{
  "id": "allow-resource-adjustment",
  "title": "Allow automatic resource adjustment",
  "url": "https://redis.io/docs/latest/operate/kubernetes/8.0/security/allow-resource-adjustment/",
  "summary": "Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits.",
  "content": "\nRedis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as when automatic resource adjustment is enabled. Running with automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later.\n\n## Default behavior\n\nAutomatic resource adjustment is disabled by default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. This default behavior is in effect if the REC spec has `allowAutoAdjustment` set to `false` or does not include it.\n\nIf automatic resource adjustment is disabled, the REC security context looks like this:\n\n```yaml\nsecurityContext:\n  allowPrivilegeEscalation: false\n  capabilities:\n    drop:\n    - ALL\n  privileged: false\n  readOnlyRootFilesystem: false\n```\n\n## Enable automatic resource adjustment\n\nTo allow the Redis Enterprise container to adjust system resource limits automatically, set `allowAutoAdjustment` to `true`. This will grant the container elevated capabilities such as `SYS_RESOURCE`. 
Note that changing this value on a running cluster will trigger a rolling update.\n\n```yaml\nspec:\n  securityContext:\n    resourceLimits:\n      allowAutoAdjustment: true\n```\n\n**Note:** Enabling `allowAutoAdjustment` grants the container the `SYS_RESOURCE` capability and permits privilege escalation.\n\nEnabling automatic resource adjustment results in the following security context:\n\n```yaml\nsecurityContext:\n  allowPrivilegeEscalation: true\n  capabilities:\n    add:\n    - SYS_RESOURCE\n    drop:\n    - ALL\n  privileged: false\n  readOnlyRootFilesystem: false\n```\n\n## OpenShift upgrades\n\nIf you're upgrading to 7.22.0-6 on OpenShift, update your existing security context constraint (SCC).\n\nIf running with automatic resource adjustment disabled, remove the custom `redis-enterprise-scc-v2` SCC and unbind it from the REC service account after you complete the upgrade.\n\n```sh\noc delete scc/redis-enterprise-scc-v2\n```\n\n```sh\noc adm policy remove-scc-from-user redis-enterprise-scc-v2 -z \u003cservice-account-name\u003e\n```\n\nIf running with automatic resource adjustment enabled, manually reapply the [security context constraints (SCC)](https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html) file ([`scc.yaml`](https://redis.io/docs/latest/operate/kubernetes/deployment/openshift/openshift-cli#deploy-the-operator)).\n\n```sh\noc apply -f openshift/scc.yaml\n```\n\n```sh\noc adm policy add-scc-to-user redis-enterprise-scc-v2 \\\n  system:serviceaccount:\u003cmy-project\u003e:\u003crec-name\u003e\n```\n\n## New OpenShift installations\n\nNew installations of Redis Enterprise for Kubernetes 7.22.0-6 and later automatically run with automatic resource adjustment disabled, using the built-in `nonroot-v2` SCC, which is more secure and less permissive.\n\nTo enable automatic resource adjustment after installation, apply and grant permissions to the `redis-enterprise-scc-v2` SCC.\n\n1. 
Apply the `scc.yaml` file.\n\n    Do not edit this file.\n\n    ```sh\n    oc apply -f openshift/scc.yaml\n    ```\n\n    You should see the following output:\n\n    ```sh\n    securitycontextconstraints.security.openshift.io \"redis-enterprise-scc-v2\" configured\n    ```\n\n1. Provide the operator permissions for the pods.\n\n    ```sh\n    oc adm policy add-scc-to-user redis-enterprise-scc-v2 \\\n      system:serviceaccount:\u003cmy-project\u003e:\u003crec\u003e\n    ```\n\n## SYS_RESOURCE\n\nSome Redis Enterprise processes may require the `SYS_RESOURCE` capability to raise resource limits, such as the maximum number of open file descriptors.\n\nSome Redis Enterprise processes require the ability to open at least 100,000 file descriptors. If the default is lower and `SYS_RESOURCE` is not enabled, these processes may fail.\n\n## Choose whether to enable automatic resource adjustment\n\nUse the following guidance to decide whether to enable automatic resource adjustment:\n\n- If you're running on a major cloud provider such as AWS, GKE, or AKS, running with automatic resource adjustment disabled is likely sufficient.\n- If you're running on-prem or using Kubespray, verify your file descriptor limits. You can:\n  - Configure limits manually and run with automatic resource adjustment disabled.\n  - Enable automatic resource adjustment to allow Redis Enterprise to increase limits, which requires privilege escalation.\n\nIf you are already running a Redis Enterprise cluster on Kubernetes, your worker nodes are likely configured correctly. In this case, it is safe to upgrade the operator and run with automatic resource adjustment disabled.\n\nBased on our testing, all major cloud providers configure Kubernetes worker nodes with file descriptor limits well above the required minimum. These environments typically work without enabling automatic resource adjustment. 
The only known exception is clusters created with [Kubespray](https://kubespray.io/#/), which sets default file descriptor limits below the required 100,000. If you use Kubespray with default settings, you must run the operator with automatic resource adjustment enabled.\n",
  "tags": ["docs","operate","kubernetes"],
  "last_updated": "2026-06-04T14:49:57+01:00"
}
