Cluster Template
A cluster template is a predefined configuration or blueprint for setting up and managing clusters. Cluster templates allow you to rapidly provision and deploy clusters with uniform configurations, minimizing time and effort.
Edge Orchestrator supports the JSON format for creating, exporting, or importing a cluster template.
Note
Only an edge manager can create a cluster template.
Edge Orchestrator comes with three built-in cluster templates:
restricted
baseline
privileged
To go to the Cluster Templates page, click the Settings tab and then click Cluster Templates on the left menu. You can view the built-in cluster templates there. Intel provides and maintains these default templates. Each built-in template provides different restrictions that are automatically applied for customer workloads:

The common settings in the cluster templates include:
Kubernetes* platform version v1.30.10+rke2r1
Preconfigured mirrors for Container Runtime Interface (CRI)
Preconfigured Container Network Interface (CNI) – Multus, Calico, and Wireguard* CNIs that are enhanced by preconfigured network policies.
Common configuration of the cluster IP addresses - cluster or service CIDRs
Optional list of deployment metadata key-value pairs populated as cluster labels and used to identify clusters as targets for Automated Deployment.
Built-in cluster templates have the following deployment metadata labels:
Cluster Template Name | deployment-metadata |
---|---|
restricted | "default-extension": "restricted" |
baseline | "default-extension": "baseline" |
privileged | "default-extension": "privileged" |
Edge Orchestrator comes with three built-in deployments corresponding to default deployment metadata. These are referred to as base extensions and contain the following set of common preconfigured Kubernetes extensions:
The following table lists the various enabled and disabled settings for the default templates:
Constraints | restricted | baseline | privileged |
---|---|---|---|
capabilities: Controls Linux* capabilities on containers. Corresponds to the allowedCapabilities field in PodSecurityPolicy. Allowed: NET_BIND_SERVICE. All others are denied. | ENABLED | ENABLED | DISABLED |
host-network: Controls the usage of host network namespace by pod containers. Corresponds to the hostNetwork fields in a PodSecurityPolicy. | ENABLED | DISABLED | DISABLED |
volumeTypes: Forbids hostPath volume type. Corresponds to the volumes field in a PodSecurityPolicy. | ENABLED | ENABLED | DISABLED |
hostNamespace: Disallows sharing of host PID and IPC namespaces by pod containers. Corresponds to the hostPID and hostIPC fields in a PodSecurityPolicy. | ENABLED | ENABLED | DISABLED |
hostPorts: Controls usage of host ports by pod containers. If usage of host ports is allowed, you must specify specific port ranges. Corresponds to the hostPorts field in a PodSecurityPolicy. HostPorts usage is not allowed when this constraint is enabled. | ENABLED | ENABLED | DISABLED |
privilegedContainer: Disallows enabling privileged mode in containers. Corresponds to the privileged field in a PodSecurityPolicy. | ENABLED | ENABLED | DISABLED |
privilegedEscalation: Restricts escalation to root privileges. Corresponds to the allowPrivilegeEscalation field in a PodSecurityPolicy. | ENABLED | DISABLED | DISABLED |
read-only-root-filesystem: Requires the use of the read-only root file system by pod containers. Corresponds to the readOnlyRootFilesystem field in a PodSecurityPolicy. | ENABLED | DISABLED | DISABLED |
Sysctls: Controls the sysctl profile used by containers. Allowed sysctls when the constraint is enabled: kernel.shm_rmid_forced, net.ipv4.ip_local_port_range, net.ipv4.ip_unprivileged_port_start, net.ipv4.tcp_syncookies, net.ipv4.ping_group_range | ENABLED | ENABLED | DISABLED |
Note
When security is of highest priority, Intel recommends using the ‘restricted’ template as a default for all clusters managed by Edge Orchestrator. Otherwise, Intel recommends assigning ‘baseline’ as the default cluster template.
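To see which template a given workload can run under, the following added example (not Edge Orchestrator code) checks a pod spec against the constraint table above. It assumes that an enabled constraint rejects the setting it controls, that privilegedEscalation requires allowPrivilegeEscalation to be set to false explicitly, and that read-only-root-filesystem requires readOnlyRootFilesystem to be true; the function names and the sample spec are constructed for illustration.

```python
# Templates in which each constraint is ENABLED, transcribed from the table above.
ENABLED_IN = {
    "capabilities": {"restricted", "baseline"},
    "host-network": {"restricted"},
    "volumeTypes": {"restricted", "baseline"},
    "hostNamespace": {"restricted", "baseline"},
    "hostPorts": {"restricted", "baseline"},
    "privilegedContainer": {"restricted", "baseline"},
    "privilegedEscalation": {"restricted"},
    "read-only-root-filesystem": {"restricted"},
    "Sysctls": {"restricted", "baseline"},
}
ALLOWED_CAPS = {"NET_BIND_SERVICE"}
ALLOWED_SYSCTLS = {"kernel.shm_rmid_forced", "net.ipv4.ip_local_port_range",
                   "net.ipv4.ip_unprivileged_port_start",
                   "net.ipv4.tcp_syncookies", "net.ipv4.ping_group_range"}

def findings(spec):
    """Constraints a pod spec would trip if every constraint were enabled (assumed semantics)."""
    psc = spec.get("securityContext") or {}
    pod_checks = {
        "host-network": spec.get("hostNetwork"),
        "hostNamespace": spec.get("hostPID") or spec.get("hostIPC"),
        "volumeTypes": any("hostPath" in v for v in spec.get("volumes") or []),
        "Sysctls": any(s.get("name") not in ALLOWED_SYSCTLS for s in psc.get("sysctls") or []),
    }
    hit = {name for name, bad in pod_checks.items() if bad}
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        sc = c.get("securityContext") or {}
        checks = {
            "capabilities": set((sc.get("capabilities") or {}).get("add") or []) - ALLOWED_CAPS,
            "hostPorts": any(p.get("hostPort") for p in c.get("ports") or []),
            "privilegedContainer": sc.get("privileged"),
            "privilegedEscalation": sc.get("allowPrivilegeEscalation") is not False,
            "read-only-root-filesystem": sc.get("readOnlyRootFilesystem") is not True,
        }
        hit |= {name for name, bad in checks.items() if bad}
    return hit

def violations(spec, template):
    """Sorted constraint names this pod spec violates under the given template."""
    return sorted(c for c in findings(spec) if template in ENABLED_IN[c])

# Constructed sample: the "spec" object of a Pod manifest, as a Python dict.
SAMPLE = {"hostNetwork": True, "containers": [{"name": "agent",
          "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}

if __name__ == "__main__":
    print({t: violations(SAMPLE, t) for t in ("restricted", "baseline", "privileged")})
```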
From this page, click the three-dot (…) icon in the Actions column to do the following: