Preparing a K3s environment for Workbench#

Determining the resource requirements for a Kubernetes cluster depends on a number of different factors, including what type of applications you will be running, the number of users that are active at once, and the workloads you will be managing within the cluster. Data Science & AI Workbench’s performance is tightly coupled with the health of your Kubernetes stack, so it is important to allocate enough resources to manage your users’ workloads. Generally speaking, your system should contain at least 1 CPU, 1GB of RAM, and 5GB of disk space for each project session or deployment.

Hardware requirements#

Anaconda’s hardware recommendations ensure a reliable and performant Kubernetes cluster.

The following are minimum specifications for the control plane and worker nodes, as well as the entire cluster.

Control plane node

Minimum

CPU

16 cores

RAM

64GB

Disk space in /opt/anaconda

500GB

Disk space in /var/lib/rancher

300GB

Disk space in /tmp or $TMPDIR

50GB

Note

  • Disk space reserved for /var/lib/rancher is utilized as additional space to accommodate upgrades. Anaconda recommends having this available during installation.

  • The /var/lib/rancher volume must be mounted on local storage. Core components of Kubernetes run from this directory, some of which are extremely intolerant of disk latency. Therefore, Network-Attached Storage (NAS) and Storage Area Network (SAN) solutions are not supported for this volume.

  • Anaconda recommends that you set up the /opt/anaconda and /var/lib/rancher partitions using Logical Volume Management (LVM) to provide the flexibility needed to accommodate future expansion.

  • Disk space reserved for /opt/anaconda is utilized for project and package storage (including mirrored packages).

Worker node

Minimum

CPU

16 cores

RAM

64GB

Disk space in /var/lib/rancher

300GB

Disk space in /tmp or $TMPDIR

50GB

Note

When installing Workbench on a system with multiple nodes, verify that the clock of each node is in sync with the others prior to installation. Anaconda recommends using the Network Time Protocol (NTP) to synchronize computer system clocks automatically over a network. For step-by-step instructions, see How to Synchronize Time with Chrony NTP in Linux.

Disk IOPS requirements#

Nodes require a minimum of 3000 concurrent Input/Output operations Per Second (IOPS).

Note

Solid state disks are strongly recommended for optimal performance.

Cloud performance requirements#

Requirements for running Workbench in the cloud relate to compute power and disk performance.

Minimum specifications:

  • CPU: 8 vCPU

  • Memory: 32GB RAM

Recommended specifications:

  • CPU: 16 vCPU

  • Memory: 64GB RAM

Operating system requirements#

Please see the official K3s documentation for information on supported operating systems.

Caution

  • You must remove Docker or Podman from the server, if present.

Security requirements#

  • If your Linux system utilizes an antivirus scanner, ensure that the scanner excludes the /var/lib/rancher volume from its security scans.

  • Installation requires that you have sudo access.

  • RHEL instances must disable nm-cloud-setup.

    Disabling nm-cloud-setup

    Disable nm-cloud-setup by running the following command:

    systemctl disable nm-cloud-setup.service nm-cloud-setup.timer

  • Nodes running CentOS or RHEL must ensure that Security Enhanced Linux (SELinux) is set to either disabled or permissive mode in the /etc/selinux/config file.

    Tip

    Check the status of SELinux by running the following command:

    getenforce
    Configuring SELinux

    1. Open the /etc/selinux/config file using your preferred file editor.

    2. Find the line that starts with SELINUX= and set it to either disabled or permissive.

    3. Save and close the file.

    4. Reboot your system for changes to take effect.

Network requirements#

Please see the official K3s documentation regarding network requirements.

Firewall Requirements#

It is recommended to remove OS-level firewalls altogether. If that is not possible, review the K3s requirements on how to configure the firewall for your OS.

Mirroring with a firewall

If you plan to use online package mirroring, allowlist the following domains in your network’s firewall settings:

  • repo.anaconda.com

  • anaconda.org

  • conda.anaconda.org

  • binstar-cio-packages-prod.s3.amazonaws.com

To use Workbench in conjunction with Anaconda Navigator in online mode, allowlist the following sites in your network’s firewall settings as well:

  • https://repo.anaconda.com — For use of older versions of Navigator and conda

  • https://conda.anaconda.org — For use of conda-forge and other channels on Anaconda.org

  • google-public-dns-a.google.com (8.8.8.8:53) — To check internet connectivity with Google Public DNS.

TLS/SSL certificate requirements#

Workbench uses certificates to provide transport layer security for the cluster. Self-signed certificates are generated during the initial installation. Once installation is complete, you can configure the platform to use your organizational TLS/SSL certificates.

You can purchase certificates commercially or generate them using your organization’s internal public key infrastructure (PKI) system. When using an internal PKI-signed setup, the CA certificate is inserted into the Kubernetes secret.

In either case, the configuration will include the following:

  • A certificate for the root certificate authority (CA)

  • An intermediate certificate chain

  • A server certificate

  • A certificate private key

For more information about TLS/SSL certificates, see Updating TLS/SSL certificates.

DNS requirements#

Workbench assigns unique URL addresses to deployments by combining a dynamically generated universally unique identifier (UUID) with your organization’s domain name, like this: https://uuid001.anaconda.yourdomain.com.

This requires the use of wildcard DNS entries that apply to a set of domain names such as *.anaconda.yourdomain.com.

For example, if you are using the domain name anaconda.yourdomain.com with a control plane node IP address of 12.34.56.78, the DNS entries would be as follows:

anaconda.yourdomain.com IN A 12.34.56.78
*.anaconda.yourdomain.com IN A 12.34.56.78

Note

The wildcard subdomain’s DNS entry points to the Workbench control plane node.

The control plane node’s hostname and the wildcard domains must be resolvable with DNS from the control plane node, worker nodes, and the end user’s machines. To ensure the control plane node can resolve its own hostname, distribute any /etc/hosts entries to the K3s environment.

Caution

If dnsmasq is installed on the control plane node or any worker nodes, you’ll need to remove it from all nodes prior to installing Workbench.

Verify dnsmasq is disabled by running the following command:

sudo systemctl status dnsmasq

If necessary, stop and disable dnsmasq by running the following commands:

sudo systemctl stop dnsmasq
sudo systemctl disable dnsmasq

Pre-installation checklist#

Anaconda has created this pre-installation checklist to help you verify that you have properly prepared your environment prior to installation.

K3s pre-installation checklist

All nodes in the cluster meet the minimum or recommended specifications for CPU, RAM, and disk space.

All nodes in the cluster meet the minimum IOPS required for reliable performance.

All cluster nodes are operating the same OS version, and the OS is supported.

NTP is being used to synchronize computer system clocks, and all nodes are in sync.

The user account performing the installation has sudo access on all nodes and is not a root user.

The system meets all K3s network requirements.

The firewall is either disabled or configured correctly.

If necessary, the domains required for online package mirroring have been allowlisted.

The final TLS/SSL certificates <k3s_tls_ssl_reqs> to be installed with Workbench have been obtained, including the private keys.

The Workbench A or CNAME domain record is fully operational and points to the IP address of the control plane node.

The wildcard DNS entry for Workbench is also fully operational and points to the IP address of the control plane node. More information about the wildcard DNS requirements can be found here.

The /etc/resolv.conf file on all the nodes does not include the rotate option.

Any existing installations of Docker (and dockerd), dnsmasq, and lxd have been removed from all nodes, as they will conflict with Workbench.

On this page