AWX in Action

Ansible Orchestration at Scale

Scale AWX Without Breaking It: Mesh, Hop Nodes, and Capacity Planning

Container Groups: Running Jobs as Kubernetes Pods

Sometimes you may want to run jobs as Kubernetes (or OpenShift) pods instead of as containers on a fixed execution node VM. To do this, you create a Container Group in AWX.

A Container Group is an instance group that runs each job as a freshly spawned pod in a Kubernetes cluster. It has two main parts:

  • A credential of type OpenShift or Kubernetes API Bearer Token that tells AWX how to reach the target cluster (server URL, CA certificate, bearer token).
  • An optional pod spec override that defines how AWX should template the job pod (resource requests/limits, node selectors, tolerations, volume mounts, image pull secrets, the EE image to use, and so on).

When AWX is installed via the operator, it ships with a Container Group named default that runs jobs as pods in the same cluster AWX itself runs in. This is the fallback AWX uses if no other instance group is set on the job template, inventory, or organization. If you want to run jobs in a different cluster, create a new Container Group with a credential pointing at that cluster's API.

Container groups don't replace execution nodes; they're a different way to provide job-running capacity. Use execution nodes when you need a long-lived VM with network access to specific managed targets. Use container groups when you want ephemeral, scalable, Kubernetes-native job execution.

How Container Groups work

Setting up a Container Group involves the following steps:

1. Create a new credential: In this step, you provide the CA certificate, the server URL, and the token. This credential authenticates AWX with the cluster.

Apply the following manifest to your cluster. It creates a namespace, a ServiceAccount, a Role with the permissions AWX needs to manage job pods, a RoleBinding, and (for K8s 1.24+) a Secret to hold a long-lived token for the ServiceAccount:

kubectl apply -f - <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: containergroup-namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: containergroup-service-account
  namespace: containergroup-namespace
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: containergroup-role
  namespace: containergroup-namespace
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods/log", "pods/attach", "pods/exec"]
    verbs: ["get", "list", "watch", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: containergroup-rolebinding
  namespace: containergroup-namespace
subjects:
  - kind: ServiceAccount
    name
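
A drift check for the Role above, as an added example that is not part of the original page or of AWX: it compares a Role, in the JSON form returned by `kubectl get role containergroup-role -n containergroup-namespace -o json`, against the verbs the manifest grants and reports anything broader. The names `audit_role` and `BASELINE` and both sample Roles are constructed for this illustration.

```python
import json

# Baseline copied from the Role in the manifest above: resource -> granted verbs.
BASELINE = {
    "pods": {"get", "list", "watch", "create", "delete"},
    "pods/log": {"get", "list", "watch", "create"},
    "pods/attach": {"get", "list", "watch", "create"},
    "pods/exec": {"get", "list", "watch", "create"},
}

def audit_role(role):
    """Return one finding per grant that goes beyond BASELINE."""
    findings = []
    if role.get("kind") != "Role":
        findings.append(f"kind {role.get('kind')!r} is not a namespaced Role")
    for i, rule in enumerate(role.get("rules", [])):
        if rule.get("apiGroups") != [""]:
            findings.append(f"rule {i}: apiGroups {rule.get('apiGroups')} not core-only")
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                if "*" in (res, verb):
                    findings.append(f"rule {i}: wildcard grant {verb} on {res}")
                elif res not in BASELINE:
                    findings.append(f"rule {i}: unexpected resource {res} ({verb})")
                elif verb not in BASELINE[res]:
                    findings.append(f"rule {i}: extra verb {verb} on {res}")
    return findings

# Constructed sample: the page's Role rendered as JSON.
PAGE_ROLE = json.loads("""
{"kind": "Role",
 "metadata": {"name": "containergroup-role", "namespace": "containergroup-namespace"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods"],
   "verbs": ["get", "list", "watch", "create", "delete"]},
  {"apiGroups": [""], "resources": ["pods/log", "pods/attach", "pods/exec"],
   "verbs": ["get", "list", "watch", "create"]}]}
""")

# Constructed sample: the same rules after someone widened them.
DRIFTED_ROLE = {"kind": "ClusterRole", "rules": PAGE_ROLE["rules"] + [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["patch", "*"]},
]}

if __name__ == "__main__":
    for name, role in (("page", PAGE_ROLE), ("drifted", DRIFTED_ROLE)):
        print(name, audit_role(role) or "matches baseline")
```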
