Customer configs - Existing EKS Cluster

shrikant.pa · October 14, 2022, 3:45pm

We have a customer who wants to install app in their existing EKS cluster using airgap bundle.
After providing them the installation instruction they came back with below questions.

For security and compliance reasons we need to provide annotations, Pod SecurityContext, Container SecurityContext, k8s service annotations, Pod Label. How do we achive this for KotsAdmin and Application? Can we update the manifest files for KotsAdmin and Application before installation?

Can someone guide me on how to achieve this as part of installation?

jdewinne · October 14, 2022, 4:31pm

Hi @shrikant.pa ! Great question.
One option: kubectl kots install has a flag --strict-security-context that can be used. Our documentation details also other additional flags that can be used.

Other option: The customer can also generate the manifest using the kots admin-console generate-manifests command. That should give them 100% flexibility to change them to their own needs. Do know that if they change the manifests and it breaks kotsadm we might not be able to support.

shrikant.pa · October 14, 2022, 4:40pm

Thanks @jdewinne.

There are no flags for labels or other things. So I am assuming only option is generating the manifest.
I have also asked them to provide a spec of these customizations. I will post it here once available.

shrikant.pa · October 21, 2022, 6:03pm

This is the security SPEC customer wants to apply. How does --strict-security-context works in below context?

spec:
  serviceAccountName: <non-default-K8s-serviceaccount-name>
  securityContext:
    fsGroup: <min: 1000 max: 65535>
  containers:
  - name: <container-name>
    securityContext:
      privileged: false
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsGroup: <min: 1000 max: 65535>
      runAsNonRoot: true
      runAsUser: <min: 1000 max: 65535>
      capabilities:
        drop:
        - ALL

Chris_Sanders · October 21, 2022, 7:21pm

The command line flags allow you to tell KOTS to be a bit more restrictive with what it requires/expects. This include minimal-rbac which can help if the cluster scoped permissions aren’t desired.

However, those are the only options implemented today. The product manager of KOTS has confirmed they have seen requests for more direct customization including labels, annotations, etc. Until those are available modifying the manifests from generate-manifest as described above is the only way to do very specific customizations.

If you would like to talk to our product team to ensure they understand your use case for future feature additions please use https://vendor.replicated.com → support → Request a Feature and you formally request new features for your use case.

roderik · October 24, 2022, 6:33am

I have the same ticket open, tagged as sc::59455

Topic		Replies	Views
Read only root file system Troubleshooting kots	2	141	December 11, 2023
Existing Cluster Install: Using Custom RBAC roles Supporting your customers airgap , rbac , existing-cluster , openshift	1	443	December 23, 2022
Automated/Headless installations in existing cluster with CLI Supporting your customers kots , embedded-cluster , headless	7	397	July 25, 2022
New embedded cluster deployment	10	164	March 7, 2024
How do you get the cluster information to show in KOTS Admin? Supporting your customers	0	832	November 5, 2019

Customer configs - Existing EKS Cluster

Related topics