System requirements of an Edge site

EKS requirements

You can install the Edge software on managed Kubernetes clusters.

Important A managed Kubernetes cluster must be fully dedicated to a single Edge site installer, do not use the cluster for other purposes.

• AWS EKS 1.27 is supported for new and existing Edge sites.
  Note  

  • You must upgrade to the latest supported EKS version, EKS 1.27, by the 2024.02 release. If you are EKS 1.24 or lower, you must follow the instructions outlined in our How to upgrade Edge sites on EKS from EKS 1.24 and lower to EKS 1.27 on 2023.11 to ensure you can upgrade successfully.
• AWS EKS worker nodes use the EKS optimized Amazon Linux 2 AMI
• EKS cluster has IRSA enabled
• Set up security groups to ensure that worker nodes can communicate with each other on non-privileged ports.
  
  Example how the requirements can be met using Terraform

  module "eks" {
  	source            = "terraform-aws-modules/eks/aws"
  	version           = "17.24.0"
  	cluster_name      = "${var.vpc_name}-${var.cluster_name}-eks"
  	cluster_version   = "1.21"
  	vpc_id            = var.vpc_id
  	subnets           = data.aws_subnet_ids.public_subnet_ids.ids  # Subnets specified must be in at least two different AZs
  	worker_additional_security_group_ids = [aws_security_group.worker_sg.id]
  	enable_irsa       = true  # enable iam role for service account, for later use
  	worker_groups = [
  		{
  			name                = "${var.vpc_name}-${var.cluster_name}-eks-workers"
  			instance_type        = var.worker_type
  			asg_desired_capacity = var.instance_count_workers
  			key_name             = aws_key_pair.cluster-ssh-keypair.key_name
  			bootstrap_extra_args = "--container-runtime containerd"  # mandatory to run with containerd if on 1.21
  			subnets              = [subnet1]                             # restriction for now to use only 1 subnet due to EBS tied to AZ
  		},
  		]
  	map_accounts = [
  		data.aws_caller_identity.current.account_id
  		]
  
  	tags = {
  		Name            = "${var.vpc_name}-${var.cluster_name}-eks"
  		}
  }

Software requirements

• A Linux server with bash available. This is the server from which you install the Edge software on EKS.

  Tip This server will also contain the Edge tools.

• Plain cluster_admin kubectl access to the EKS cluster using its kubeconfig. With this kubeconfig, you must be able to use the kubectl command to communicate with the Kubernetes API server with full cluster access.
• Ensure your Kubectl client is compatible with the relevant EKS version.

Hardware requirements

You need an operational EKS cluster with at least 1 worker node. The cluster must meet the following requirements:

• The total cluster capacity has at least 16 core CPU and 64 GB memory, for example, 4 worker nodes each with 4 core CPU and 16 GB.
• Each worker node needs at least 100 GB free disk space to store Docker images.
• We recommend you have at least 2 worker nodes in the EKS cluster.

Network requirements

GKE requirements

You can install the Edge software on managed Kubernetes clusters.

Important A managed Kubernetes cluster must be fully dedicated to a single Edge site installer, do not use the cluster for other purposes.

• GKE 1.27 is supported for new Edge sites.
  Note Only new Edge sites can be installed on a GKE cluster. Existing Edge sites installed on EKS or k3s cannot be migrated to a GKE cluster.

Software requirements

• A Linux server with bash available. This is the server from which you install the Edge software on GKE.

  Tip This server will also contain the Edge tools.

• Plain cluster_admin kubectl access to the GKE cluster using its kubeconfig. With this kubeconfig, you must be able to use the kubectl command to communicate with the Kubernetes API server with full cluster access.
• Ensure your Kubectl client is compatible with the relevant GKE version.

Hardware requirements

You need an operational GKE cluster with at least 1 worker node. The cluster must meet the following requirements:

• The total cluster capacity has at least 16 core CPU and 64 GB memory, for example, 2 worker nodes each with 8 core CPU and 32 GB or 4 work nodes each with 4 core CPU and 16 GB.
• Each worker node needs at least 100 GB free disk space to store Docker images.
• We recommend you have at least 2 worker nodes in the GKE cluster.

Network requirements

AWS Fargate using EKS requirements

You can install the Edge software on managed Kubernetes clusters.

Important A managed Kubernetes cluster must be fully dedicated to a single Edge site installer, do not use the cluster for other purposes.

• AWS Fargate using EKS on Kubernetes 1.27 is supported for new Edge sites.
  Note Only new Edge sites can be installed on an AWS Fargate using EKS cluster. Existing Edge sites installed on EKS or k3s cannot be migrated to an AWS Fargate using EKS cluster.
• EKS cluster has IRSA enabled
• You must create an AWS Fargate profile for your cluster with the following namespace selectors:
  • kube-system
  • default
  • collibra-*
  • edge-kube-installer
• EKS cluster has CoreDNS enabled and running on a Fargate Node(s).

Software requirements

• A Linux server with bash available. This is the server from which you install the Edge software on AWS Fargate using EKS.

  Tip This server will also contain the Edge tools.

• Plain cluster_admin kubectl access to the cluster using its kubeconfig. With this kubeconfig, you must be able to use the kubectl command to communicate with the Kubernetes API server with full cluster access.
• Ensure your Kubectl client is compatible with the relevant EKS version.

Network requirements

OpenShift requirements

You can install the Edge software on managed Kubernetes clusters.

Important A managed Kubernetes cluster must be fully dedicated to a single Edge site installer, do not use the cluster for other purposes.

• OpenShift 4.14.7 is supported for new Edge sites.
  Note Only new Edge sites can be installed on a OpenShift cluster. Existing Edge sites installed on EKS or k3s cannot be migrated to an OpenShift cluster.

Software requirements

• A Linux server with bash available. This is the server from which you install the Edge software on OpenShift.

  Tip This server will also contain the Edge tools.

• Plain cluster_admin kubectl access to OpenShift using its kubeconfig. With this kubeconfig, you must be able to use the kubectl command to communicate with the Kubernetes API server with full cluster access.
• Ensure your Kubectl client is compatible with the relevant OpenShift version.
• Create Security Context Constraints (SCC) which provide Edge service accounts with the required permissions.
  How to create and install security constraints...

  Run the following commands from the cluster your Edge site will be installed on:

  1. Create the namespaces:

     kubectl create ns collibra-edge
     kubectl create ns collibra-fast
     kubectl create ns collibra-telemetry
     kubectl create ns edge-kube-installer

  2. Create the SCC file for non-privileged access, for example edge-scc-minimal.yaml:

     apiVersion: security.openshift.io/v1
     kind: SecurityContextConstraints
     metadata:
       annotations:
       name: edge-scc-minimal
     allowHostDirVolumePlugin: false
     allowHostIPC: false
     allowHostNetwork: false
     allowHostPID: false
     allowHostPorts: true
     allowPrivilegeEscalation: false
     allowPrivilegedContainer: false
     allowedCapabilities:
       - "*"
     allowedUnsafeSysctls: []
     defaultAddCapabilities: null
     fsGroup:
       type: RunAsAny
     groups:
       - system:cluster-admins
       - system:nodes
       - system:masters
     priority: null
     # switch for capabilities 
     readOnlyRootFilesystem: false
     requiredDropCapabilities: null
     runAsUser:
       type: RunAsAny
     seLinuxContext:
       type: RunAsAny
     seccompProfiles:
       - '*'
     supplementalGroups:
       type: RunAsAny
     users:
     volumes: 
       - '*'

  3. Create the SCC file for privileged access, for example edge-scc-privileged.yaml:

     apiVersion: security.openshift.io/v1
     kind: SecurityContextConstraints
     metadata:
       annotations:
       name: edge-scc-privileged
     allowHostDirVolumePlugin: true
     allowHostIPC: true
     allowHostNetwork: true
     allowHostPID: true
     allowHostPorts: true
     allowPrivilegeEscalation: true
     allowPrivilegedContainer: true
     allowedCapabilities:
       - '*'
     allowedUnsafeSysctls:
       - '*'
     defaultAddCapabilities: null
     fsGroup:
       type: RunAsAny
     groups:
       - system:cluster-admins
       - system:nodes
       - system:masters
     priority: null
     readOnlyRootFilesystem: false
     requiredDropCapabilities: null
     runAsUser:
       type: RunAsAny
     seLinuxContext:
       type: RunAsAny
     seccompProfiles:
       - '*'
     supplementalGroups:
       type: RunAsAny
     users:
     volumes:
       - '*'

  4. Create the security contexts:

     kubectl apply -f edge-scc-privileged.yaml
     kubectl apply -f edge-scc-minimal.yaml

  5. Create role binding SCC for non-privileged roles in the SCC non-privileged access file:

     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       name: edge-scc-minimal
     rules:
       - apiGroups:
       - security.openshift.io
     resourceNames:
       - edge-scc-minimal
     resources:
       - securitycontextconstraints
     verbs:
       - use
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: edge-scc-minimal
     subjects:
       kind: Group
       name: system:serviceaccounts
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: edge-scc-minimal
       apiGroup: rbac.authorization.k8s.io

  6. Apply role binding SCC for non-privileged namespaces:

     kubectl apply -f edge-scc-role-minimal.yaml -n collibra-edge
     kubectl apply -f edge-scc-role-minimal.yaml -n collibra-fast

  7. Create role binding SCC for privileged roles in the SCC privileged access file:

     apiVersion: rbac.authorization.k8s.io/v1
     kind: Role
     metadata:
       name: edge-scc-privileged
     rules:
       - apiGroups:
       - security.openshift.io
     resourceNames:
       - edge-scc-privileged
     resources:
       - securitycontextconstraints
     verbs:
       - use
     ---
     apiVersion: rbac.authorization.k8s.io/v1
     kind: RoleBinding
     metadata:
       name: edge-scc-privileged
     subjects:
       kind: Group
       name: system:serviceaccounts
       apiGroup: rbac.authorization.k8s.io
     roleRef:
       kind: Role
       name: edge-scc-privileged
       apiGroup: rbac.authorization.k8s.io

  8. Apply role binding SCC for privileged namespaces:

     kubectl apply -f edge-scc-role-privileged.yaml -n collibra-telemetry
     kubectl apply -f edge-scc-role-privileged.yaml -n edge-kube-installer

  Note Currently, Edge provides 2 SCC files associated with the Edge namespaces. These files are based on the permissions required by the service accounts in these namespaces.

  • A non-privileged SCC is associated with both collibra-fast and collibra-edge.
  • A privileged SCC is associated with the edge-kube-installer and collibra-telemetry namespaces.

Hardware requirements

You need an operational OpenShift cluster with at least 1 worker node. The cluster must meet the following requirements:

• The total cluster capacity has at least 16 core CPU and 64 GB memory, for example, 4 worker nodes each with 4 core CPU and 16 GB.
• Each worker node needs at least 100 GB free disk space to store Docker images.
• We recommend you have at least 2 worker nodes in the OpenShift cluster.

Network requirements

AKS requirements

You can install the Edge software on managed Kubernetes clusters.

Important A managed Kubernetes cluster must be fully dedicated to a single Edge site installer, do not use the cluster for other purposes.

• AKS 1.27 is supported for new Edge sites.
  Note Only new Edge sites can be installed on a AKS cluster. Existing Edge sites installed on EKS or k3s cannot be migrated to a AKS cluster.

Software requirements

• A Linux server with bash available. This is the server from which you install the Edge software on AKS.

  Tip This server will also contain the Edge tools.

• Plain cluster_admin kubectl access to the AKS cluster using its kubeconfig. With this kubeconfig, you must be able to use the kubectl command to communicate with the Kubernetes API server with full cluster access.
• Ensure your Kubectl client is compatible with the relevant AKS version.

Hardware requirements

You need an operational AKS cluster with at least 1 worker node. The cluster must meet the following requirements:

• The total cluster capacity has at least 16 core CPU and 64 GB memory, for example, 2 worker nodes each with 8 core CPU and 32 GB or 4 work nodes each with 4 core CPU and 16 GB.
• Each worker node needs at least 100 GB free disk space to store Docker images.
• We recommend you have at least 2 worker nodes in the AKS cluster.

Network requirements