Containerize step groups
By default, the tasks performed by Harness CD steps are run on the Harness Delegate host system, for example, the Kubernetes cluster where a Kubernetes delegate is running.
To provide greater control over the resources used for CD steps, Harness also lets you use your own Kubernetes cluster as the runtime infrastructure for CD steps.
You can use a CD step group that points to your cluster as the runtime infrastructure. Next, in the step group, you can add the steps supported by containerized step groups.
In this architecture, no tooling is installed on delegates. Delegates simply act as orchestrators. Any tooling is installed and removed on demand in the ephemeral step containers.
When you use deployment types that support containerized step groups (for example, AWS SAM), containerized steps are automatically generated when you add the execution strategy for the stage.
When you manually add a step group, you can enable containerized step groups by selecting the Enable container based execution option.
This option is disabled for deployment types that do not support containerized step groups.
Important notes
- CD containerized step groups are supported in Deploy and Custom stages.
- Not all steps are supported in containerized step groups. You can see which steps are supported when you try to add steps in the containerized step group.
- You can use the same cluster to run the Harness Delegate and the containerized step group(s), but it is not required.
- Permissions configuration are inherited by a step within a step group. This logic has been updated over the course of Harness NextGen's lifespan. This has caused breaking changes for some users. To learn more about it, go to Step Group Inheritance Logic.
Add a containerized step group
Typically, Harness adds the step group and steps needed for a deployment automatically when you select the stage execution strategy in the Execution section.
Whether the containerized step group is added automatically or manually, you must configure it.
Here are the steps for adding a containerized step group manually:
- In your Deploy (CD) stage, in Execution, select Add Step, and then select Add Step Group.
- To configure a step group as containerized, enable the Enable container based execution setting.
- Configure the following settings.
Kubernetes Cluster
Select or add a Harness Kubernetes Cluster connector to connect to the cluster where the containers will run.
Namespace
Enter an existing namespace in the cluster.
Shared Paths
This setting is the same as Kubernetes mountPath
. The name
for the volumeMounts
is added internally.
Enter shared directories or specific paths within the filesystem to have them shared between containers running within the same pod.
Volumes
This setting is the same as Kubernetes volumes
. Harness supports Host Path (hostPath
), Empty Directory (emptyDir
), and Persistent Volume Claim (persistentVolumeClaim
).
Service Account Name
Specify a Kubernetes service account for step containers to use when communicating with the Kubernetes API server. Leave blank to use the namespace's default service account.
Automount Service Account Token
An application running inside a pod can access the Kubernetes API using automatically mounted service account credentials. See Accessing the Cluster to learn more.
To use a different service account, enter its name here.
Labels
Enter any labels to apply to the pods.
Annotations
Enter any annotations to apply to the pods.
Privileged
The standard privileged
property for Kubernetes securityContext
.
When this setting is enabled, it grants the container elevated privileges within the underlying host environment. This means that the container has access to all Linux kernel capabilities and devices, similar to running processes outside the container. It effectively removes the isolation provided by the container runtime and can potentially pose security risks if not used carefully.
Allow Privilege Escalation
The standard allowPrivilegeEscalation
property for Kubernetes securityContext
.
When this setting in enabled, it allows the container to gain additional privileges beyond those initially granted during container startup.
Add Capabilities
The standard add
setting for the capabilities
property in the Kubernetes securityContext
.
Simply add the name of the capability, like NET_ADMIN
.
Drop Capabilities
The standard drop
setting for the capabilities
property in the Kubernetes securityContext
.
Simply add the name of the capability, like CHOWN
.
Run as Non Root
Enable this setting to run the container as a non-root user.
Read-only Root Filesystem
The standard readOnlyRootFilesystem
setting for the securityContext
property.
Enable this setting to ensure that the root filesystem of the container is mounted as read-only.
Run as User
The standard runAsUser
setting for the securityContext
property.
Specify the user ID (UID) under which the container should run.
Priority Class
The standard Kubernetes PriorityClass
.
Enter a standard priorityClassName
like system-node-critical
.
Node Selector
The standard Kubernetes nodeSelector
.
Enter a key like disktype
and and value like ssd
.