Chapter 1. Prerequisites checklist for deploying Red Hat OpenShift Service on AWS
This is a high-level checklist of the prerequisites needed to create a Red Hat OpenShift Service on AWS cluster.
The machine that you run the installation process from must have access to the following:
- Amazon Web Services API and authentication service endpoints
- Red Hat OpenShift API and authentication service endpoints (api.openshift.com and sso.redhat.com)
- Internet connectivity to obtain installation artifacts during deployment
1.1. Accounts and permissions
Ensure that you have the following accounts, credentials, and permissions.
1.1.1. AWS account
- Create an AWS account if you do not already have one.
- Gather the credentials required to log in to your AWS account.
- Ensure that your AWS account has sufficient permissions to use the ROSA CLI. For more information, see Least privilege permissions for common ROSA CLI commands.
- Enable Red Hat OpenShift Service on AWS for your AWS account on the AWS console.
- If your account is the management account for your organization (used for AWS billing purposes), you must have aws-marketplace:Subscribe permissions available on your account. See Service control policy (SCP) prerequisites for more information, or see the AWS documentation for troubleshooting: AWS Organizations service control policy denies required AWS Marketplace permissions.
- Ensure that you have not enabled restrictive tag policies. For more information, see Tag policies in the AWS documentation.
1.1.2. Red Hat account
- Create a Red Hat account for the Red Hat Hybrid Cloud Console if you do not already have one.
- Gather the credentials required to log in to your Red Hat account.
1.2. CLI requirements
You need to download and install several CLI (command-line interface) tools to be able to deploy a cluster.
1.2.1. AWS CLI (aws)
- Install the AWS Command Line Interface.
- Log in to your AWS account using the AWS CLI. For more information, see Sign in through the AWS CLI.
- Verify your account identity:
  $ aws sts get-caller-identity
- Check whether the service-linked role for ELB (Elastic Load Balancing) exists:
  $ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
  If the role does not exist, create it by running the following command:
  $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
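The three AWS CLI checks above are usually run by hand; the following POSIX shell script is an added example (not part of the Red Hat documentation) that wraps them into an idempotent preflight, including the re-check needed when a concurrent run creates the role first. It assumes the AWS CLI is installed and signed in; the function names and the RUN_PREFLIGHT variable are my own.

```shell
#!/bin/sh
# Added example: AWS-side preflight for a ROSA deployment (not Red Hat code).
# Assumes `aws` is installed and already signed in to the target account.

ELB_ROLE="AWSServiceRoleForElasticLoadBalancing"
ELB_SERVICE="elasticloadbalancing.amazonaws.com"

# Print the 12-digit account ID of the signed-in caller; fail if not signed in.
caller_account() {
    aws sts get-caller-identity --query Account --output text
}

# Return 0 if the ELB service-linked role exists, non-zero otherwise.
elb_role_exists() {
    aws iam get-role --role-name "$ELB_ROLE" >/dev/null 2>&1
}

# Make sure the ELB service-linked role exists (safe to run repeatedly).
# Echoes "present" or "created"; returns non-zero only on a real failure.
ensure_elb_role() {
    if elb_role_exists; then
        echo present
        return 0
    fi
    if aws iam create-service-linked-role --aws-service-name "$ELB_SERVICE" >/dev/null; then
        echo created
        return 0
    fi
    # Creation can fail because another run created the role a moment ago,
    # so re-check before reporting a failure.
    if elb_role_exists; then
        echo present
        return 0
    fi
    echo "failed to create $ELB_ROLE" >&2
    return 1
}

# Run both checks and report the results.
rosa_aws_preflight() {
    acct=$(caller_account) || { echo "not signed in to AWS" >&2; return 1; }
    echo "AWS account: $acct"
    state=$(ensure_elb_role) || return 1
    echo "$ELB_ROLE: $state"
}

# Only run when invoked directly: RUN_PREFLIGHT=1 sh rosa-aws-preflight.sh
if [ -n "${RUN_PREFLIGHT:-}" ]; then
    rosa_aws_preflight
fi
```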
1.2.2. ROSA CLI (rosa)
- Install the ROSA CLI from the web console.
- Log in to your Red Hat account by running rosa login and following the instructions in the command output:
  $ rosa login
  To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
  ? Copy the token and paste it here:
  Alternatively, you can copy the full rosa login --token=<abc..> command from that page and paste it in the terminal:
  $ rosa login --token=<abc..>
- Confirm that you are logged in using the correct account and credentials:
  $ rosa whoami
1.2.3. OpenShift CLI (oc)
The OpenShift CLI (oc) is not required to deploy a Red Hat OpenShift Service on AWS cluster, but it is a useful tool for interacting with your cluster after it is deployed.
- Download and install oc from the OpenShift Cluster Manager Command-line interface (CLI) tools page, or follow the instructions in Getting started with the OpenShift CLI.
- Verify that the OpenShift CLI has been installed correctly by running the following command:
  $ rosa verify openshift-client
1.3. AWS infrastructure prerequisites
Optionally, ensure that your AWS account has sufficient quota available to deploy a cluster:
$ rosa verify quota
This command only checks the total quota allocated to your account; it does not reflect how much of that quota is already consumed. Running this command is optional because your quota is verified during cluster deployment. However, Red Hat recommends running it ahead of time to confirm your quota so that deployment is not interrupted by quota availability issues.
- For more information about resources provisioned during Red Hat OpenShift Service on AWS cluster deployment, see Provisioned AWS Infrastructure.
- For more information about the required AWS service quotas, see Required AWS service quotas.
1.4. Service Control Policy (SCP) prerequisites
Red Hat OpenShift Service on AWS clusters are hosted in an AWS account within an AWS organizational unit. A service control policy (SCP) is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access.
- Ensure that your organization’s SCPs are not more restrictive than the roles and policies required by the cluster. For more information, see the Minimum set of effective permissions for SCPs.
- When you create a Red Hat OpenShift Service on AWS cluster, an associated AWS OpenID Connect (OIDC) identity provider is created.
1.5. Networking prerequisites
Prerequisites needed from a networking standpoint.
1.5.1. Minimum bandwidth
During cluster deployment, Red Hat OpenShift Service on AWS requires a minimum bandwidth of 120 Mbps between cluster infrastructure and the public internet or private network locations that provide deployment artifacts and resources. When network connectivity is slower than 120 Mbps (for example, when connecting through a proxy) the cluster installation process times out and deployment fails.
After cluster deployment, network requirements are determined by your workload. However, a minimum bandwidth of 120 Mbps helps to ensure timely cluster and operator upgrades.
1.5.2. Firewall
- Configure your firewall to allow access to the domains and ports listed in AWS firewall prerequisites.
1.5.3. Create VPC before cluster deployment
Red Hat OpenShift Service on AWS clusters must be deployed into an existing AWS Virtual Private Cloud (VPC).
Installing a new Red Hat OpenShift Service on AWS cluster into a VPC that was automatically created by the installer for a different cluster is not supported.
Your VPC must meet the requirements shown in the following table.

| Requirement | Details |
|---|---|
| VPC name | You need the specific VPC name and ID when creating your cluster. |
| CIDR range | Your VPC CIDR range should match your machine CIDR. |
| Availability zones | You need one availability zone for a single-zone cluster and three availability zones for a multi-zone cluster. |
| Public subnet | You must have one public subnet with a NAT gateway for public clusters. Private clusters do not need a public subnet. |
| DNS hostname and resolution | You must ensure that DNS hostnames and DNS resolution are enabled. |
1.5.4. Additional custom security groups
During cluster creation, you can add additional custom security groups to a cluster that has an existing non-managed VPC. To do so, complete these prerequisites before you create the cluster:
- Create the custom security groups in AWS before you create the cluster.
- Associate the custom security groups with the VPC that you are using to create the cluster. Do not associate the custom security groups with any other VPC.
- You may need to request additional AWS quota for Security groups per network interface.
For more information, see the requirements for Security groups.
1.5.5. Custom DNS and domains
You can configure a custom domain name server and custom domain name for your cluster. To do so, complete the following prerequisites before you create the cluster:
- By default, Red Hat OpenShift Service on AWS clusters require you to set the domain name servers option to AmazonProvidedDNS to ensure successful cluster creation and operation.
- To use a custom DNS server and domain name for your cluster, the Red Hat OpenShift Service on AWS installer must be able to use VPC DNS with default DHCP options so that it can resolve internal IPs and services. This means that you must create a custom DHCP option set to forward DNS lookups to your DNS server, and associate this option set with your VPC before you create the cluster.
- Confirm that your VPC is using VPC Resolver by running the following command:
  $ aws ec2 describe-dhcp-options
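On its own, aws ec2 describe-dhcp-options lists every DHCP option set in the region, so the set that actually applies to your VPC has to be found through the VPC's DhcpOptionsId. The following POSIX shell functions are an added example (not part of the Red Hat documentation) that does that lookup and reports whether the domain name servers option is AmazonProvidedDNS; they assume the AWS CLI is signed in, a VPC ID is passed in by the caller, and the function names are my own.

```shell
#!/bin/sh
# Added example: check the DHCP option set attached to a VPC (not Red Hat code).
# Assumes `aws` is installed and signed in; the VPC ID is passed as $1.

# Print the ID of the DHCP option set associated with the given VPC.
vpc_dhcp_options_id() {
    aws ec2 describe-vpcs --vpc-ids "$1" \
        --query 'Vpcs[0].DhcpOptionsId' --output text
}

# Print the domain-name-servers values of a DHCP option set, one per line.
# `--output text` joins list values with tabs, so they are split onto lines.
dhcp_domain_name_servers() {
    aws ec2 describe-dhcp-options --dhcp-options-ids "$1" \
        --query "DhcpOptions[0].DhcpConfigurations[?Key=='domain-name-servers'].Values[].Value" \
        --output text | tr '\t' '\n'
}

# Return 0 when the VPC resolves through AmazonProvidedDNS, 1 when it points
# at custom servers (the case that needs a forwarding DHCP option set as
# described above), and 2 when the lookup itself fails.
vpc_uses_amazon_dns() {
    opts=$(vpc_dhcp_options_id "$1") || return 2
    case "$opts" in
        ""|None) echo "VPC $1 has no DHCP option set" >&2; return 2 ;;
    esac
    servers=$(dhcp_domain_name_servers "$opts") || return 2
    for s in $servers; do
        [ "$s" = "AmazonProvidedDNS" ] && return 0
    done
    echo "VPC $1 ($opts) uses custom domain-name-servers: $servers" >&2
    return 1
}
```

Call it as vpc_uses_amazon_dns vpc-<your id> before creating the cluster; a return code of 1 means the VPC will need the custom DHCP option set described above.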