:
    Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.12", GitCommit:"e2a822d9f3c2fdb5c9bfbe64313cf9f657f0a725", GitTreeState:"clean", BuildDate:"2020-05-06T05:17:59Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.12", GitCommit:"e2a822d9f3c2fdb5c9bfbe64313cf9f657f0a725", GitTreeState:"clean", BuildDate:"2020-05-06T05:09:48Z", GoVersion:"go1.12.17", Compiler:"gc", Platform:"linux/amd64"}
All nodes on which Anaconda Enterprise will be installed have sufficient CPU and memory allocations.
Command:
kubectl get nodes -o=jsonpath="{range .items[*]}{.metadata.name}{'\t'}{.status.capacity.cpu}{'\t'}{.status.capacity.memory}{'\n'}{end}"
Typical output:
    10.234.2.18    16    65806876Ki
    10.234.2.19    16    65806876Ki
    10.234.2.20    16    65806876Ki
    10.234.2.21    16    65806876Ki
    10.234.2.6     16    65974812Ki
Access control and security#
The namespace into which Anaconda Enterprise will be installed has been created.
Command:
kubectl describe namespace <NAMESPACE>
Typical output:
    Name:         default
    Labels:       <none>
    Annotations:  <none>
    Status:       Active

    No resource quota.

    No resource limits.
The service account that will be used during the installation process, as well as by Anaconda Enterprise itself, has been created.
Command:
kubectl describe sa <SERVICEACCOUNT>
Typical output:
    Name:                anaconda-enterprise
    Namespace:           default
    Labels:              <none>
    Annotations:         <none>
    Image pull secrets:  <none>
    Mountable secrets:   anaconda-enterprise-token-cdmnf
    Tokens:              anaconda-enterprise-token-cdmnf
    Events:              <none>
(Openshift) The Security Context Constraint (SCC) associated with the service account contains all of the necessary permissions. Note that the example below uses the anyuid scc; however, the restricted scc can also be used, as long as the uid range is known.
Command:
oc describe scc <SCC_NAME>
Typical output:
    Name:      anyuid
    Priority:  10
    Access:
      Users:   <none>
      Groups:  system:cluster-admins
The ClusterRole resource associated with the service account has the necessary permissions to facilitate installation and operation.
Command:
kubectl describe clusterrole <CR_NAME>
Typical output:
    Name:         anaconda-enterprise
    Labels:       app.kubernetes.io/managed-by=Helm
                  skaffold.dev/run-id=8d38b94a-ab82-49d7-a6fd-0bc0fb549d1c
    Annotations:  meta.helm.sh/release-name: anaconda-enterprise
                  meta.helm.sh/release-namespace: default
    PolicyRule:
      Resources  Non-Resource URLs  Resource Names  Verbs
      ---------  -----------------  --------------  -----
      *.*        []                 []              [*]
                 [*]                []              [*]
Note
The above example is fully permissive. See this example for a more realistic choice.
The numeric UID to use to run Anaconda Enterprise containers has been identified. Furthermore, GID 0 is verified to be permitted by the security context. Please include the UID in your checklist results.
Any tolerations and/or node labels required to permit Anaconda Enterprise to run on its assigned nodes have been identified.
Command (tolerations only):
kubectl get nodes -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints[*].key}{"\n"}{end}'
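The ClusterRole item above notes that its sample role is fully permissive. The following is an added example, not part of the original checklist or of Anaconda's tooling, that audits the JSON form of a role (`kubectl get clusterrole <CR_NAME> -o json`) for wildcard and privilege-escalation grants before it is sent for review. The two sample roles are constructed, and the narrower one is hypothetical rather than the permission set the product requires.

```python
import json

# Verbs that let a subject raise its own privileges or act as another identity.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

def audit_clusterrole(role):
    """Return findings for rules broader than least privilege.

    `role` is the parsed output of `kubectl get clusterrole <CR_NAME> -o json`.
    """
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        groups = set(rule.get("apiGroups") or [])
        urls = set(rule.get("nonResourceURLs") or [])
        if "*" in verbs and "*" in resources and "*" in groups:
            findings.append(f"rule {i}: all verbs on all resources in all API groups")
        elif "*" in verbs and resources:
            findings.append(f"rule {i}: wildcard verbs on {sorted(resources)}")
        elif "*" in resources:
            findings.append(f"rule {i}: wildcard resources with verbs {sorted(verbs)}")
        if "*" in urls:
            findings.append(f"rule {i}: wildcard nonResourceURLs")
        risky = verbs & ESCALATION_VERBS
        if risky:
            findings.append(f"rule {i}: privilege-escalation verbs {sorted(risky)}")
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            findings.append(f"rule {i}: read access to secrets")
    return findings

# Constructed sample: JSON equivalent of the "*.*" / "[*]" rows in the describe output.
PERMISSIVE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "anaconda-enterprise"},
 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
           {"nonResourceURLs": ["*"], "verbs": ["*"]}]}
""")

# Constructed sample: a hypothetical narrower role, for contrast only.
SCOPED = {"kind": "ClusterRole", "metadata": {"name": "example-scoped"},
          "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                     "verbs": ["get", "list", "watch", "create", "delete"]}]}

if __name__ == "__main__":
    for role in (PERMISSIVE, SCOPED):
        print(role["metadata"]["name"], audit_clusterrole(role) or "no findings")
```
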
Storage#
A Persistent Volume Claim (PVC) has been created within the application namespace, referencing a statically provisioned Persistent Volume that meets the storage requirements for the anaconda-storage volume.
Command:
kubectl describe pvc anaconda-storage
Typical output:
    Name:          anaconda-storage
    Namespace:     default
    StorageClass:  anaconda-storage
    Status:        Bound
    Volume:        anaconda-storage
    Labels:        <none>
    Annotations:   pv.kubernetes.io/bind-completed: yes
                   pv.kubernetes.io/bound-by-controller: yes
    Finalizers:    [kubernetes.io/pvc-protection]
    Capacity:      500Gi
    Access Modes:  RWO
    VolumeMode:    Filesystem
    Mounted By:    anaconda-enterprise-ap-git-storage-6658575d6f-vxj4s
                   anaconda-enterprise-ap-object-storage-76bcfc4d44-ctlhp
                   anaconda-enterprise-postgres-c76869799-cbqzq
    Events:        <none>
A Persistent Volume Claim (PVC) has been created within the application namespace, referencing a statically provisioned Persistent Volume that meets the storage requirements for the anaconda-persistence volume.
Command:
kubectl describe pvc anaconda-persistence
Typical output:
    Name:            anaconda-persistence
    Labels:          <none>
    Annotations:     pv.kubernetes.io/bound-by-controller: yes
    Finalizers:      [kubernetes.io/pv-protection]
    StorageClass:
    Status:          Bound
    Claim:           default/anaconda-persistence
    Reclaim Policy:  Retain
    Access Modes:    RWX
    VolumeMode:      Filesystem
    Capacity:        500Gi
    Node Affinity:   <none>
    Message:
    Source:
        Type:      NFS (an NFS mount that lasts the lifetime of a pod)
        Server:    10.234.2.7
        Path:      /data/persistence
        ReadOnly:  false
    Events:          <none>
Cluster Sizing / Resources#
The cluster is sized appropriately (CPU / Memory) for user workload, including consideration for “burst” workloads (see Cluster considerations).
Resource Profiles have been determined, and created in the “values.yaml” file prior to install (see Resource Profile guide).
Networking#
The domain name for the Anaconda Enterprise application has been identified. In the next several bullets, we will use the sample domain anaconda.example.com as a stand-in for this choice. Please include this domain name in your checklist output.
If a customer-selected ingress controller is to be used, this controller has already been installed, and its master IP address and ingressClassName value have been identified. Please include both the IP address and ingress class name in your checklist output.
The DNS records for both anaconda.example.com and *.anaconda.example.com have been created, pointing to the IP address of the ingress controller.
Command:
ping test.anaconda.example.com
Typical output:
    PING test.anaconda.example.com (167.172.143.144): 56 data bytes
If the ingress controller is to be installed with Anaconda Enterprise, this may not be possible; in this case, it is sufficient to confirm that the networking team is prepared to instantiate these records immediately following installation.
A wildcard SSL secret for anaconda.example.com and *.anaconda.example.com has been created. The public and private keys for the main certificate, as well as the full public certificate chain, are accessible from the administration server. Please share the public certificate chain in your checklist output.
If the SSL secret was created using a private CA, the public root certificate has been obtained.
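The certificate requirement above names both anaconda.example.com and *.anaconda.example.com because a wildcard entry alone does not cover the bare domain. The following is an added example, not part of the original checklist, that parses the text printed by `openssl x509 -noout -ext subjectAltName -in <CERT_FILE>` and reports which required hostnames the certificate does not cover. Both sample outputs are constructed, and test.anaconda.example.com stands in for any application subdomain.

```python
import re

def san_dns_names(openssl_text):
    """Extract DNS entries from `openssl x509 -noout -ext subjectAltName` output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]

def san_matches(pattern, host):
    """Match one SAN entry against a hostname using left-most-label wildcards."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # "*" stands for exactly one label: it matches neither the bare domain
    # nor a name two levels down such as a.b.<domain>.
    head, _, tail = h.partition(".")
    return bool(head) and tail == p[2:]

def uncovered(required_hosts, sans):
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in sans)]

# Hostnames the checklist expects the certificate to serve.
REQUIRED = ["anaconda.example.com", "test.anaconda.example.com"]

# Constructed sample: certificate carrying both names, as the checklist asks.
GOOD_CERT = """X509v3 Subject Alternative Name:
    DNS:anaconda.example.com, DNS:*.anaconda.example.com
"""

# Constructed sample: certificate issued for the wildcard only.
WILDCARD_ONLY = """X509v3 Subject Alternative Name:
    DNS:*.anaconda.example.com
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CERT), ("wildcard-only", WILDCARD_ONLY)):
        missing = uncovered(REQUIRED, san_dns_names(text))
        print(label, "missing:", missing or "none")
```
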
Docker Images#
If a private Docker registry is to be used, the full set of Docker images has been transferred to this registry.
If a pull secret is required to access the Docker images—whether from the standard Anaconda Enterprise Docker channel or the private registry—the secret has been created in the application namespace.
Command:
kubectl get secret -n <NAMESPACE> <PULL_SECRET_NAME>