Workload Manager best practices for Red Hat OpenShift

This document lists the best practices that Workload Manager supports for evaluating Red Hat OpenShift clusters that run on Google Cloud. To learn about Workload Manager, see Product overview .

Severity levels

When you run an evaluation, Workload Manager evaluates resources by comparing their current state with best practices. If a resource doesn't comply with a selected best practice, Workload Manager assigns it a severity level that indicates how far the resource is out of compliance. The Google Cloud console marks each non-compliant resource with an icon. The following table explains these icons, their corresponding severity levels, how the current resource setting might impact your workload, and recommendations for modifying the resource to adhere to best practices.
Icon Severity level Impacts Recommendation
Critical System Reliability, Unplanned Outages, Unsupported Configuration

Resolve as soon as possible to prevent an impact on system availability and data integrity due to a high risk of an unplanned outage.

High Degraded Performance, System Stability Resolve during the next planned maintenance window.
Medium Suboptimal Performance, Supportability Resolve at your earliest convenience.
Low Informational, Non-essential Behavior Although there's no resolution needed, reviewing this best practice can provide useful insights.

Best practices for Red Hat OpenShift clusters

The following table shows the Workload Manager best practices for evaluating Red Hat OpenShift clusters that run on Google Cloud.

Note that to enable Workload Manager for evaluating your Red Hat OpenShift workloads, you must set up the Cluster Services for OpenShift Telemetry operator .

Select one or more rule categories to filter the following table.

Category Best practice name and description Severity
Security
Cloud KMS (CMEK) for Managed Block Storage

We recommend that you use customer-managed encryption keys (CMEKs) with block storage options managed by Google Cloud. Using CMEKs provides you greater control over data encryption, supports key revocation and rotation policies, and enhances auditability that helps you meet strict compliance requirements.

For information about how to use CMEK, see the Red Hat document GCP PD CSI Driver Operator .

Severity: Medium Medium
Security
Require etcd encryption for External Secrets Operator

If you install External Secrets Operator (ESO) for use with Secret Manager, then you must enable etcd encryption. ESO pulls secrets from external sources syncs them with Kubernetes Secrets. If you don't enable etcd encryption, then secrets are stored in plain text, and this is a deviation from security best practices.

For information about how to enable etcd encryption, see the Red Hat document Encrypting etcd data .

Severity: High High
Reliability
Recommend Filestore Regional over Zonal Tier

We recommend that you use the Regional tier of Filestore instead of the Zonal tier. This is because the Regional tier replicates data across zones and helps you ensure data availability in case of zonal failures.

For information about Filestore service tiers, see About service tiers .

Severity: Medium Medium
Reliability
Prefer Filestore Zonal over Basic Tiers

Use the Zonal or Regional tier of Filestore instead of any type of Basic tier. When compared to a Basic tier, the Zonal and Regional tiers of Filestore support the following features: availability during maintenance events, the NFSv4.1 protocol, custom performance, instance performance, and snapshots.

For information about Filestore service tiers, see About service tiers .

Severity: Medium Medium
Operational Efficiency
Google Cloud Filestore for Shared Storage Recommendation

For workloads that require more than 90 GiB of shared storage (RWX) capacity, we recommend that you use Filestore. This service provides seamless infrastructure integration, reliable performance, and automated lifecycle management on Google Cloud.

For information about how to migrate your Persistent Volume Claims (PVCs) with ReadWriteMany access mode to use Filestore, see Google Cloud Filestore CSI Driver Operator .

Severity: Medium Medium
Operational Efficiency
Recommend Applications to be Monitored by Google Managed Prometheus

We recommend that you configure application metric scraping by using Google Cloud.

For information about how to set up Google Cloud Managed Service for Prometheus with managed collection, see Get started with managed collection .

Severity: Medium Medium
Reliability
Control Plane Multi-Zonal Distribution

We recommend that you distribute your OpenShift control plane nodes across at least two different zones within a Google Cloud region. This helps you ensure high availability (HA) and the continuity of management layer operations during zonal outages.

For more information, see Best practices for high availability with OpenShift .

Severity: Critical Critical
Reliability
Worker Node Multi-Zonal Distribution

We recommend that you provision OpenShift worker nodes in multiple zones within a Google Cloud region. This lets you build a resilient infrastructure that can withstand zonal disruptions and help you provide high availability (HA) for the hosted workloads.

For more information, see Best practices for high availability with OpenShift .

Severity: Critical Critical
Cost Optimization
Recommendation of Storage Pool Usage for Hyperdisk Storage Classes

When you're using the Google Cloud Hyperdisk storage class with your OpenShift cluster, we recommend that you use storage pools. This helps you achieve more efficient management of disk resources, improved performance predictability, and simplified scaling of block storage within your OpenShift environment.

For information about how to configure your storage classes to use Hyperdisk storage pools, see Storage pools for hyperdisk-balanced disks overview .

Severity: Medium Medium
Reliability
Workload Agent Metric Freshness Check

To ensure that your evaluation results are accurate, the telemetry data collected from your OpenShift cluster must not be older than 24 hours. If the collected metrics are older than 24 hours, then it is considered stale and Workload Manager cannot use it for a reliable evaluation. Stale metrics typically indicate that the telemetry operator is misconfigured or cannot connect to Google Cloud. If you're unable to troubleshoot and fix this issue, then contact Cloud Customer Care.

Severity: Medium Medium
Operational Efficiency
Google Cloud Managed Block Storage Recommendation

For seamless infrastructure integration, performance reliability, and automated lifecycle management, we recommend that you use Google Cloud managed block storage solutions for workloads running on your OpenShift cluster.

For information about how to migrate your Persistent Volume Claims (PVCs) to use Google Cloud managed block storage, see the Red Hat document GCP PD CSI Driver Operator .

Severity: Medium Medium
Operational Efficiency
Recommend Sidecar OpenTelemetry Injection for Applications.

For better metrics collection isolation between applications, deploy the OpenTelemetry Operator in Sidecar mode for application telemetry.

For information about how to deploy this operator, see OpenTelemetry Operator for Kubernetes .

Severity: Medium Medium
Operational Efficiency
OpenShift Environment Labeling (Production/Non-Production)

To consistently implement policy, monitor alerts, and allocate cost for your OpenShift cluster, we recommend that you apply the label environment with the value production or non-production to the cluster. This label helps convey whether your cluster runs in a production or non-production environment.

Severity: Medium Medium
Operational Efficiency
Google Cloud Secret Manager Integration

To handle sensitive information within OpenShift clusters that run on Google Cloud, use Secret Manager. This service lets you centralize the lifecycle management of secrets and enhance security by providing IAM-based access control.

For information about how to install the Secrets Store CSI Driver and the Google Cloud Secret Manager provider, see Mounting secrets from Google Secret Manager .

Severity: Medium Medium
Security
Disallow ALLOW_NODE_PUBLISH_SECRET in Secret Manager provider

When you're using Secret Manager with the Secrets Store CSI Driver, you must not use the ALLOW_NODE_PUBLISH_SECRET option in the Secret Manager provider DaemonSet. To prevent token leakage, you need to use Security Token Service.

For information about how to use Security Token Service, see the Google Cloud security bulletin GCP-2025-006 .

Severity: High High
Security
Recommended to not sync Secrets Store CSI Driver secrets to etcd

If you're using Secret Manager with the Secrets Store CSI Driver, we recommend that SecretProviderClass resources don't contain a secretObjects block. This helps you ensure that secrets exist only in tmpfs memory and don't affect the control plane datastore.

Severity: Medium Medium
Security
Use Workload Identity Federation (WIF) for integrating with Google Managed Prometheus

For OTLP or Google Cloud authentication, we recommend that you use Workload Identity Federation (WIF). Static JSON keys (service account keys) are high-risk "long-lived" credentials. WIF replaces these with short-lived tokens projected directly into the pod.

For information about how to use WIF, see Workload Identity Federation .

Severity: Critical Critical
Security
Workload Identity Federation for Cloud Credentials

To grant Kubernetes service accounts access to Google Cloud resources without using long-lived keys, configure your OpenShift cluster to use Workload Identity Federation.

For information about how to configure your cluster to use WIF, see the Red Hat document Configuring a GCP cluster to use short-term credentials .

Severity: Critical Critical
Create a Mobile Website
View Site in Mobile | Classic
Share by: