This document lists the best practices that Workload Manager supports for evaluating Red Hat OpenShift clusters that run on Google Cloud. To learn about Workload Manager, see Product overview .
Severity levels
When you run an evaluation, Workload Manager evaluates resources by comparing their current state with best practices. If a resource doesn't comply with a selected best practice, Workload Manager assigns it a severity level that indicates how far the resource is out of compliance. The Google Cloud console marks each non-compliant resource with an icon. The following table explains these icons, their corresponding severity levels, how the current resource setting might impact your workload, and recommendations for modifying the resource to adhere to best practices.| Icon | Severity level | Impacts | Recommendation |
|---|---|---|---|
| Critical | System Reliability, Unplanned Outages, Unsupported Configuration | Resolve as soon as possible to prevent an impact on system availability and data integrity due to a high risk of an unplanned outage. |
|
| High | Degraded Performance, System Stability | Resolve during the next planned maintenance window. | |
| Medium | Suboptimal Performance, Supportability | Resolve at your earliest convenience. | |
| Low | Informational, Non-essential Behavior | Although there's no resolution needed, reviewing this best practice can provide useful insights. |
Best practices for Red Hat OpenShift clusters
The following table shows the Workload Manager best practices for evaluating Red Hat OpenShift clusters that run on Google Cloud.
Note that to enable Workload Manager for evaluating your Red Hat OpenShift workloads, you must set up the Cluster Services for OpenShift Telemetry operator .
Select one or more rule categories to filter the following table.
| Category | Best practice name and description | Severity |
|---|---|---|
|
Security
|
Cloud KMS (CMEK) for Managed Block Storage
We recommend that you use customer-managed encryption keys (CMEKs) with block storage options managed by Google Cloud. Using CMEKs provides you greater control over data encryption, supports key revocation and rotation policies, and enhances auditability that helps you meet strict compliance requirements. For information about how to use CMEK, see the Red Hat document GCP PD CSI Driver Operator . |
|
|
Security
|
Require etcd encryption for External Secrets Operator
If you install External Secrets Operator
(ESO) for use with Secret Manager, then you must enable For information about how to enable |
|
|
Reliability
|
Recommend Filestore Regional over Zonal Tier
We recommend that you use the Regional tier of Filestore instead of the Zonal tier. This is because the Regional tier replicates data across zones and helps you ensure data availability in case of zonal failures. For information about Filestore service tiers, see About service tiers . |
|
|
Reliability
|
Prefer Filestore Zonal over Basic Tiers
Use the Zonal or Regional tier of Filestore instead of any type of Basic tier. When compared to a Basic tier, the Zonal and Regional tiers of Filestore support the following features: availability during maintenance events, the NFSv4.1 protocol, custom performance, instance performance, and snapshots. For information about Filestore service tiers, see About service tiers . |
|
|
Operational Efficiency
|
Google Cloud Filestore for Shared Storage Recommendation
For workloads that require more than 90 GiB of shared storage (RWX) capacity, we recommend that you use Filestore. This service provides seamless infrastructure integration, reliable performance, and automated lifecycle management on Google Cloud. For information about how to migrate your Persistent Volume Claims
(PVCs) with |
|
|
Operational Efficiency
|
Recommend Applications to be Monitored by Google Managed Prometheus
We recommend that you configure application metric scraping by using Google Cloud. For information about how to set up Google Cloud Managed Service for Prometheus with managed collection, see Get started with managed collection . |
|
|
Reliability
|
Control Plane Multi-Zonal Distribution
We recommend that you distribute your OpenShift control plane nodes across at least two different zones within a Google Cloud region. This helps you ensure high availability (HA) and the continuity of management layer operations during zonal outages. For more information, see Best practices for high availability with OpenShift . |
|
|
Reliability
|
Worker Node Multi-Zonal Distribution
We recommend that you provision OpenShift worker nodes in multiple zones within a Google Cloud region. This lets you build a resilient infrastructure that can withstand zonal disruptions and help you provide high availability (HA) for the hosted workloads. For more information, see Best practices for high availability with OpenShift . |
|
|
Cost Optimization
|
Recommendation of Storage Pool Usage for Hyperdisk Storage Classes
When you're using the Google Cloud Hyperdisk storage class with your OpenShift cluster, we recommend that you use storage pools. This helps you achieve more efficient management of disk resources, improved performance predictability, and simplified scaling of block storage within your OpenShift environment. For information about how to configure your storage classes to use Hyperdisk storage pools, see Storage pools for hyperdisk-balanced disks overview . |
|
|
Reliability
|
Workload Agent Metric Freshness Check
To ensure that your evaluation results are accurate, the telemetry data collected from your OpenShift cluster must not be older than 24 hours. If the collected metrics are older than 24 hours, then it is considered stale and Workload Manager cannot use it for a reliable evaluation. Stale metrics typically indicate that the telemetry operator is misconfigured or cannot connect to Google Cloud. If you're unable to troubleshoot and fix this issue, then contact Cloud Customer Care. |
|
|
Operational Efficiency
|
Google Cloud Managed Block Storage Recommendation
For seamless infrastructure integration, performance reliability, and automated lifecycle management, we recommend that you use Google Cloud managed block storage solutions for workloads running on your OpenShift cluster. For information about how to migrate your Persistent Volume Claims (PVCs) to use Google Cloud managed block storage, see the Red Hat document GCP PD CSI Driver Operator . |
|
|
Operational Efficiency
|
Recommend Sidecar OpenTelemetry Injection for Applications.
For better metrics collection isolation between applications, deploy the OpenTelemetry Operator in Sidecar mode for application telemetry. For information about how to deploy this operator, see OpenTelemetry Operator for Kubernetes . |
|
|
Operational Efficiency
|
OpenShift Environment Labeling (Production/Non-Production)
To consistently implement policy, monitor alerts, and allocate
cost for your OpenShift cluster, we recommend that you apply the
label |
|
|
Operational Efficiency
|
Google Cloud Secret Manager Integration
To handle sensitive information within OpenShift clusters that run on Google Cloud, use Secret Manager. This service lets you centralize the lifecycle management of secrets and enhance security by providing IAM-based access control. For information about how to install the Secrets Store CSI Driver and the Google Cloud Secret Manager provider, see Mounting secrets from Google Secret Manager . |
|
|
Security
|
Disallow ALLOW_NODE_PUBLISH_SECRET
in Secret Manager provider
When you're using Secret Manager with the Secrets Store CSI
Driver, you must not use the For information about how to use Security Token Service, see the Google Cloud security bulletin GCP-2025-006 . |
|
|
Security
|
Recommended to not sync Secrets Store CSI Driver secrets to etcd
If you're using Secret Manager with the Secrets Store CSI Driver,
we recommend that |
|
|
Security
|
Use Workload Identity Federation (WIF) for integrating with Google Managed Prometheus
For OTLP or Google Cloud authentication, we recommend that you use Workload Identity Federation (WIF). Static JSON keys (service account keys) are high-risk "long-lived" credentials. WIF replaces these with short-lived tokens projected directly into the pod. For information about how to use WIF, see Workload Identity Federation . |
|
|
Security
|
Workload Identity Federation for Cloud Credentials
To grant Kubernetes service accounts access to Google Cloud resources without using long-lived keys, configure your OpenShift cluster to use Workload Identity Federation. For information about how to configure your cluster to use WIF, see the Red Hat document Configuring a GCP cluster to use short-term credentials . |
|

