CaaS (Kubernetes)
CaaS (Container-as-a-Service) is Roche’s managed Kubernetes offering running on AWS. It hosts the OPA (Open Policy Agent) instances that enforce real-time policy evaluation for data products. Each entity gets a dedicated OPA deployment with its compiled Rego policies, accessible via a ClusterIP service.
Connection Details
| Property | Value |
|---|---|
| Cluster | caasawsprod / Cloud Prod (eu-central-1) |
| Cluster ID | c-2dhbr |
| Project | rdt_model (ID: c-2dhbr:p-r4z25) |
| Auth method | Bearer token (Rancher-issued kubeconfig) |
| Network | Roche corporate network (VPN required) |
| Access task | A13 |
| GitHub issue | #28 |
| CIDM group | CAAS_MODEL_ADMIN |
| ServiceNow request | RITM6292237 |
Environment Variables
| Variable | Source | Description |
|---|---|---|
| RANCHER_BEARER_TOKEN | Vault common/caas | API token for Rancher/K8s authentication |
| RANCHER_URL | Vault common/caas | Rancher management plane URL |
| CAAS_PROJECT | Vault common/caas | Rancher project identifier |
| CAAS_NAMESPACE | Vault {env}/caas | Target namespace per environment |
| CAAS_CLUSTER | Vault {env}/caas | Target cluster per environment |
Namespaces
| Namespace | Environment | State | CPU | Memory | Storage |
|---|---|---|---|---|---|
| rdt-model-dev | dev | Active | 300m | 340Mi | 1700Mi |
| rdt-model-test | test | Active | 300m | 340Mi | 1700Mi |
| rdt-model-prod | prod | Active | 300m | 340Mi | 1700Mi |
CLI Modules
| Module | Usage |
|---|---|
| rdt-model-policy | Generates OPA Rego policies and K8s manifests (Deployment, Service, ConfigMap, CronJob), and deploys them to the target namespace |
Deployed Artifacts (per entity)
| Manifest | Purpose |
|---|---|
| opa-deployment.yaml | OPA server with sidecar bundle loader |
| opa-service.yaml | ClusterIP service exposing /validate/* and /policy/* |
| bundle-configmap.yaml | Pre-materialised lookup data (MRHub snapshots) |
| bundle-refresh-cronjob.yaml | Scheduled Snowflake-to-bundle export |
Access Verification
Script: `scripts/access/check-caas.sh`
Required tools: kubectl
Prerequisites: Roche CA certificates installed (/usr/local/share/ca-certificates/roche/)
Checks performed:
- Roche CA certificate installation
- kubectl context configuration (browser auth to Rancher if needed)
- Cluster connectivity (`kubectl get pods`)
- Namespace access: `rdt-model-dev`, `rdt-model-test`, `rdt-model-prod`
- RBAC permissions in `rdt-model-dev`: `create:deployments`, `create:services`, `create:configmaps`, `get:pods`, `get:secrets`, `create:pods`, `delete:deployments`
- Pod counts per namespace
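The namespace-access and RBAC checks from the list above, written out as an added example; this is not the project's `scripts/access/check-caas.sh` but a stand-alone re-implementation. It assumes the `caasawsprod` context name from this page, and `KUBECTL` can be pointed at a wrapper (or a shell function) so the logic can be exercised without cluster access. Each permission is tested with `kubectl auth can-i -q`, which exits 0 for "yes" and 1 for "no", so a missing verb is reported by name instead of failing later during deployment.

```shell
#!/usr/bin/env sh
# Added example, not the project's check-caas.sh: re-implements the namespace-access
# and RBAC checks from the access-verification list with `kubectl auth can-i`.
# Assumptions: context name caasawsprod (from the page); KUBECTL may point at a
# wrapper or shell function so the checks can run without a cluster.

KUBECTL=${KUBECTL:-kubectl}
CONTEXT=${CONTEXT:-caasawsprod}
NAMESPACES="rdt-model-dev rdt-model-test rdt-model-prod"

# Verbs the deploy tooling needs in rdt-model-dev, as verb:resource pairs
REQUIRED_PERMS="create:deployments create:services create:configmaps get:pods get:secrets create:pods delete:deployments"

# namespace_reachable NS -> 0 if `kubectl get pods` succeeds in NS
namespace_reachable() {
  "$KUBECTL" --context "$CONTEXT" get pods -n "$1" >/dev/null 2>&1
}

# can_i NS VERB RESOURCE -> 0 if the current identity may VERB RESOURCE in NS
# (`auth can-i -q` prints nothing and exits 0 for yes, 1 for no)
can_i() {
  "$KUBECTL" --context "$CONTEXT" auth can-i -q "$2" "$3" -n "$1" >/dev/null 2>&1
}

# missing_perms NS -> prints the verb:resource pairs from REQUIRED_PERMS that are denied
missing_perms() {
  missing=""
  for perm in $REQUIRED_PERMS; do
    verb=${perm%%:*}
    resource=${perm#*:}
    can_i "$1" "$verb" "$resource" || missing="${missing:+$missing }$perm"
  done
  printf '%s\n' "$missing"
}

# check_namespace_rbac NS -> 0 when every required permission is granted
check_namespace_rbac() {
  missing=$(missing_perms "$1")
  if [ -n "$missing" ]; then
    echo "[$1] missing RBAC permissions: $missing" >&2
    return 1
  fi
  echo "[$1] all required RBAC permissions present"
}

# run_checks -> 0 when all namespaces are reachable and rdt-model-dev has the RBAC verbs
run_checks() {
  status=0
  for ns in $NAMESPACES; do
    if namespace_reachable "$ns"; then
      echo "[$ns] reachable"
    else
      echo "[$ns] NOT reachable (check VPN, kubeconfig context, namespace membership)" >&2
      status=1
    fi
  done
  check_namespace_rbac rdt-model-dev || status=1
  return $status
}

# Usage: sh check-caas-rbac.sh --run
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

Run it with `--run` after `export KUBECONFIG=~/.kube/config-caas`; a denied verb shows up as `[rdt-model-dev] missing RBAC permissions: delete:deployments`, which maps directly to the CIDM group or RoleBinding that needs fixing.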
Authentication
CaaS uses a Rancher-issued kubeconfig with bearer token authentication:

```shell
# Download kubeconfig from Rancher
# Rancher UI → Cluster → Kubeconfig File → Copy
export KUBECONFIG=~/.kube/config-caas

# Verify access
kubectl --context caasawsprod get namespaces | grep rdt-model
```

The Rancher bearer token (name: token-2d9gz) expires 2026-07-28; renewal is required before expiry.
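Before pointing `KUBECONFIG` at a freshly downloaded file, it is worth checking what it actually contains. The following added example (not part of the project's tooling) verifies that the cluster entry points at the `caasawsprod` endpoint given on this page, that TLS verification is not disabled, that no `certificate-authority-data` is embedded (the Kubeconfig Setup section below requires the system trust store instead), and that the file holding the bearer token is not readable by other users. The kubeconfig path is passed as an argument.

```shell
#!/usr/bin/env sh
# Added example, not the project's tooling: sanity-check a Rancher-issued kubeconfig
# before using it. The expected server URL is the caasawsprod cluster endpoint from
# this page; the kubeconfig path is passed as an argument.

EXPECTED_SERVER="https://rancher.emea.roche.com/k8s/clusters/c-2dhbr"

# check_kubeconfig FILE -> 0 when all checks pass; each failure is reported on stderr
check_kubeconfig() {
  file=$1
  rc=0
  if [ ! -r "$file" ]; then
    echo "kubeconfig: cannot read $file" >&2
    return 1
  fi
  # The cluster entry must point at the Rancher cluster endpoint, not some other server
  if ! grep -qF -- "server: $EXPECTED_SERVER" "$file"; then
    echo "kubeconfig: server $EXPECTED_SERVER not found" >&2
    rc=1
  fi
  # Roche CA certificates come from the system trust store; an embedded bundle would
  # pin whatever Rancher handed out at download time and bypass that store
  if grep -q 'certificate-authority-data:' "$file"; then
    echo "kubeconfig: embedded certificate-authority-data present; remove it and rely on the system trust store" >&2
    rc=1
  fi
  # TLS verification must stay on: the bearer token travels in every request
  if grep -Eq 'insecure-skip-tls-verify: *true' "$file"; then
    echo "kubeconfig: insecure-skip-tls-verify is enabled" >&2
    rc=1
  fi
  # A file carrying a bearer token should not be readable by group or others
  # (columns 5-10 of `ls -l` are the group and other permission bits)
  if ls -ld "$file" | cut -c5-10 | grep -q '[rwxsS]'; then
    echo "kubeconfig: $file is readable by group/others; chmod 600 it" >&2
    rc=1
  fi
  return $rc
}

# Usage: sh check-kubeconfig.sh ~/.kube/config-caas
if [ -n "${1:-}" ]; then
  check_kubeconfig "$1" && echo "kubeconfig OK: $1"
fi
```

A file copied straight from the Rancher UI usually fails the `certificate-authority-data` check; after removing that key (see Kubeconfig Setup) and running `chmod 600`, the script reports `kubeconfig OK`.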
Kubeconfig Setup
The kubeconfig must have its embedded CA certificate data removed and rely on the system trust store (Roche CA certificates installed via `require_roche_certs`):

```yaml
clusters:
- cluster:
    server: https://rancher.emea.roche.com/k8s/clusters/c-2dhbr
    # certificate-authority-data removed; the system trust store is used instead
  name: caasawsprod
```

Resource Quotas
Each namespace has strict resource quotas. OPA deployments must fit within:
- CPU: 300m total (OPA typically needs 50-100m per instance)
- Memory: 340Mi total (OPA typically needs 64-128Mi per instance)
- Storage: 1700Mi total (for ConfigMap-backed bundles)
This limits each namespace to approximately 3-4 OPA instances. Scaling beyond this requires a quota increase request via RITM.