Skip to content

Integrating Posit Workbench with Kubernetes#

Overview#

These steps describe how to integrate Posit Workbench, formerly RStudio Workbench, with Launcher and Kubernetes.

Info

Launcher is a new feature of RStudio Server Pro 1.21 that is only available under named user licensing. RStudio Server Pro 1.2 without Launcher is available under existing server-based licensing. For questions about using Launcher with Workbench, please contact sales@rstudio.com.

Prerequisites#

This integration is intended to be performed on top of a base installation of Workbench.

Pre-Flight Configuration Checks#

Verifying active Kubernetes worker nodes

  • On a machine with kubectl configured, ensure that you have one or more worker nodes that are ready to accept pods as part of the Kubernetes cluster by running the following command:

    Terminal
    $ kubectl get nodes
    NAME STATUS ROLES AGE VERSION
    ip-172-31-12-54.ec2.internal Ready <none> 90d v1.11.5
    ip-172-31-15-141.ec2.internal Ready <none> 90d v1.11.5
    ip-172-31-18-59.ec2.internal Ready <none> 90d v1.11.5
    ip-172-31-20-112.ec2.internal Ready <none> 90d v1.11.5
    

Verifying functionality with a test deployment

  • On a machine with kubectl configured, ensure that you are able to deploy a sample application to your Kubernetes cluster by running the following command:

    Terminal
    $ kubectl create deployment hello-node --image=gcr.io/google-samples/node-hello:1.0
    
  • Confirm that the pod is running by using the following command:

    Terminal
    $ kubectl get pods
    NAME READY STATUS RESTARTS AGE
    hello-node-6d6cd9679f-mllr7 1/1 Running 0 1m
    
  • Now, you can clean up the test deployment by running the following command:

    Terminal
    $ kubectl delete deployment hello-node
    deployment.extensions "hello-node" deleted
    

Step 1. Configure Workbench with Launcher#

  • Add the following lines to the Workbench configuration file:

    File: /etc/rstudio/rserver.conf
    # Launcher Config
    launcher-address=127.0.0.1
    launcher-port=5559
    launcher-sessions-enabled=1
    launcher-default-cluster=Kubernetes
    launcher-sessions-callback-address=http://<SERVER-ADDRESS>:8787
    launcher-sessions-container-run-as-root=0
    launcher-sessions-create-container-user=1
    
  • It is recommended that you do the following:

    • In the launcher-sessions-callback-address setting, you should replace <SERVER-ADDRESS> with the DNS name or IP address of Workbench.
    • You should also change the protocol and port if you are using HTTPS or a different port.

    Note

    The <SERVER-ADDRESS> needs to be reachable from the containers in Kubernetes to the instance of Workbench.

Step 2. Configure Launcher settings and plugins#

  • Add the following lines to the Launcher configuration file:

    File: /etc/rstudio/launcher.conf
    [server]
    address=127.0.0.1
    port=5559
    server-user=rstudio-server
    admin-group=rstudio-server
    authorization-enabled=1
    thread-pool-size=4
    enable-debug-logging=1
    
    [cluster]
    name=Kubernetes
    type=Kubernetes
    

Step 3. Configure profile for Launcher Kubernetes plugin#

  • Add the following lines to the Launcher profiles configuration file:

    File: /etc/rstudio/launcher.kubernetes.profiles.conf
    [*]
    default-cpus=1
    default-mem-mb=512
    max-cpus=2
    max-mem-mb=1024
    container-images=rstudio/r-session-complete:centos7-2023.03.1-446.pro1
    default-container-image=rstudio/r-session-complete:centos7-2023.03.1-446.pro1
    allow-unknown-images=0
    

For more information on using Docker images with Launcher, refer to the Support article on Using Docker images with Workbench, Launcher, and Kubernetes.

Step 4. Provision and configure NFS server#

Shared home directory storage via NFS is required for configurations of Workbench and Launcher. Workbench stores project data for each user in their respective home directory.

  • Perform the following steps in your environment:

    • Provision an NFS server that exports the /home directory. We recommend configuring an NFS server on a machine that runs separately from Workbench and Launcher.
    • On the machine with Workbench and Launcher, mount the NFS share at /home.

    Note

    Similar to any NFS configuration, all machines (e.g., the machine with the NFS server and the machine with Workbench and Launcher) should have the same users with matching user IDs and group IDs to avoid permission or ownership issues across NFS client machines.

Step 5. Configure NFS mounts for Launcher#

  • Add the following lines to the Launcher mounts configuration file, which is the NFS server and mount path that will be used by the containers to mount the home directory for each user:

    File: /etc/rstudio/launcher-mounts
    # Required home directory mount for RSW, Launcher, and Kubernetes
    Host: <NFS-IP-ADDRESS>
    Path: /home/{USER}
    MountPath: /home/{USER}
    ReadOnly: false
    Cluster: Kubernetes
    
  • Replace <NFS-IP-ADDRESS> with the IP address of your NFS server.

  • The Path and MountPath contain the special variable {USER} to indicate that the user’s name will be substituted when the container starts, so there is no need to change that variable in this configuration file.
  • The Path is the source directory of the mount, i.e., the home directory path within NFS server. Please replace it with the correct path if it is something different than /home/.
  • The MountPath is the path within the container that the home directory will be mounted to. It must match how the home directory is mounted on the RSW server. Please replace it with the correct path if it is something different than /home/.

Note

Shared home directory storage via NFS is required for configurations of Workbench and Launcher. Therefore, the configuration section shown above is required in the /etc/rstudio/launcher-mounts configuration file for Workbench and Launcher to function with Kubernetes.

Additional NFS mounts can be added to this same configuration file to make other read-only or read-write file storage mounts available within remote session containers.

Step 6. Create Kubernetes resources for Launcher sessions and Workbench jobs#

  • Run the following commands in a terminal to create the rstudio namespace and required service account, cluster role, and role bindings:

    Terminal
    $ kubectl create namespace rstudio
    
    $ kubectl create serviceaccount job-launcher --namespace rstudio
    
    $ kubectl create rolebinding job-launcher-admin \
        --clusterrole=cluster-admin \
        --group=system:serviceaccounts:rstudio \
        --namespace=rstudio
    
    $ kubectl create clusterrole job-launcher-clusters \
        --verb=get,watch,list \
        --resource=nodes
    
    $ kubectl create clusterrolebinding job-launcher-list-clusters \
        --clusterrole=job-launcher-clusters \
        --group=system:serviceaccounts:rstudio
    
  • As of Kubernetes 1.24, tokens are no longer automatically generated for service accounts. When using Kubernetes 1.24+, run the following command to manually create a token:

    Terminal
    $ kubectl apply -f - <<EOF
      apiVersion: v1
      kind: Secret
      type: kubernetes.io/service-account-token
      metadata:
        name: job-launcher-token
        namespace: rstudio
        annotations:
          kubernetes.io/service-account.name: job-launcher
      EOF
    
    Be sure that the account name specified in the line kubernetes.io/service-account.name: job-launcher exactly matches the service account name. Kubernetes uses this annotation to perform a match from the service account to this token secret.

    It is expected that service accounts will no longer list secrets by default, either. Even once this token secret is created, the service account will still show 0 secrets available (assuming it has just been created and not previously modified):

    Terminal
    $ kubectl get serviceaccounts
    
    NAME           SECRETS   AGE
    default        0         1d
    job-launcher   0         1d
    

    (Alternative) Using a custom role instead of the cluster-admin role

    The default steps above use the cluster-admin role on the Kubernetes cluster. If you are unable to use the cluster-admin role, then you can use a custom role that has full access to the rstudio namespace.

    In this case, you can run the following commands in a terminal to create the rstudio namespace and required service account, custom cluster role, and role bindings:

    Terminal
    $ kubectl create namespace rstudio
    
    $ kubectl create serviceaccount job-launcher --namespace rstudio
    
    # Create a role with full access to the rstudio namespace
    $ kubectl create role rstudio-full-access \
        --verb='*' \
        --resource='*.*' \
        --namespace=rstudio
    
    # Bind the new role to the service account
    $ kubectl create rolebinding job-launcher-admin \
        --role=rstudio-full-access \
        --group=system:serviceaccounts:rstudio \
        --namespace=rstudio
    
    $ kubectl create clusterrole job-launcher-clusters \
        --verb=get,watch,list \
        --resource=nodes
    
    $ kubectl create clusterrolebinding job-launcher-list-clusters \
        --clusterrole=job-launcher-clusters \
        --group=system:serviceaccounts:rstudio
    
    (Optional) Perform these steps if your Kubernetes cluster doesn't have impersonation enabled

    With the default configuration of most Kubernetes distributions, the above steps should be sufficient enough to allow Launcher session containers to run as the end user who created the session. If your Kubernetes cluster does not have impersonation enabled, then you can use a custom cluster role and role binding that allow for impersonation.

    After you run the above steps, run the following additional commands in a terminal to create cluster role and role binding resources that allow for impersonation:

    Terminal
    $ kubectl create clusterrole job-launcher-api \
        --verb=impersonate \
        --resource=users,groups,serviceaccounts
    
    $ kubectl create rolebinding job-launcher-impersonation \
        --clusterrole=job-launcher-api \
        --group=system:serviceaccounts:rstudio \
        --namespace=rstudio
    

Refer to the Launcher section of the Workbench Administration Guide for more information about how Launcher creates the session user within the container.

Refer to the user impersonation section of the Kubernetes documentation for more information about authentication and impersonation in Kubernetes.

Step 7. Configure Launcher with Kubernetes#

  • Obtain the Kubernetes token for the service account in the rstudio namespace by running the following command in your terminal:

    Terminal
    $ kubectl get secret $(kubectl get serviceaccount job-launcher --namespace=rstudio -o jsonpath='{.secrets[0].name}') --namespace=rstudio -o jsonpath='{.data.token}' | base64 -d && echo
    

    In Kubernetes 1.24+ you must use the secret that you previously created in step 6:

    Terminal
    $ kubectl get secret job-launcher-token --namespace=rstudio -o jsonpath='{.data.token}' | base64 -d && echo
    

  • Add the following lines to the Launcher Kubernetes configuration file, (where <KUBERNETES-API-ENDPOINT> is the URL for the Kubernetes API, <KUBERNETES-CLUSTER-TOKEN> is the Kubernetes service account token from the above kubectl get secret terminal command, and <BASE-64-ENCODED-CA-CERTIFICATE> is the Base64 encoded CA certificate for the Kubernetes API):

    File: /etc/rstudio/launcher.kubernetes.conf
    api-url=<KUBERNETES-API-ENDPOINT>
    auth-token=<KUBERNETES-CLUSTER-TOKEN>
    certificate-authority=<BASE-64-ENCODED-CA-CERTIFICATE>
    

    Note

    You can typically locate these values from your Kubernetes cluster console or dashboard.

Step 8. Restart Workbench and Launcher Services#

  • Run the following to restart services:

    Terminal
    $ sudo rstudio-server restart
    $ sudo rstudio-launcher restart
    

Step 9. Test Workbench with Launcher and Kubernetes#

  • Run the following command to test the installation and configuration of Workbench with Launcher and Kubernetes:

    Terminal
    $ sudo rstudio-server stop
    $ sudo rstudio-server verify-installation --verify-user=<USER>
    $ sudo rstudio-server start
    

Note

Replace <USER> with a valid username of a user that is setup to run Workbench in your installation. You only need to run this test once for one valid user to verify that Workbench and Launcher can successfully communicate with Kubernetes and start sessions/Workbench jobs.

For more information on using the Launcher verification tool, refer to the Troubleshooting section in the Workbench Administration Guide .

Additional information#

Use Custom Docker Images#

You can extend or build your own custom Docker images to use with Workbench and Kubernetes with different versions of R, R packages, or system packages.

For more information on using custom Docker images, refer to the support article on Using Docker images with Workbench, Launcher, and Kubernetes.

Perform Additional Configuration#

For more information on configuring Workbench and Launcher, including configuring additional shared file storage mounts, environment variables, and ports, refer to the following reference documentation:

Troubleshooting Workbench and Kubernetes#

Refer to the documentation page on Troubleshooting Launcher and Kubernetes in Workbench for additional information on troubleshooting Workbench with Launcher and Kubernetes.


  1. We will continue to use the RStudio Server Pro name for references to versions prior to 1.4.