Prerequisites

The following prerequisites need to be met in order to deploy Language Weaver Edge on Kubernetes.

Considerations for RedHat OpenShift (ROSA)

Running Language Weaver Edge on RedHat OpenShift (ROSA) requires some security-related changes compared to a standard Kubernetes deployment hosted on any other cloud or on-premise platform, such as AKS, GKE or EKS.

Mandatory requirements

  1. The UID and GID of the mtedge user should be 1001000000 or higher.
  2. The mtedge user should not run as root, nor as a privileged user.
  3. Privilege escalation must be disabled.
  4. All capabilities of the pods must be disabled.

Example:

securityContext:
  default:
    pod:
      runAsNonRoot: true
      fsGroup: 990000000
      fsGroupChangePolicy: Always
    container:
      seccompProfile:
        type: RuntimeDefault
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      runAsNonRoot: true
      runAsUser: 990000000
      runAsGroup: 990000000
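The following is an added check (example code, not part of this documentation or of the Language Weaver Edge Helm charts) that validates the securityContext fragment from values.yaml against the mandatory requirements above. Instead of a fixed UID floor it reads the allowed ranges from the namespace's openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups annotations, which is what the restricted SCC validates runAsUser and fsGroup against; the annotation values and the values dict are constructed for the example.

```python
# Constructed input: this page's securityContext fragment as the dict Helm loads from values.yaml
VALUES = {
    "pod": {"runAsNonRoot": True, "fsGroup": 990000000, "fsGroupChangePolicy": "Always"},
    "container": {
        "seccompProfile": {"type": "RuntimeDefault"},
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "runAsNonRoot": True,
        "runAsUser": 990000000,
        "runAsGroup": 990000000,
    },
}

# Constructed namespace annotations in the "<start>/<size>" form OpenShift writes
# on a namespace; the restricted SCC validates runAsUser and fsGroup against them.
NS_ANNOTATIONS = {
    "openshift.io/sa.scc.uid-range": "990000000/10000",
    "openshift.io/sa.scc.supplemental-groups": "990000000/10000",
}


def parse_range(spec):
    """Turn '990000000/10000' into an inclusive (low, high) tuple."""
    start, size = (int(x) for x in spec.split("/"))
    return start, start + size - 1


def check_security_context(values, ns_annotations):
    """Return violations of the mandatory ROSA requirements; [] means compliant."""
    pod, ctr = values.get("pod", {}), values.get("container", {})
    problems = []
    if not (pod.get("runAsNonRoot") and ctr.get("runAsNonRoot")):
        problems.append("runAsNonRoot must be true on pod and container")
    if ctr.get("allowPrivilegeEscalation") is not False:
        problems.append("allowPrivilegeEscalation must be false")
    if "ALL" not in ctr.get("capabilities", {}).get("drop", []):
        problems.append("capabilities.drop must include ALL")
    if ctr.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        problems.append("seccompProfile.type must be RuntimeDefault")
    lo, hi = parse_range(ns_annotations["openshift.io/sa.scc.uid-range"])
    uid = ctr.get("runAsUser")
    if uid is None or not lo <= uid <= hi:
        problems.append(f"runAsUser {uid} outside namespace uid-range {lo}-{hi}")
    lo, hi = parse_range(ns_annotations["openshift.io/sa.scc.supplemental-groups"])
    fsg = pod.get("fsGroup")
    if fsg is None or not lo <= fsg <= hi:
        problems.append(f"fsGroup {fsg} outside namespace supplemental-groups {lo}-{hi}")
    return problems
```

Running the check against the values the charts will actually render (for example with a dict loaded from the output of helm template) catches a UID outside the namespace range before the SCC rejects the pod at admission time.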

Optional requirements

The following optional requirements can be adjusted based on customer preference.
  1. Namespace: The security context constraints (SCC) of the “default” namespace differ from those of any customer-created namespace in a ROSA Kubernetes cluster. The security context settings applied by the helm charts are written for the “restricted” SCC, not for the “privileged” SCC. It is highly recommended to deploy Language Weaver Edge in a newly created namespace rather than in the default namespace.

    Example:

    name=default
    pod-security.kubernetes.io/audit=privileged
    pod-security.kubernetes.io/enforce=privileged
    pod-security.kubernetes.io/warn=privileged
    pod-security.kubernetes.io/audit=restricted
    pod-security.kubernetes.io/audit-version=v1.24
    pod-security.kubernetes.io/warn=restricted
    pod-security.kubernetes.io/warn-version=v1.24
  2. UID & GID: The standard Language Weaver Edge image (8.6.4.3) has a UID & GID of 10001, whereas the ROSA version of the image (8.6.4.3-oshift) has a UID & GID of 990000000. The UID of the namespace where Language Weaver Edge will be deployed must be set accordingly.

    Example:

    kubectl edit ns mtedge
  3. Service account: The Language Weaver Edge deployment uses the default service account (“default”) unless configured otherwise. This works out of the box and has no implications for the Language Weaver Edge deployment. The latest helm chart (8.6.4-3) does, however, provide a way to specify a service account other than “default”, should it be required.

    Example:

    kubectl create serviceaccount mtedge-sa -n mtedge

    serviceAccounts:
      installer:
        name: mtedge-sa
      controller:
        name: mtedge-sa
      worker:
        name: mtedge-sa
  4. Persistent volumes: ROSA supports a variety of storage vendors beyond those available in standard cloud Kubernetes deployments, such as Azure Blob or Google Filestore. The latest helm charts (8.6.4-3) let you bring your own persistent volume (BYOP): customers can choose which block storage (RWO) is used as the controller persistent volume and which file storage (RWX) is used as the language pair storage. The persistent volume names do not need to match the defaults exactly.

    Example:

    storage:
      controller:
        size: 200Gi
        class: ebs-sc
        pvc: my-controller-pvc
      lp:
        size: 1200Gi
        class: efs-sc
        pvc: my-languagepair-pvc