Accessing on-campus resources from containers: Services hosted on-campus will need to allow access for Container Service applications. UMFW, any host-level firewalls, and any other IP ACLs should allow in the full subnets, as containerized workload IP addresses change regularly. AWS cluster (https://containers.aws.web.umich.edu): For requests originating from this cluster, on-campus services should allow in:
Container Service
Overview: Review OpenShift documentation on NetworkPolicy. Review Kubernetes documentation on NetworkPolicy. Network Access to OpenShift Services: OpenShift services act as virtual load balancers that route traffic to underlying pods.
Overview: Developers may wish to access (from outside the Container Service cluster) the fully-managed RDS shared databases that the MiDatabase team makes available to Container Service customers. DB instances can be accessed from:
Overview: Review OpenShift Auto-scaling documentation. Review OpenShift documentation on how Requests and Limits are used during auto-scaling. Auto-Scaling: Applications running within OpenShift can incre
Overview: Occasionally you may need to copy files to a directory within one of your pods. This may be required if you are seeding a persistent volume with data that is not part of the build process. Or, you may need to copy files from the pod to your local computer to assist with debugging. The process below details how to do this via the cp and rsync commands.
Overview: Review OpenShift documentation on publishing routes. Easy custom domains with cluster suffix: AWS cluster (https://containers.aws.web.umich.edu): Routes can be self-published with suffix apps.aws.web.umich.edu. No DNS changes required.
Overview: Review OpenShift documentation on viewing metrics. Review documentation on using the PromQL language. Viewing Metrics For A Project: The most robust way to view metrics is via the Developer perspective.
Options: There are several ways to use certificates to secure HTTPS traffic and get it to your application. Select the method that works best for you. Method / Advantages / Disadvantages: Default router with wildcard certificate
Overview: The Container Service retains logs for customer applications for 180 days. These logs can be viewed in the OpenShift UI using instructions provided below. Logs for current pods are also available via the OpenShift CLI using the instructions in the OpenShift documentation. Current Logs in the OpenShift UI: Logs for running pods are visible from within the OpenShift UI.
Overview: The Container Service uses Red Hat's OpenShift to host containerized applications. OpenShift is a multi-tenanted system, meaning that it is designed to be used by many users simultaneously. As such, certain permissions that are available when you run a containerized application locally are not available when running in OpenShift. One of those is the ability to run as the root user. Applications in OpenShift cannot run as the root user. Instead, applications run as an anonymous user.
