Determining the resource requirements for a Kubernetes cluster depends on a number of different factors, including what type of applications you are going to be running, the number of users that are active at once, and the workloads you will be managing within the cluster. Data Science & AI Workbench’s performance is tightly coupled with the health of your Kubernetes stack, so it is important to allocate enough resources to manage your users workloads.Anaconda’s hardware recommendations ensure a reliable and performant Kubernetes cluster. However, most requirements are likely to be superseded by the requirements imposed by your existing Kubernetes cluster, whether that is an on-premise cluster that is configured to support multiple tenants or a cloud offering.To install Workbench successfully, your systems must meet or exceed the requirements listed below. Anaconda has created a pre-installation checklist to help prepare you for installation. The checklist helps you verify that your cluster is ready to install Workbench, and that the necessary resources are reserved. Anaconda’s Implementation team will review the checklist with you prior to your installation.
Workbench is compatible with Kubernetes API versions 1.15-1.28. If your version of Kubernetes utilizes the API at these versions, you can install Workbench!Workbench has been successfully installed on the following Kubernetes variants:
Installation requires a machine with direct access to the target Kubernetes cluster and Docker registry. Anaconda refers to this machine as the Administration Server. Anaconda recommends that you identify a machine to be your Administration Server that will remain available for ongoing management of the application once installed. It is useful for this server to be able to mount the storage volumes as well.The following software must be installed on the Administration Server:
Helm version 3.2+
The Kubernetes CLI tool - kubectl
(OpenShift only) The OpenShift oc CLI tool
(Optional) The watch command line tool
(Optional) The jq command line tool
Administration server setup
You can obtain all of the tools you need for your Administration Server by installing the ae5-conda environment. This environment already contains helm, kubectl, oc, jq, and a number of other useful Workbench management utilities. To install the environment:
Minimally sized nodes should be reserved for test environments with low user counts and small workloads. Any development or production environment should meet or exceed the recommended requirements.Workbench utilizes node labels and taints and tolerations to ensure that workloads run on the appropriate nodes. Anaconda recommends identifying any necessary affinity (which nodes a workload runs on based on its applied labels) or toleration settings prior to installation.
Resource profiles available to platform users for their sessions and deployments are created by the cluster administrator. Each resource profile can be customized for the amount of CPU, memory, and (optionally) GPU resources available. Anaconda recommends determining what resource profiles you will require prior to installation. For more information, see Configuring workload resource profiles.
Workbench should be installed in a namespace that is not occupied by any other applications, including other instances of Workbench. Create a service account for the namespace with sufficient permissions to complete the helm installation and enable the dynamic resource provisioning Workbench performs during normal operation.Workbench requires more permissions than would normally be given to an application that only requires read-only access to the Kubernetes API. However, with the exception of the ingress controller, all necessary permission grants are limited to the application namespace. Please speak with the Anaconda Implementation team about any questions you may have regarding these permissions.
RBAC template
The following Role and RoleBinding pair can be used to grant sufficient permissions to the Service Account.
Recent versions of OpenShift no longer allow granting direct access to the anyuid Security Context Constraint (SCC), or any other default SCC. Instead, access grants are defined within the role.
If you want to use the Anaconda-supplied ingress, it is also necessary to grant a small number of additional, cluster-wide permissions. This is because the ingress controller expects to be able to monitor ingress-related resources across all namespaces.
Ingress controller permissions
The following is a minimal ClusterRole and ClusterRoleBinding pair that has grants the ingress controller sufficient permissions to run without warnings:
If you want to use the Kubernetes Dashboard and resource monitoring services included with Workbench, you must include additional permissions for each service.
You must establish permissions for both Prometheus and kube-state-metrics to utilize Worbench’s resource monitoring features.
Please review these RBAC configurations with your Kubernetes administrator. While it is possible to further reduce these scopes, doing so is likely to prevent normal operation of Workbench.
Preparing your Kubernetes cluster to install Workbench involves configuring your environment in a way that both supports the functionality of Workbench and adheres to security best practices.Workbench containers can be run using any fixed, non-zero UID, making the application compatible with an OpenShift Container Platform (OCP) restricted SCC, or an equivalent non-permissive Kubernetes security context. This reduces the risk to your systems if the container is compromised.However, in order to enable the Authenticated Network File System (NFS) capability, allowing user containers to access external, authenticated fileshares (storage servers), user pods must be permitted to run as root (UID 0).
This configuration runs containers in a privileged state to determine and assign the authenticated group memberships of the user running the container only. Once authentication is complete, the container drops down to a non-privileged state for all further execution.Please speak with your Anaconda Implementation team for more information, and to see if it is possible for your application to avoid this requirement.
A standard installation of Workbench requires two Persistent Volume Claims (PVCs) to be statically provisioned and bound prior to installation. Anaconda strongly recommends a premium performance tier for provisioning your PVCs if the option is available. Expand the following sections for more information about the necessary volumes:
anaconda-storage
This volume contains:
Anaconda’s internal Postgres control database
Anaconda’s internal Git storage mechanism
Anaconda’s internal conda package repository
If you are hosting conda packages outside of Workbench, the minimum size of your anaconda-storage volume must be at least 100GiB.However, if you intend to mirror conda packages into the Workbench repository, the anaconda-storage volume will need to be much larger to accommodate those packages. Anaconda recommends at least 500GiB of storage.
The anaconda-storage volume must support either the ReadWriteOnce or ReadWriteMany access mode.
The ReadWriteOnce configuration requires that the postgres, git-storage, and object-storage pods run on the same node.
anaconda-persistence
This volume hosts Anaconda’s managed persistence storage. It contains:
Custom sample projects
Custom conda environments
User code and data
The anaconda-persistence volume requires ReadWriteMany access.
The demands on the anaconda-persistence volume will continuously grow with usage. Anaconda recommends you provision at least 1TiB of storage to start.
It is possible to combine these into a single PersistentVolumeClaim to cover both needs, as long as that single volume simultaneously meets the performance needs demanded by both.The root directories of these storage volumes must be writable by Workbench containers. This can be accomplished by configuring the volumes to be group writable by a single numeric GroupID (GID). Anaconda strongly recommends that this GID be 0. This is the default GID assigned to Kubernetes containers. If this is not possible, supply the GID within the Persistent Volume specification as a pv.beta.kubernetes.io/gid annotation.
To ensure that the data on these volumes is not lost if Workbench is uninstalled, do not change the ReclaimPolicy from its default value of Retain.
Workbench is compatible with most ingress controllers that are commonly used with Kubernetes clusters. Because ingress controllers are a cluster-wide resource, Anaconda recommends that the controller be installed and configured prior to installing Workbench. For example, if your Kubernetes version falls within 1.19-1.26, any ingress controller with full support for the networking.k8s.io/v1 ingress API enables Workbench to build endpoints for user sessions and deployments.
If your cluster is fully dedicated to Workbench, you can configure the Helm chart to install a version of the NGINX Ingress controller, which is compatible with multiple variants of Kubernetes, including OpenShift. Anaconda’s only modification to the stock NGINX container enables it to run without root privileges.
Your cluster configuration and firewall settings must allow all TCP traffic between nodes, particularly HTTP, HTTPS, and the standard Postgres ports.
Healthy clusters can block inter-node communication, which disrupts the pods that Workbench requires to provision user workloads.
External traffic to Workbench will be funneled entirely through the ingress controller, through the standard HTTPS port 443.
A valid, fully qualified domain name (FQDN) reserved for Workbench.
A DNS record for the FQDN, as well as a wildcard DNS record for its subdomains.
Both records must point to the IP address allocated by the ingress controller. If you are using an existing ingress controller, you may be able to obtain this address prior to installation. Otherwise, you must populate the DNS records with the address after the initial installation is complete.
A valid wildcard SSL certificate covering the cluster FQDN and its subdomains. Installation requires both the public certificate and the private key.
If the certificate chain includes an intermediate certificate, the public certificate for the intermediate is required. The scope of the wildcard only requires *.anaconda.company.com to be covered, ensuring that all subdomains under this specific domain are included in the SSL certificate and DNS configuration.
The public root certificate, if the above certificates were created with a private Certificate Authority (CA).
Wildcard DNS records and SSL certificates are required for correct operation of Workbench. If you have any objections to this requirement, speak with your Anaconda Implementation team.
Anaconda strongly recommends that you copy the Workbench Docker images from our authenticated source repository on Docker Hub into your internal docker registry. This ensures their availability even if there is an interruption in connectivity to Docker Hub. This registry must be accessible from the Kubernetes cluster where Workbench is installed.
In an air-gapped setting, this is required.
Docker images from the aedev/ Docker Hub channel
Anaconda provides a more precise manifest, including version numbers and the credentials required to pull these images from our authenticated repository, prior to installation.
This release of Workbench supports up to Compute Unified Device Architecture (CUDA) 11.6 DataCenter drivers.Anaconda has directly tested the application with the following GPU cards:
Tesla V100 (recommended)
Tesla P100 (adequate)
Theoretically, Workbench will work with any GPU card compatible with the CUDA drivers, as long as they are properly installed. Other cards supported by CUDA 11.6:
K-Series: Tesla K80, Tesla K520, Tesla K40c, Tesla K40m, Tesla K40s, Tesla K40st, Tesla K40t, Tesla K20Xm, Tesla K20m, Tesla K20s, Tesla K20c, Tesla K10, Tesla K8
M-Class: M60, M40 24GB, M40, M6, M4
Support for GPUs in Kubernetes is still a work in progress, and each cloud vendor provides different recommendations. For more information about GPUs, see Understanding GPUs.
Helm is a tool used by Workbench to streamline the creation, packaging, configuration, and deployment of the application’s configurations. It combines all of the config map objects into a single reusable package called a Helm chart. This chart contains all the necessary resources to deploy the application within your cluster. These resources include .yaml configuration files, services, secrets, and config maps.
Helm values.byok.*.yaml templates
For customer-supplied Kubernetes environments, Workbench includes templated values.byok.*.yaml files that override the default values in the top-level Helm chart. These template files are heavily commented to guide you through configuring the parameters that most commonly require modifications.If Workbench is the only application present within your cluster, use the single-tenant configurations. If Workbench shares the cluster with other applications, use the multi-tenant configurations. Choose the template that applies to your setup and make additions and modifications to the file with your current cluster configurations at this time.
Single-tenant clusters use the values.byok.cluster.yaml override file template.
Report incorrect code
Copy
Ask AI
# This values.yaml template is intended to be customized# for each installation. Its values *augment and override*# the default values found in Anaconda-Enterprise/values.yaml.global: # global.hostname -- The fully qualified domain name (FQDN) of the cluster. # @section -- Global Common Parameters hostname: "anaconda.example.com" # global.version -- (string) The application version; defaults to `Chart.AppVersion`. # @section -- Global Common Parameters version: # Uncomment for OpenShift only # dnsServer: dns-default.openshift-dns.svc.cluster.local # The UID under which to run the containers (required) runAsUser: 1000 # Docker registry information image: # Repository for Workbench images. # Trailing slash required if not empty server: "aedev/" # A single pull secret name, or a list of names, as required pullSecrets: # Global Service Account Settings serviceAccount: # global.serviceAccount.name -- Service account name # @section -- Global RBAC Parameters name: "anaconda-enterprise"# If the DNS record for the hostname above resolves to an# address inaccessible from the cluster, supply a valid# IP address for the ingress or load balancer here.privateIP: ""# rbacserviceAccount: # serviceAccount.create -- Controls the creation of the service account # @section -- RBAC Parameters create: truerbac: # rbac.create -- Controls the creation and binding of rbac resources. This excludes ingress. # See `.Values.ingress.install` for additional details on managing rbac for that resource # type. # @section -- RBAC Parameters create: true# generateCerts -- Generate Self-Signed Certificates.# `load`: use the certificates in Anaconda-Enterprise/certs.# `skip`: do nothing; assume the secrets already exist.# Existing secrets are always preserved during upgrades.# @section -- TLS / SSL Secret ManagementgenerateCerts: "generate"# Keycloak LDAPS Settings# truststore: path to your truststore file containing custom CA cert# truststore_password: password of the truststore# truststore_seret: name of secret used for the truststore such as anaconda-enterprise-truststorekeycloak: # keycloak.truststore -- Java Truststore File # @section -- Keycloak Parameters truststore: "" # keycloak.truststore_password -- Java Truststore Password # @section -- Keycloak Parameters truststore_password: "" # keycloak.truststore_secret -- Java Truststore Secret # @section -- Keycloak Parameters truststore_secret: "" # keycloak.tempUsername -- # Important note: these have an effect only during # initial installation. If an administrative user # already exists, these values are ignored. # @section -- Keycloak Parameters tempUsername: "admin" # keycloak.tempPassword -- # Important note: these have an effect only during # initial installation. If an administrative user # already exists, these values are ignored. # @section -- Keycloak Parameters tempPassword: "admin"ingress: # ingress.className -- (string) If an existing ingress controller is being used, this # must match the ingress.className of that controller. # Cannot be empty if ingress.install is true. # @section -- Ingress Parameters className: # ingress.install -- Ingress Install Control. # `false`: an existing ingress controller will be used. # `true`: install an ingress controller in this namespace. # @section -- Ingress Parameters install: false # ingress.installClass -- IngressClass Install Control. # `false`: an existing IngressClass resource will be used. # `true`: create a new IngressClass in the global namespace. # Ignored if ingress.install is `false`. # @section -- Ingress Parameters installClass: false # ingress.labels -- `.metadata.labels` for the ingress. # If your ingress controller requires custom labels to be # added to ingress entries, list them here as a dictionary # of key/value pairs. # @section -- Ingress Parameters labels: {} # If your ingress requires custom annotations to be added # to ingress entries, they can be included here. These # will be added to any existing annotations in the chart. # For all ingress entries global: {} # For the master ingress only system: {} # For sessions and deployments only user: {}# To configure an external Git repository, uncomment this section and fill# in the relevant values. For more details, consult this page:# https://www.anaconda.com/docs/data-science/latest/admin/advanced/config-repo## git:# type: github-v3-api# name: Github.com Repo# url: https://api.github.com/# credential-url: https://api.github.com/anaconda-test-org# organization: anaconda-test-org# repository: {owner}-{id}# username: somegituser# auth-token: 98bcf2261707794b4a56f24e23fd6ed771d6c742# http-timeout: 60# disable-tls-verification: false# create-args: {}# As discussed in the documentation, you may use the same# persistent volume for both storage resources. If so, make# sure to use the same pvc: value in both locations.storage: create: false pvc: "anaconda-storage"persistence: pvc: "anaconda-storage"# TOLERATIONS / AFFINITY# Please work with the Anaconda team for assistance# to configure these settings if you need them.tolerations: # For all pods global: [] # For system pods, except the ingress system: [] # For the ingress daemonset alone ingress: [] # For user pods user: []affinity: # For all pods global: {} # For system pods, except the ingress system: {} # For the ingress daemonset alone ingress: {} # For user pods user: {}# By default, all ops services are enabled for single-tenant BYOK installations.# Consult the documentation for details on how to configure each service.opsDashboard: enabled: trueopsMetrics: enabled: trueopsGrafana: enabled: true# By default, installs use the full ae-editor image. Uncomment the following lines to use the lightweight editor: # image:# suffix: lite
Anaconda has created this pre-installation checklist to help you verify that you have properly prepared your environment prior to installation.Within this checklist, Anaconda provides some commands or command templates for you to run in order to verify a given requirement, along with a typical output from the command to give you an idea of the kind of information you should see. Run each of these commands, (modified as appropriate for your environment) and copy the outputs into a document. Send this document to your Anaconda implementation team so that they can verify your environment is ready before you begin the installation process.
BYOK8s pre-installation checklist
Verify that your administration server has been provisioned with appropriate versions of kubectl, helm, and other tools needed to perform installation and administration tasks by running the following command:
(Openshift Only) Verify the Security Context Constraint (SCC) associated with the service account contains all of the necessary permissions by running the following command:
This example uses the anyuid SCC; however, the restricted SCC can also be used, as long as the uid range is known.
Verify the ClusterRole resource associated with the service account has the necessary permissions to facilitate installation and operation by running the following command:
Report incorrect code
Copy
Ask AI
# Replace <SERVICE_ACCOUNT> with the name of the service account you've created for Workbenchkubectl describe clusterrole <SERVICE_ACCOUNT>-ingress
The above example is fully permissive. See the RBAC template for more realistic configurations.
A numeric UID that will be used to run Workbench containers is reserved.
Include the UID in your checklist results.
Verify that GID 0 is permitted by the security context.
Verify any tolerations and/or node labels required to permit Workbench to run on its assigned nodes have been identified by running the following command:
Report incorrect code
Copy
Ask AI
# This command returns information for tolerations onlykubectl get nodes -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.taints[*].key}{"\n"}{end}'``
Verify that a Persistent Volume Claim (PVC) has been created within the application namespace, referencing a statically provisioned Persistent Volume that meets the storage requirements for the anaconda-storage volume by running the following command:
Verify a PVC has been created within the application namespace, referencing a statically provisioned Persistent Volume that meets the storage requirements for the anaconda-persistence volume by running the following command:
Report incorrect code
Copy
Ask AI
kubectl describe pvc anaconda-persistence
Here is an example response from the command:
Report incorrect code
Copy
Ask AI
Name: anaconda-persistenceLabels: <none>Annotations: pv.kubernetes.io/bound-by-controller: yesFinalizers: [kubernetes.io/pv-protection]StorageClass:Status: BoundClaim: default/anaconda-persistenceReclaim Policy: RetainAccess Modes: RWXVolumeMode: FilesystemCapacity: 500GiNode Affinity: <none>Message:Source: Type: NFS (an NFS mount that lasts the lifetime of a pod) Server: 10.234.2.7 Path: /data/persistence ReadOnly: falseEvents: <none>
The cluster is sized appropriately (CPU / Memory) for user workload, including consideration for “burst” workloads. For more information, see Understanding Workbench system requirements.
Resource Profiles have been determined, and created in the values.yaml file.
A domain name for the Workbench application has been identified.
Please include this domain name in your checklist output.
If you are supplying your own ingress controller, verify it has already been installed, and its master IP address and ingressClassName value have been identified.
Please include both the IP address ingress class name in your checklist output.
Verify the DNS records for both anaconda.example.com and *.anaconda.example.com have been created and point to the IP address of the ingress controller by running the following command:
Report incorrect code
Copy
Ask AI
ping test.anaconda.example.com
Here is an example response from the command:
Report incorrect code
Copy
Ask AI
PING test.anaconda.example.com (167.172.143.144): 56 data bytes
If the ingress controller is to be installed with Workbench, this may not be possible. In such cases, it is sufficient to confirm that the networking team is prepared to establish these records immediately following installation.
A wildcard SSL secret for anaconda.example.com and *.anaconda.example.com has been created. The public and private keys for the main certificate, as well as the full public certificate chain, are accessible from the administration server.
Please share the public certificate chain in your checklist output.
If the SSL secret was created using a private CA, verify the public root certificate has been obtained.
If you are using a private Docker registry, verify the full set of Docker images have been transferred to this registry.
If a pull secret is required to access the Docker images (whether from the standard Workbench Docker channel or the private registry) verify the secret has been created in the application namespace by running the following command:
Report incorrect code
Copy
Ask AI
# Replace <NAMESPACE> with the namespace you've reserved for Workbench# Replace <PULL_SECRET_NAME> with the name for your pull secretkubectl get secret -n <NAMESPACE> <PULL_SECRET_NAME>
