Overriding the active deadline for run-once pods

You can use the Run Once Duration Override Operator to specify a maximum time limit that run-once pods can be active for. By enabling the run-once duration override on a namespace, all future run-once pods created or updated in that namespace have their activeDeadlineSeconds field set to the value specified by the Run Once Duration Override Operator.

Important

The Run Once Duration Override Operator is not currently available for OpenShift Container Platform 4.19. The Operator is planned to be released in the near future.

Note

If both the run-once pod and the Run Once Duration Override Operator have their activeDeadlineSeconds value set, the lower of the two values is used.

Installing the Run Once Duration Override Operator

You can use the web console to install the Run Once Duration Override Operator.

Prerequisites

You have access to the cluster with cluster-admin privileges.
You have access to the OpenShift Container Platform web console.

Procedure

Log in to the OpenShift Container Platform web console.
Create the required namespace for the Run Once Duration Override Operator.
1. Navigate to Administration → Namespaces and click Create Namespace.
2. Enter openshift-run-once-duration-override-operator in the Name field and click Create.
Install the Run Once Duration Override Operator.
1. Navigate to Ecosystem → Software Catalog.
2. Enter Run Once Duration Override Operator into the filter box.
3. Select the Run Once Duration Override Operator and click Install.
4. On the Install Operator page:
  1. The Update channel is set to stable, which installs the latest stable release of the Run Once Duration Override Operator.
  2. Select A specific namespace on the cluster.
  3. Choose openshift-run-once-duration-override-operator from the dropdown menu under Installed namespace.
  4. Select an Update approval strategy.
    
    The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
    
    The Manual strategy requires a user with appropriate credentials to approve the Operator update.
  5. Click Install.
Create a RunOnceDurationOverride instance.
1. From the Ecosystem → Installed Operators page, click Run Once Duration Override Operator.
2. Select the Run Once Duration Override tab and click Create RunOnceDurationOverride.
3. Edit the settings as necessary.
  
  Under the runOnceDurationOverride section, you can update the spec.activeDeadlineSeconds value, if required. The predefined value is 3600 seconds, or 1 hour.
4. Click Create.

Verification

Log in to the OpenShift CLI.

Verify all pods are created and running properly.

$ oc get pods -n openshift-run-once-duration-override-operator

Example output

NAME                                                   READY   STATUS    RESTARTS   AGE
run-once-duration-override-operator-7b88c676f6-lcxgc   1/1     Running   0          7m46s
runoncedurationoverride-62blp                          1/1     Running   0          41s
runoncedurationoverride-h8h8b                          1/1     Running   0          41s
runoncedurationoverride-tdsqk                          1/1     Running   0          41s

Enabling the run-once duration override on a namespace

To apply the run-once duration override from the Run Once Duration Override Operator to run-once pods, you must enable it on each applicable namespace.

Prerequisites

The Run Once Duration Override Operator is installed.

Procedure

Log in to the OpenShift CLI.
Add the label to enable the run-once duration override to your namespace:
```
$ oc label namespace <namespace> \ 
    runoncedurationoverrides.admission.runoncedurationoverride.openshift.io/enabled=true
```
1. Specify the namespace to enable the run-once duration override on.

After you enable the run-once duration override on this namespace, future run-once pods that are created in this namespace will have their activeDeadlineSeconds field set to the override value from the Run Once Duration Override Operator. Existing pods in this namespace will also have their activeDeadlineSeconds value set when they are updated next.

Verification

Create a test run-once pod in the namespace that you enabled the run-once duration override on:

apiVersion: v1
kind: Pod
metadata:
  name: example
  namespace: <namespace>                 
spec:
  restartPolicy: Never                   
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: busybox
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: [ALL]
      image: busybox:1.25
      command:
        - /bin/sh
        - -ec
        - |
          while sleep 5; do date; done

Replace <namespace> with the name of your namespace.
The restartPolicy must be Never or OnFailure to be a run-once pod.

Verify that the pod has its activeDeadlineSeconds field set:

$ oc get pods -n <namespace> -o yaml | grep activeDeadlineSeconds

Example output

    activeDeadlineSeconds: 3600

Updating the run-once active deadline override value

You can customize the override value that the Run Once Duration Override Operator applies to run-once pods. The predefined value is 3600 seconds, or 1 hour.

Prerequisites

You have access to the cluster with cluster-admin privileges.
You have installed the Run Once Duration Override Operator.

Procedure

Log in to the OpenShift CLI.

Edit the RunOnceDurationOverride resource:

$ oc edit runoncedurationoverride cluster

Update the activeDeadlineSeconds field:

apiVersion: operator.openshift.io/v1
kind: RunOnceDurationOverride
metadata:
# ...
spec:
  runOnceDurationOverride:
    spec:
      activeDeadlineSeconds: 1800 
# ...

Set the activeDeadlineSeconds field to the desired value, in seconds.

Save the file to apply the changes.

Any future run-once pods created in namespaces where the run-once duration override is enabled will have their activeDeadlineSeconds field set to this new value. Existing run-once pods in these namespaces will receive this new value when they are updated.