Installing on AWS
Installing OpenShift Container Platform on Amazon Web Services
Abstract
Chapter 1. Installation methods
You can install OpenShift Container Platform on Amazon Web Services (AWS) using installer-provisioned or user-provisioned infrastructure. The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster. You can also install OpenShift Container Platform on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself. You can also install OpenShift Container Platform on a single node, which is a specialized installation method that is ideal for edge computing environments.
1.1. Installing a cluster on installer-provisioned infrastructure
You can install a cluster on AWS infrastructure that is provisioned by the OpenShift Container Platform installation program, by using one of the following methods:
- Installing a cluster quickly on AWS: You can install OpenShift Container Platform on AWS infrastructure that is provisioned by the OpenShift Container Platform installation program. You can install a cluster quickly by using the default configuration options.
- Installing a customized cluster on AWS: You can install a customized cluster on AWS infrastructure that the installation program provisions. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available post-installation.
- Installing a cluster on AWS with network customizations: You can customize your OpenShift Container Platform network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements.
- Installing a cluster on AWS in a restricted network: You can install OpenShift Container Platform on AWS on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components.
- Installing a cluster on an existing Virtual Private Cloud: You can install OpenShift Container Platform on an existing AWS Virtual Private Cloud (VPC). You can use this installation method if you have constraints set by the guidelines of your company, such as limits when creating new accounts or infrastructure.
- Installing a private cluster on an existing VPC: You can install a private cluster on an existing AWS VPC. You can use this method to deploy OpenShift Container Platform on an internal network that is not visible to the internet.
- Installing a cluster on AWS into a government or secret region: OpenShift Container Platform can be deployed into AWS regions that are specifically designed for US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that must run sensitive workloads in the cloud.
1.2. Installing a cluster on user-provisioned infrastructure
You can install a cluster on AWS infrastructure that you provision, by using one of the following methods:
- Installing a cluster on AWS infrastructure that you provide: You can install OpenShift Container Platform on AWS infrastructure that you provide. You can use the provided CloudFormation templates to create stacks of AWS resources that represent each of the components required for an OpenShift Container Platform installation.
- Installing a cluster on AWS in a restricted network with user-provisioned infrastructure: You can install OpenShift Container Platform on AWS infrastructure that you provide by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components. You can also use this installation method to ensure that your clusters only use container images that satisfy your organizational controls on external content. While you can install OpenShift Container Platform by using the mirrored content, your cluster still requires internet access to use the AWS APIs.
1.3. Installing a cluster on a single node
				Installing OpenShift Container Platform on a single node alleviates some of the requirements for high availability and large scale clusters. However, you must address the requirements for installing on a single node, and the additional requirements for installing single-node OpenShift on a cloud provider. After addressing the requirements for single node installation, use the Installing a customized cluster on AWS procedure to install the cluster. The installing single-node OpenShift manually section contains an exemplary install-config.yaml file when installing an OpenShift Container Platform cluster on a single node.
			
Chapter 2. Configuring an AWS account
Before you can install OpenShift Container Platform, you must configure an Amazon Web Services (AWS) account.
2.1. Configuring Route 53
To install OpenShift Container Platform, the Amazon Web Services (AWS) account you use must have a dedicated public hosted zone in your Route 53 service. This zone must be authoritative for the domain. The Route 53 service provides cluster DNS resolution and name lookup for external connections to the cluster.
Procedure
- Identify your domain, or subdomain, and registrar. You can transfer an existing domain and registrar or obtain a new one through AWS or another source. Note- If you purchase a new domain through AWS, it takes time for the relevant DNS changes to propagate. For more information about purchasing domains through AWS, see Registering Domain Names Using Amazon Route 53 in the AWS documentation. 
- If you are using an existing domain and registrar, migrate its DNS to AWS. See Making Amazon Route 53 the DNS Service for an Existing Domain in the AWS documentation.
- Create a public hosted zone for your domain or subdomain. See Creating a Public Hosted Zone in the AWS documentation. - Use an appropriate root domain, such as - openshiftcorp.com, or subdomain, such as- clusters.openshiftcorp.com.
- Extract the new authoritative name servers from the hosted zone records. See Getting the Name Servers for a Public Hosted Zone in the AWS documentation.
- Update the registrar records for the AWS Route 53 name servers that your domain uses. For example, if you registered your domain to a Route 53 service in a different accounts, see the following topic in the AWS documentation: Adding or Changing Name Servers or Glue Records.
- If you are using a subdomain, add its delegation records to the parent domain. This gives Amazon Route 53 responsibility for the subdomain. Follow the delegation procedure outlined by the DNS provider of the parent domain. See Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain in the AWS documentation for an example high level procedure.
2.1.1. Ingress Operator endpoint configuration for AWS Route 53
					If you install in either Amazon Web Services (AWS) GovCloud (US) US-West or US-East region, the Ingress Operator uses us-gov-west-1 region for Route53 and tagging API clients.
				
					The Ingress Operator uses https://tagging.us-gov-west-1.amazonaws.com as the tagging API endpoint if a tagging custom endpoint is configured that includes the string 'us-gov-east-1'.
				
For more information on AWS GovCloud (US) endpoints, see the Service Endpoints in the AWS documentation about GovCloud (US).
						Private, disconnected installations are not supported for AWS GovCloud when you install in the us-gov-east-1 region.
					
Example Route 53 configuration
- 1
- Route 53 defaults tohttps://route53.us-gov.amazonaws.comfor both AWS GovCloud (US) regions.
- 2
- Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region.
2.2. AWS account limits
The OpenShift Container Platform cluster uses a number of Amazon Web Services (AWS) components, and the default Service Limits affect your ability to install OpenShift Container Platform clusters. If you use certain cluster configurations, deploy your cluster in certain AWS regions, or run multiple clusters from your account, you might need to request additional resources for your AWS account.
The following table summarizes the AWS components whose limits can impact your ability to install and run OpenShift Container Platform clusters.
| Component | Number of clusters available by default | Default AWS limit | Description | 
|---|---|---|---|
| Instance Limits | Varies | Varies | By default, each cluster creates the following instances: 
 These instance type counts are within a new account’s default limit. To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, review your account limits to ensure that your cluster can deploy the machines that you need. 
								In most regions, the worker machines use an  | 
| Elastic IPs (EIPs) | 0 to 1 | 5 EIPs per account | To provision the cluster in a highly available configuration, the installation program creates a public and private subnet for each availability zone within a region. Each private subnet requires a NAT Gateway, and each NAT gateway requires a separate elastic IP. Review the AWS region map to determine how many availability zones are in each region. To take advantage of the default high availability, install the cluster in a region with at least three availability zones. To install a cluster in a region with more than five availability zones, you must increase the EIP limit. Important 
									To use the  | 
| Virtual Private Clouds (VPCs) | 5 | 5 VPCs per region | Each cluster creates its own VPC. | 
| Elastic Load Balancing (ELB/NLB) | 3 | 20 per region | 
								By default, each cluster creates internal and external network load balancers for the master API server and a single Classic Load Balancer for the router. Deploying more Kubernetes  | 
| NAT Gateways | 5 | 5 per availability zone | The cluster deploys one NAT gateway in each availability zone. | 
| Elastic Network Interfaces (ENIs) | At least 12 | 350 per region | 
								The default installation creates 21 ENIs and an ENI for each availability zone in your region. For example, the  Additional ENIs are created for additional machines and ELB load balancers that are created by cluster usage and deployed workloads. | 
| VPC Gateway | 20 | 20 per account | Each cluster creates a single VPC Gateway for S3 access. | 
| S3 buckets | 99 | 100 buckets per account | Because the installation process creates a temporary bucket and the registry component in each cluster creates a bucket, you can create only 99 OpenShift Container Platform clusters per AWS account. | 
| Security Groups | 250 | 2,500 per account | Each cluster creates 10 distinct security groups. | 
2.3. Required AWS permissions for the IAM user
					Your IAM user must have the permission tag:GetResources in the region us-east-1 to delete the base cluster resources. As part of the AWS API requirement, the OpenShift Container Platform installation program performs various actions in this region.
				
				When you attach the AdministratorAccess policy to the IAM user that you create in Amazon Web Services (AWS), you grant that user all of the required permissions. To deploy all components of an OpenShift Container Platform cluster, the IAM user requires the following permissions:
			
Example 2.1. Required EC2 permissions for installation
- 
							ec2:AttachNetworkInterface
- 
							ec2:AuthorizeSecurityGroupEgress
- 
							ec2:AuthorizeSecurityGroupIngress
- 
							ec2:CopyImage
- 
							ec2:CreateNetworkInterface
- 
							ec2:CreateSecurityGroup
- 
							ec2:CreateTags
- 
							ec2:CreateVolume
- 
							ec2:DeleteSecurityGroup
- 
							ec2:DeleteSnapshot
- 
							ec2:DeleteTags
- 
							ec2:DeregisterImage
- 
							ec2:DescribeAccountAttributes
- 
							ec2:DescribeAddresses
- 
							ec2:DescribeAvailabilityZones
- 
							ec2:DescribeDhcpOptions
- 
							ec2:DescribeImages
- 
							ec2:DescribeInstanceAttribute
- 
							ec2:DescribeInstanceCreditSpecifications
- 
							ec2:DescribeInstances
- 
							ec2:DescribeInstanceTypes
- 
							ec2:DescribeInternetGateways
- 
							ec2:DescribeKeyPairs
- 
							ec2:DescribeNatGateways
- 
							ec2:DescribeNetworkAcls
- 
							ec2:DescribeNetworkInterfaces
- 
							ec2:DescribePrefixLists
- 
							ec2:DescribePublicIpv4Pools(only required ifpublicIpv4Poolis specified ininstall-config.yaml)
- 
							ec2:DescribeRegions
- 
							ec2:DescribeRouteTables
- 
							ec2:DescribeSecurityGroupRules
- 
							ec2:DescribeSecurityGroups
- 
							ec2:DescribeSubnets
- 
							ec2:DescribeTags
- 
							ec2:DescribeVolumes
- 
							ec2:DescribeVpcAttribute
- 
							ec2:DescribeVpcClassicLink
- 
							ec2:DescribeVpcClassicLinkDnsSupport
- 
							ec2:DescribeVpcEndpoints
- 
							ec2:DescribeVpcs
- 
							ec2:DisassociateAddress(only required ifpublicIpv4Poolis specified ininstall-config.yaml)
- 
							ec2:GetEbsDefaultKmsKeyId
- 
							ec2:ModifyInstanceAttribute
- 
							ec2:ModifyNetworkInterfaceAttribute
- 
							ec2:RevokeSecurityGroupEgress
- 
							ec2:RevokeSecurityGroupIngress
- 
							ec2:RunInstances
- 
							ec2:TerminateInstances
Example 2.2. Required permissions for creating network resources during installation
- 
							ec2:AllocateAddress
- 
							ec2:AssociateAddress
- 
							ec2:AssociateDhcpOptions
- 
							ec2:AssociateRouteTable
- 
							ec2:AttachInternetGateway
- 
							ec2:CreateDhcpOptions
- 
							ec2:CreateInternetGateway
- 
							ec2:CreateNatGateway
- 
							ec2:CreateRoute
- 
							ec2:CreateRouteTable
- 
							ec2:CreateSubnet
- 
							ec2:CreateVpc
- 
							ec2:CreateVpcEndpoint
- 
							ec2:ModifySubnetAttribute
- 
							ec2:ModifyVpcAttribute
If you use an existing Virtual Private Cloud (VPC), your account does not require these permissions for creating network resources.
Example 2.3. Required Elastic Load Balancing permissions (ELB) for installation
- 
							elasticloadbalancing:AddTags
- 
							elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
- 
							elasticloadbalancing:AttachLoadBalancerToSubnets
- 
							elasticloadbalancing:ConfigureHealthCheck
- 
							elasticloadbalancing:CreateListener
- 
							elasticloadbalancing:CreateLoadBalancer
- 
							elasticloadbalancing:CreateLoadBalancerListeners
- 
							elasticloadbalancing:CreateTargetGroup
- 
							elasticloadbalancing:DeleteLoadBalancer
- 
							elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- 
							elasticloadbalancing:DeregisterTargets
- 
							elasticloadbalancing:DescribeInstanceHealth
- 
							elasticloadbalancing:DescribeListeners
- 
							elasticloadbalancing:DescribeLoadBalancerAttributes
- 
							elasticloadbalancing:DescribeLoadBalancers
- 
							elasticloadbalancing:DescribeTags
- 
							elasticloadbalancing:DescribeTargetGroupAttributes
- 
							elasticloadbalancing:DescribeTargetHealth
- 
							elasticloadbalancing:ModifyLoadBalancerAttributes
- 
							elasticloadbalancing:ModifyTargetGroup
- 
							elasticloadbalancing:ModifyTargetGroupAttributes
- 
							elasticloadbalancing:RegisterInstancesWithLoadBalancer
- 
							elasticloadbalancing:RegisterTargets
- 
							elasticloadbalancing:SetLoadBalancerPoliciesOfListener
- 
							elasticloadbalancing:SetSecurityGroups
						OpenShift Container Platform uses both the ELB and ELBv2 API services to provision load balancers. The permission list shows permissions required by both services. A known issue exists in the AWS web console where both services use the same elasticloadbalancing action prefix but do not recognize the same actions. You can ignore the warnings about the service not recognizing certain elasticloadbalancing actions.
					
Example 2.4. Required IAM permissions for installation
- 
							iam:AddRoleToInstanceProfile
- 
							iam:CreateInstanceProfile
- 
							iam:CreateRole
- 
							iam:DeleteInstanceProfile
- 
							iam:DeleteRole
- 
							iam:DeleteRolePolicy
- 
							iam:GetInstanceProfile
- 
							iam:GetRole
- 
							iam:GetRolePolicy
- 
							iam:GetUser
- 
							iam:ListInstanceProfilesForRole
- 
							iam:ListRoles
- 
							iam:ListUsers
- 
							iam:PassRole
- 
							iam:PutRolePolicy
- 
							iam:RemoveRoleFromInstanceProfile
- 
							iam:SimulatePrincipalPolicy
- 
							iam:TagInstanceProfile
- 
							iam:TagRole
- 
								If you specify an existing IAM role in the install-config.yamlfile, the following IAM permissions are not required:iam:CreateRole,iam:DeleteRole,iam:DeleteRolePolicy, andiam:PutRolePolicy.
- 
								If you have not created a load balancer in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRolepermission.
Example 2.5. Required Route 53 permissions for installation
- 
							route53:ChangeResourceRecordSets
- 
							route53:ChangeTagsForResource
- 
							route53:CreateHostedZone
- 
							route53:DeleteHostedZone
- 
							route53:GetChange
- 
							route53:GetHostedZone
- 
							route53:ListHostedZones
- 
							route53:ListHostedZonesByName
- 
							route53:ListResourceRecordSets
- 
							route53:ListTagsForResource
- 
							route53:UpdateHostedZoneComment
Example 2.6. Required Amazon Simple Storage Service (S3) permissions for installation
- 
							s3:CreateBucket
- 
							s3:DeleteBucket
- 
							s3:GetAccelerateConfiguration
- 
							s3:GetBucketAcl
- 
							s3:GetBucketCors
- 
							s3:GetBucketLocation
- 
							s3:GetBucketLogging
- 
							s3:GetBucketObjectLockConfiguration
- 
							s3:GetBucketPolicy
- 
							s3:GetBucketRequestPayment
- 
							s3:GetBucketTagging
- 
							s3:GetBucketVersioning
- 
							s3:GetBucketWebsite
- 
							s3:GetEncryptionConfiguration
- 
							s3:GetLifecycleConfiguration
- 
							s3:GetReplicationConfiguration
- 
							s3:ListBucket
- 
							s3:PutBucketAcl
- 
							s3:PutBucketPolicy
- 
							s3:PutBucketTagging
- 
							s3:PutEncryptionConfiguration
Example 2.7. S3 permissions that cluster Operators require
- 
							s3:DeleteObject
- 
							s3:GetObject
- 
							s3:GetObjectAcl
- 
							s3:GetObjectTagging
- 
							s3:GetObjectVersion
- 
							s3:PutObject
- 
							s3:PutObjectAcl
- 
							s3:PutObjectTagging
Example 2.8. Required permissions to delete base cluster resources
- 
							autoscaling:DescribeAutoScalingGroups
- 
							ec2:DeleteNetworkInterface
- 
							ec2:DeletePlacementGroup
- 
							ec2:DeleteVolume
- 
							elasticloadbalancing:DeleteTargetGroup
- 
							elasticloadbalancing:DescribeTargetGroups
- 
							iam:DeleteAccessKey
- 
							iam:DeleteUser
- 
							iam:DeleteUserPolicy
- 
							iam:ListAttachedRolePolicies
- 
							iam:ListInstanceProfiles
- 
							iam:ListRolePolicies
- 
							iam:ListUserPolicies
- 
							s3:DeleteObject
- 
							s3:ListBucketVersions
- 
							tag:GetResources
Example 2.9. Required permissions to delete network resources
- 
							ec2:DeleteDhcpOptions
- 
							ec2:DeleteInternetGateway
- 
							ec2:DeleteNatGateway
- 
							ec2:DeleteRoute
- 
							ec2:DeleteRouteTable
- 
							ec2:DeleteSubnet
- 
							ec2:DeleteVpc
- 
							ec2:DeleteVpcEndpoints
- 
							ec2:DetachInternetGateway
- 
							ec2:DisassociateRouteTable
- 
							ec2:ReleaseAddress
- 
							ec2:ReplaceRouteTableAssociation
						If you use an existing VPC, your account does not require these permissions to delete network resources. Instead, your account only requires the tag:UntagResources permission to delete network resources.
					
Example 2.10. Optional permissions for installing a cluster with a custom Key Management Service (KMS) key
- 
							kms:CreateGrant
- 
							kms:Decrypt
- 
							kms:DescribeKey
- 
							kms:Encrypt
- 
							kms:GenerateDataKey
- 
							kms:GenerateDataKeyWithoutPlainText
- 
							kms:ListGrants
- 
							kms:RevokeGrant
Example 2.11. Required permissions to delete a cluster with shared instance roles
- 
							iam:UntagRole
Example 2.12. Required permissions to delete a cluster with shared instance profiles
- 
							tag:UntagResources
Example 2.13. Additional IAM and S3 permissions that are required to create manifests
- 
							iam:GetUserPolicy
- 
							iam:ListAccessKeys
- 
							iam:PutUserPolicy
- 
							iam:TagUser
- 
							s3:AbortMultipartUpload
- 
							s3:GetBucketPublicAccessBlock
- 
							s3:ListBucket
- 
							s3:ListBucketMultipartUploads
- 
							s3:PutBucketPublicAccessBlock
- 
							s3:PutLifecycleConfiguration
						If you are managing your cloud provider credentials with mint mode, the IAM user also requires the iam:CreateAccessKey and iam:CreateUser permissions.
					
Example 2.14. Optional permissions for instance and quota checks for installation
- 
							ec2:DescribeInstanceTypeOfferings
- 
							servicequotas:ListAWSDefaultServiceQuotas
Example 2.15. Optional permissions for the cluster owner account when installing a cluster on a shared VPC
- 
							sts:AssumeRole
Example 2.16. Required permissions for enabling Bring your own public IPv4 addresses (BYOIP) feature for installation
- 
							ec2:DescribePublicIpv4Pools
- 
							ec2:DisassociateAddress
2.4. Creating an IAM user
Each Amazon Web Services (AWS) account contains a root user account that is based on the email address you used to create the account.
This is a highly-privileged account, and it is recommended to use it for only initial account and billing configuration, creating an initial set of users, and securing the account.
Before you install OpenShift Container Platform, create a secondary IAM administrative user. As you complete the Creating an IAM User in Your AWS Account procedure in the AWS documentation, set the following options:
Procedure
- 
						Specify the IAM user name and select Programmatic access.
- Attach the - AdministratorAccesspolicy to ensure that the account has sufficient permission to create the cluster. This policy provides the cluster with the ability to grant credentials to each OpenShift Container Platform component. The cluster grants the components only the credentials that they require.Note- While it is possible to create a policy that grants the all of the required AWS permissions and attach it to the user, this is not the preferred option. The cluster will not have the ability to grant additional credentials to individual components, so the same credentials are used by all components. 
- Optional: Add metadata to the user by attaching tags.
- 
						Confirm that the user name that you specified is granted the AdministratorAccesspolicy.
- Record the access key ID and secret access key values. You must use these values when you configure your local machine to run the installation program. Important- You cannot use a temporary session token that you generated while using a multi-factor authentication device to authenticate to AWS when you deploy a cluster. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. 
2.5. IAM Policies and AWS authentication
By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate.
					To enable pulling images from the Amazon Elastic Container Registry (ECR) as a postinstallation task in a single-node OpenShift cluster, you must add the AmazonEC2ContainerRegistryReadOnly policy to the IAM role associated with the cluster’s control plane role.
				
However, you can create your own IAM roles and specify them as part of the installation process. You might need to specify your own roles to deploy the cluster or to manage the cluster after installation. For example:
- Your organization’s security policies require that you use a more restrictive set of permissions to install the cluster.
- After the installation, the cluster is configured with an Operator that requires access to additional services.
If you choose to specify your own IAM roles, you can take the following steps:
- Begin with the default policies and adapt as required. For more information, see "Default permissions for IAM instance profiles".
- To create a policy template that is based on the cluster’s activity, see "Using AWS IAM Analyzer to create policy templates".
2.5.1. Default permissions for IAM instance profiles
By default, the installation program creates IAM instance profiles for the bootstrap, control plane and worker instances with the necessary permissions for the cluster to operate.
The following lists specify the default permissions for control plane and compute machines:
Example 2.17. Default IAM role permissions for control plane instance profiles
- 
								ec2:AttachVolume
- 
								ec2:AuthorizeSecurityGroupIngress
- 
								ec2:CreateSecurityGroup
- 
								ec2:CreateTags
- 
								ec2:CreateVolume
- 
								ec2:DeleteSecurityGroup
- 
								ec2:DeleteVolume
- 
								ec2:Describe*
- 
								ec2:DetachVolume
- 
								ec2:ModifyInstanceAttribute
- 
								ec2:ModifyVolume
- 
								ec2:RevokeSecurityGroupIngress
- 
								elasticloadbalancing:AddTags
- 
								elasticloadbalancing:AttachLoadBalancerToSubnets
- 
								elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
- 
								elasticloadbalancing:CreateListener
- 
								elasticloadbalancing:CreateLoadBalancer
- 
								elasticloadbalancing:CreateLoadBalancerPolicy
- 
								elasticloadbalancing:CreateLoadBalancerListeners
- 
								elasticloadbalancing:CreateTargetGroup
- 
								elasticloadbalancing:ConfigureHealthCheck
- 
								elasticloadbalancing:DeleteListener
- 
								elasticloadbalancing:DeleteLoadBalancer
- 
								elasticloadbalancing:DeleteLoadBalancerListeners
- 
								elasticloadbalancing:DeleteTargetGroup
- 
								elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- 
								elasticloadbalancing:DeregisterTargets
- 
								elasticloadbalancing:Describe*
- 
								elasticloadbalancing:DetachLoadBalancerFromSubnets
- 
								elasticloadbalancing:ModifyListener
- 
								elasticloadbalancing:ModifyLoadBalancerAttributes
- 
								elasticloadbalancing:ModifyTargetGroup
- 
								elasticloadbalancing:ModifyTargetGroupAttributes
- 
								elasticloadbalancing:RegisterInstancesWithLoadBalancer
- 
								elasticloadbalancing:RegisterTargets
- 
								elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
- 
								elasticloadbalancing:SetLoadBalancerPoliciesOfListener
- 
								kms:DescribeKey
Example 2.18. Default IAM role permissions for compute instance profiles
- 
								ec2:DescribeInstances
- 
								ec2:DescribeRegions
2.5.2. Specifying an existing IAM role
					Instead of allowing the installation program to create IAM instance profiles with the default permissions, you can use the install-config.yaml file to specify an existing IAM role for control plane and compute instances.
				
Prerequisites
- 
							You have an existing install-config.yamlfile.
Procedure
- Update - compute.platform.aws.iamRolewith an existing role for the compute machines.- Sample - install-config.yamlfile with an IAM role for compute instances- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Update - controlPlane.platform.aws.iamRolewith an existing role for the control plane machines.- Sample - install-config.yamlfile with an IAM role for control plane instances- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing the OpenShift Container Platform cluster.
To change or update an IAM account after the cluster has been installed, see RHOCP 4 AWS cloud-credentials access key is expired (Red Hat Knowledgebase).
2.5.3. Using AWS IAM Analyzer to create policy templates
The minimal set of permissions that the control plane and compute instance profiles require depends on how the cluster is configured for its daily operation.
One way to determine which permissions the cluster instances require is to use the AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) to create a policy template:
- A policy template contains the permissions the cluster has used over a specified period of time.
- You can then use the template to create policies with fine-grained permissions.
Procedure
The overall process could be:
- Ensure that CloudTrail is enabled. CloudTrail records all of the actions and events in your AWS account, including the API calls that are required to create a policy template. For more information, see the AWS documentation for working with CloudTrail.
- Create an instance profile for control plane instances and an instance profile for compute instances. Be sure to assign each role a permissive policy, such as PowerUserAccess. For more information, see the AWS documentation for creating instance profile roles.
- Install the cluster in a development environment and configure it as required. Be sure to deploy all of applications the cluster will host in a production environment.
- Test the cluster thoroughly. Testing the cluster ensures that all of the required API calls are logged.
- Use the IAM Access Analyzer to create a policy template for each instance profile. For more information, see the AWS documentation for generating policies based on the CloudTrail logs.
- Create and add a fine-grained policy to each instance profile.
- Remove the permissive policy from each instance profile.
- Deploy a production cluster using the existing instance profiles with the new policies.
You can add IAM Conditions to your policy to make it more restrictive and compliant with your organization security requirements.
2.6. Supported AWS Marketplace regions
Installing an OpenShift Container Platform cluster using an AWS Marketplace image is available to customers who purchase the offer in North America.
While the offer must be purchased in North America, you can deploy the cluster to any of the following supported paritions:
- Public
- GovCloud
Deploying a OpenShift Container Platform cluster using an AWS Marketplace image is not supported for the AWS secret regions or China regions.
2.7. Supported AWS regions
You can deploy an OpenShift Container Platform cluster to the following regions.
					Your IAM user must have the permission tag:GetResources in the region us-east-1 to delete the base cluster resources. As part of the AWS API requirement, the OpenShift Container Platform installation program performs various actions in this region.
				
2.7.1. AWS public regions
The following AWS public regions are supported:
- 
							af-south-1(Cape Town)
- 
							ap-east-1(Hong Kong)
- 
							ap-northeast-1(Tokyo)
- 
							ap-northeast-2(Seoul)
- 
							ap-northeast-3(Osaka)
- 
							ap-south-1(Mumbai)
- 
							ap-south-2(Hyderabad)
- 
							ap-southeast-1(Singapore)
- 
							ap-southeast-2(Sydney)
- 
							ap-southeast-3(Jakarta)
- 
							ap-southeast-4(Melbourne)
- 
							ap-southeast-5(Malaysia)
- 
							ap-southeast-7(Thailand)
- 
							ca-central-1(Central)
- 
							ca-west-1(Calgary)
- 
							eu-central-1(Frankfurt)
- 
							eu-central-2(Zurich)
- 
							eu-north-1(Stockholm)
- 
							eu-south-1(Milan)
- 
							eu-south-2(Spain)
- 
							eu-west-1(Ireland)
- 
							eu-west-2(London)
- 
							eu-west-3(Paris)
- 
							il-central-1(Tel Aviv)
- 
							me-central-1(UAE)
- 
							me-south-1(Bahrain)
- 
							sa-east-1(São Paulo)
- 
							us-east-1(N. Virginia)
- 
							us-east-2(Ohio)
- 
							us-west-1(N. California)
- 
							us-west-2(Oregon)
2.7.2. AWS GovCloud regions
The following AWS GovCloud regions are supported:
- 
							us-gov-west-1
- 
							us-gov-east-1
2.7.3. AWS SC2S and C2S secret regions
The following AWS secret regions are supported:
- 
							us-isob-east-1Secret Commercial Cloud Services (SC2S)
- 
							us-iso-east-1Commercial Cloud Services (C2S)
2.7.4. AWS China regions
The following AWS China regions are supported:
- 
							cn-north-1(Beijing)
- 
							cn-northwest-1(Ningxia)
2.8. Next steps
- Install an OpenShift Container Platform cluster: - Quickly install a cluster with default options on installer-provisioned infrastructure
- Install a cluster with cloud customizations on installer-provisioned infrastructure
- Install a cluster with network customizations on installer-provisioned infrastructure
- Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates
 
Chapter 3. Installer-provisioned infrastructure
3.1. Preparing to install a cluster on AWS
You prepare to install an OpenShift Container Platform cluster on AWS by completing the following steps:
- Verifying internet connectivity for your cluster.
- Configuring an AWS account.
- Downloading the installation program. Note- If you are installing in a disconnected environment, you extract the installation program from the mirrored content. For more information, see Mirroring images for a disconnected installation. 
- Installing the OpenShift CLI ( - oc).Note- If you are installing in a disconnected environment, install - octo the mirror host.
- Generating an SSH key pair. You can use this key pair to authenticate into the OpenShift Container Platform cluster’s nodes after it is deployed.
- 
						If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-systemnamespace, manually creating long-term credentials for AWS or configuring an AWS cluster to use short-term credentials with Amazon Web Services Security Token Service (AWS STS).
3.1.1. Internet access for OpenShift Container Platform
In OpenShift Container Platform 4.18, you require access to the internet to install your cluster.
You must have internet access to perform the following actions:
- Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
- Access Quay.io to obtain the packages that are required to install your cluster.
- Obtain the packages that are required to perform cluster updates.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
3.1.2. Obtaining the installation program
Before you install OpenShift Container Platform, download the installation file on the host you are using for installation.
Prerequisites
- You have a computer that runs Linux or macOS, with 500 MB of local disk space.
Procedure
- Go to the Cluster Type page on the Red Hat Hybrid Cloud Console. If you have a Red Hat account, log in with your credentials. If you do not, create an account. Tip
- Select your infrastructure provider from the Run it yourself section of the page.
- Select your host operating system and architecture from the dropdown menus under OpenShift Installer and click Download Installer.
- Place the downloaded file in the directory where you want to store the installation configuration files. Important- The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both of the files are required to delete the cluster.
- Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider.
 
- Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command: - tar -xvf openshift-install-linux.tar.gz - $ tar -xvf openshift-install-linux.tar.gz- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Download your installation pull secret from Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
Alternatively, you can retrieve the installation program from the Red Hat Customer Portal, where you can specify a version of the installation program to download. However, you must have an active subscription to access this page.
3.1.3. Installing the OpenShift CLI
					You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
				
						If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.18. Download and install the new version of oc.
					
3.1.3.1. Installing the OpenShift CLI on Linux
						You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the architecture from the Product Variant drop-down list.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Linux Clients entry and save the file.
- Unpack the archive: - tar xvf <file> - $ tar xvf <file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Place the - ocbinary in a directory that is on your- PATH.- To check your - PATH, execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.1.3.2. Installing the OpenShift CLI on Windows
						You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the - ocbinary to a directory that is on your- PATH.- To check your - PATH, open the command prompt and execute the following command:- path - C:\> path- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - C:\> oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.1.3.3. Installing the OpenShift CLI on macOS
						You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 macOS Clients entry and save the file. Note- For macOS arm64, choose the OpenShift v4.18 macOS arm64 Client entry. 
- Unpack and unzip the archive.
- Move the - ocbinary to a directory on your PATH.- To check your - PATH, open a terminal and execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify your installation by using an - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.1.4. Generating a key pair for cluster node SSH access
					During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.
				
					After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
				
					If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.
				
Do not skip this procedure in production environments, where disaster recovery and debugging is required.
You must use a local key, not one that you configured with platform-specific approaches.
Procedure
- If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command: - ssh-keygen -t ed25519 -N '' -f <path>/<file_name> - $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path and file name, such as~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in the your~/.sshdirectory.
 Note- If you plan to install an OpenShift Container Platform cluster that uses the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the - x86_64,- ppc64le, and- s390xarchitectures, do not create a key that uses the- ed25519algorithm. Instead, create a key that uses the- rsaor- ecdsaalgorithm.
- View the public SSH key: - cat <path>/<file_name>.pub - $ cat <path>/<file_name>.pub- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example, run the following to view the - ~/.ssh/id_ed25519.pubpublic key:- cat ~/.ssh/id_ed25519.pub - $ cat ~/.ssh/id_ed25519.pub- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the - ./openshift-install gathercommand.Note- On some distributions, default SSH private key identities such as - ~/.ssh/id_rsaand- ~/.ssh/id_dsaare managed automatically.- If the - ssh-agentprocess is not already running for your local user, start it as a background task:- eval "$(ssh-agent -s)" - $ eval "$(ssh-agent -s)"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Agent pid 31874 - Agent pid 31874- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA. 
 
- Add your SSH private key to the - ssh-agent:- ssh-add <path>/<file_name> - $ ssh-add <path>/<file_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path and file name for your SSH private key, such as~/.ssh/id_ed25519
 - Example output - Identity added: /home/<you>/<path>/<file_name> (<computer_name>) - Identity added: /home/<you>/<path>/<file_name> (<computer_name>)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- When you install OpenShift Container Platform, provide the SSH public key to the installation program.
3.1.5. Telemetry access for OpenShift Container Platform
In OpenShift Container Platform 4.18, the Telemetry service, which runs by default to provide metrics about cluster health and the success of updates, requires internet access. If your cluster is connected to the internet, Telemetry runs automatically, and your cluster is registered to OpenShift Cluster Manager.
After you confirm that your OpenShift Cluster Manager inventory is correct, either maintained automatically by Telemetry or manually by using OpenShift Cluster Manager, use subscription watch to track your OpenShift Container Platform subscriptions at the account or multi-cluster level.
3.2. Installing a cluster on AWS
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) that uses the default configuration options.
3.2.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.2.2. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When specifying the directory: - 
									Verify that the directory has the executepermission. This permission is required to run Terraform binaries under the installation directory.
- Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
 
- 
									Verify that the directory has the 
- Provide values at the prompts: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select aws as the platform to target.
- If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. Note- The AWS access key ID and secret access key are stored in - ~/.aws/credentialsin the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.
- Select the AWS region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
- Paste the pull secret from Red Hat OpenShift Cluster Manager.
 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.2.3. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.2.4. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.2.5. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
3.3. Installing a cluster on AWS with customizations
				In OpenShift Container Platform version 4.18, you can install a customized cluster on infrastructure that the installation program provisions on Amazon Web Services (AWS). To customize the installation, you modify parameters in the install-config.yaml file before you install the cluster.
			
The scope of the OpenShift Container Platform installation configurations is intentionally narrow. It is designed for simplicity and ensured success. You can complete many more OpenShift Container Platform configuration tasks after an installation completes.
3.3.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.3.2. Obtaining an AWS Marketplace image
If you are deploying an OpenShift Container Platform cluster using an AWS Marketplace image, you must first subscribe through AWS. Subscribing to the offer provides you with the AMI ID that the installation program uses to deploy compute nodes.
You should only modify the RHCOS image for compute machines to use an AWS Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your AWS bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the AWS Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- You have an AWS account to purchase the offer. This account does not have to be the same account that is used to install the cluster.
Procedure
- Complete the OpenShift Container Platform subscription from the AWS Marketplace.
- Record the AMI ID for your specific AWS Region. As part of the installation process, you must update the - install-config.yamlfile with this value before deploying the cluster.- Sample - install-config.yamlfile with AWS Marketplace compute nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.3.3. Creating the installation configuration file
You can customize the OpenShift Container Platform cluster you install on Amazon Web Services (AWS).
Prerequisites
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 - When specifying the directory: - 
											Verify that the directory has the executepermission. This permission is required to run Terraform binaries under the installation directory.
- Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select AWS as the platform to target.
- If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
- Select the AWS region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
 
 
- Modify the - install-config.yamlfile. You can find more information about the available parameters in the "Installation configuration parameters" section.Note- If you are installing a three-node cluster, be sure to set the - compute.replicasparameter to- 0. This ensures that the cluster’s control planes are schedulable. For more information, see "Installing a three-node cluster on AWS".
- Back up the - install-config.yamlfile so that you can use it to install multiple clusters.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.3.3.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.3.3.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.1. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.3.3.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.2. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.3.3.4. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.3.3.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.3.4. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.3.4.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.3.4.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.3.4.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.3.4.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.3.4.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.3.4.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.3.4.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.3.5. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.3.6. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.3.7. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.3.8. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
3.4. Installing a cluster on AWS with network customizations
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) with customized network configuration options. By customizing your network configuration, your cluster can coexist with existing IP address allocations in your environment and integrate with existing MTU and VXLAN configurations.
				You must set most of the network configuration parameters during installation, and you can modify only kubeProxy configuration parameters in a running cluster.
			
3.4.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.4.2. Network configuration phases
There are two phases prior to OpenShift Container Platform installation where you can customize the network configuration.
- Phase 1
- You can customize the following network-related fields in the - install-config.yamlfile before you create the manifest files:- 
										networking.networkType
- 
										networking.clusterNetwork
- 
										networking.serviceNetwork
- 
										networking.machineNetwork
- nodeNetworking- For more information, see "Installation configuration parameters". Note- Set the - networking.machineNetworkto match the Classless Inter-Domain Routing (CIDR) where the preferred subnet is located.Important- The CIDR range - 172.17.0.0/16is reserved by- libVirt. You cannot use any other CIDR range that overlaps with the- 172.17.0.0/16CIDR range for networks in your cluster.
 
- 
										
- Phase 2
- 
								After creating the manifest files by running openshift-install create manifests, you can define a customized Cluster Network Operator manifest with only the fields you want to modify. You can use the manifest to specify an advanced network configuration.
					During phase 2, you cannot override the values that you specified in phase 1 in the install-config.yaml file. However, you can customize the network plugin during phase 2.
				
3.4.3. Creating the installation configuration file
You can customize the OpenShift Container Platform cluster you install on Amazon Web Services (AWS).
Prerequisites
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 - When specifying the directory: - 
											Verify that the directory has the executepermission. This permission is required to run Terraform binaries under the installation directory.
- Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select AWS as the platform to target.
- If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
- Select the AWS region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
 
 
- 
							Modify the install-config.yamlfile. You can find more information about the available parameters in the "Installation configuration parameters" section.
- Back up the - install-config.yamlfile so that you can use it to install multiple clusters.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.4.3.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.4.3.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.3. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.4.3.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.4. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.4.3.4. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.4.3.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.4.4. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.4.4.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.4.4.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.4.4.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.4.4.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.4.4.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.4.4.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.4.4.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.4.5. Cluster Network Operator configuration
					The configuration for the cluster network is specified as part of the Cluster Network Operator (CNO) configuration and stored in a custom resource (CR) object that is named cluster. The CR specifies the fields for the Network API in the operator.openshift.io API group.
				
					The CNO configuration inherits the following fields during cluster installation from the Network API in the Network.config.openshift.io API group:
				
- clusterNetwork
- IP address pools from which pod IP addresses are allocated.
- serviceNetwork
- IP address pool for services.
- defaultNetwork.type
- 
								Cluster network plugin. OVNKubernetesis the only supported plugin during installation.
					You can specify the cluster network plugin configuration for your cluster by setting the fields for the defaultNetwork object in the CNO object named cluster.
				
3.4.5.1. Cluster Network Operator configuration object
The fields for the Cluster Network Operator (CNO) are described in the following table:
| Field | Type | Description | 
|---|---|---|
| 
										 | 
										 | 
										The name of the CNO object. This name is always  | 
| 
										 | 
										 | A list specifying the blocks of IP addresses from which pod IP addresses are allocated and the subnet prefix length assigned to each individual node in the cluster. For example: | 
| 
										 | 
										 | A block of IP addresses for services. The OVN-Kubernetes network plugin supports only a single IP address block for the service network. For example: spec: serviceNetwork: - 172.30.0.0/14 
										You can customize this field only in the  | 
| 
										 | 
										 | Configures the network plugin for the cluster network. | 
| 
										 | 
										 | The fields for this object specify the kube-proxy configuration. If you are using the OVN-Kubernetes cluster network plugin, the kube-proxy configuration has no effect. | 
							For a cluster that needs to deploy objects across multiple networks, ensure that you specify the same value for the clusterNetwork.hostPrefix parameter for each network type that is defined in the install-config.yaml file. Setting a different value for each clusterNetwork.hostPrefix parameter can impact the OVN-Kubernetes network plugin, where the plugin cannot effectively route object traffic among different nodes.
						
3.4.5.1.1. defaultNetwork object configuration
							The values for the defaultNetwork object are defined in the following table:
						
| Field | Type | Description | 
|---|---|---|
| 
											 | 
											 | 
											 Note OpenShift Container Platform uses the OVN-Kubernetes network plugin by default. | 
| 
											 | 
											 | This object is only valid for the OVN-Kubernetes network plugin. | 
3.4.5.1.1.1. Configuration for the OVN-Kubernetes network plugin
The following table describes the configuration fields for the OVN-Kubernetes network plugin:
| Field | Type | Description | 
|---|---|---|
| 
												 | 
												 | The maximum transmission unit (MTU) for the Geneve (Generic Network Virtualization Encapsulation) overlay network. This is detected automatically based on the MTU of the primary network interface. You do not normally need to override the detected MTU. If the auto-detected value is not what you expect it to be, confirm that the MTU on the primary network interface on your nodes is correct. You cannot use this option to change the MTU value of the primary network interface on the nodes. 
												If your cluster requires different MTU values for different nodes, you must set this value to  | 
| 
												 | 
												 | 
												The port to use for all Geneve packets. The default value is  | 
| 
												 | 
												 | Specify a configuration object for customizing the IPsec configuration. | 
| 
												 | 
												 | Specifies a configuration object for IPv4 settings. | 
| 
												 | 
												 | Specifies a configuration object for IPv6 settings. | 
| 
												 | 
												 | Specify a configuration object for customizing network policy audit logging. If unset, the defaults audit log settings are used. | 
| 
												 | 
												 | 
												Optional: Specify a configuration object for customizing how egress traffic is sent to the node gateway. Valid values are  Note While migrating egress traffic, you can expect some disruption to workloads and service traffic until the Cluster Network Operator (CNO) successfully rolls out the changes. | 
| Field | Type | Description | 
|---|---|---|
| 
												 | string | 
												If your existing network infrastructure overlaps with the  
												The default value is  | 
| 
												 | string | 
												If your existing network infrastructure overlaps with the  
												The default value is  | 
| Field | Type | Description | 
|---|---|---|
| 
												 | string | 
												If your existing network infrastructure overlaps with the  
												The default value is  | 
| 
												 | string | 
												If your existing network infrastructure overlaps with the  
												The default value is  | 
| Field | Type | Description | 
|---|---|---|
| 
												 | integer | 
												The maximum number of messages to generate every second per node. The default value is  | 
| 
												 | integer | 
												The maximum size for the audit log in bytes. The default value is  | 
| 
												 | integer | The maximum number of log files that are retained. | 
| 
												 | string | One of the following additional audit log targets: 
 | 
| 
												 | string | 
												The syslog facility, such as  | 
| Field | Type | Description | 
|---|---|---|
| 
												 | 
												 | 
												Set this field to  
												This field has an interaction with the Open vSwitch hardware offloading feature. If you set this field to  | 
| 
												 | 
												 | 
												You can control IP forwarding for all traffic on OVN-Kubernetes managed interfaces by using the  Note 
													The default value of  | 
| 
												 | 
												 | Optional: Specify an object to configure the internal OVN-Kubernetes masquerade address for host to service traffic for IPv4 addresses. | 
| 
												 | 
												 | Optional: Specify an object to configure the internal OVN-Kubernetes masquerade address for host to service traffic for IPv6 addresses. | 
| Field | Type | Description | 
|---|---|---|
| 
												 | 
												 | 
												The masquerade IPv4 addresses that are used internally to enable host to service traffic. The host is configured with these IP addresses as well as the shared gateway bridge interface. The default value is  Important 
													For OpenShift Container Platform 4.17 and later versions, clusters use  | 
| Field | Type | Description | 
|---|---|---|
| 
												 | 
												 | 
												The masquerade IPv6 addresses that are used internally to enable host to service traffic. The host is configured with these IP addresses as well as the shared gateway bridge interface. The default value is  Important 
													For OpenShift Container Platform 4.17 and later versions, clusters use  | 
| Field | Type | Description | 
|---|---|---|
| 
												 | 
												 | Specifies the behavior of the IPsec implementation. Must be one of the following values: 
 | 
Example OVN-Kubernetes configuration with IPSec enabled
3.4.6. Specifying advanced network configuration
You can use advanced network configuration for your network plugin to integrate your cluster into your existing network environment.
You can specify advanced network configuration only before you install the cluster.
Customizing your network configuration by modifying the OpenShift Container Platform manifest files created by the installation program is not supported. Applying a manifest file that you create, as in the following procedure, is supported.
Prerequisites
- 
							You have created the install-config.yamlfile and completed any modifications to it.
Procedure
- Change to the directory that contains the installation program and create the manifests: - ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <installation_directory>specifies the name of the directory that contains the- install-config.yamlfile for your cluster.
 
- Create a stub manifest file for the advanced network configuration that is named - cluster-network-03-config.ymlin the- <installation_directory>/manifests/directory:- apiVersion: operator.openshift.io/v1 kind: Network metadata: name: cluster spec: - apiVersion: operator.openshift.io/v1 kind: Network metadata: name: cluster spec:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Specify the advanced network configuration for your cluster in the - cluster-network-03-config.ymlfile, such as in the following example:- Enable IPsec for the OVN-Kubernetes network provider - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Optional: Back up the manifests/cluster-network-03-config.ymlfile. The installation program consumes themanifests/directory when you create the Ignition config files.
- Remove the Kubernetes manifest files that define the control plane machines and compute - MachineSets:- rm -f openshift/99_openshift-cluster-api_master-machines-*.yaml openshift/99_openshift-cluster-api_worker-machineset-*.yaml - $ rm -f openshift/99_openshift-cluster-api_master-machines-*.yaml openshift/99_openshift-cluster-api_worker-machineset-*.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Because you create and manage these resources yourself, you do not have to initialize them. - 
									You can preserve the MachineSetfiles to create compute machines by using the machine API, but you must update references to them to match your environment.
 
- 
									You can preserve the 
For more information on using a Network Load Balancer (NLB) on AWS, see Configuring Ingress cluster traffic on AWS using a Network Load Balancer.
3.4.7. Configuring an Ingress Controller Network Load Balancer on a new AWS cluster
You can create an Ingress Controller backed by an AWS Network Load Balancer (NLB) on a new cluster.
Prerequisites
- 
							Create the install-config.yamlfile and complete any modifications to it.
Procedure
Create an Ingress Controller backed by an AWS NLB on a new cluster.
- Change to the directory that contains the installation program and create the manifests: - ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the name of the directory that contains theinstall-config.yamlfile for your cluster.
 
- Create a file that is named - cluster-ingress-default-ingresscontroller.yamlin the- <installation_directory>/manifests/directory:- touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml - $ touch <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name that contains themanifests/directory for your cluster.
 - After creating the file, several network configuration files are in the - manifests/directory, as shown:- ls <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml - $ ls <installation_directory>/manifests/cluster-ingress-default-ingresscontroller.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - cluster-ingress-default-ingresscontroller.yaml - cluster-ingress-default-ingresscontroller.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Open the - cluster-ingress-default-ingresscontroller.yamlfile in an editor and enter a custom resource (CR) that describes the Operator configuration you want:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Save the cluster-ingress-default-ingresscontroller.yamlfile and quit the text editor.
- 
							Optional: Back up the manifests/cluster-ingress-default-ingresscontroller.yamlfile. The installation program deletes themanifests/directory when creating the cluster.
3.4.8. Configuring hybrid networking with OVN-Kubernetes
You can configure your cluster to use hybrid networking with the OVN-Kubernetes network plugin. This allows a hybrid cluster that supports different node networking configurations.
This configuration is necessary to run both Linux and Windows nodes in the same cluster.
Prerequisites
- 
							You defined OVNKubernetesfor thenetworking.networkTypeparameter in theinstall-config.yamlfile. See the installation documentation for configuring OpenShift Container Platform network customizations on your chosen cloud provider for more information.
Procedure
- Change to the directory that contains the installation program and create the manifests: - ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <installation_directory>
- 
										Specifies the name of the directory that contains the install-config.yamlfile for your cluster.
 
- Create a stub manifest file for the advanced network configuration that is named - cluster-network-03-config.ymlin the- <installation_directory>/manifests/directory:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <installation_directory>
- 
										Specifies the directory name that contains the manifests/directory for your cluster.
 
- Open the - cluster-network-03-config.ymlfile in an editor and configure OVN-Kubernetes with hybrid networking, as in the following example:- Specify a hybrid networking configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the CIDR configuration used for nodes on the additional overlay network. ThehybridClusterNetworkCIDR must not overlap with theclusterNetworkCIDR.
- 2
- Specify a custom VXLAN port for the additional overlay network. This is required for running Windows nodes in a cluster installed on vSphere, and must not be configured for any other cloud provider. The custom port can be any open port excluding the default4789port. For more information on this requirement, see the Microsoft documentation on Pod-to-pod connectivity between hosts is broken.
 Note- Windows Server Long-Term Servicing Channel (LTSC): Windows Server 2019 is not supported on clusters with a custom - hybridOverlayVXLANPortvalue because this Windows server version does not support selecting a custom VXLAN port.
- 
							Save the cluster-network-03-config.ymlfile and quit the text editor.
- 
							Optional: Back up the manifests/cluster-network-03-config.ymlfile. The installation program deletes themanifests/directory when creating the cluster.
For more information about using Linux and Windows nodes in the same cluster, see Understanding Windows container workloads.
3.4.9. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.4.10. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.4.11. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.4.12. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
3.5. Installing a cluster on AWS in a disconnected environment
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) in a restricted network by creating an internal mirror of the installation release content on an existing Amazon Virtual Private Cloud (VPC).
3.5.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You mirrored the images for a disconnected installation to your registry and obtained the - imageContentSourcesdata for your version of OpenShift Container Platform.Important- Because the installation media is on the mirror host, you can use that computer to complete all installation steps. 
- You have an existing VPC in AWS. When installing to a restricted network using installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements: - Contains the mirror registry
- Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
 
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX) in the AWS documentation.
- If you use a firewall and plan to use the Telemetry service, you configured the firewall to allow the sites that your cluster requires access to. Note- If you are configuring a proxy, be sure to also review this site list. 
3.5.2. About installations in restricted networks
In OpenShift Container Platform 4.18, you can perform an installation that does not require an active connection to the internet to obtain software components. Restricted network installations can be completed using installer-provisioned infrastructure or user-provisioned infrastructure, depending on the cloud platform to which you are installing the cluster.
If you choose to perform a restricted network installation on a cloud platform, you still require access to its cloud APIs. Some cloud functions, like Amazon Web Service’s Route 53 DNS and IAM services, require internet access. Depending on your network, you might require less internet access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
To complete a restricted network installation, you must create a registry that mirrors the contents of the OpenShift image registry and contains the installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.
3.5.2.1. Additional limits
Clusters in restricted networks have the following additional limitations and restrictions:
- 
								The ClusterVersionstatus includes anUnable to retrieve available updateserror.
- By default, you cannot use the contents of the Developer Catalog because you cannot access the required image stream tags.
3.5.3. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.5.3.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.5.3.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
3.5.3.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.5.3.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.5.3.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.5.3.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.5.3.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.5.4. Creating the installation configuration file
You can customize the OpenShift Container Platform cluster you install on Amazon Web Services (AWS).
Prerequisites
- You have the OpenShift Container Platform installation program and the pull secret for your cluster. For a restricted network installation, these files are on your mirror host.
- 
							You have the imageContentSourcesvalues that were generated during mirror registry creation.
- You have obtained the contents of the certificate for your mirror registry.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 - When specifying the directory: - 
											Verify that the directory has the executepermission. This permission is required to run Terraform binaries under the installation directory.
- Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select AWS as the platform to target.
- If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
- Select the AWS region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
 
 
- Edit the - install-config.yamlfile to give the additional information that is required for an installation in a restricted network.- Update the - pullSecretvalue to contain the authentication information for your registry:- pullSecret: '{"auths":{"<mirror_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}'- pullSecret: '{"auths":{"<mirror_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <mirror_host_name>, specify the registry domain name that you specified in the certificate for your mirror registry, and for- <credentials>, specify the base64-encoded user name and password for your mirror registry.
- Add the - additionalTrustBundleparameter and value.- additionalTrustBundle: | -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE----- - additionalTrustBundle: | -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE------ Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The value must be the contents of the certificate file that you used for your mirror registry. The certificate file can be an existing, trusted certificate authority, or the self-signed certificate that you generated for the mirror registry. 
- Define the subnets for the VPC to install the cluster in: - subnets: - subnet-1 - subnet-2 - subnet-3 - subnets: - subnet-1 - subnet-2 - subnet-3- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the image content resources, which resemble the following YAML excerpt: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For these values, use the - imageContentSourcesthat you recorded during mirror registry creation.
- Optional: Set the publishing strategy to - Internal:- publish: Internal - publish: Internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - By setting this option, you create an internal Ingress Controller and a private load balancer. 
 
- Make any other modifications to the - install-config.yamlfile that you require.- For more information about the parameters, see "Installation configuration parameters". 
- Back up the - install-config.yamlfile so that you can use it to install multiple clusters.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.5.4.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.5.4.2. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.5.4.3. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.5.5. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.5.5.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.5.5.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.5.5.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.5.5.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.5.5.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.5.5.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.5.5.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.5.6. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.5.7. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.5.8. Disabling the default OperatorHub catalog sources
Operator catalogs that source content provided by Red Hat and community projects are configured for OperatorHub by default during an OpenShift Container Platform installation. In a restricted network environment, you must disable the default catalogs as a cluster administrator.
Procedure
- Disable the sources for the default catalogs by adding - disableAllDefaultSources: trueto the- OperatorHubobject:- oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- $ oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create, update, delete, disable, and enable individual sources.
3.5.9. Next steps
- Validate an installation.
- Customize your cluster.
- 
							Configure image streams for the Cluster Samples Operator and the must-gathertool.
- Learn how to use Operator Lifecycle Manager in disconnected environments.
- If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by configuring additional trust stores.
- If necessary, you can Remote health reporting.
3.6. Installing a cluster on AWS into an existing VPC
				In OpenShift Container Platform version 4.18, you can install a cluster into an existing Amazon Virtual Private Cloud (VPC) on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the install-config.yaml file before you install the cluster.
			
3.6.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster.
- If the existing VPC is owned by a different account than the cluster, you shared the VPC between accounts. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.6.2. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.6.2.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- Create a public and private subnet for each availability zone that your cluster uses. Each availability zone can contain no more than one public and one private subnet. For an example of this type of configuration, see VPC with public and private subnets (NAT) in the AWS documentation. - Record each subnet ID. Completing the installation requires that you enter these values in the - platformsection of the- install-config.yamlfile. See Finding a subnet ID in the AWS documentation.
- 
								The VPC’s CIDR block must contain the Networking.MachineCIDRrange, which is the IP address pool for cluster machines. The subnet CIDR blocks must belong to the machine CIDR that you specify.
- The VPC must have a public internet gateway attached to it. For each availability zone: - The public subnet requires a route to the internet gateway.
- The public subnet requires a NAT gateway with an EIP address.
- The private subnet requires a route to the NAT gateway in public subnet.
 
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.6.2.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
3.6.2.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.6.2.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.6.2.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.6.2.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.6.2.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.6.2.5. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
						As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
					
For more information, see "Applying existing AWS security groups to the cluster".
3.6.3. Creating the installation configuration file
You can customize the OpenShift Container Platform cluster you install on Amazon Web Services (AWS).
Prerequisites
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 - When specifying the directory: - 
											Verify that the directory has the executepermission. This permission is required to run Terraform binaries under the installation directory.
- Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.
 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select AWS as the platform to target.
- If you do not have an Amazon Web Services (AWS) profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.
- Select the AWS region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
 
 
- 
							Modify the install-config.yamlfile. You can find more information about the available parameters in the "Installation configuration parameters" section.
- Back up the - install-config.yamlfile so that you can use it to install multiple clusters.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.6.3.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.6.3.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.6. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.6.3.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.7. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.6.3.4. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.6.3.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.6.3.6. Applying existing AWS security groups to the cluster
Applying existing AWS security groups to your control plane and compute machines can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
Prerequisites
- You have created the security groups in AWS. For more information, see the AWS documentation about working with security groups.
- The security groups must be associated with the existing VPC that you are deploying the cluster to. The security groups cannot be associated with another VPC.
- 
								You have an existing install-config.yamlfile.
Procedure
- 
								In the install-config.yamlfile, edit thecompute.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your compute machines.
- 
								Edit the controlPlane.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your control plane machines.
- Save the file and reference it when deploying the cluster.
Sample install-config.yaml file that specifies custom security groups
3.6.4. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.6.4.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.6.4.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.6.4.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.6.4.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.6.4.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.6.4.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.6.4.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.6.5. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.6.6. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.6.7. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.6.8. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
- After installing a cluster on AWS into an existing VPC, you can extend the AWS VPC cluster into an AWS Outpost.
3.7. Installing a private cluster on AWS
				In OpenShift Container Platform version 4.18, you can install a private cluster into an existing VPC on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the install-config.yaml file before you install the cluster.
			
3.7.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.7.2. Private clusters
You can deploy a private OpenShift Container Platform cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet.
By default, OpenShift Container Platform is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
If the cluster has any public subnets, load balancer services created by administrators might be publicly accessible. To ensure cluster security, verify that these services are explicitly annotated as private.
To deploy a private cluster, you must:
- Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
- Deploy from a machine that has access to: - The API services for the cloud to which you provision.
- The hosts on the network that you provision.
- The internet to obtain installation media.
 
You can use any machine that meets these access requirements and follows your company’s guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
3.7.2.1. Private clusters in AWS
To create a private cluster on Amazon Web Services (AWS), you must provide an existing private VPC and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for access from only the private network.
The cluster still requires access to internet to access the AWS APIs.
The following items are not required or created when you install a private cluster:
- Public subnets
- Public load balancers, which support public ingress
- 
								A public Route 53 zone that matches the baseDomainfor the cluster
						The installation program does use the baseDomain that you specify to create a private Route 53 zone and the required records for the cluster. The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
					
3.7.2.1.1. Limitations
The ability to add public functionality to a private cluster is limited.
- You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VPC for each availability zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from the internet on 6443 (Kubernetes API port).
- 
									If you use a public Service type load balancer, you must tag a public subnet in each availability zone with kubernetes.io/cluster/<cluster-infra-id>: sharedso that AWS can use them to create public load balancers.
3.7.3. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.7.3.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.7.3.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
3.7.3.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.7.3.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.7.3.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.7.3.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.7.3.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.7.3.5. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
						As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
					
For more information, see "Applying existing AWS security groups to the cluster".
3.7.4. Manually creating the installation configuration file
Installing the cluster requires that you manually create the installation configuration file.
Prerequisites
- You have an SSH public key on your local machine for use with the installation program. You can use the key for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in: - mkdir <installation_directory> - $ mkdir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- You must create a directory. Some installation assets, such as bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- Customize the provided sample - install-config.yamlfile template and save the file in the- <installation_directory>.Note- You must name this configuration file - install-config.yaml.
- Back up the - install-config.yamlfile so that you can use it to install many clusters.Important- Back up the - install-config.yamlfile now, because the installation process consumes the file in the next step.
3.7.4.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.7.4.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.8. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.7.4.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.9. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.7.4.4. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.7.4.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.7.4.6. Applying existing AWS security groups to the cluster
Applying existing AWS security groups to your control plane and compute machines can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
Prerequisites
- You have created the security groups in AWS. For more information, see the AWS documentation about working with security groups.
- The security groups must be associated with the existing VPC that you are deploying the cluster to. The security groups cannot be associated with another VPC.
- 
								You have an existing install-config.yamlfile.
Procedure
- 
								In the install-config.yamlfile, edit thecompute.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your compute machines.
- 
								Edit the controlPlane.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your control plane machines.
- Save the file and reference it when deploying the cluster.
Sample install-config.yaml file that specifies custom security groups
3.7.5. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.7.5.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.7.5.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.7.5.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.7.5.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.7.5.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.7.5.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.7.5.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.7.6. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.7.7. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.7.8. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.7.9. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
3.8. Installing a cluster on AWS into a government region
				In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) into a government region. To configure the region, modify parameters in the install-config.yaml file before you install the cluster.
			
3.8.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.8.2. AWS government regions
OpenShift Container Platform supports deploying a cluster to an AWS GovCloud (US) region.
The following AWS GovCloud partitions are supported:
- 
							us-gov-east-1
- 
							us-gov-west-1
3.8.3. Installation requirements
Before you can install the cluster, you must:
- Provide an existing private AWS VPC and subnets to host the cluster. - Public zones are not supported in Route 53 in AWS GovCloud. As a result, clusters must be private when you deploy to an AWS government region. 
- 
							Manually create the installation configuration file (install-config.yaml).
3.8.4. Private clusters
You can deploy a private OpenShift Container Platform cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet.
Public zones are not supported in Route 53 in an AWS GovCloud Region. Therefore, clusters must be private if they are deployed to an AWS GovCloud Region.
By default, OpenShift Container Platform is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
If the cluster has any public subnets, load balancer services created by administrators might be publicly accessible. To ensure cluster security, verify that these services are explicitly annotated as private.
To deploy a private cluster, you must:
- Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
- Deploy from a machine that has access to: - The API services for the cloud to which you provision.
- The hosts on the network that you provision.
- The internet to obtain installation media.
 
You can use any machine that meets these access requirements and follows your company’s guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
3.8.4.1. Private clusters in AWS
To create a private cluster on Amazon Web Services (AWS), you must provide an existing private VPC and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for access from only the private network.
The cluster still requires access to internet to access the AWS APIs.
The following items are not required or created when you install a private cluster:
- Public subnets
- Public load balancers, which support public ingress
- 
								A public Route 53 zone that matches the baseDomainfor the cluster
						The installation program does use the baseDomain that you specify to create a private Route 53 zone and the required records for the cluster. The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
					
3.8.4.1.1. Limitations
The ability to add public functionality to a private cluster is limited.
- You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VPC for each availability zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from the internet on 6443 (Kubernetes API port).
- 
									If you use a public Service type load balancer, you must tag a public subnet in each availability zone with kubernetes.io/cluster/<cluster-infra-id>: sharedso that AWS can use them to create public load balancers.
3.8.5. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.8.5.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.8.5.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
3.8.5.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.8.5.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.8.5.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.8.5.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.8.5.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.8.5.5. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
						As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
					
For more information, see "Applying existing AWS security groups to the cluster".
3.8.6. Obtaining an AWS Marketplace image
If you are deploying an OpenShift Container Platform cluster using an AWS Marketplace image, you must first subscribe through AWS. Subscribing to the offer provides you with the AMI ID that the installation program uses to deploy compute nodes.
You should only modify the RHCOS image for compute machines to use an AWS Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your AWS bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the AWS Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- You have an AWS account to purchase the offer. This account does not have to be the same account that is used to install the cluster.
Procedure
- Complete the OpenShift Container Platform subscription from the AWS Marketplace.
- Record the AMI ID for your specific AWS Region. As part of the installation process, you must update the - install-config.yamlfile with this value before deploying the cluster.- Sample - install-config.yamlfile with AWS Marketplace compute nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.8.7. Manually creating the installation configuration file
Installing the cluster requires that you manually create the installation configuration file.
Prerequisites
- You have an SSH public key on your local machine for use with the installation program. You can use the key for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in: - mkdir <installation_directory> - $ mkdir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- You must create a directory. Some installation assets, such as bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- Customize the provided sample - install-config.yamlfile template and save the file in the- <installation_directory>.Note- You must name this configuration file - install-config.yaml.
- Back up the - install-config.yamlfile so that you can use it to install many clusters.Important- Back up the - install-config.yamlfile now, because the installation process consumes the file in the next step.
3.8.7.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.8.7.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.10. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.8.7.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.11. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.8.7.4. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.8.7.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.8.7.6. Applying existing AWS security groups to the cluster
Applying existing AWS security groups to your control plane and compute machines can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
Prerequisites
- You have created the security groups in AWS. For more information, see the AWS documentation about working with security groups.
- The security groups must be associated with the existing VPC that you are deploying the cluster to. The security groups cannot be associated with another VPC.
- 
								You have an existing install-config.yamlfile.
Procedure
- 
								In the install-config.yamlfile, edit thecompute.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your compute machines.
- 
								Edit the controlPlane.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your control plane machines.
- Save the file and reference it when deploying the cluster.
Sample install-config.yaml file that specifies custom security groups
3.8.8. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Incorporating the Cloud Credential Operator utility manifests.
3.8.8.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.8.8.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.8.8.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.8.8.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.8.8.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.8.8.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.8.8.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.8.9. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.8.10. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.8.11. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.8.12. Next steps
- Validating an installation.
- Customize your cluster.
- Remote health reporting
- If necessary, you can remove cloud provider credentials.
3.9. Installing a cluster on AWS into a Secret or Top Secret Region
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) into the following secret regions:
- Secret Commercial Cloud Services (SC2S)
- Commercial Cloud Services (C2S)
				To configure a cluster in either region, you change parameters in the install config.yaml file before you install the cluster.
			
In OpenShift Container Platform 4.18, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on AWS. Installing a cluster on AWS into a secret or top-secret region by using the Cluster API implementation has not been tested as of the release of OpenShift Container Platform 4.18. This document will be updated when installation into a secret region has been tested.
There is a known issue with Network Load Balancers' support for security groups in secret or top secret regions that causes installations in these regions to fail. For more information, see OCPBUGS-33311.
3.9.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multifactor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
3.9.2. AWS secret regions
The following AWS secret partitions are supported:
- 
							us-isob-east-1(SC2S)
- 
							us-iso-east-1(C2S)
The maximum supported MTU in an AWS SC2S and C2S Regions is not the same as AWS commercial. For more information about configuring MTU during installation, see the Cluster Network Operator configuration object section in Installing a cluster on AWS with network customizations
3.9.3. Installation requirements
Red Hat does not publish a Red Hat Enterprise Linux CoreOS (RHCOS) Amzaon Machine Image for the AWS Secret and Top Secret Regions.
Before you can install the cluster, you must:
- Upload a custom RHCOS AMI.
- 
							Manually create the installation configuration file (install-config.yaml).
- Specify the AWS region, and the accompanying custom AMI, in the installation configuration file.
You cannot use the OpenShift Container Platform installation program to create the installation configuration file. The installer does not list an AWS region without native support for an RHCOS AMI.
						You must also define a custom CA certificate in the additionalTrustBundle field of the install-config.yaml file because the AWS API requires a custom CA trust bundle. To allow the installation program to access the AWS API, the CA certificates must also be defined on the machine that runs the installation program. You must add the CA bundle to the trust store on the machine, use the AWS_CA_BUNDLE environment variable, or define the CA bundle in the ca_bundle field of the AWS config file.
					
3.9.4. Private clusters
You can deploy a private OpenShift Container Platform cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet.
Public zones are not supported in Route 53 in an AWS Top Secret Region. Therefore, clusters must be private if they are deployed to an AWS Top Secret Region.
By default, OpenShift Container Platform is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
If the cluster has any public subnets, load balancer services created by administrators might be publicly accessible. To ensure cluster security, verify that these services are explicitly annotated as private.
To deploy a private cluster, you must:
- Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
- Deploy from a machine that has access to: - The API services for the cloud to which you provision.
- The hosts on the network that you provision.
- The internet to obtain installation media.
 
You can use any machine that meets these access requirements and follows your company’s guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
3.9.4.1. Private clusters in AWS
To create a private cluster on Amazon Web Services (AWS), you must provide an existing private VPC and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for access from only the private network.
The cluster still requires access to internet to access the AWS APIs.
The following items are not required or created when you install a private cluster:
- Public subnets
- Public load balancers, which support public ingress
- 
								A public Route 53 zone that matches the baseDomainfor the cluster
						The installation program does use the baseDomain that you specify to create a private Route 53 zone and the required records for the cluster. The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
					
3.9.4.1.1. Limitations
The ability to add public functionality to a private cluster is limited.
- You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VPC for each availability zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from the internet on 6443 (Kubernetes API port).
- 
									If you use a public Service type load balancer, you must tag a public subnet in each availability zone with kubernetes.io/cluster/<cluster-infra-id>: sharedso that AWS can use them to create public load balancers.
3.9.5. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.9.5.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
A cluster in an SC2S or C2S Region is unable to reach the public IP addresses for the EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.9.5.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- SC2S
- 
												elasticloadbalancing.<aws_region>.sc2s.sgov.gov
- 
												ec2.<aws_region>.sc2s.sgov.gov
- 
												s3.<aws_region>.sc2s.sgov.gov
 
- 
												
- C2S
- 
												elasticloadbalancing.<aws_region>.c2s.ic.gov
- 
												ec2.<aws_region>.c2s.ic.gov
- 
												s3.<aws_region>.c2s.ic.gov
 
- 
												
With this option, network traffic remains private between your VPC and the required AWS services.
3.9.5.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.9.5.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- SC2S
- 
												elasticloadbalancing.<aws_region>.sc2s.sgov.gov
- 
												ec2.<aws_region>.sc2s.sgov.gov
- 
												s3.<aws_region>.sc2s.sgov.gov
 
- 
												
- C2S
- 
												elasticloadbalancing.<aws_region>.c2s.ic.gov
- 
												ec2.<aws_region>.c2s.ic.gov
- 
												s3.<aws_region>.c2s.ic.gov
 
- 
												
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.9.5.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.9.5.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.9.5.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.9.5.5. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
						As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
					
For more information, see "Applying existing AWS security groups to the cluster".
3.9.6. Uploading a custom RHCOS AMI in AWS
If you are deploying to a custom Amazon Web Services (AWS) region, you must upload a custom Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) that belongs to that region.
Prerequisites
- You configured an AWS account.
- You created an Amazon S3 bucket with the required IAM service role.
- You uploaded your RHCOS VMDK file to Amazon S3. The RHCOS VMDK file must be the highest version that is less than or equal to the OpenShift Container Platform version you are installing.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer.
Procedure
- Export your AWS profile as an environment variable: - export AWS_PROFILE=<aws_profile> - $ export AWS_PROFILE=<aws_profile>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the region to associate with your custom AMI as an environment variable: - export AWS_DEFAULT_REGION=<aws_region> - $ export AWS_DEFAULT_REGION=<aws_region>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the version of RHCOS you uploaded to Amazon S3 as an environment variable: - export RHCOS_VERSION=<version> - $ export RHCOS_VERSION=<version>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the Amazon S3 bucket name as an environment variable: - export VMIMPORT_BUCKET_NAME=<s3_bucket_name> - $ export VMIMPORT_BUCKET_NAME=<s3_bucket_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - containers.jsonfile and define your RHCOS VMDK file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Import the RHCOS disk as an Amazon EBS snapshot: - aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \ --disk-container "file://<file_path>/containers.json"- $ aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \- 1 - --disk-container "file://<file_path>/containers.json"- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the status of the image import: - watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- $ watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy the - SnapshotIdto register the image.
- Create a custom RHCOS AMI from the RHCOS snapshot: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To learn more about these APIs, see the AWS documentation for importing snapshots and creating EBS-backed AMIs.
3.9.7. Manually creating the installation configuration file
Installing the cluster requires that you manually create the installation configuration file.
Prerequisites
- You have uploaded a custom RHCOS AMI.
- You have an SSH public key on your local machine for use with the installation program. You can use the key for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in: - mkdir <installation_directory> - $ mkdir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- You must create a directory. Some installation assets, such as bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- Customize the provided sample - install-config.yamlfile template and save the file in the- <installation_directory>.Note- You must name this configuration file - install-config.yaml.
- Back up the - install-config.yamlfile so that you can use it to install many clusters.Important- Back up the - install-config.yamlfile now, because the installation process consumes the file in the next step.
3.9.7.1. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.12. Machine types based on 64-bit x86 architecture for secret regions
- 
									c4.*
- 
									c5.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									r4.*
- 
									r5.*
- 
									t3.*
3.9.7.2. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.9.7.3. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.9.7.4. Applying existing AWS security groups to the cluster
Applying existing AWS security groups to your control plane and compute machines can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
Prerequisites
- You have created the security groups in AWS. For more information, see the AWS documentation about working with security groups.
- The security groups must be associated with the existing VPC that you are deploying the cluster to. The security groups cannot be associated with another VPC.
- 
								You have an existing install-config.yamlfile.
Procedure
- 
								In the install-config.yamlfile, edit thecompute.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your compute machines.
- 
								Edit the controlPlane.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your control plane machines.
- Save the file and reference it when deploying the cluster.
Sample install-config.yaml file that specifies custom security groups
3.9.8. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.9.8.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.9.8.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.9.8.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.9.8.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.9.8.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.9.8.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.9.8.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.9.9. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.9.10. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.9.11. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.9.12. Next steps
- Validating an installation.
- Customize your cluster.
- Remote health reporting
- If necessary, you can remove cloud provider credentials.
3.10. Installing a cluster on AWS China
In OpenShift Container Platform version 4.18, you can install a cluster to the following Amazon Web Services (AWS) China regions:
- 
						cn-north-1(Beijing)
- 
						cn-northwest-1(Ningxia)
3.10.1. Prerequisites
- You have an Internet Content Provider (ICP) license.
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster.
- If you use a firewall, you configured it to allow the sites that your cluster requires access to.
If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program.
3.10.2. Installation requirements
Red Hat does not publish a Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for the AWS China regions.
Before you can install the cluster, you must:
- Upload a custom RHCOS AMI.
- 
							Manually create the installation configuration file (install-config.yaml).
- Specify the AWS region, and the accompanying custom AMI, in the installation configuration file.
You cannot use the OpenShift Container Platform installation program to create the installation configuration file. The installer does not list an AWS region without native support for an RHCOS AMI.
3.10.3. Private clusters
You can deploy a private OpenShift Container Platform cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the internet.
By default, OpenShift Container Platform is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
If the cluster has any public subnets, load balancer services created by administrators might be publicly accessible. To ensure cluster security, verify that these services are explicitly annotated as private.
To deploy a private cluster, you must:
- Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
- Deploy from a machine that has access to: - The API services for the cloud to which you provision.
- The hosts on the network that you provision.
- The internet to obtain installation media.
 
You can use any machine that meets these access requirements and follows your company’s guidelines. For example, this machine can be a bastion host on your cloud network.
AWS China does not support a VPN connection between the VPC and your network. For more information about the Amazon VPC service in the Beijing and Ningxia regions, see Amazon Virtual Private Cloud in the AWS China documentation.
3.10.3.1. Private clusters in AWS
To create a private cluster on Amazon Web Services (AWS), you must provide an existing private VPC and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for access from only the private network.
The cluster still requires access to internet to access the AWS APIs.
The following items are not required or created when you install a private cluster:
- Public subnets
- Public load balancers, which support public ingress
- 
								A public Route 53 zone that matches the baseDomainfor the cluster
						The installation program does use the baseDomain that you specify to create a private Route 53 zone and the required records for the cluster. The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
					
3.10.3.1.1. Limitations
The ability to add public functionality to a private cluster is limited.
- You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VPC for each availability zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from the internet on 6443 (Kubernetes API port).
- 
									If you use a public Service type load balancer, you must tag a public subnet in each availability zone with kubernetes.io/cluster/<cluster-infra-id>: sharedso that AWS can use them to create public load balancers.
3.10.4. About using a custom VPC
In OpenShift Container Platform 4.18, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying OpenShift Container Platform into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company’s guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
3.10.4.1. Requirements for using your VPC
The installation program no longer creates the following components:
- Internet gateways
- NAT gateways
- Subnets
- Route tables
- VPCs
- VPC DHCP options
- VPC endpoints
The installation program requires that you use the cloud-provided DNS server. Using a custom DNS server is not supported and causes the installation to fail.
If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. See Create a VPC in the Amazon Web Services documentation for more information about AWS VPC console wizard configurations and creating and managing an AWS VPC.
The installation program cannot:
- Subdivide network ranges for the cluster to use.
- Set route tables for the subnets.
- Set VPC options like DHCP.
You must complete these tasks before you install the cluster. See VPC networking components and Route tables for your VPC for more information on configuring networking in an AWS VPC.
Your VPC must meet the following characteristics:
- The VPC must not use the - kubernetes.io/cluster/.*: owned,- Name, and- openshift.io/clustertags.- The installation program modifies your subnets to add the - kubernetes.io/cluster/.*: sharedtag, so your subnets must have at least one free tag slot available for it. See Tag Restrictions in the AWS documentation to confirm that the installation program can add a tag to each subnet that you specify. You cannot use a- Nametag, because it overlaps with the EC2- Namefield and the installation fails.
- 
								If you want to extend your OpenShift Container Platform cluster into an AWS Outpost and have an existing Outpost subnet, the existing subnet must use the kubernetes.io/cluster/unmanaged: truetag. If you do not apply this tag, the installation might fail due to the Cloud Controller Manager creating a service load balancer in the Outpost subnet, which is an unsupported configuration.
- You must enable the - enableDnsSupportand- enableDnsHostnamesattributes in your VPC, so that the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See DNS Support in Your VPC in the AWS documentation.- If you prefer to use your own Route 53 hosted private zone, you must associate the existing hosted zone with your VPC prior to installing a cluster. You can define your hosted zone using the - platform.aws.hostedZoneand- platform.aws.hostedZoneRolefields in the- install-config.yamlfile. You can use a private hosted zone from another account by sharing it with the account where you install the cluster. If you use a private hosted zone from another account, you must use the- Passthroughor- Manualcredentials mode.
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
3.10.4.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com.cn
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
3.10.4.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
3.10.4.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com.cn
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
3.10.4.2. VPC validation
To ensure that the subnets that you provide are suitable, the installation program confirms the following data:
- All the subnets that you specify exist.
- You provide private subnets.
- The subnet CIDRs belong to the machine CIDR that you specified.
- You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
- You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
						If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the OpenShift Container Platform cluster from a VPC, the kubernetes.io/cluster/.*: shared tag is removed from the subnets that it used.
					
3.10.4.3. Division of permissions
Starting with OpenShift Container Platform 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnets, or ingress rules.
The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and core networking components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
3.10.4.4. Isolation between clusters
If you deploy OpenShift Container Platform to an existing network, the isolation of cluster services is reduced in the following ways:
- You can install multiple OpenShift Container Platform clusters in the same VPC.
- ICMP ingress is allowed from the entire network.
- TCP 22 ingress (SSH) is allowed to the entire network.
- Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
- Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
3.10.4.5. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
						As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
					
For more information, see "Applying existing AWS security groups to the cluster".
3.10.5. Uploading a custom RHCOS AMI in AWS
If you are deploying to a custom Amazon Web Services (AWS) region, you must upload a custom Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) that belongs to that region.
Prerequisites
- You configured an AWS account.
- You created an Amazon S3 bucket with the required IAM service role.
- You uploaded your RHCOS VMDK file to Amazon S3. The RHCOS VMDK file must be the highest version that is less than or equal to the OpenShift Container Platform version you are installing.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer.
Procedure
- Export your AWS profile as an environment variable: - export AWS_PROFILE=<aws_profile> - $ export AWS_PROFILE=<aws_profile>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The AWS profile name that holds your AWS credentials, likebeijingadmin.
 
- Export the region to associate with your custom AMI as an environment variable: - export AWS_DEFAULT_REGION=<aws_region> - $ export AWS_DEFAULT_REGION=<aws_region>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The AWS region, likecn-north-1.
 
- Export the version of RHCOS you uploaded to Amazon S3 as an environment variable: - export RHCOS_VERSION=<version> - $ export RHCOS_VERSION=<version>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The RHCOS VMDK version, like4.18.0.
 
- Export the Amazon S3 bucket name as an environment variable: - export VMIMPORT_BUCKET_NAME=<s3_bucket_name> - $ export VMIMPORT_BUCKET_NAME=<s3_bucket_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - containers.jsonfile and define your RHCOS VMDK file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Import the RHCOS disk as an Amazon EBS snapshot: - aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \ --disk-container "file://<file_path>/containers.json"- $ aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \- 1 - --disk-container "file://<file_path>/containers.json"- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the status of the image import: - watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- $ watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy the - SnapshotIdto register the image.
- Create a custom RHCOS AMI from the RHCOS snapshot: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To learn more about these APIs, see the AWS documentation for importing snapshots and creating EBS-backed AMIs.
3.10.6. Manually creating the installation configuration file
Installing the cluster requires that you manually create the installation configuration file.
Prerequisites
- You have uploaded a custom RHCOS AMI.
- You have an SSH public key on your local machine for use with the installation program. You can use the key for SSH authentication onto your cluster nodes for debugging and disaster recovery.
- You have obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
Procedure
- Create an installation directory to store your required installation assets in: - mkdir <installation_directory> - $ mkdir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- You must create a directory. Some installation assets, such as bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- Customize the provided sample - install-config.yamlfile template and save the file in the- <installation_directory>.Note- You must name this configuration file - install-config.yaml.
- Back up the - install-config.yamlfile so that you can use it to install many clusters.Important- Back up the - install-config.yamlfile now, because the installation process consumes the file in the next step.
3.10.6.1. Sample customized install-config.yaml file for AWS
						You can customize the installation configuration file (install-config.yaml) to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.
					
							This sample YAML file is provided for reference only. You must obtain your install-config.yaml file by using the installation program and modify it. For a full list and description of all installation configuration parameters, see Installation configuration parameters for AWS.
						
Sample install-config.yaml file for AWS
- 1
- Parameters at the first level of indentation apply to the cluster globally.
- 2
- ThecontrolPlanestanza applies to control plane machines.
- 3
- Thecomputestanza applies to compute machines.
- 4
- Thenetworkingstanza applies to the cluster networking configuration. If you do not provide networking values, the installation program provides default values.
- 5
- Theplatformstanza applies to the infrastructure platform that hosts the cluster.
3.10.6.2. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.10.6.3. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.13. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
3.10.6.4. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 3.14. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
3.10.6.5. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
3.10.6.6. Applying existing AWS security groups to the cluster
Applying existing AWS security groups to your control plane and compute machines can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
Prerequisites
- You have created the security groups in AWS. For more information, see the AWS documentation about working with security groups.
- The security groups must be associated with the existing VPC that you are deploying the cluster to. The security groups cannot be associated with another VPC.
- 
								You have an existing install-config.yamlfile.
Procedure
- 
								In the install-config.yamlfile, edit thecompute.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your compute machines.
- 
								Edit the controlPlane.platform.aws.additionalSecurityGroupIDsparameter to specify one or more custom security groups for your control plane machines.
- Save the file and reference it when deploying the cluster.
Sample install-config.yaml file that specifies custom security groups
3.10.7. Alternatives to storing administrator-level secrets in the kube-system project
					By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
				
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.
3.10.7.1. Manually creating long-term credentials
						The Cloud Credential Operator (CCO) can be put into manual mode prior to installation in environments where the cloud identity and access management (IAM) APIs are not reachable, or the administrator prefers not to store an administrator-level credential secret in the cluster kube-system namespace.
					
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestcustom resources (CRs) from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 - This command creates a YAML file for each - CredentialsRequestobject.- Sample - CredentialsRequestobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create YAML files for secrets in the - openshift-installmanifests directory that you generated previously. The secrets must be stored using the namespace and secret name defined in the- spec.secretReffor each- CredentialsRequestobject.- Sample - CredentialsRequestobject with secrets- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample - Secretobject- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Before upgrading a cluster that uses manually maintained credentials, you must ensure that the CCO is in an upgradeable state.
3.10.7.2. Configuring an AWS cluster to use short-term credentials
To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.
3.10.7.2.1. Configuring the Cloud Credential Operator utility
							To create and manage cloud credentials from outside of the cluster when the Cloud Credential Operator (CCO) is operating in manual mode, extract and prepare the CCO utility (ccoctl) binary.
						
								The ccoctl utility is a Linux binary that must run in a Linux environment.
							
Prerequisites
- You have access to an OpenShift Container Platform account with cluster administrator access.
- 
									You have installed the OpenShift CLI (oc).
- You have created an AWS account for the - ccoctlutility to use with the following permissions:- Required - iampermissions- 
											iam:CreateOpenIDConnectProvider
- 
											iam:CreateRole
- 
											iam:DeleteOpenIDConnectProvider
- 
											iam:DeleteRole
- 
											iam:DeleteRolePolicy
- 
											iam:GetOpenIDConnectProvider
- 
											iam:GetRole
- 
											iam:GetUser
- 
											iam:ListOpenIDConnectProviders
- 
											iam:ListRolePolicies
- 
											iam:ListRoles
- 
											iam:PutRolePolicy
- 
											iam:TagOpenIDConnectProvider
- 
											iam:TagRole
 - Required - s3permissions- 
											s3:CreateBucket
- 
											s3:DeleteBucket
- 
											s3:DeleteObject
- 
											s3:GetBucketAcl
- 
											s3:GetBucketTagging
- 
											s3:GetObject
- 
											s3:GetObjectAcl
- 
											s3:GetObjectTagging
- 
											s3:ListBucket
- 
											s3:PutBucketAcl
- 
											s3:PutBucketPolicy
- 
											s3:PutBucketPublicAccessBlock
- 
											s3:PutBucketTagging
- 
											s3:PutObject
- 
											s3:PutObjectAcl
- 
											s3:PutObjectTagging
 - Required - cloudfrontpermissions- 
											cloudfront:ListCloudFrontOriginAccessIdentities
- 
											cloudfront:ListDistributions
- 
											cloudfront:ListTagsForResource
 
- 
											
- If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the - ccoctlutility requires the following additional permissions:- 
											cloudfront:CreateCloudFrontOriginAccessIdentity
- 
											cloudfront:CreateDistribution
- 
											cloudfront:DeleteCloudFrontOriginAccessIdentity
- 
											cloudfront:DeleteDistribution
- 
											cloudfront:GetCloudFrontOriginAccessIdentity
- 
											cloudfront:GetCloudFrontOriginAccessIdentityConfig
- 
											cloudfront:GetDistribution
- 
											cloudfront:TagResource
- 
											cloudfront:UpdateDistribution
 Note- These additional permissions support the use of the - --create-private-s3-bucketoption when processing credentials requests with the- ccoctl aws create-allcommand.
- 
											
Procedure
- Set a variable for the OpenShift Container Platform release image by running the following command: - RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain the CCO container image from the OpenShift Container Platform release image by running the following command: - CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret) - $ CCO_IMAGE=$(oc adm release info --image-for='cloud-credential-operator' $RELEASE_IMAGE -a ~/.pull-secret)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Ensure that the architecture of the - $RELEASE_IMAGEmatches the architecture of the environment in which you will use the- ccoctltool.
- Extract the - ccoctlbinary from the CCO container image within the OpenShift Container Platform release image by running the following command:- oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \ -a ~/.pull-secret - $ oc image extract $CCO_IMAGE \ --file="/usr/bin/ccoctl.<rhel_version>" \- 1 - -a ~/.pull-secret- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<rhel_version>, specify the value that corresponds to the version of Red Hat Enterprise Linux (RHEL) that the host uses. If no value is specified,ccoctl.rhel8is used by default. The following values are valid:- 
													rhel8: Specify this value for hosts that use RHEL 8.
- 
													rhel9: Specify this value for hosts that use RHEL 9.
 
- 
													
 
- Change the permissions to make - ccoctlexecutable by running the following command:- chmod 775 ccoctl.<rhel_version> - $ chmod 775 ccoctl.<rhel_version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that - ccoctlis ready to use, display the help file. Use a relative file name when you run the command, for example:- ./ccoctl.rhel9 - $ ./ccoctl.rhel9- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.10.7.2.2. Creating AWS resources with the Cloud Credential Operator utility
You have the following options when creating AWS resources:
- 
									You can use the ccoctl aws create-allcommand to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
- 
									If you need to review the JSON files that the ccoctltool creates before modifying AWS resources, or if the process theccoctltool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.
3.10.7.2.2.1. Creating AWS resources with a single command
								If the process the ccoctl tool uses to create AWS resources automatically meets the requirements of your organization, you can use the ccoctl aws create-all command to automate the creation of AWS resources.
							
Otherwise, you can create the AWS resources individually. For more information, see "Creating AWS resources individually".
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
Prerequisites
You must have:
- 
										Extracted and prepared the ccoctlbinary.
Procedure
- Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 Note- This command might take a few moments to run. 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name used to tag any cloud resources that are created for tracking.
- 2
- Specify the AWS region in which cloud resources will be created.
- 3
- Specify the directory containing the files for the componentCredentialsRequestobjects.
- 4
- Optional: Specify the directory in which you want theccoctlutility to create objects. By default, the utility creates objects in the directory in which the commands are run.
- 5
- Optional: By default, theccoctlutility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the--create-private-s3-bucketparameter.
 Note- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.10.7.2.2.2. Creating AWS resources individually
								You can use the ccoctl tool to create AWS resources individually. This option might be useful for an organization that shares the responsibility for creating these resources among different users or departments.
							
								Otherwise, you can use the ccoctl aws create-all command to create the AWS resources automatically. For more information, see "Creating AWS resources with a single command".
							
									By default, ccoctl creates objects in the directory in which the commands are run. To create the objects in a different directory, use the --output-dir flag. This procedure uses <path_to_ccoctl_output_dir> to refer to this directory.
								
									Some ccoctl commands make AWS API calls to create or modify AWS resources. You can use the --dry-run flag to avoid making API calls. Using this flag creates JSON files on the local file system instead. You can review and modify the JSON files and then apply them with the AWS CLI tool using the --cli-input-json parameters.
								
Prerequisites
- 
										Extract and prepare the ccoctlbinary.
Procedure
- Generate the public and private RSA key files that are used to set up the OpenID Connect provider for the cluster by running the following command: - ccoctl aws create-key-pair - $ ccoctl aws create-key-pair- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer - 2021/04/13 11:01:02 Generating RSA keypair 2021/04/13 11:01:03 Writing private key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.private 2021/04/13 11:01:03 Writing public key to /<path_to_ccoctl_output_dir>/serviceaccount-signer.public 2021/04/13 11:01:03 Copying signing key for use by installer- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - serviceaccount-signer.privateand- serviceaccount-signer.publicare the generated key files.- This command also creates a private key that the cluster requires during installation in - /<path_to_ccoctl_output_dir>/tls/bound-service-account-signing-key.key.
- Create an OpenID Connect identity provider and S3 bucket on AWS by running the following command: - ccoctl aws create-identity-provider \ --name=<name> \ --region=<aws_region> \ --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public - $ ccoctl aws create-identity-provider \ --name=<name> \- 1 - --region=<aws_region> \- 2 - --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - 2021/04/13 11:16:09 Bucket <name>-oidc created 2021/04/13 11:16:10 OpenID Connect discovery document in the S3 bucket <name>-oidc at .well-known/openid-configuration updated 2021/04/13 11:16:10 Reading public key 2021/04/13 11:16:10 JSON web key set (JWKS) in the S3 bucket <name>-oidc at keys.json updated 2021/04/13 11:16:18 Identity Provider created with ARN: arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - openid-configurationis a discovery document and- keys.jsonis a JSON web key set file.- This command also creates a YAML configuration file in - /<path_to_ccoctl_output_dir>/manifests/cluster-authentication-02-config.yaml. This file sets the issuer URL field for the service account tokens that the cluster generates, so that the AWS IAM identity provider trusts the tokens.
- Create IAM roles for each component in the cluster: - Set a - $RELEASE_IMAGEvariable with the release image from your installation file by running the following command:- RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Extract the list of - CredentialsRequestobjects from the OpenShift Container Platform release image:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The--includedparameter includes only the manifests that your specific cluster configuration requires.
- 2
- Specify the location of theinstall-config.yamlfile.
- 3
- Specify the path to the directory where you want to store theCredentialsRequestobjects. If the specified directory does not exist, this command creates it.
 
- Use the - ccoctltool to process all- CredentialsRequestobjects by running the following command:- ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com - $ ccoctl aws create-iam-roles \ --name=<name> \ --region=<aws_region> \ --credentials-requests-dir=<path_to_credentials_requests_directory> \ --identity-provider-arn=arn:aws:iam::<aws_account_id>:oidc-provider/<name>-oidc.s3.<aws_region>.amazonaws.com- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- For AWS environments that use alternative IAM API endpoints, such as GovCloud, you must also specify your region with the - --regionparameter.- If your cluster uses Technology Preview features that are enabled by the - TechPreviewNoUpgradefeature set, you must include the- --enable-tech-previewparameter.- For each - CredentialsRequestobject,- ccoctlcreates an IAM role with a trust policy that is tied to the specified OIDC identity provider, and a permissions policy as defined in each- CredentialsRequestobject from the OpenShift Container Platform release image.
 
Verification
- To verify that the OpenShift Container Platform secrets are created, list the files in the - <path_to_ccoctl_output_dir>/manifestsdirectory:- ls <path_to_ccoctl_output_dir>/manifests - $ ls <path_to_ccoctl_output_dir>/manifests- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can verify that the IAM roles are created by querying AWS. For more information, refer to AWS documentation on listing IAM roles. 
3.10.7.2.3. Incorporating the Cloud Credential Operator utility manifests
							To implement short-term security credentials managed outside the cluster for individual components, you must move the manifest files that the Cloud Credential Operator utility (ccoctl) created to the correct directories for the installation program.
						
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- 
									You have configured the Cloud Credential Operator utility (ccoctl).
- 
									You have created the cloud provider resources that are required for your cluster with the ccoctlutility.
Procedure
- If you did not set the - credentialsModeparameter in the- install-config.yamlconfiguration file to- Manual, modify the value as shown:- Sample configuration file snippet - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ... - apiVersion: v1 baseDomain: example.com credentialsMode: Manual # ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you have not previously created installation manifest files, do so by running the following command: - openshift-install create manifests --dir <installation_directory> - $ openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory in which the installation program creates files.
- Copy the manifests that the - ccoctlutility generated to the- manifestsdirectory that the installation program created by running the following command:- cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/ - $ cp /<path_to_ccoctl_output_dir>/manifests/* ./manifests/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the - tlsdirectory that contains the private key to the installation directory:- cp -a /<path_to_ccoctl_output_dir>/tls . - $ cp -a /<path_to_ccoctl_output_dir>/tls .- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.10.8. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.10.9. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.10.10. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.10.11. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
3.11. Installing a cluster with compute nodes on AWS Local Zones
				You can quickly install an OpenShift Container Platform cluster on Amazon Web Services (AWS) Local Zones by setting the zone names in the edge compute pool of the install-config.yaml file, or install a cluster in an existing Amazon Virtual Private Cloud (VPC) with Local Zone subnets.
			
AWS Local Zones is an infrastructure that place Cloud Resources close to metropolitan regions. For more information, see the AWS Local Zones Documentation.
3.11.1. Infrastructure prerequisites
- You reviewed details about OpenShift Container Platform installation and update processes.
- You are familiar with Selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Warning- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multifactor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX) in the AWS documentation.
- If you use a firewall, you configured it to allow the sites that your cluster must access.
- You noted the region and supported AWS Local Zones locations to create the network resources in.
- You read the AWS Local Zones features in the AWS documentation.
- You added permissions for creating network resources that support AWS Local Zones to the Identity and Access Management (IAM) user or role. The following example enables a zone group that can give a user or role access for creating network resources that support AWS Local Zones. - Example of an additional IAM policy with the - ec2:ModifyAvailabilityZoneGrouppermission attached to an IAM user or role.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.11.2. About AWS Local Zones and edge compute pool
Read the following sections to understand infrastructure behaviors and cluster limitations in an AWS Local Zones environment.
3.11.2.1. Cluster limitations in AWS Local Zones
Some limitations exist when you try to deploy a cluster with a default installation configuration in an Amazon Web Services (AWS) Local Zone.
The following list details limitations when deploying a cluster in a pre-configured AWS zone:
- 
									The maximum transmission unit (MTU) between an Amazon EC2 instance in a zone and an Amazon EC2 instance in the Region is 1300. This causes the cluster-wide network MTU to change according to the network plugin that is used with the deployment.
- Network resources such as Network Load Balancer (NLB), Classic Load Balancer, and Network Address Translation (NAT) Gateways are not globally supported.
- 
									For an OpenShift Container Platform cluster on AWS, the AWS Elastic Block Storage (EBS) gp3type volume is the default for node volumes and the default for the storage class. This volume type is not globally available on zone locations. By default, the nodes running in zones are deployed with thegp2EBS volume. Thegp2-csiStorageClassparameter must be set when creating workloads on zone nodes.
If you want the installation program to automatically create Local Zone subnets for your OpenShift Container Platform cluster, specific configuration limitations apply with this method.
The following configuration limitation applies when you set the installation program to automatically create subnets for your OpenShift Container Platform cluster:
- When the installation program creates private subnets in AWS Local Zones, the program associates each subnet with the route table of its parent zone. This operation ensures that each private subnet can route egress traffic to the internet by way of NAT Gateways in an AWS Region.
- If the parent-zone route table does not exist during cluster installation, the installation program associates any private subnet with the first available private route table in the Amazon Virtual Private Cloud (VPC). This approach is valid only for AWS Local Zones subnets in an OpenShift Container Platform cluster.
3.11.2.2. About edge compute pools
Edge compute nodes are tainted compute nodes that run in AWS Local Zones locations.
When deploying a cluster that uses Local Zones, consider the following points:
- Amazon EC2 instances in the Local Zones are more expensive than Amazon EC2 instances in the Availability Zones.
- The latency is lower between the applications running in AWS Local Zones and the end user. A latency impact exists for some workloads if, for example, ingress traffic is mixed between Local Zones and Availability Zones.
							Generally, the maximum transmission unit (MTU) between an Amazon EC2 instance in a Local Zones and an Amazon EC2 instance in the Region is 1300. The cluster network MTU must be always less than the EC2 MTU to account for the overhead. The specific overhead is determined by the network plugin. For example: OVN-Kubernetes has an overhead of 100 bytes.
						
The network plugin can provide additional features, such as IPsec, that also affect the MTU sizing.
For more information, see How Local Zones work in the AWS documentation.
OpenShift Container Platform 4.12 introduced a new compute pool, edge, that is designed for use in remote zones. The edge compute pool configuration is common between AWS Local Zones locations. Because of the type and size limitations of resources like EC2 and EBS on Local Zones resources, the default instance type can vary from the traditional compute pool.
						The default Elastic Block Store (EBS) for Local Zones locations is gp2, which differs from the non-edge compute pool. The instance type used for each Local Zones on an edge compute pool also might differ from other compute pools, depending on the instance offerings on the zone.
					
The edge compute pool creates new labels that developers can use to deploy applications onto AWS Local Zones nodes. The new labels are:
- 
								node-role.kubernetes.io/edge=''
- 
								machine.openshift.io/zone-type=local-zone
- 
								machine.openshift.io/zone-group=$ZONE_GROUP_NAME
						By default, the machine sets for the edge compute pool define the taint of NoSchedule to prevent other workloads from spreading on Local Zones instances. Users can only run user workloads if they define tolerations in the pod specification.
					
3.11.3. Installation prerequisites
Before you install a cluster in an AWS Local Zones environment, you must configure your infrastructure so that it can adopt Local Zone capabilities.
3.11.3.1. Opting in to an AWS Local Zones
If you plan to create subnets in AWS Local Zones, you must opt in to each zone group separately.
Prerequisites
- You have installed the AWS CLI.
- You have determined an AWS Region for where you want to deploy your OpenShift Container Platform cluster.
- You have attached a permissive IAM policy to a user or role account that opts in to the zone group.
Procedure
- List the zones that are available in your AWS Region by running the following command: - Example command for listing available AWS Local Zones in an AWS Region - aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=local-zone \ --all-availability-zones- $ aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=local-zone \ --all-availability-zones- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Depending on the AWS Region, the list of available zones might be long. The command returns the following fields: - ZoneName
- The name of the Local Zones.
- GroupName
- The group that comprises the zone. To opt in to the Region, save the name.
- Status
- 
											The status of the Local Zones group. If the status is not-opted-in, you must opt in theGroupNameas described in the next step.
 
- Opt in to the zone group on your AWS account by running the following command: - aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \ --opt-in-status opted-in- $ aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \- 1 - --opt-in-status opted-in- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<value_of_GroupName>with the name of the group of the Local Zones where you want to create subnets. For example, specifyus-east-1-nyc-1to use the zoneus-east-1-nyc-1a(US East New York).
 
3.11.3.2. Obtaining an AWS Marketplace image
If you are deploying an OpenShift Container Platform cluster using an AWS Marketplace image, you must first subscribe through AWS. Subscribing to the offer provides you with the AMI ID that the installation program uses to deploy compute nodes.
You should only modify the RHCOS image for compute machines to use an AWS Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your AWS bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the AWS Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- You have an AWS account to purchase the offer. This account does not have to be the same account that is used to install the cluster.
Procedure
- Complete the OpenShift Container Platform subscription from the AWS Marketplace.
- Record the AMI ID for your specific AWS Region. As part of the installation process, you must update the - install-config.yamlfile with this value before deploying the cluster.- Sample - install-config.yamlfile with AWS Marketplace compute nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.11.4. Preparing for the installation
Before you extend nodes to Local Zones, you must prepare certain resources for the cluster installation environment.
3.11.4.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.11.4.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform for use with AWS Local Zones.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.15. Machine types based on 64-bit x86 architecture for AWS Local Zones
- 
									c5.*
- 
									c5d.*
- 
									m6i.*
- 
									m5.*
- 
									r5.*
- 
									t3.*
3.11.4.3. Creating the installation configuration file
Generate and customize the installation configuration file that the installation program needs to deploy your cluster.
Prerequisites
- You obtained the OpenShift Container Platform installation program for user-provisioned infrastructure and the pull secret for your cluster.
- 
								You checked that you are deploying your cluster to an AWS Region with an accompanying Red Hat Enterprise Linux CoreOS (RHCOS) AMI published by Red Hat. If you are deploying to an AWS Region that requires a custom AMI, such as an AWS GovCloud Region, you must create the install-config.yamlfile manually.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 Important- Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select aws as the platform to target.
- If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. Note- The AWS access key ID and secret access key are stored in - ~/.aws/credentialsin the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.
- Select the AWS Region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
- Paste the pull secret from Red Hat OpenShift Cluster Manager.
 
 
- Optional: Back up the - install-config.yamlfile.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.11.4.4. Examples of installation configuration files with edge compute pools
						The following examples show install-config.yaml files that contain an edge machine pool configuration.
					
Configuration that uses an edge pool with a custom instance type
Instance types differ between locations. To verify availability in the Local Zones in which the cluster runs, see the AWS documentation.
Configuration that uses an edge pool with a custom Amazon Elastic Block Store (EBS) type
Elastic Block Storage (EBS) types differ between locations. Check the AWS documentation to verify availability in the Local Zones in which the cluster runs.
Configuration that uses an edge pool with custom security groups
- 1
- Specify the name of the security group as it is displayed on the Amazon EC2 console. Ensure that you include thesgprefix.
3.11.4.5. Customizing the cluster network MTU
Before you deploy a cluster on AWS, you can customize the cluster network maximum transmission unit (MTU) for your cluster network to meet the needs of your infrastructure.
By default, when you install a cluster with supported Local Zones capabilities, the MTU value for the cluster network is automatically adjusted to the lowest value that the network plugin accepts.
Setting an unsupported MTU value for EC2 instances that operate in the Local Zones infrastructure can cause issues for your OpenShift Container Platform cluster.
If the Local Zone supports higher MTU values in between EC2 instances in the Local Zone and the AWS Region, you can manually configure the higher value to increase the network performance of the cluster network.
						You can customize the MTU for a cluster by specifying the networking.clusterNetworkMTU parameter in the install-config.yaml configuration file.
					
All subnets in Local Zones must support the higher MTU value, so that each node in that zone can successfully communicate with services in the AWS Region and deploy your workloads.
Example of overwriting the default MTU value
3.11.5. Cluster installation options for an AWS Local Zones environment
Choose one of the following installation options to install an OpenShift Container Platform cluster on AWS with edge compute nodes defined in Local Zones:
- Fully automated option: Installing a cluster to quickly extend compute nodes to edge compute pools, where the installation program automatically creates infrastructure resources for the OpenShift Container Platform cluster.
- 
							Existing VPC option: Installing a cluster on AWS into an existing VPC, where you supply Local Zones subnets to the install-config.yamlfile.
Next steps
Choose one of the following options to install an OpenShift Container Platform cluster in an AWS Local Zones environment:
3.11.6. Install a cluster quickly in AWS Local Zones
					For OpenShift Container Platform 4.18, you can quickly install a cluster on Amazon Web Services (AWS) to extend compute nodes to Local Zones locations. By using this installation route, the installation program automatically creates network resources and Local Zones subnets for each zone that you defined in your configuration file. To customize the installation, you must modify parameters in the install-config.yaml file before you deploy the cluster.
				
3.11.6.1. Modifying an installation configuration file to use AWS Local Zones
						Modify an install-config.yaml file to include AWS Local Zones.
					
Prerequisites
- You have configured an AWS account.
- 
								You added your AWS keys and AWS Region to your local AWS profile by running aws configure.
- You are familiar with the configuration limitations that apply when you specify the installation program to automatically create subnets for your OpenShift Container Platform cluster.
- You opted in to the Local Zones group for each zone.
- 
								You created an install-config.yamlfile by using the procedure "Creating the installation configuration file".
Procedure
- Modify the - install-config.yamlfile by specifying Local Zones names in the- platform.aws.zonesproperty of the edge compute pool.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example of a configuration to install a cluster in the - us-west-2AWS Region that extends edge nodes to Local Zones in- Los Angelesand- Las Vegaslocations- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Deploy your cluster.
Next steps
3.11.7. Installing a cluster in an existing VPC that has Local Zone subnets
					You can install a cluster into an existing Amazon Virtual Private Cloud (VPC) on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, change parameters in the install-config.yaml file before you install the cluster.
				
Installing a cluster on AWS into an existing VPC requires extending compute nodes to the edge of the Cloud Infrastructure by using AWS Local Zones.
Local Zone subnets extend regular compute nodes to edge networks. Each edge compute nodes runs a user workload. After you create an Amazon Web Service (AWS) Local Zone environment, and you deploy your cluster, you can use edge compute nodes to create user workloads in Local Zone subnets.
If you want to create private subnets, you must either change the provided CloudFormation template or create your own template.
You can use a provided CloudFormation template to create network resources. Additionally, you can change a template to customize your infrastructure or use the information that they contain to create AWS resources according to your company’s policies.
The documentation provides the steps for performing an installer-provisioned infrastructure installation for example purposes only. Installing a cluster in an existing VPC requires that you have knowledge of the cloud provider and the installation process of OpenShift Container Platform. You can use a CloudFormation template to assist you with completing these steps or to help model your own cluster installation. Instead of using the CloudFormation template to create resources, you can decide to use other methods for generating these resources.
3.11.7.1. Creating a VPC in AWS
You can create a Virtual Private Cloud (VPC), and subnets for all Local Zones locations, in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to extend compute nodes to edge locations. You can further customize your VPC to meet your requirements, including a VPN and route tables. You can also add new Local Zones subnets not included at initial deployment.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the VPC.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and AWS Region to your local AWS profile by running aws configure.
- You opted in to the AWS Local Zones on your AWS account.
Procedure
- Create a JSON file that contains the parameter values that the CloudFormation template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Go to the section of the documentation named "CloudFormation template for the VPC", and then copy the syntax from the provided template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the VPC by running the following command: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> \ --template-body file://<template>.yaml \ --parameters file://<parameters>.json- $ aws cloudformation create-stack --stack-name <name> \- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-vpc. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path and the name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster.- VpcId- The ID of your VPC. - PublicSubnetIds- The IDs of the new public subnets. - PrivateSubnetIds- The IDs of the new private subnets. - PublicRouteTableId- The ID of the new public route table ID. 
3.11.7.2. CloudFormation template for the VPC
You can use the following CloudFormation template to deploy the VPC that you need for your OpenShift Container Platform cluster.
Example 3.16. CloudFormation template for the VPC
3.11.7.3. Creating subnets in Local Zones
Before you configure a machine set for edge compute nodes in your OpenShift Container Platform cluster, you must create the subnets in Local Zones. Complete the following procedure for each Local Zone that you want to deploy compute nodes to.
You can use the provided CloudFormation template and create a CloudFormation stack. You can then use this stack to custom provision a subnet.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and region to your local AWS profile by running aws configure.
- You opted in to the Local Zones group.
Procedure
- Go to the section of the documentation named "CloudFormation template for the VPC subnet", and copy the syntax from the template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- cluster-wl-<local_zone_shortname>. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- ${VPC_ID}is the VPC ID, which is the value- VpcIDin the output of the CloudFormation template for the VPC.
- 4
- ${ZONE_NAME}is the value of Local Zones name to create the subnets.
- 5
- ${CLUSTER_NAME}is the value of ClusterName to be used as a prefix of the new AWS resource names.
- 6
- ${SUBNET_CIDR_PUB}is a valid CIDR block that is used to create the public subnet. This block must be part of the VPC CIDR block- VpcCidr.
- 7
- ${ROUTE_TABLE_PVT}is the PrivateRouteTableId extracted from the output of the VPC’s CloudFormation stack.
- 8
- ${SUBNET_CIDR_PVT}is a valid CIDR block that is used to create the private subnet. This block must be part of the VPC CIDR block- VpcCidr.
 
Example output
arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f
arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849fVerification
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. Ensure that you provide these parameter values to the other CloudFormation templates that you run to create for your cluster.- PublicSubnetId- The IDs of the public subnet created by the CloudFormation stack. - PrivateSubnetId- The IDs of the private subnet created by the CloudFormation stack. 
3.11.7.4. CloudFormation template for the VPC subnet
You can use the following CloudFormation template to deploy the private and public subnets in a zone on Local Zones infrastructure.
Example 3.17. CloudFormation template for VPC subnets
3.11.7.5. Modifying an installation configuration file to use AWS Local Zones subnets
						Modify your install-config.yaml file to include Local Zones subnets.
					
Prerequisites
- You created subnets by using the procedure "Creating subnets in Local Zones".
- 
								You created an install-config.yamlfile by using the procedure "Creating the installation configuration file".
Procedure
- Modify the - install-config.yamlconfiguration file by specifying Local Zones subnets in the- platform.aws.subnetsparameter.- Example installation configuration file with Local Zones subnets - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- List of subnet IDs created in the zones: Availability and Local Zones.
 
Next steps
3.11.8. Optional: AWS security groups
By default, the installation program creates and attaches security groups to control plane and compute machines. The rules associated with the default security groups cannot be modified.
However, you can apply additional existing AWS security groups, which are associated with your existing VPC, to control plane and compute machines. Applying custom security groups can help you meet the security needs of your organization, in such cases where you need to control the incoming or outgoing traffic of these machines.
					As part of the installation process, you apply custom security groups by modifying the install-config.yaml file before deploying the cluster.
				
For more information, see "Edge compute pools and AWS Local Zones".
3.11.9. Optional: Assign public IP addresses to edge compute nodes
If your workload requires deploying the edge compute nodes in public subnets on Local Zones infrastructure, you can configure the machine set manifests when installing a cluster.
AWS Local Zones infrastructure accesses the network traffic in a specified zone, so applications can take advantage of lower latency when serving end users that are closer to that zone.
The default setting that deploys compute nodes in private subnets might not meet your needs, so consider creating edge compute nodes in public subnets when you want to apply more customization to your infrastructure.
By default, OpenShift Container Platform deploy the compute nodes in private subnets. For best performance, consider placing compute nodes in subnets that have their Public IP addresses attached to the subnets.
You must create additional security groups, but ensure that you only open the groups' rules over the internet when you really need to.
Procedure
- Change to the directory that contains the installation program and generate the manifest files. Ensure that the installation manifests get created at the - openshiftand- manifestsdirectory level.- ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the machine set manifest that the installation program generates for the Local Zones, so that the manifest gets deployed in public subnets. Specify - truefor the- spec.template.spec.providerSpec.value.publicIPparameter.- Example machine set manifest configuration for installing a cluster quickly in Local Zones - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set manifest configuration for installing a cluster in an existing VPC that has Local Zones subnets - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.11.10. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.11.11. Verifying the status of the deployed cluster
Verify that your OpenShift Container Platform successfully deployed on AWS Local Zones.
3.11.11.1. Logging in to the cluster by using the CLI
						You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
					
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
								You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.11.11.2. Logging in to the cluster by using the web console
						The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
					
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.11.11.3. Verifying nodes that were created with edge compute pool
After you install a cluster that uses AWS Local Zones infrastructure, check the status of the machine that was created by the machine set manifests created during installation.
- To check the machine sets created from the subnet you added to the - install-config.yamlfile, run the following command:- oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE cluster-7xw5g-edge-us-east-1-nyc-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1b 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1c 1 1 1 1 3h4m - NAME DESIRED CURRENT READY AVAILABLE AGE cluster-7xw5g-edge-us-east-1-nyc-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1b 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1c 1 1 1 1 3h4m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check the machines that were created from the machine sets, run the following command: - oc get machines -n openshift-machine-api - $ oc get machines -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check nodes with edge roles, run the following command: - oc get nodes -l node-role.kubernetes.io/edge - $ oc get nodes -l node-role.kubernetes.io/edge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- Validating an installation.
- If necessary, you can Remote health reporting.
3.12. Installing a cluster with compute nodes on AWS Wavelength Zones
				You can quickly install an OpenShift Container Platform cluster on Amazon Web Services (AWS) Wavelength Zones by setting the zone names in the edge compute pool of the install-config.yaml file, or install a cluster in an existing Amazon Virtual Private Cloud (VPC) with Wavelength Zone subnets.
			
AWS Wavelength Zones is an infrastructure that AWS configured for mobile edge computing (MEC) applications.
A Wavelength Zone embeds AWS compute and storage services within the 5G network of a communication service provider (CSP). By placing application servers in a Wavelength Zone, the application traffic from your 5G devices can stay in the 5G network. The application traffic of the device reaches the target server directly, making latency a non-issue.
3.12.1. Infrastructure prerequisites
- You reviewed details about OpenShift Container Platform installation and update processes.
- You are familiar with Selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Warning- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX) in the AWS documentation.
- If you use a firewall, you configured it to allow the sites that your cluster must access.
- You noted the region and supported AWS Wavelength Zone locations to create the network resources in.
- You read AWS Wavelength features in the AWS documentation.
- You read the Quotas and considerations for Wavelength Zones in the AWS documentation.
- You added permissions for creating network resources that support AWS Wavelength Zones to the Identity and Access Management (IAM) user or role. For example: - Example of an additional IAM policy that attached - ec2:ModifyAvailabilityZoneGroup,- ec2:CreateCarrierGateway, and- ec2:DeleteCarrierGatewaypermissions to a user or role- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.12.2. About AWS Wavelength Zones and edge compute pool
Read the following sections to understand infrastructure behaviors and cluster limitations in an AWS Wavelength Zones environment.
3.12.2.1. Cluster limitations in AWS Wavelength Zones
Some limitations exist when you try to deploy a cluster with a default installation configuration in an Amazon Web Services (AWS) Wavelength Zone.
The following list details limitations when deploying a cluster in a pre-configured AWS zone:
- 
									The maximum transmission unit (MTU) between an Amazon EC2 instance in a zone and an Amazon EC2 instance in the Region is 1300. This causes the cluster-wide network MTU to change according to the network plugin that is used with the deployment.
- Network resources such as Network Load Balancer (NLB), Classic Load Balancer, and Network Address Translation (NAT) Gateways are not globally supported.
- 
									For an OpenShift Container Platform cluster on AWS, the AWS Elastic Block Storage (EBS) gp3type volume is the default for node volumes and the default for the storage class. This volume type is not globally available on zone locations. By default, the nodes running in zones are deployed with thegp2EBS volume. Thegp2-csiStorageClassparameter must be set when creating workloads on zone nodes.
If you want the installation program to automatically create Wavelength Zone subnets for your OpenShift Container Platform cluster, specific configuration limitations apply with this method. The following note details some of these limitations. For other limitations, ensure that you read the "Quotas and considerations for Wavelength Zones" document that Red Hat provides in the "Infrastructure prerequisites" section.
The following configuration limitation applies when you set the installation program to automatically create subnets for your OpenShift Container Platform cluster:
- When the installation program creates private subnets in AWS Wavelength Zones, the program associates each subnet with the route table of its parent zone. This operation ensures that each private subnet can route egress traffic to the internet by way of NAT Gateways in an AWS Region.
- If the parent-zone route table does not exist during cluster installation, the installation program associates any private subnet with the first available private route table in the Amazon Virtual Private Cloud (VPC). This approach is valid only for AWS Wavelength Zones subnets in an OpenShift Container Platform cluster.
3.12.2.2. About edge compute pools
Edge compute nodes are tainted compute nodes that run in AWS Wavelength Zones locations.
When deploying a cluster that uses Wavelength Zones, consider the following points:
- Amazon EC2 instances in the Wavelength Zones are more expensive than Amazon EC2 instances in the Availability Zones.
- The latency is lower between the applications running in AWS Wavelength Zones and the end user. A latency impact exists for some workloads if, for example, ingress traffic is mixed between Wavelength Zones and Availability Zones.
							Generally, the maximum transmission unit (MTU) between an Amazon EC2 instance in a Wavelength Zones and an Amazon EC2 instance in the Region is 1300. The cluster network MTU must be always less than the EC2 MTU to account for the overhead. The specific overhead is determined by the network plugin. For example: OVN-Kubernetes has an overhead of 100 bytes.
						
The network plugin can provide additional features, such as IPsec, that also affect the MTU sizing.
For more information, see How AWS Wavelength work in the AWS documentation.
OpenShift Container Platform 4.12 introduced a new compute pool, edge, that is designed for use in remote zones. The edge compute pool configuration is common between AWS Wavelength Zones locations. Because of the type and size limitations of resources like EC2 and EBS on Wavelength Zones resources, the default instance type can vary from the traditional compute pool.
						The default Elastic Block Store (EBS) for Wavelength Zones locations is gp2, which differs from the non-edge compute pool. The instance type used for each Wavelength Zones on an edge compute pool also might differ from other compute pools, depending on the instance offerings on the zone.
					
The edge compute pool creates new labels that developers can use to deploy applications onto AWS Wavelength Zones nodes. The new labels are:
- 
								node-role.kubernetes.io/edge=''
- 
								machine.openshift.io/zone-type=wavelength-zone
- 
								machine.openshift.io/zone-group=$ZONE_GROUP_NAME
						By default, the machine sets for the edge compute pool define the taint of NoSchedule to prevent other workloads from spreading on Wavelength Zones instances. Users can only run user workloads if they define tolerations in the pod specification.
					
3.12.3. Installation prerequisites
Before you install a cluster in an AWS Wavelength Zones environment, you must configure your infrastructure so that it can adopt Wavelength Zone capabilities.
3.12.3.1. Opting in to an AWS Wavelength Zones
If you plan to create subnets in AWS Wavelength Zones, you must opt in to each zone group separately.
Prerequisites
- You have installed the AWS CLI.
- You have determined an AWS Region for where you want to deploy your OpenShift Container Platform cluster.
- You have attached a permissive IAM policy to a user or role account that opts in to the zone group.
Procedure
- List the zones that are available in your AWS Region by running the following command: - Example command for listing available AWS Wavelength Zones in an AWS Region - aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=wavelength-zone \ --all-availability-zones- $ aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=wavelength-zone \ --all-availability-zones- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Depending on the AWS Region, the list of available zones might be long. The command returns the following fields: - ZoneName
- The name of the Wavelength Zones.
- GroupName
- The group that comprises the zone. To opt in to the Region, save the name.
- Status
- 
											The status of the Wavelength Zones group. If the status is not-opted-in, you must opt in theGroupNameas described in the next step.
 
- Opt in to the zone group on your AWS account by running the following command: - aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \ --opt-in-status opted-in- $ aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \- 1 - --opt-in-status opted-in- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<value_of_GroupName>with the name of the group of the Wavelength Zones where you want to create subnets. As an example for Wavelength Zones, specifyus-east-1-wl1to use the zoneus-east-1-wl1-nyc-wlz-1(US East New York).
 
3.12.3.2. Obtaining an AWS Marketplace image
If you are deploying an OpenShift Container Platform cluster using an AWS Marketplace image, you must first subscribe through AWS. Subscribing to the offer provides you with the AMI ID that the installation program uses to deploy compute nodes.
You should only modify the RHCOS image for compute machines to use an AWS Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your AWS bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the AWS Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- You have an AWS account to purchase the offer. This account does not have to be the same account that is used to install the cluster.
Procedure
- Complete the OpenShift Container Platform subscription from the AWS Marketplace.
- Record the AMI ID for your specific AWS Region. As part of the installation process, you must update the - install-config.yamlfile with this value before deploying the cluster.- Sample - install-config.yamlfile with AWS Marketplace compute nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.12.4. Preparing for the installation
Before you extend nodes to Wavelength Zones, you must prepare certain resources for the cluster installation environment.
3.12.4.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
3.12.4.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform for use with AWS Wavelength Zones.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 3.18. Machine types based on 64-bit x86 architecture for AWS Wavelength Zones
- 
									r5.*
- 
									t3.*
3.12.4.3. Creating the installation configuration file
Generate and customize the installation configuration file that the installation program needs to deploy your cluster.
Prerequisites
- You obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
- 
								You checked that you are deploying your cluster to an AWS Region with an accompanying Red Hat Enterprise Linux CoreOS (RHCOS) AMI published by Red Hat. If you are deploying to an AWS Region that requires a custom AMI, such as an AWS GovCloud Region, you must create the install-config.yamlfile manually.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 Important- Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select aws as the platform to target.
- If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. Note- The AWS access key ID and secret access key are stored in - ~/.aws/credentialsin the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.
- Select the AWS Region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
- Paste the pull secret from Red Hat OpenShift Cluster Manager.
 
 
- Optional: Back up the - install-config.yamlfile.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
3.12.4.4. Examples of installation configuration files with edge compute pools
						The following examples show install-config.yaml files that contain an edge machine pool configuration.
					
Configuration that uses an edge pool with a custom instance type
Instance types differ between locations. To verify availability in the Wavelength Zones in which the cluster runs, see the AWS documentation.
Configuration that uses an edge pool with custom security groups
- 1
- Specify the name of the security group as it is displayed on the Amazon EC2 console. Ensure that you include thesgprefix.
3.12.5. Cluster installation options for an AWS Wavelength Zones environment
Choose one of the following installation options to install an OpenShift Container Platform cluster on AWS with edge compute nodes defined in Wavelength Zones:
- Fully automated option: Installing a cluster to quickly extend compute nodes to edge compute pools, where the installation program automatically creates infrastructure resources for the OpenShift Container Platform cluster.
- 
							Existing VPC option: Installing a cluster on AWS into an existing VPC, where you supply Wavelength Zones subnets to the install-config.yamlfile.
Next steps
Choose one of the following options to install an OpenShift Container Platform cluster in an AWS Wavelength Zones environment:
3.12.6. Install a cluster quickly in AWS Wavelength Zones
					For OpenShift Container Platform 4.18, you can quickly install a cluster on Amazon Web Services (AWS) to extend compute nodes to Wavelength Zones locations. By using this installation route, the installation program automatically creates network resources and Wavelength Zones subnets for each zone that you defined in your configuration file. To customize the installation, you must modify parameters in the install-config.yaml file before you deploy the cluster.
				
3.12.6.1. Modifying an installation configuration file to use AWS Wavelength Zones
						Modify an install-config.yaml file to include AWS Wavelength Zones.
					
Prerequisites
- You have configured an AWS account.
- 
								You added your AWS keys and AWS Region to your local AWS profile by running aws configure.
- You are familiar with the configuration limitations that apply when you specify the installation program to automatically create subnets for your OpenShift Container Platform cluster.
- You opted in to the Wavelength Zones group for each zone.
- 
								You created an install-config.yamlfile by using the procedure "Creating the installation configuration file".
Procedure
- Modify the - install-config.yamlfile by specifying Wavelength Zones names in the- platform.aws.zonesproperty of the edge compute pool.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example of a configuration to install a cluster in the - us-west-2AWS Region that extends edge nodes to Wavelength Zones in- Los Angelesand- Las Vegaslocations- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Deploy your cluster.
Next steps
3.12.7. Installing a cluster in an existing VPC that has Wavelength Zone subnets
					You can install a cluster into an existing Amazon Virtual Private Cloud (VPC) on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, modify parameters in the install-config.yaml file before you install the cluster.
				
Installing a cluster on AWS into an existing VPC requires extending compute nodes to the edge of the Cloud Infrastructure by using AWS Wavelength Zones.
You can use a provided CloudFormation template to create network resources. Additionally, you can modify a template to customize your infrastructure or use the information that they contain to create AWS resources according to your company’s policies.
The steps for performing an installer-provisioned infrastructure installation are provided for example purposes only. Installing a cluster in an existing VPC requires that you have knowledge of the cloud provider and the installation process of OpenShift Container Platform. You can use a CloudFormation template to assist you with completing these steps or to help model your own cluster installation. Instead of using the CloudFormation template to create resources, you can decide to use other methods for generating these resources.
3.12.7.1. Creating a VPC in AWS
You can create a Virtual Private Cloud (VPC), and subnets for all Wavelength Zones locations, in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to extend compute nodes to edge locations. You can further customize your VPC to meet your requirements, including a VPN and route tables. You can also add new Wavelength Zones subnets not included at initial deployment.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the VPC.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and AWS Region to your local AWS profile by running aws configure.
- You opted in to the AWS Wavelength Zones on your AWS account.
Procedure
- Create a JSON file that contains the parameter values that the CloudFormation template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Go to the section of the documentation named "CloudFormation template for the VPC", and then copy the syntax from the provided template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the VPC by running the following command: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> \ --template-body file://<template>.yaml \ --parameters file://<parameters>.json- $ aws cloudformation create-stack --stack-name <name> \- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-vpc. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path and the name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster.- VpcId- The ID of your VPC. - PublicSubnetIds- The IDs of the new public subnets. - PrivateSubnetIds- The IDs of the new private subnets. - PublicRouteTableId- The ID of the new public route table ID. 
3.12.7.2. CloudFormation template for the VPC
You can use the following CloudFormation template to deploy the VPC that you need for your OpenShift Container Platform cluster.
Example 3.19. CloudFormation template for the VPC
3.12.7.3. Creating a VPC carrier gateway
To use public subnets in your OpenShift Container Platform cluster that runs on Wavelength Zones, you must create the carrier gateway and associate the carrier gateway to the VPC. Subnets are useful for deploying load balancers or edge compute nodes.
To create edge nodes or internet-facing load balancers in Wavelength Zones locations for your OpenShift Container Platform cluster, you must create the following required network components:
- A carrier gateway that associates to the existing VPC.
- A carrier route table that lists route entries.
- A subnet that associates to the carrier route table.
Carrier gateways exist for VPCs that only contain subnets in a Wavelength Zone.
The following list explains the functions of a carrier gateway in the context of an AWS Wavelength Zones location:
- Provides connectivity between your Wavelength Zone and the carrier network, which includes any available devices from the carrier network.
- Performs Network Address Translation (NAT) functions, such as translating IP addresses that are public IP addresses stored in a network border group, from Wavelength Zones to carrier IP addresses. These translation functions apply to inbound and outbound traffic.
- Authorizes inbound traffic from a carrier network that is located in a specific location.
- Authorizes outbound traffic to a carrier network and the internet.
No inbound connection configuration exists from the internet to a Wavelength Zone through the carrier gateway.
You can use the provided CloudFormation template to create a stack of the following AWS resources:
- One carrier gateway that associates to the VPC ID in the template.
- 
								One public route table for the Wavelength Zone named as <ClusterName>-public-carrier.
- Default IPv4 route entry in the new route table that targets the carrier gateway.
- VPC gateway endpoint for an AWS Simple Storage Service (S3).
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and region to your local AWS profile by running aws configure.
Procedure
- Go to the next section of the documentation named "CloudFormation template for the VPC Carrier Gateway", and then copy the syntax from the CloudFormation template for VPC Carrier Gateway template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- clusterName-vpc-carrier-gw. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- <VpcId>is the VPC ID extracted from the CloudFormation stack output created in the section named "Creating a VPC in AWS".
- 4
- <ClusterName>is a custom value that prefixes to resources that the CloudFormation stack creates. You can use the same name that is defined in the- metadata.namesection of the- install-config.yamlconfiguration file.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Confirm that the CloudFormation template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameter. Ensure that you provide the parameter value to the other CloudFormation templates that you run to create for your cluster.- PublicRouteTableId- The ID of the Route Table in the Carrier infrastructure. 
3.12.7.4. CloudFormation template for the VPC Carrier Gateway
You can use the following CloudFormation template to deploy the Carrier Gateway on AWS Wavelength infrastructure.
Example 3.20. CloudFormation template for VPC Carrier Gateway
3.12.7.5. Creating subnets in Wavelength Zones
Before you configure a machine set for edge compute nodes in your OpenShift Container Platform cluster, you must create the subnets in Wavelength Zones. Complete the following procedure for each Wavelength Zone that you want to deploy compute nodes to.
You can use the provided CloudFormation template and create a CloudFormation stack. You can then use this stack to custom provision a subnet.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and region to your local AWS profile by running aws configure.
- You opted in to the Wavelength Zones group.
Procedure
- Go to the section of the documentation named "CloudFormation template for the VPC subnet", and copy the syntax from the template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- cluster-wl-<wavelength_zone_shortname>. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- ${VPC_ID}is the VPC ID, which is the value- VpcIDin the output of the CloudFormation template for the VPC.
- 4
- ${ZONE_NAME}is the value of Wavelength Zones name to create the subnets.
- 5
- ${CLUSTER_NAME}is the value of ClusterName to be used as a prefix of the new AWS resource names.
- 6
- ${ROUTE_TABLE_PUB}is the PublicRouteTableId extracted from the output of the VPC’s carrier gateway CloudFormation stack.
- 7
- ${SUBNET_CIDR_PUB}is a valid CIDR block that is used to create the public subnet. This block must be part of the VPC CIDR block- VpcCidr.
- 8
- ${ROUTE_TABLE_PVT}is the PrivateRouteTableId extracted from the output of the VPC’s CloudFormation stack.
- 9
- ${SUBNET_CIDR_PVT}is a valid CIDR block that is used to create the private subnet. This block must be part of the VPC CIDR block- VpcCidr.
 
Example output
arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f
arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849fVerification
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. Ensure that you provide these parameter values to the other CloudFormation templates that you run to create for your cluster.- PublicSubnetId- The IDs of the public subnet created by the CloudFormation stack. - PrivateSubnetId- The IDs of the private subnet created by the CloudFormation stack. 
3.12.7.6. CloudFormation template for the VPC subnet
You can use the following CloudFormation template to deploy the private and public subnets in a zone on Wavelength Zones infrastructure.
Example 3.21. CloudFormation template for VPC subnets
3.12.7.7. Modifying an installation configuration file to use AWS Wavelength Zones subnets
						Modify your install-config.yaml file to include Wavelength Zones subnets.
					
Prerequisites
- You created subnets by using the procedure "Creating subnets in Wavelength Zones".
- 
								You created an install-config.yamlfile by using the procedure "Creating the installation configuration file".
Procedure
- Modify the - install-config.yamlconfiguration file by specifying Wavelength Zones subnets in the- platform.aws.subnetsparameter.- Example installation configuration file with Wavelength Zones subnets - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- List of subnet IDs created in the zones: Availability and Wavelength Zones.
 
Next steps
3.12.8. Optional: Assign public IP addresses to edge compute nodes
If your workload requires deploying the edge compute nodes in public subnets on Wavelength Zones infrastructure, you can configure the machine set manifests when installing a cluster.
AWS Wavelength Zones infrastructure accesses the network traffic in a specified zone, so applications can take advantage of lower latency when serving end users that are closer to that zone.
The default setting that deploys compute nodes in private subnets might not meet your needs, so consider creating edge compute nodes in public subnets when you want to apply more customization to your infrastructure.
By default, OpenShift Container Platform deploy the compute nodes in private subnets. For best performance, consider placing compute nodes in subnets that have their Public IP addresses attached to the subnets.
You must create additional security groups, but ensure that you only open the groups' rules over the internet when you really need to.
Procedure
- Change to the directory that contains the installation program and generate the manifest files. Ensure that the installation manifests get created at the - openshiftand- manifestsdirectory level.- ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the machine set manifest that the installation program generates for the Wavelength Zones, so that the manifest gets deployed in public subnets. Specify - truefor the- spec.template.spec.providerSpec.value.publicIPparameter.- Example machine set manifest configuration for installing a cluster quickly in Wavelength Zones - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example machine set manifest configuration for installing a cluster in an existing VPC that has Wavelength Zones subnets - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.12.9. Deploying the cluster
You can install OpenShift Container Platform on a compatible cloud platform.
						You can run the create cluster command of the installation program only once, during initial installation.
					
Prerequisites
- You have configured an account with the cloud platform that hosts your cluster.
- You have the OpenShift Container Platform installation program and the pull secret for your cluster.
- You have verified that the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.
Procedure
- In the directory that contains the installation program, initialize the cluster deployment by running the following command: - ./openshift-install create cluster --dir <installation_directory> \ --log-level=info- $ ./openshift-install create cluster --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Remove or disable the - AdministratorAccesspolicy from the IAM account that you used to install the cluster.Note- The elevated permissions provided by the - AdministratorAccesspolicy are required only during installation.
Verification
When the cluster deployment completes successfully:
- 
							The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadminuser.
- 
							Credential information also outputs to <installation_directory>/.openshift_install.log.
Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.
Example output
- 
								The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
3.12.10. Verifying the status of the deployed cluster
Verify that your OpenShift Container Platform successfully deployed on AWS Wavelength Zones.
3.12.10.1. Logging in to the cluster by using the CLI
						You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
					
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
								You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.12.10.2. Logging in to the cluster by using the web console
						The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
					
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
3.12.10.3. Verifying nodes that were created with edge compute pool
After you install a cluster that uses AWS Wavelength Zones infrastructure, check the status of the machine that was created by the machine set manifests created during installation.
- To check the machine sets created from the subnet you added to the - install-config.yamlfile, run the following command:- oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE cluster-7xw5g-edge-us-east-1-wl1-nyc-wlz-1 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1b 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1c 1 1 1 1 3h4m - NAME DESIRED CURRENT READY AVAILABLE AGE cluster-7xw5g-edge-us-east-1-wl1-nyc-wlz-1 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1a 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1b 1 1 1 1 3h4m cluster-7xw5g-worker-us-east-1c 1 1 1 1 3h4m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check the machines that were created from the machine sets, run the following command: - oc get machines -n openshift-machine-api - $ oc get machines -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To check nodes with edge roles, run the following command: - oc get nodes -l node-role.kubernetes.io/edge - $ oc get nodes -l node-role.kubernetes.io/edge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- Validating an installation.
- If necessary, you can Remote health reporting.
3.13. Extending an AWS VPC cluster into an AWS Outpost
In OpenShift Container Platform version 4.14, you could install a cluster on Amazon Web Services (AWS) with compute nodes running in AWS Outposts as a Technology Preview. As of OpenShift Container Platform version 4.15, this installation method is no longer supported. Instead, you can install a cluster on AWS into an existing VPC, and provision compute nodes on AWS Outposts as a postinstallation configuration task.
After installing a cluster on Amazon Web Services (AWS) into an existing Amazon Virtual Private Cloud (VPC), you can create a compute machine set that deploys compute machines in AWS Outposts. AWS Outposts is an AWS edge compute service that enables using many features of a cloud-based AWS deployment with the reduced latency of an on-premise environment. For more information, see the AWS Outposts documentation.
3.13.1. AWS Outposts on OpenShift Container Platform requirements and limitations
You can manage the resources on your AWS Outpost similarly to those on a cloud-based AWS cluster if you configure your OpenShift Container Platform cluster to accommodate the following requirements and limitations:
- To extend an OpenShift Container Platform cluster on AWS into an Outpost, you must have installed the cluster into an existing Amazon Virtual Private Cloud (VPC).
- The infrastructure of an Outpost is tied to an availability zone in an AWS region and uses a dedicated subnet. Edge compute machines deployed into an Outpost must use the Outpost subnet and the availability zone that the Outpost is tied to.
- 
							When the AWS Kubernetes cloud controller manager discovers an Outpost subnet, it attempts to create service load balancers in the Outpost subnet. AWS Outposts do not support running service load balancers. To prevent the cloud controller manager from creating unsupported services in the Outpost subnet, you must include the kubernetes.io/cluster/unmanagedtag in the Outpost subnet configuration. This requirement is a workaround in OpenShift Container Platform version 4.18. For more information, see OCPBUGS-30041.
- 
							OpenShift Container Platform clusters on AWS include the gp3-csiandgp2-csistorage classes. These classes correspond to Amazon Elastic Block Store (EBS) gp3 and gp2 volumes. OpenShift Container Platform clusters use thegp3-csistorage class by default, but AWS Outposts does not support EBS gp3 volumes.
- 
							This implementation uses the node-role.kubernetes.io/outpoststaint to prevent spreading regular cluster workloads to the Outpost nodes. To schedule user workloads in the Outpost, you must specify a corresponding toleration in theDeploymentresource for your application. Reserving the AWS Outpost infrastructure for user workloads avoids additional configuration requirements, such as updating the default CSI togp2-csiso that it is compatible.
- 
							To create a volume in the Outpost, the CSI driver requires the Outpost Amazon Resource Name (ARN). The driver uses the topology keys stored on the CSINodeobjects to determine the Outpost ARN. To ensure that the driver uses the correct topology values, you must set the volume binding mode toWaitForConsumerand avoid setting allowed topologies on any new storage classes that you create.
- When you extend an AWS VPC cluster into an Outpost, you have two types of compute resources. The Outpost has edge compute nodes, while the VPC has cloud-based compute nodes. The cloud-based AWS Elastic Block volume cannot attach to Outpost edge compute nodes, and the Outpost volumes cannot attach to cloud-based compute nodes. - As a result, you cannot use CSI snapshots to migrate applications that use persistent storage from cloud-based compute nodes to edge compute nodes or directly use the original persistent volume. To migrate persistent storage data for applications, you must perform a manual backup and restore operation. 
- AWS Outposts does not support AWS Network Load Balancers or AWS Classic Load Balancers. You must use AWS Application Load Balancers to enable load balancing for edge compute resources in the AWS Outposts environment. - To provision an Application Load Balancer, you must use an Ingress resource and install the AWS Load Balancer Operator. If your cluster contains both edge and cloud-based compute instances that share workloads, additional configuration is required. - For more information, see "Using the AWS Load Balancer Operator in an AWS VPC cluster extended into an Outpost". 
3.13.2. Obtaining information about your environment
To extend an AWS VPC cluster to your Outpost, you must provide information about your OpenShift Container Platform cluster and your Outpost environment. You use this information to complete network configuration tasks and configure a compute machine set that creates compute machines in your Outpost. You can use command-line tools to gather the required details.
3.13.2.1. Obtaining information from your OpenShift Container Platform cluster
						You can use the OpenShift CLI (oc) to obtain information from your OpenShift Container Platform cluster.
					
						You might find it convenient to store some or all of these values as environment variables by using the export command.
					
Prerequisites
- You have installed an OpenShift Container Platform cluster into a custom VPC on AWS.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- List the infrastructure ID for the cluster by running the following command. Retain this value. - oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructures.config.openshift.io cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructures.config.openshift.io cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Obtain details about the compute machine sets that the installation program created by running the following commands: - List the compute machine sets on your cluster: - oc get machinesets.machine.openshift.io -n openshift-machine-api - $ oc get machinesets.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE <compute_machine_set_name_1> 1 1 1 1 55m <compute_machine_set_name_2> 1 1 1 1 55m - NAME DESIRED CURRENT READY AVAILABLE AGE <compute_machine_set_name_1> 1 1 1 1 55m <compute_machine_set_name_2> 1 1 1 1 55m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Display the Amazon Machine Image (AMI) ID for one of the listed compute machine sets. Retain this value. - oc get machinesets.machine.openshift.io <compute_machine_set_name_1> \ -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}'- $ oc get machinesets.machine.openshift.io <compute_machine_set_name_1> \ -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Display the subnet ID for the AWS VPC cluster. Retain this value. - oc get machinesets.machine.openshift.io <compute_machine_set_name_1> \ -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet.id}'- $ oc get machinesets.machine.openshift.io <compute_machine_set_name_1> \ -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet.id}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
3.13.2.2. Obtaining information from your AWS account
						You can use the AWS CLI (aws) to obtain information from your AWS account.
					
						You might find it convenient to store some or all of these values as environment variables by using the export command.
					
Prerequisites
- You have an AWS Outposts site with the required hardware setup complete.
- Your Outpost is connected to your AWS account.
- 
								You have access to your AWS account by using the AWS CLI (aws) as a user with permissions to perform the required tasks.
Procedure
- List the Outposts that are connected to your AWS account by running the following command: - aws outposts list-outposts - $ aws outposts list-outposts- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Retain the following values from the output of the - aws outposts list-outpostscommand:- The Outpost ID.
- The Amazon Resource Name (ARN) for the Outpost.
- The Outpost availability zone. Note- The output of the - aws outposts list-outpostscommand includes two values related to the availability zone:- AvailabilityZoneand- AvailabilityZoneId. You use the- AvailablilityZonevalue to configure a compute machine set that creates compute machines in your Outpost.
 
- Using the value of the Outpost ID, show the instance types that are available in your Outpost by running the following command. Retain the values of the available instance types. - aws outposts get-outpost-instance-types \ --outpost-id <outpost_id_value> - $ aws outposts get-outpost-instance-types \ --outpost-id <outpost_id_value>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Using the value of the Outpost ARN, show the subnet ID for the Outpost by running the following command. Retain this value. - aws ec2 describe-subnets \ --filters Name=outpost-arn,Values=<outpost_arn_value> - $ aws ec2 describe-subnets \ --filters Name=outpost-arn,Values=<outpost_arn_value>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.13.3. Configuring your network for your Outpost
To extend your VPC cluster into an Outpost, you must complete the following network configuration tasks:
- Change the Cluster Network MTU.
- Create a subnet in your Outpost.
3.13.3.1. Changing the cluster network MTU to support AWS Outposts
During installation, the maximum transmission unit (MTU) for the cluster network is detected automatically based on the MTU of the primary network interface of nodes in the cluster. You might need to decrease the MTU value for the cluster network to support an AWS Outposts subnet.
You cannot roll back an MTU value for nodes during the MTU migration process, but you can roll back the value after the MTU migration process completes.
The migration is disruptive and nodes in your cluster might be temporarily unavailable as the MTU update takes effect.
For more details about the migration process, including important service interruption considerations, see "Changing the MTU for the cluster network" in the additional resources for this procedure.
Prerequisites
- 
								You have installed the OpenShift CLI (oc).
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have identified the target MTU for your cluster. The MTU for the OVN-Kubernetes network plugin must be set to 100less than the lowest hardware MTU value in your cluster.
- If your nodes are physical machines, ensure that the cluster network and the connected network switches support jumbo frames.
- If your nodes are virtual machines (VMs), ensure that the hypervisor and the connected network switches support jumbo frames.
3.13.3.1.1. Checking the current cluster MTU value
Use the following procedure to obtain the current maximum transmission unit (MTU) for the cluster network.
Procedure
- To obtain the current MTU for the cluster network, enter the following command: - oc describe network.config cluster - $ oc describe network.config cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.13.3.1.2. Beginning the MTU migration
Use the following procedure to start the MTU migration.
Procedure
- To begin the MTU migration, specify the migration configuration by entering the following command. The Machine Config Operator performs a rolling reboot of the nodes in the cluster in preparation for the MTU change. - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": <overlay_from>, "to": <overlay_to> } , "machine": { "to" : <machine_to> } } } } }'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": <overlay_from>, "to": <overlay_to> } , "machine": { "to" : <machine_to> } } } } }'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <overlay_from>
- Specifies the current cluster network MTU value.
- <overlay_to>
- 
												Specifies the target MTU for the cluster network. This value is set relative to the value of <machine_to>. For OVN-Kubernetes, this value must be100less than the value of<machine_to>.
- <machine_to>
- Specifies the MTU for the primary network interface on the underlying host network.
 - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": 1400, "to": 1000 } , "machine": { "to" : 1100} } } } }'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": 1400, "to": 1000 } , "machine": { "to" : 1100} } } } }'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- As the Machine Config Operator updates machines in each machine config pool, the Operator reboots each node one by one. You must wait until all the nodes are updated. Check the machine config pool status by entering the following command: - oc get machineconfigpools - $ oc get machineconfigpools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - A successfully updated node has the following status: - UPDATED=true,- UPDATING=false,- DEGRADED=false.Note- By default, the Machine Config Operator updates one machine per pool at a time, causing the total time the migration takes to increase with the size of the cluster. 
3.13.3.1.3. Verifying the machine configuration
Use the following procedure to verify the machine configuration.
Procedure
- Confirm the status of the new machine configuration on the hosts: - To list the machine configuration state and the name of the applied machine configuration, enter the following command: - oc describe node | egrep "hostname|machineconfig" - $ oc describe node | egrep "hostname|machineconfig"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - kubernetes.io/hostname=master-0 machineconfiguration.openshift.io/currentConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/desiredConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/reason: machineconfiguration.openshift.io/state: Done - kubernetes.io/hostname=master-0 machineconfiguration.openshift.io/currentConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/desiredConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/reason: machineconfiguration.openshift.io/state: Done- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the following statements are true: - 
													The value of machineconfiguration.openshift.io/statefield isDone.
- 
													The value of the machineconfiguration.openshift.io/currentConfigfield is equal to the value of themachineconfiguration.openshift.io/desiredConfigfield.
 
- 
													The value of 
- To confirm that the machine config is correct, enter the following command: - oc get machineconfig <config_name> -o yaml | grep ExecStart - $ oc get machineconfig <config_name> -o yaml | grep ExecStart- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <config_name>
- 
														Specifies the name of the machine config from the machineconfiguration.openshift.io/currentConfigfield.
 - The machine config must include the following update to the systemd configuration: - ExecStart=/usr/local/bin/mtu-migration.sh - ExecStart=/usr/local/bin/mtu-migration.sh- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
3.13.3.1.4. Finalizing the MTU migration
Use the following procedure to finalize the MTU migration.
Procedure
- To finalize the MTU migration, enter the following command for the OVN-Kubernetes network plugin: - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": null, "defaultNetwork":{ "ovnKubernetesConfig": { "mtu": <mtu> }}}}'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": null, "defaultNetwork":{ "ovnKubernetesConfig": { "mtu": <mtu> }}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <mtu>
- 
												Specifies the new cluster network MTU that you specified with <overlay_to>.
 
- After finalizing the MTU migration, each machine config pool node is rebooted one by one. You must wait until all the nodes are updated. Check the machine config pool status by entering the following command: - oc get machineconfigpools - $ oc get machineconfigpools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - A successfully updated node has the following status: - UPDATED=true,- UPDATING=false,- DEGRADED=false.
Verification
- Verify that the node in your cluster uses the MTU that you specified by entering the following command: - oc describe network.config cluster - $ oc describe network.config cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.13.3.2. Creating subnets for AWS edge compute services
Before you configure a machine set for edge compute nodes in your OpenShift Container Platform cluster, you must create a subnet in AWS Outposts.
You can use the provided CloudFormation template and create a CloudFormation stack. You can then use this stack to custom provision a subnet.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and region to your local AWS profile by running aws configure.
- You have obtained the required information about your environment from your OpenShift Container Platform cluster, Outpost, and AWS account.
Procedure
- Go to the section of the documentation named "CloudFormation template for the VPC subnet", and copy the syntax from the template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- cluster-<outpost_name>.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- ${VPC_ID}is the VPC ID, which is the value- VpcIDin the output of the CloudFormation template for the VPC.
- 4
- ${CLUSTER_NAME}is the value of ClusterName to be used as a prefix of the new AWS resource names.
- 5
- ${ZONE_NAME}is the value of AWS Outposts name to create the subnets.
- 6
- ${ROUTE_TABLE_PUB}is the Public Route Table ID created in the- ${VPC_ID}used to associate the public subnets on Outposts. Specify the public route table to associate the Outpost subnet created by this stack.
- 7
- ${SUBNET_CIDR_PUB}is a valid CIDR block that is used to create the public subnet. This block must be part of the VPC CIDR block- VpcCidr.
- 8
- ${ROUTE_TABLE_PVT}is the Private Route Table ID created in the- ${VPC_ID}used to associate the private subnets on Outposts. Specify the private route table to associate the Outpost subnet created by this stack.
- 9
- ${SUBNET_CIDR_PVT}is a valid CIDR block that is used to create the private subnet. This block must be part of the VPC CIDR block- VpcCidr.
- 10
- ${OUTPOST_ARN}is the Amazon Resource Name (ARN) for the Outpost.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters:- PublicSubnetId- The IDs of the public subnet created by the CloudFormation stack. - PrivateSubnetId- The IDs of the private subnet created by the CloudFormation stack. - Ensure that you provide these parameter values to the other CloudFormation templates that you run to create for your cluster. 
3.13.3.3. CloudFormation template for the VPC subnet
You can use the following CloudFormation template to deploy the Outpost subnet.
Example 3.22. CloudFormation template for VPC subnets
3.13.4. Creating a compute machine set that deploys edge compute machines on an Outpost
To create edge compute machines on AWS Outposts, you must create a new compute machine set with a compatible configuration.
Prerequisites
- You have an AWS Outposts site.
- You have installed an OpenShift Container Platform cluster into a custom VPC on AWS.
- 
							You have access to the cluster using an account with cluster-adminpermissions.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- List the compute machine sets in your cluster by running the following command: - oc get machinesets.machine.openshift.io -n openshift-machine-api - $ oc get machinesets.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE <original_machine_set_name_1> 1 1 1 1 55m <original_machine_set_name_2> 1 1 1 1 55m - NAME DESIRED CURRENT READY AVAILABLE AGE <original_machine_set_name_1> 1 1 1 1 55m <original_machine_set_name_2> 1 1 1 1 55m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Record the names of the existing compute machine sets.
- Create a YAML file that contains the values for a new compute machine set custom resource (CR) by using one of the following methods: - Copy an existing compute machine set configuration into a new file by running the following command: - oc get machinesets.machine.openshift.io <original_machine_set_name_1> \ -n openshift-machine-api -o yaml > <new_machine_set_name_1>.yaml - $ oc get machinesets.machine.openshift.io <original_machine_set_name_1> \ -n openshift-machine-api -o yaml > <new_machine_set_name_1>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can edit this YAML file with your preferred text editor. 
- Create an empty YAML file named - <new_machine_set_name_1>.yamlwith your preferred text editor and include the required values for your new compute machine set.- If you are not sure which value to set for a specific field, you can view values of an existing compute machine set CR by running the following command: - oc get machinesets.machine.openshift.io <original_machine_set_name_1> \ -n openshift-machine-api -o yaml - $ oc get machinesets.machine.openshift.io <original_machine_set_name_1> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Configure the new compute machine set to create edge compute machines in the Outpost by editing the - <new_machine_set_name_1>.yamlfile:- Example compute machine set for AWS Outposts - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the cluster infrastructure ID.
- 2
- Specifies the name of the compute machine set. The name is composed of the cluster infrastructure ID, theoutpostsrole name, and the Outpost availability zone.
- 3
- Specifies the Amazon Machine Image (AMI) ID.
- 4
- Specifies the EBS volume type. AWS Outposts requires gp2 volumes.
- 5
- Specifies the AWS instance type. You must use an instance type that is configured in your Outpost.
- 6
- Specifies the AWS region in which the Outpost availability zone exists.
- 7
- Specifies the dedicated subnet for your Outpost.
- 8
- Specifies a taint to prevent workloads from being scheduled on nodes that have thenode-role.kubernetes.io/outpostslabel. To schedule user workloads in the Outpost, you must specify a corresponding toleration in theDeploymentresource for your application.
 
- Save your changes.
- Create a compute machine set CR by running the following command: - oc create -f <new_machine_set_name_1>.yaml - $ oc create -f <new_machine_set_name_1>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that the compute machine set is created, list the compute machine sets in your cluster by running the following command: - oc get machinesets.machine.openshift.io -n openshift-machine-api - $ oc get machinesets.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE <new_machine_set_name_1> 1 1 1 1 4m12s <original_machine_set_name_1> 1 1 1 1 55m <original_machine_set_name_2> 1 1 1 1 55m - NAME DESIRED CURRENT READY AVAILABLE AGE <new_machine_set_name_1> 1 1 1 1 4m12s <original_machine_set_name_1> 1 1 1 1 55m <original_machine_set_name_2> 1 1 1 1 55m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To list the machines that are managed by the new compute machine set, run the following command: - oc get -n openshift-machine-api machines.machine.openshift.io \ -l machine.openshift.io/cluster-api-machineset=<new_machine_set_name_1> - $ oc get -n openshift-machine-api machines.machine.openshift.io \ -l machine.openshift.io/cluster-api-machineset=<new_machine_set_name_1>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME PHASE TYPE REGION ZONE AGE <machine_from_new_1> Provisioned m5.xlarge us-east-1 us-east-1a 25s <machine_from_new_2> Provisioning m5.xlarge us-east-1 us-east-1a 25s - NAME PHASE TYPE REGION ZONE AGE <machine_from_new_1> Provisioned m5.xlarge us-east-1 us-east-1a 25s <machine_from_new_2> Provisioning m5.xlarge us-east-1 us-east-1a 25s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To verify that a machine created by the new compute machine set has the correct configuration, examine the relevant fields in the CR for one of the new machines by running the following command: - oc describe machine <machine_from_new_1> -n openshift-machine-api - $ oc describe machine <machine_from_new_1> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.13.5. Creating user workloads in an Outpost
					After you extend an OpenShift Container Platform in an AWS VPC cluster into an Outpost, you can use edge compute nodes with the label node-role.kubernetes.io/outposts to create user workloads in the Outpost.
				
Prerequisites
- You have extended an AWS VPC cluster into an Outpost.
- 
							You have access to the cluster using an account with cluster-adminpermissions.
- 
							You have installed the OpenShift CLI (oc).
- You have created a compute machine set that deploys edge compute machines compatible with the Outpost environment.
Procedure
- Configure a - Deploymentresource file for an application that you want to deploy to the edge compute node in the edge subnet.- Example - Deploymentmanifest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a name for your application.
- 2
- Specify a namespace for your application. The application namespace can be the same as the application name.
- 3
- Specify the storage class name. For an edge compute configuration, you must use thegp2-csistorage class.
- 4
- Specify a label to identify workloads deployed in the Outpost.
- 5
- Specify the node selector label that targets edge compute nodes.
- 6
- Specify tolerations that match thekeyandeffectstaints in the compute machine set for your edge compute machines. Set thevalueandoperatortolerations as shown.
 
- Create the - Deploymentresource by running the following command:- oc create -f <application_deployment>.yaml - $ oc create -f <application_deployment>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure a - Serviceobject that exposes a pod from a targeted edge compute node to services that run inside your edge network.- Example - Servicemanifest- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - ServiceCR by running the following command:- oc create -f <application_service>.yaml - $ oc create -f <application_service>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.13.6. Scheduling workloads on edge and cloud-based AWS compute resources
When you extend an AWS VPC cluster into an Outpost, the Outpost uses edge compute nodes and the VPC uses cloud-based compute nodes. The following load balancer considerations apply to an AWS VPC cluster extended into an Outpost:
- Outposts cannot run AWS Network Load Balancers or AWS Classic Load Balancers, but a Classic Load Balancer for a VPC cluster extended into an Outpost can attach to the Outpost edge compute nodes. For more information, see Using AWS Classic Load Balancers in an AWS VPC cluster extended into an Outpost.
- To run a load balancer on an Outpost instance, you must use an AWS Application Load Balancer. You can use the AWS Load Balancer Operator to deploy an instance of the AWS Load Balancer Controller. The controller provisions AWS Application Load Balancers for Kubernetes Ingress resources. For more information, see Using the AWS Load Balancer Operator in an AWS VPC cluster extended into an Outpost.
3.13.6.1. Using AWS Classic Load Balancers in an AWS VPC cluster extended into an Outpost
AWS Outposts infrastructure cannot run AWS Classic Load Balancers, but Classic Load Balancers in the AWS VPC cluster can target edge compute nodes in the Outpost if edge and cloud-based subnets are in the same availability zone. As a result, Classic Load Balancers on the VPC cluster might schedule pods on either of these node types.
Scheduling the workloads on edge compute nodes and cloud-based compute nodes can introduce latency. If you want to prevent a Classic Load Balancer in the VPC cluster from targeting Outpost edge compute nodes, you can apply labels to the cloud-based compute nodes and configure the Classic Load Balancer to only schedule on nodes with the applied labels.
If you do not need to prevent a Classic Load Balancer in the VPC cluster from targeting Outpost edge compute nodes, you do not need to complete these steps.
Prerequisites
- You have extended an AWS VPC cluster into an Outpost.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
- You have created a user workload in the Outpost with tolerations that match the taints for your edge compute machines.
Procedure
- Optional: Verify that the edge compute nodes have the - location=outpostslabel by running the following command and verifying that the output includes only the edge compute nodes in your Outpost:- oc get nodes -l location=outposts - $ oc get nodes -l location=outposts- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Label the cloud-based compute nodes in the VPC cluster with a key-value pair by running the following command: - for NODE in $(oc get node -l node-role.kubernetes.io/worker --no-headers | grep -v outposts | awk '{print$1}'); do oc label node $NODE <key_name>=<value>; done- $ for NODE in $(oc get node -l node-role.kubernetes.io/worker --no-headers | grep -v outposts | awk '{print$1}'); do oc label node $NODE <key_name>=<value>; done- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <key_name>=<value>is the label you want to use to distinguish cloud-based compute nodes.- Example output - node1.example.com labeled node2.example.com labeled node3.example.com labeled - node1.example.com labeled node2.example.com labeled node3.example.com labeled- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Verify that the cloud-based compute nodes have the specified label by running the following command and confirming that the output includes all cloud-based compute nodes in your VPC cluster: - oc get nodes -l <key_name>=<value> - $ oc get nodes -l <key_name>=<value>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION node1.example.com Ready worker 7h v1.31.3 node2.example.com Ready worker 7h v1.31.3 node3.example.com Ready worker 7h v1.31.3 - NAME STATUS ROLES AGE VERSION node1.example.com Ready worker 7h v1.31.3 node2.example.com Ready worker 7h v1.31.3 node3.example.com Ready worker 7h v1.31.3- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the Classic Load Balancer service by adding the cloud-based subnet information to the - annotationsfield of the- Servicemanifest:- Example service configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - ServiceCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify the status of the - serviceresource to show the host of the provisioned Classic Load Balancer by running the following command:- HOST=$(oc get service <application_name> -n <application_namespace> --template='{{(index .status.loadBalancer.ingress 0).hostname}}')- $ HOST=$(oc get service <application_name> -n <application_namespace> --template='{{(index .status.loadBalancer.ingress 0).hostname}}')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify the status of the provisioned Classic Load Balancer host by running the following command: - curl $HOST - $ curl $HOST- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- In the AWS console, verify that only the labeled instances appear as the targeted instances for the load balancer.
3.13.6.2. Using the AWS Load Balancer Operator in an AWS VPC cluster extended into an Outpost
You can configure the AWS Load Balancer Operator to provision an AWS Application Load Balancer in an AWS VPC cluster extended into an Outpost. AWS Outposts does not support AWS Network Load Balancers. As a result, the AWS Load Balancer Operator cannot provision Network Load Balancers in an Outpost.
You can create an AWS Application Load Balancer either in the cloud subnet or in the Outpost subnet. An Application Load Balancer in the cloud can attach to cloud-based compute nodes and an Application Load Balancer in the Outpost can attach to edge compute nodes. You must annotate Ingress resources with the Outpost subnet or the VPC subnet, but not both.
Prerequisites
- You have extended an AWS VPC cluster into an Outpost.
- 
								You have installed the OpenShift CLI (oc).
- You have installed the AWS Load Balancer Operator and created the AWS Load Balancer Controller.
Procedure
- Configure the - Ingressresource to use a specified subnet:- Example - Ingressresource configuration- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the subnet to use.- To use the Application Load Balancer in an Outpost, specify the Outpost subnet ID.
- To use the Application Load Balancer in the cloud, you must specify at least two subnets in different availability zones.
 
 
3.14. Installing a cluster with the support for configuring multi-architecture compute machines
An OpenShift Container Platform cluster with multi-architecture compute machines supports compute machines with different architectures.
When you have nodes with multiple architectures in your cluster, the architecture of your image must be consistent with the architecture of the node. You must ensure that the pod is assigned to the node with the appropriate architecture and that it matches the image architecture. For more information on assigning pods to nodes, Scheduling workloads on clusters with multi-architecture compute machines.
You can install an Amazon Web Services (AWS) cluster with the support for configuring multi-architecture compute machines. After installing the cluster, you can add multi-architecture compute machines to the cluster in the following ways:
- Adding 64-bit x86 compute machines to a cluster that uses 64-bit ARM control plane machines and already includes 64-bit ARM compute machines. In this case, 64-bit x86 is considered the secondary architecture.
- Adding 64-bit ARM compute machines to a cluster that uses 64-bit x86 control plane machines and already includes 64-bit x86 compute machines. In this case, 64-bit ARM is considered the secondary architecture.
					Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a ClusterPodPlacementConfig custom resource. For more information, see "Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator".
				
3.14.1. Installing a cluster with multi-architecture support
You can install a cluster with the support for configuring multi-architecture compute machines.
Prerequisites
- 
							You installed the OpenShift CLI (oc).
- You have the OpenShift Container Platform installation program.
- You downloaded the pull secret for your cluster.
Procedure
- Check that the - openshift-installbinary is using the- multipayload by running the following command:- ./openshift-install version - $ ./openshift-install version- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ./openshift-install 4.18.0 built from commit abc123etc release image quay.io/openshift-release-dev/ocp-release@sha256:abc123wxyzetc release architecture multi default architecture amd64 - ./openshift-install 4.18.0 built from commit abc123etc release image quay.io/openshift-release-dev/ocp-release@sha256:abc123wxyzetc release architecture multi default architecture amd64- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output must contain - release architecture multito indicate that the- openshift-installbinary is using the- multipayload.
- Update the - install-config.yamlfile to configure the architecture for the nodes.- Sample - install-config.yamlfile with multi-architecture configuration- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
Chapter 4. User-provisioned infrastructure
4.1. Preparing to install a cluster on AWS
You prepare to install an OpenShift Container Platform cluster on AWS by completing the following steps:
- Verifying internet connectivity for your cluster.
- Configuring an AWS account.
- Downloading the installation program. Note- If you are installing in a disconnected environment, you extract the installation program from the mirrored content. For more information, see Mirroring images for a disconnected installation. 
- Installing the OpenShift CLI ( - oc).Note- If you are installing in a disconnected environment, install - octo the mirror host.
- Generating an SSH key pair. You can use this key pair to authenticate into the OpenShift Container Platform cluster’s nodes after it is deployed.
- Preparing the user-provisioned infrastructure.
- 
						If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-systemnamespace, manually creating long-term credentials for AWS or configuring an AWS cluster to use short-term credentials with Amazon Web Services Security Token Service (AWS STS).
4.1.1. Internet access for OpenShift Container Platform
In OpenShift Container Platform 4.18, you require access to the internet to install your cluster.
You must have internet access to perform the following actions:
- Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
- Access Quay.io to obtain the packages that are required to install your cluster.
- Obtain the packages that are required to perform cluster updates.
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.
4.1.2. Obtaining the installation program
Before you install OpenShift Container Platform, download the installation file on the host you are using for installation.
Prerequisites
- You have a computer that runs Linux or macOS, with 500 MB of local disk space.
Procedure
- Go to the Cluster Type page on the Red Hat Hybrid Cloud Console. If you have a Red Hat account, log in with your credentials. If you do not, create an account. Tip
- Select your infrastructure provider from the Run it yourself section of the page.
- Select your host operating system and architecture from the dropdown menus under OpenShift Installer and click Download Installer.
- Place the downloaded file in the directory where you want to store the installation configuration files. Important- The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both of the files are required to delete the cluster.
- Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider.
 
- Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command: - tar -xvf openshift-install-linux.tar.gz - $ tar -xvf openshift-install-linux.tar.gz- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Download your installation pull secret from Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
Alternatively, you can retrieve the installation program from the Red Hat Customer Portal, where you can specify a version of the installation program to download. However, you must have an active subscription to access this page.
4.1.3. Installing the OpenShift CLI
					You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a command-line interface. You can install oc on Linux, Windows, or macOS.
				
						If you installed an earlier version of oc, you cannot use it to complete all of the commands in OpenShift Container Platform 4.18. Download and install the new version of oc.
					
4.1.3.1. Installing the OpenShift CLI on Linux
						You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the architecture from the Product Variant drop-down list.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Linux Clients entry and save the file.
- Unpack the archive: - tar xvf <file> - $ tar xvf <file>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Place the - ocbinary in a directory that is on your- PATH.- To check your - PATH, execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.1.3.2. Installing the OpenShift CLI on Windows
						You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 Windows Client entry and save the file.
- Unzip the archive with a ZIP program.
- Move the - ocbinary to a directory that is on your- PATH.- To check your - PATH, open the command prompt and execute the following command:- path - C:\> path- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- After you install the OpenShift CLI, it is available using the - occommand:- oc <command> - C:\> oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.1.3.3. Installing the OpenShift CLI on macOS
						You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
					
Procedure
- Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
- Select the appropriate version from the Version drop-down list.
- Click Download Now next to the OpenShift v4.18 macOS Clients entry and save the file. Note- For macOS arm64, choose the OpenShift v4.18 macOS arm64 Client entry. 
- Unpack and unzip the archive.
- Move the - ocbinary to a directory on your PATH.- To check your - PATH, open a terminal and execute the following command:- echo $PATH - $ echo $PATH- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Verify your installation by using an - occommand:- oc <command> - $ oc <command>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.1.4. Generating a key pair for cluster node SSH access
					During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.
				
					After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
				
					If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.
				
Do not skip this procedure in production environments, where disaster recovery and debugging is required.
You must use a local key, not one that you configured with platform-specific approaches.
Procedure
- If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command: - ssh-keygen -t ed25519 -N '' -f <path>/<file_name> - $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path and file name, such as~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in the your~/.sshdirectory.
 Note- If you plan to install an OpenShift Container Platform cluster that uses the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the - x86_64,- ppc64le, and- s390xarchitectures, do not create a key that uses the- ed25519algorithm. Instead, create a key that uses the- rsaor- ecdsaalgorithm.
- View the public SSH key: - cat <path>/<file_name>.pub - $ cat <path>/<file_name>.pub- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example, run the following to view the - ~/.ssh/id_ed25519.pubpublic key:- cat ~/.ssh/id_ed25519.pub - $ cat ~/.ssh/id_ed25519.pub- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the - ./openshift-install gathercommand.Note- On some distributions, default SSH private key identities such as - ~/.ssh/id_rsaand- ~/.ssh/id_dsaare managed automatically.- If the - ssh-agentprocess is not already running for your local user, start it as a background task:- eval "$(ssh-agent -s)" - $ eval "$(ssh-agent -s)"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Agent pid 31874 - Agent pid 31874- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA. 
 
- Add your SSH private key to the - ssh-agent:- ssh-add <path>/<file_name> - $ ssh-add <path>/<file_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the path and file name for your SSH private key, such as~/.ssh/id_ed25519
 - Example output - Identity added: /home/<you>/<path>/<file_name> (<computer_name>) - Identity added: /home/<you>/<path>/<file_name> (<computer_name>)- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- When you install OpenShift Container Platform, provide the SSH public key to the installation program.
4.1.5. Telemetry access for OpenShift Container Platform
In OpenShift Container Platform 4.18, the Telemetry service, which runs by default to provide metrics about cluster health and the success of updates, requires internet access. If your cluster is connected to the internet, Telemetry runs automatically, and your cluster is registered to OpenShift Cluster Manager.
After you confirm that your OpenShift Cluster Manager inventory is correct, either maintained automatically by Telemetry or manually by using OpenShift Cluster Manager, use subscription watch to track your OpenShift Container Platform subscriptions at the account or multi-cluster level.
4.2. Installation requirements for user-provisioned infrastructure on AWS
Before you begin an installation on infrastructure that you provision, be sure that your AWS environment meets the following installation requirements.
For a cluster that contains user-provisioned infrastructure, you must deploy all of the required machines.
4.2.1. Required machines for cluster installation
The smallest OpenShift Container Platform clusters require the following hosts:
| Hosts | Description | 
|---|---|
| One temporary bootstrap machine | The cluster requires the bootstrap machine to deploy the OpenShift Container Platform cluster on the three control plane machines. You can remove the bootstrap machine after you install the cluster. | 
| Three control plane machines | The control plane machines run the Kubernetes and OpenShift Container Platform services that form the control plane. | 
| At least two compute machines, which are also known as worker machines. | The workloads requested by OpenShift Container Platform users run on the compute machines. | 
To maintain high availability of your cluster, use separate physical hosts for these cluster machines.
The bootstrap and control plane machines must use Red Hat Enterprise Linux CoreOS (RHCOS) as the operating system. However, the compute machines can choose between Red Hat Enterprise Linux CoreOS (RHCOS), Red Hat Enterprise Linux (RHEL) 8.6 and later.
Note that RHCOS is based on Red Hat Enterprise Linux (RHEL) 9.2 and inherits all of its hardware certifications and requirements. See Red Hat Enterprise Linux technology capabilities and limits.
4.2.1.1. Minimum resource requirements for cluster installation
Each cluster machine must meet the following minimum requirements:
| Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] | 
|---|---|---|---|---|---|
| Bootstrap | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Control plane | RHCOS | 4 | 16 GB | 100 GB | 300 | 
| Compute | RHCOS, RHEL 8.6 and later [3] | 2 | 8 GB | 100 GB | 300 | 
- One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
- OpenShift Container Platform and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
- As with all user-provisioned installations, if you choose to use RHEL compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of RHEL 7 compute machines is deprecated and has been removed in OpenShift Container Platform 4.10 and later.
For OpenShift Container Platform version 4.18, RHCOS is based on RHEL version 9.4, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
- x86-64 architecture requires x86-64-v2 ISA
- ARM64 architecture requires ARMv8.0-A ISA
- IBM Power architecture requires Power 9 ISA
- s390x architecture requires z14 ISA
For more information, see Architectures (RHEL documentation).
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OpenShift Container Platform.
4.2.1.2. Tested instance types for AWS
The following Amazon Web Services (AWS) instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in the section named "Minimum resource requirements for cluster installation".
Example 4.1. Machine types based on 64-bit x86 architecture
- 
									c4.*
- 
									c5.*
- 
									c5a.*
- 
									i3.*
- 
									m4.*
- 
									m5.*
- 
									m5a.*
- 
									m6a.*
- 
									m6i.*
- 
									r4.*
- 
									r5.*
- 
									r5a.*
- 
									r6i.*
- 
									t3.*
- 
									t3a.*
4.2.1.3. Tested instance types for AWS on 64-bit ARM infrastructures
The following Amazon Web Services (AWS) 64-bit ARM instance types have been tested with OpenShift Container Platform.
Use the machine types included in the following charts for your AWS ARM instances. If you use an instance type that is not listed in the chart, ensure that the instance size you use matches the minimum resource requirements that are listed in "Minimum resource requirements for cluster installation".
Example 4.2. Machine types based on 64-bit ARM architecture
- 
									c6g.*
- 
									c7g.*
- 
									m6g.*
- 
									m7g.*
- 
									r8g.*
4.2.2. Certificate signing requests management
					Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager only approves the kubelet client CSRs. The machine-approver cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.
				
4.2.3. Required AWS infrastructure components
To install OpenShift Container Platform on user-provisioned infrastructure in Amazon Web Services (AWS), you must manually create both the machines and their supporting infrastructure.
For more information about the integration testing for different platforms, see the OpenShift Container Platform 4.x Tested Integrations page.
By using the provided CloudFormation templates, you can create stacks of AWS resources that represent the following components:
- An AWS Virtual Private Cloud (VPC)
- Networking and load balancing components
- Security groups and roles
- An OpenShift Container Platform bootstrap node
- OpenShift Container Platform control plane nodes
- An OpenShift Container Platform compute node
Alternatively, you can manually create the components or you can reuse existing infrastructure that meets the cluster requirements. Review the CloudFormation templates for more details about how the components interrelate.
4.2.3.1. Other infrastructure components
- A VPC
- DNS entries
- Load balancers (classic or network) and listeners
- A public and a private Route 53 zone
- Security groups
- IAM roles
- S3 buckets
If you are working in a disconnected environment, you are unable to reach the public IP addresses for EC2, ELB, and S3 endpoints. Depending on the level to which you want to restrict internet traffic during the installation, the following configuration options are available:
4.2.3.1.1. Option 1: Create VPC endpoints
Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
With this option, network traffic remains private between your VPC and the required AWS services.
4.2.3.1.2. Option 2: Create a proxy without VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy. With this option, internet traffic goes through the proxy to reach the required AWS services.
4.2.3.1.3. Option 3: Create a proxy with VPC endpoints
As part of the installation process, you can configure an HTTP or HTTPS proxy with VPC endpoints. Create a VPC endpoint and attach it to the subnets that the clusters are using. Name the endpoints as follows:
- 
									ec2.<aws_region>.amazonaws.com
- 
									elasticloadbalancing.<aws_region>.amazonaws.com
- 
									s3.<aws_region>.amazonaws.com
							When configuring the proxy in the install-config.yaml file, add these endpoints to the noProxy field. With this option, the proxy prevents the cluster from accessing the internet directly. However, network traffic remains private between your VPC and the required AWS services.
						
Required VPC components
You must provide a suitable VPC and subnets that allow communication to your machines.
| Component | AWS type | Description | |
|---|---|---|---|
| VPC | 
 | You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3. | |
| Public subnets | 
 | Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules. | |
| Internet gateway | 
 | You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios. | |
| Network access control | 
 | You must allow the VPC to access the following ports: | |
| Port | Reason | ||
| 
											 | Inbound HTTP traffic | ||
| 
											 | Inbound HTTPS traffic | ||
| 
											 | Inbound SSH traffic | ||
| 
											 | Inbound ephemeral traffic | ||
| 
											 | Outbound ephemeral traffic | ||
| Private subnets | 
 | Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them. | |
Required DNS and load balancing components
								Your DNS and load balancer configuration needs to use a public hosted zone and can use a private hosted zone similar to the one that the installation program uses if it provisions the cluster’s infrastructure. You must create a DNS entry that resolves to your load balancer. An entry for api.<cluster_name>.<domain> must point to the external load balancer, and an entry for api-int.<cluster_name>.<domain> must point to the internal load balancer.
							
The cluster also requires load balancers and listeners for port 6443, which are required for the Kubernetes API and its extensions, and port 22623, which are required for the Ignition config files for new machines. The targets will be the control plane nodes. Port 6443 must be accessible to both clients external to the cluster and nodes within the cluster. Port 22623 must be accessible to nodes within the cluster.
| Component | AWS type | Description | 
|---|---|---|
| DNS | 
											 | The hosted zone for your internal DNS. | 
| Public load balancer | 
											 | The load balancer for your public subnets. | 
| External API server record | 
											 | Alias records for the external API server. | 
| External listener | 
											 | A listener on port 6443 for the external load balancer. | 
| External target group | 
											 | The target group for the external load balancer. | 
| Private load balancer | 
											 | The load balancer for your private subnets. | 
| Internal API server record | 
											 | Alias records for the internal API server. | 
| Internal listener | 
											 | A listener on port 22623 for the internal load balancer. | 
| Internal target group | 
											 | The target group for the internal load balancer. | 
| Internal listener | 
											 | A listener on port 6443 for the internal load balancer. | 
| Internal target group | 
											 | The target group for the internal load balancer. | 
Security groups
The control plane and worker machines require access to the following ports:
| Group | Type | IP Protocol | Port range | 
|---|---|---|---|
| 
											 | 
											 | 
											 | 
											 | 
| 
											 | 
											 | ||
| 
											 | 
											 | ||
| 
											 | 
											 | ||
| 
											 | 
											 | 
											 | 
											 | 
| 
											 | 
											 | ||
| 
											 | 
											 | 
											 | 
											 | 
| 
											 | 
											 | 
Control plane Ingress
								The control plane machines require the following Ingress groups. Each Ingress group is a AWS::EC2::SecurityGroupIngress resource.
							
| Ingress group | Description | IP protocol | Port range | 
|---|---|---|---|
| 
											 | etcd | 
											 | 
											 | 
| 
											 | Vxlan packets | 
											 | 
											 | 
| 
											 | Vxlan packets | 
											 | 
											 | 
| 
											 | Internal cluster communication and Kubernetes proxy metrics | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Kubernetes kubelet, scheduler and controller manager | 
											 | 
											 | 
| 
											 | Kubernetes kubelet, scheduler and controller manager | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Geneve packets | 
											 | 
											 | 
| 
											 | Geneve packets | 
											 | 
											 | 
| 
											 | IPsec IKE packets | 
											 | 
											 | 
| 
											 | IPsec IKE packets | 
											 | 
											 | 
| 
											 | IPsec NAT-T packets | 
											 | 
											 | 
| 
											 | IPsec NAT-T packets | 
											 | 
											 | 
| 
											 | IPsec ESP packets | 
											 | 
											 | 
| 
											 | IPsec ESP packets | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
Worker Ingress
								The worker machines require the following Ingress groups. Each Ingress group is a AWS::EC2::SecurityGroupIngress resource.
							
| Ingress group | Description | IP protocol | Port range | 
|---|---|---|---|
| 
											 | Vxlan packets | 
											 | 
											 | 
| 
											 | Vxlan packets | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Kubernetes kubelet, scheduler, and controller manager | 
											 | 
											 | 
| 
											 | Kubernetes kubelet, scheduler, and controller manager | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Geneve packets | 
											 | 
											 | 
| 
											 | Geneve packets | 
											 | 
											 | 
| 
											 | IPsec IKE packets | 
											 | 
											 | 
| 
											 | IPsec IKE packets | 
											 | 
											 | 
| 
											 | IPsec NAT-T packets | 
											 | 
											 | 
| 
											 | IPsec NAT-T packets | 
											 | 
											 | 
| 
											 | IPsec ESP packets | 
											 | 
											 | 
| 
											 | IPsec ESP packets | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Internal cluster communication | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
| 
											 | Kubernetes Ingress services | 
											 | 
											 | 
Roles and instance profiles
								You must grant the machines permissions in AWS. The provided CloudFormation templates grant the machines Allow permissions for the following AWS::IAM::Role objects and provide a AWS::IAM::InstanceProfile for each set of roles. If you do not use the templates, you can grant the machines the following broad permissions or the following individual permissions.
							
| Role | Effect | Action | Resource | 
|---|---|---|---|
| Master | 
											 | 
											 | 
											 | 
| 
											 | 
											 | 
											 | |
| 
											 | 
											 | 
											 | |
| 
											 | 
											 | 
											 | |
| Worker | 
											 | 
											 | 
											 | 
| Bootstrap | 
											 | 
											 | 
											 | 
| 
											 | 
											 | 
											 | |
| 
											 | 
											 | 
											 | 
4.2.3.2. Cluster machines
						You need AWS::EC2::Instance objects for the following machines:
					
- A bootstrap machine. This machine is required during installation, but you can remove it after your cluster deploys.
- Three control plane machines. The control plane machines are not governed by a control plane machine set.
- Compute machines. You must create at least two compute machines, which are also known as worker machines, during installation. These machines are not governed by a compute machine set.
4.2.4. Required AWS permissions for the IAM user
						Your IAM user must have the permission tag:GetResources in the region us-east-1 to delete the base cluster resources. As part of the AWS API requirement, the OpenShift Container Platform installation program performs various actions in this region.
					
					When you attach the AdministratorAccess policy to the IAM user that you create in Amazon Web Services (AWS), you grant that user all of the required permissions. To deploy all components of an OpenShift Container Platform cluster, the IAM user requires the following permissions:
				
Example 4.3. Required EC2 permissions for installation
- 
								ec2:AttachNetworkInterface
- 
								ec2:AuthorizeSecurityGroupEgress
- 
								ec2:AuthorizeSecurityGroupIngress
- 
								ec2:CopyImage
- 
								ec2:CreateNetworkInterface
- 
								ec2:CreateSecurityGroup
- 
								ec2:CreateTags
- 
								ec2:CreateVolume
- 
								ec2:DeleteSecurityGroup
- 
								ec2:DeleteSnapshot
- 
								ec2:DeleteTags
- 
								ec2:DeregisterImage
- 
								ec2:DescribeAccountAttributes
- 
								ec2:DescribeAddresses
- 
								ec2:DescribeAvailabilityZones
- 
								ec2:DescribeDhcpOptions
- 
								ec2:DescribeImages
- 
								ec2:DescribeInstanceAttribute
- 
								ec2:DescribeInstanceCreditSpecifications
- 
								ec2:DescribeInstances
- 
								ec2:DescribeInstanceTypes
- 
								ec2:DescribeInternetGateways
- 
								ec2:DescribeKeyPairs
- 
								ec2:DescribeNatGateways
- 
								ec2:DescribeNetworkAcls
- 
								ec2:DescribeNetworkInterfaces
- 
								ec2:DescribePrefixLists
- 
								ec2:DescribePublicIpv4Pools(only required ifpublicIpv4Poolis specified ininstall-config.yaml)
- 
								ec2:DescribeRegions
- 
								ec2:DescribeRouteTables
- 
								ec2:DescribeSecurityGroupRules
- 
								ec2:DescribeSecurityGroups
- 
								ec2:DescribeSubnets
- 
								ec2:DescribeTags
- 
								ec2:DescribeVolumes
- 
								ec2:DescribeVpcAttribute
- 
								ec2:DescribeVpcClassicLink
- 
								ec2:DescribeVpcClassicLinkDnsSupport
- 
								ec2:DescribeVpcEndpoints
- 
								ec2:DescribeVpcs
- 
								ec2:DisassociateAddress(only required ifpublicIpv4Poolis specified ininstall-config.yaml)
- 
								ec2:GetEbsDefaultKmsKeyId
- 
								ec2:ModifyInstanceAttribute
- 
								ec2:ModifyNetworkInterfaceAttribute
- 
								ec2:RevokeSecurityGroupEgress
- 
								ec2:RevokeSecurityGroupIngress
- 
								ec2:RunInstances
- 
								ec2:TerminateInstances
Example 4.4. Required permissions for creating network resources during installation
- 
								ec2:AllocateAddress
- 
								ec2:AssociateAddress
- 
								ec2:AssociateDhcpOptions
- 
								ec2:AssociateRouteTable
- 
								ec2:AttachInternetGateway
- 
								ec2:CreateDhcpOptions
- 
								ec2:CreateInternetGateway
- 
								ec2:CreateNatGateway
- 
								ec2:CreateRoute
- 
								ec2:CreateRouteTable
- 
								ec2:CreateSubnet
- 
								ec2:CreateVpc
- 
								ec2:CreateVpcEndpoint
- 
								ec2:ModifySubnetAttribute
- 
								ec2:ModifyVpcAttribute
If you use an existing Virtual Private Cloud (VPC), your account does not require these permissions for creating network resources.
Example 4.5. Required Elastic Load Balancing permissions (ELB) for installation
- 
								elasticloadbalancing:AddTags
- 
								elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
- 
								elasticloadbalancing:AttachLoadBalancerToSubnets
- 
								elasticloadbalancing:ConfigureHealthCheck
- 
								elasticloadbalancing:CreateListener
- 
								elasticloadbalancing:CreateLoadBalancer
- 
								elasticloadbalancing:CreateLoadBalancerListeners
- 
								elasticloadbalancing:CreateTargetGroup
- 
								elasticloadbalancing:DeleteLoadBalancer
- 
								elasticloadbalancing:DeregisterInstancesFromLoadBalancer
- 
								elasticloadbalancing:DeregisterTargets
- 
								elasticloadbalancing:DescribeInstanceHealth
- 
								elasticloadbalancing:DescribeListeners
- 
								elasticloadbalancing:DescribeLoadBalancerAttributes
- 
								elasticloadbalancing:DescribeLoadBalancers
- 
								elasticloadbalancing:DescribeTags
- 
								elasticloadbalancing:DescribeTargetGroupAttributes
- 
								elasticloadbalancing:DescribeTargetHealth
- 
								elasticloadbalancing:ModifyLoadBalancerAttributes
- 
								elasticloadbalancing:ModifyTargetGroup
- 
								elasticloadbalancing:ModifyTargetGroupAttributes
- 
								elasticloadbalancing:RegisterInstancesWithLoadBalancer
- 
								elasticloadbalancing:RegisterTargets
- 
								elasticloadbalancing:SetLoadBalancerPoliciesOfListener
- 
								elasticloadbalancing:SetSecurityGroups
							OpenShift Container Platform uses both the ELB and ELBv2 API services to provision load balancers. The permission list shows permissions required by both services. A known issue exists in the AWS web console where both services use the same elasticloadbalancing action prefix but do not recognize the same actions. You can ignore the warnings about the service not recognizing certain elasticloadbalancing actions.
						
Example 4.6. Required IAM permissions for installation
- 
								iam:AddRoleToInstanceProfile
- 
								iam:CreateInstanceProfile
- 
								iam:CreateRole
- 
								iam:DeleteInstanceProfile
- 
								iam:DeleteRole
- 
								iam:DeleteRolePolicy
- 
								iam:GetInstanceProfile
- 
								iam:GetRole
- 
								iam:GetRolePolicy
- 
								iam:GetUser
- 
								iam:ListInstanceProfilesForRole
- 
								iam:ListRoles
- 
								iam:ListUsers
- 
								iam:PassRole
- 
								iam:PutRolePolicy
- 
								iam:RemoveRoleFromInstanceProfile
- 
								iam:SimulatePrincipalPolicy
- 
								iam:TagInstanceProfile
- 
								iam:TagRole
- 
									If you specify an existing IAM role in the install-config.yamlfile, the following IAM permissions are not required:iam:CreateRole,iam:DeleteRole,iam:DeleteRolePolicy, andiam:PutRolePolicy.
- 
									If you have not created a load balancer in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRolepermission.
Example 4.7. Required Route 53 permissions for installation
- 
								route53:ChangeResourceRecordSets
- 
								route53:ChangeTagsForResource
- 
								route53:CreateHostedZone
- 
								route53:DeleteHostedZone
- 
								route53:GetChange
- 
								route53:GetHostedZone
- 
								route53:ListHostedZones
- 
								route53:ListHostedZonesByName
- 
								route53:ListResourceRecordSets
- 
								route53:ListTagsForResource
- 
								route53:UpdateHostedZoneComment
Example 4.8. Required Amazon Simple Storage Service (S3) permissions for installation
- 
								s3:CreateBucket
- 
								s3:DeleteBucket
- 
								s3:GetAccelerateConfiguration
- 
								s3:GetBucketAcl
- 
								s3:GetBucketCors
- 
								s3:GetBucketLocation
- 
								s3:GetBucketLogging
- 
								s3:GetBucketObjectLockConfiguration
- 
								s3:GetBucketPolicy
- 
								s3:GetBucketRequestPayment
- 
								s3:GetBucketTagging
- 
								s3:GetBucketVersioning
- 
								s3:GetBucketWebsite
- 
								s3:GetEncryptionConfiguration
- 
								s3:GetLifecycleConfiguration
- 
								s3:GetReplicationConfiguration
- 
								s3:ListBucket
- 
								s3:PutBucketAcl
- 
								s3:PutBucketPolicy
- 
								s3:PutBucketTagging
- 
								s3:PutEncryptionConfiguration
Example 4.9. S3 permissions that cluster Operators require
- 
								s3:DeleteObject
- 
								s3:GetObject
- 
								s3:GetObjectAcl
- 
								s3:GetObjectTagging
- 
								s3:GetObjectVersion
- 
								s3:PutObject
- 
								s3:PutObjectAcl
- 
								s3:PutObjectTagging
Example 4.10. Required permissions to delete base cluster resources
- 
								autoscaling:DescribeAutoScalingGroups
- 
								ec2:DeleteNetworkInterface
- 
								ec2:DeletePlacementGroup
- 
								ec2:DeleteVolume
- 
								elasticloadbalancing:DeleteTargetGroup
- 
								elasticloadbalancing:DescribeTargetGroups
- 
								iam:DeleteAccessKey
- 
								iam:DeleteUser
- 
								iam:DeleteUserPolicy
- 
								iam:ListAttachedRolePolicies
- 
								iam:ListInstanceProfiles
- 
								iam:ListRolePolicies
- 
								iam:ListUserPolicies
- 
								s3:DeleteObject
- 
								s3:ListBucketVersions
- 
								tag:GetResources
Example 4.11. Required permissions to delete network resources
- 
								ec2:DeleteDhcpOptions
- 
								ec2:DeleteInternetGateway
- 
								ec2:DeleteNatGateway
- 
								ec2:DeleteRoute
- 
								ec2:DeleteRouteTable
- 
								ec2:DeleteSubnet
- 
								ec2:DeleteVpc
- 
								ec2:DeleteVpcEndpoints
- 
								ec2:DetachInternetGateway
- 
								ec2:DisassociateRouteTable
- 
								ec2:ReleaseAddress
- 
								ec2:ReplaceRouteTableAssociation
							If you use an existing VPC, your account does not require these permissions to delete network resources. Instead, your account only requires the tag:UntagResources permission to delete network resources.
						
Example 4.12. Optional permissions for installing a cluster with a custom Key Management Service (KMS) key
- 
								kms:CreateGrant
- 
								kms:Decrypt
- 
								kms:DescribeKey
- 
								kms:Encrypt
- 
								kms:GenerateDataKey
- 
								kms:GenerateDataKeyWithoutPlainText
- 
								kms:ListGrants
- 
								kms:RevokeGrant
Example 4.13. Required permissions to delete a cluster with shared instance roles
- 
								iam:UntagRole
Example 4.14. Required permissions to delete a cluster with shared instance profiles
- 
								tag:UntagResources
Example 4.15. Additional IAM and S3 permissions that are required to create manifests
- 
								iam:GetUserPolicy
- 
								iam:ListAccessKeys
- 
								iam:PutUserPolicy
- 
								iam:TagUser
- 
								s3:AbortMultipartUpload
- 
								s3:GetBucketPublicAccessBlock
- 
								s3:ListBucket
- 
								s3:ListBucketMultipartUploads
- 
								s3:PutBucketPublicAccessBlock
- 
								s3:PutLifecycleConfiguration
							If you are managing your cloud provider credentials with mint mode, the IAM user also requires the iam:CreateAccessKey and iam:CreateUser permissions.
						
Example 4.16. Optional permissions for instance and quota checks for installation
- 
								ec2:DescribeInstanceTypeOfferings
- 
								servicequotas:ListAWSDefaultServiceQuotas
Example 4.17. Optional permissions for the cluster owner account when installing a cluster on a shared VPC
- 
								sts:AssumeRole
Example 4.18. Required permissions for enabling Bring your own public IPv4 addresses (BYOIP) feature for installation
- 
								ec2:DescribePublicIpv4Pools
- 
								ec2:DisassociateAddress
4.2.5. Obtaining an AWS Marketplace image
If you are deploying an OpenShift Container Platform cluster using an AWS Marketplace image, you must first subscribe through AWS. Subscribing to the offer provides you with the AMI ID that the installation program uses to deploy compute nodes.
You should only modify the RHCOS image for compute machines to use an AWS Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your AWS bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the AWS Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- You have an AWS account to purchase the offer. This account does not have to be the same account that is used to install the cluster.
Procedure
- Complete the OpenShift Container Platform subscription from the AWS Marketplace.
4.3. Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) that uses infrastructure that you provide.
One way to create this infrastructure is to use the provided CloudFormation templates. You can modify the templates to customize your infrastructure or use the information that they contain to create AWS objects according to your company’s policies.
The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OpenShift Container Platform. Several CloudFormation templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods; the templates are just an example.
4.3.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- You prepared the user-provisioned infrastructure.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX) in the AWS documentation.
- If you use a firewall, you configured it to allow the sites that your cluster requires access to. Note- Be sure to also review this site list if you are configuring a proxy. 
- 
							If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-systemnamespace, you can manually create and maintain long-term credentials.
4.3.2. Creating the installation files for AWS
					To install OpenShift Container Platform on Amazon Web Services (AWS) using user-provisioned infrastructure, you must generate the files that the installation program needs to deploy your cluster and modify them so that the cluster creates only the machines that it will use. You generate and customize the install-config.yaml file, Kubernetes manifests, and Ignition config files. You also have the option to first set up a separate var partition during the preparation phases of installation.
				
4.3.2.1. Optional: Creating a separate /var partition
It is recommended that disk partitioning for OpenShift Container Platform be left to the installer. However, there are cases where you might want to create separate partitions in a part of the filesystem that you expect to grow.
						OpenShift Container Platform supports the addition of a single partition to attach storage to either the /var partition or a subdirectory of /var. For example:
					
- 
								/var/lib/containers: Holds container-related content that can grow as more images and containers are added to a system.
- 
								/var/lib/etcd: Holds data that you might want to keep separate for purposes such as performance optimization of etcd storage.
- 
								/var: Holds data that you might want to keep separate for purposes such as auditing.
						Storing the contents of a /var directory separately makes it easier to grow storage for those areas as needed and reinstall OpenShift Container Platform at a later date and keep that data intact. With this method, you will not have to pull all your containers again, nor will you have to copy massive log files when you update systems.
					
						Because /var must be in place before a fresh installation of Red Hat Enterprise Linux CoreOS (RHCOS), the following procedure sets up the separate /var partition by creating a machine config manifest that is inserted during the openshift-install preparation phases of an OpenShift Container Platform installation.
					
							If you follow the steps to create a separate /var partition in this procedure, it is not necessary to create the Kubernetes manifest and Ignition config files again as described later in this section.
						
Procedure
- Create a directory to hold the OpenShift Container Platform installation files: - mkdir $HOME/clusterconfig - $ mkdir $HOME/clusterconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run - openshift-installto create a set of files in the- manifestand- openshiftsubdirectories. Answer the system questions as you are prompted:- openshift-install create manifests --dir $HOME/clusterconfig - $ openshift-install create manifests --dir $HOME/clusterconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ? SSH Public Key ... INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials" INFO Consuming Install Config from target directory INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift - ? SSH Public Key ... INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials" INFO Consuming Install Config from target directory INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Confirm that the installation program created manifests in the - clusterconfig/openshiftdirectory:- ls $HOME/clusterconfig/openshift/ - $ ls $HOME/clusterconfig/openshift/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 99_kubeadmin-password-secret.yaml 99_openshift-cluster-api_master-machines-0.yaml 99_openshift-cluster-api_master-machines-1.yaml 99_openshift-cluster-api_master-machines-2.yaml ... - 99_kubeadmin-password-secret.yaml 99_openshift-cluster-api_master-machines-0.yaml 99_openshift-cluster-api_master-machines-1.yaml 99_openshift-cluster-api_master-machines-2.yaml ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a Butane config that configures the additional partition. For example, name the file - $HOME/clusterconfig/98-var-partition.bu, change the disk device name to the name of the storage device on the- workersystems, and set the storage size as appropriate. This example places the- /vardirectory on a separate partition:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The storage device name of the disk that you want to partition.
- 2
- When adding a data partition to the boot disk, a minimum value of 25000 MiB (Mebibytes) is recommended. The root file system is automatically resized to fill all available space up to the specified offset. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of RHCOS might overwrite the beginning of the data partition.
- 3
- The size of the data partition in mebibytes.
- 4
- Theprjquotamount option must be enabled for filesystems used for container storage.
 Note- When creating a separate - /varpartition, you cannot use different instance types for worker nodes, if the different instance types do not have the same device name.
- Create a manifest from the Butane config and save it to the - clusterconfig/openshiftdirectory. For example, run the following command:- butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml - $ butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run - openshift-installagain to create Ignition configs from a set of files in the- manifestand- openshiftsubdirectories:- openshift-install create ignition-configs --dir $HOME/clusterconfig ls $HOME/clusterconfig/ - $ openshift-install create ignition-configs --dir $HOME/clusterconfig $ ls $HOME/clusterconfig/ auth bootstrap.ign master.ign metadata.json worker.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Now you can use the Ignition config files as input to the installation procedures to install Red Hat Enterprise Linux CoreOS (RHCOS) systems.
4.3.2.2. Creating the installation configuration file
Generate and customize the installation configuration file that the installation program needs to deploy your cluster.
Prerequisites
- You obtained the OpenShift Container Platform installation program for user-provisioned infrastructure and the pull secret for your cluster.
- 
								You checked that you are deploying your cluster to an AWS Region with an accompanying Red Hat Enterprise Linux CoreOS (RHCOS) AMI published by Red Hat. If you are deploying to an AWS Region that requires a custom AMI, such as an AWS GovCloud Region, you must create the install-config.yamlfile manually.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 Important- Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select aws as the platform to target.
- If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. Note- The AWS access key ID and secret access key are stored in - ~/.aws/credentialsin the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.
- Select the AWS Region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
- Paste the pull secret from Red Hat OpenShift Cluster Manager.
 
 
- 
								If you are installing a three-node cluster, modify the install-config.yamlfile by setting thecompute.replicasparameter to0. This ensures that the cluster’s control planes are schedulable. For more information, see "Installing a three-node cluster on AWS".
- Optional: Back up the - install-config.yamlfile.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
4.3.2.3. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
4.3.2.4. Creating the Kubernetes manifest and Ignition config files
Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
The installation configuration file transforms into the Kubernetes manifests. The manifests wrap into the Ignition configuration files, which are later used to configure the cluster machines.
- 
									The Ignition config files that the OpenShift Container Platform installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
Prerequisites
- You obtained the OpenShift Container Platform installation program.
- 
								You created the install-config.yamlinstallation configuration file.
Procedure
- Change to the directory that contains the OpenShift Container Platform installation program and generate the Kubernetes manifests for the cluster: - ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the installation directory that contains theinstall-config.yamlfile you created.
 
- Remove the Kubernetes manifest files that define the control plane machines: - rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml - $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - By removing these files, you prevent the cluster from automatically generating control plane machines. 
- Remove the Kubernetes manifest files that define the control plane machine set: - rm -f <installation_directory>/openshift/99_openshift-machine-api_master-control-plane-machine-set.yaml - $ rm -f <installation_directory>/openshift/99_openshift-machine-api_master-control-plane-machine-set.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Remove the Kubernetes manifest files that define the worker machines: - rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml - $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- If you disabled the - MachineAPIcapability when installing a cluster on user-provisioned infrastructure, you must remove the Kubernetes manifest files that define the worker machines. Otherwise, your cluster fails to install.- Because you create and manage the worker machines yourself, you do not need to initialize these machines. Warning- If you are installing a three-node cluster, skip the following step to allow the control plane nodes to be schedulable. Important- When you configure control plane nodes from the default unschedulable to schedulable, additional subscriptions are required. This is because control plane nodes then become compute nodes. 
- Check that the - mastersSchedulableparameter in the- <installation_directory>/manifests/cluster-scheduler-02-config.ymlKubernetes manifest file is set to- false. This setting prevents pods from being scheduled on the control plane machines:- 
										Open the <installation_directory>/manifests/cluster-scheduler-02-config.ymlfile.
- 
										Locate the mastersSchedulableparameter and ensure that it is set tofalse.
- Save and exit the file.
 
- 
										Open the 
- Optional: If you do not want the Ingress Operator to create DNS records on your behalf, remove the - privateZoneand- publicZonesections from the- <installation_directory>/manifests/cluster-dns-02-config.ymlDNS configuration file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If you do so, you must add ingress DNS records manually in a later step. 
- To create the Ignition configuration files, run the following command from the directory that contains the installation program: - ./openshift-install create ignition-configs --dir <installation_directory> - $ ./openshift-install create ignition-configs --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the same installation directory.
 - Ignition config files are created for the bootstrap, control plane, and compute nodes in the installation directory. The - kubeadmin-passwordand- kubeconfigfiles are created in the- ./<installation_directory>/authdirectory:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.3.3. Extracting the infrastructure name
The Ignition config files contain a unique cluster identifier that you can use to uniquely identify your cluster in Amazon Web Services (AWS). The infrastructure name is also used to locate the appropriate AWS resources during an OpenShift Container Platform installation. The provided CloudFormation templates contain references to this infrastructure name, so you must extract it.
Prerequisites
- You obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
- You generated the Ignition config files for your cluster.
- 
							You installed the jqpackage.
Procedure
- To extract and view the infrastructure name from the Ignition config file metadata, run the following command: - jq -r .infraID <installation_directory>/metadata.json - $ jq -r .infraID <installation_directory>/metadata.json- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 - Example output - openshift-vw9j6 - openshift-vw9j6- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The output of this command is your cluster name and a random string.
 
4.3.4. Creating a VPC in AWS
You must create a Virtual Private Cloud (VPC) in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to use. You can customize the VPC to meet your requirements, including VPN and route tables.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the VPC.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the template from the CloudFormation template for the VPC section of this topic and save it as a YAML file on your computer. This template describes the VPC that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the VPC: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-vpc. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- VpcId- The ID of your VPC. - PublicSubnetIds- The IDs of the new public subnets. - PrivateSubnetIds- The IDs of the new private subnets. 
4.3.4.1. CloudFormation template for the VPC
You can use the following CloudFormation template to deploy the VPC that you need for your OpenShift Container Platform cluster.
Example 4.19. CloudFormation template for the VPC
4.3.5. Creating networking and load balancing components in AWS
You must configure networking and classic or network load balancing in Amazon Web Services (AWS) that your OpenShift Container Platform cluster can use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the networking and load balancing components that your OpenShift Container Platform cluster requires. The template also creates a hosted zone and subnet tags.
You can run the template multiple times within a single Virtual Private Cloud (VPC).
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
Procedure
- Obtain the hosted zone ID for the Route 53 base domain that you specified in the - install-config.yamlfile for your cluster. You can obtain details about your hosted zone by running the following command:- aws route53 list-hosted-zones-by-name --dns-name <route53_domain> - $ aws route53 list-hosted-zones-by-name --dns-name <route53_domain>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For the<route53_domain>, specify the Route 53 base domain that you used when you generated theinstall-config.yamlfile for the cluster.
 - Example output - mycluster.example.com. False 100 HOSTEDZONES 65F8F38E-2268-B835-E15C-AB55336FCBFA /hostedzone/Z21IXYZABCZ2A4 mycluster.example.com. 10 - mycluster.example.com. False 100 HOSTEDZONES 65F8F38E-2268-B835-E15C-AB55336FCBFA /hostedzone/Z21IXYZABCZ2A4 mycluster.example.com. 10- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the example output, the hosted zone ID is - Z21IXYZABCZ2A4.
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A short, representative cluster name to use for hostnames, etc.
- 2
- Specify the cluster name that you used when you generated theinstall-config.yamlfile for the cluster.
- 3
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 4
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 5
- The Route 53 public zone ID to register the targets with.
- 6
- Specify the Route 53 public zone ID, which as a format similar toZ21IXYZABCZ2A4. You can obtain this value from the AWS console.
- 7
- The Route 53 zone to register the targets with.
- 8
- Specify the Route 53 base domain that you used when you generated theinstall-config.yamlfile for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
- 9
- The public subnets that you created for your VPC.
- 10
- Specify thePublicSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 11
- The private subnets that you created for your VPC.
- 12
- Specify thePrivateSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 13
- The VPC that you created for the cluster.
- 14
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
 
- Copy the template from the CloudFormation template for the network and load balancers section of this topic and save it as a YAML file on your computer. This template describes the networking and load balancing objects that your cluster requires. Important- If you are deploying your cluster to an AWS government or secret region, you must update the - InternalApiServerRecordin the CloudFormation template to use- CNAMErecords. Records of type- ALIASare not supported for AWS government regions.
- Launch the CloudFormation template to create a stack of AWS resources that provide the networking and load balancing components: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-dns. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::Roleresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-dns/cd3e5de0-2fd4-11eb-5cf0-12be5c33a183 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-dns/cd3e5de0-2fd4-11eb-5cf0-12be5c33a183- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- PrivateHostedZoneId- Hosted zone ID for the private DNS. - ExternalApiLoadBalancerName- Full name of the external API load balancer. - InternalApiLoadBalancerName- Full name of the internal API load balancer. - ApiServerDnsName- Full hostname of the API server. - RegisterNlbIpTargetsLambda- Lambda ARN useful to help register/deregister IP targets for these load balancers. - ExternalApiTargetGroupArn- ARN of external API target group. - InternalApiTargetGroupArn- ARN of internal API target group. - InternalServiceTargetGroupArn- ARN of internal service target group. 
4.3.5.1. CloudFormation template for the network and load balancers
You can use the following CloudFormation template to deploy the networking objects and load balancers that you need for your OpenShift Container Platform cluster.
Example 4.20. CloudFormation template for the network and load balancers
							If you are deploying your cluster to an AWS government or secret region, you must update the InternalApiServerRecord to use CNAME records. Records of type ALIAS are not supported for AWS government regions. For example:
						
Type: CNAME TTL: 10 ResourceRecords: - !GetAtt IntApiElb.DNSName
Type: CNAME
TTL: 10
ResourceRecords:
- !GetAtt IntApiElb.DNSName4.3.6. Creating security group and roles in AWS
You must create security groups and roles in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the security groups and roles that your OpenShift Container Platform cluster requires.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- The CIDR block for the VPC.
- 4
- Specify the CIDR block parameter that you used for the VPC that you defined in the formx.x.x.x/16-24.
- 5
- The private subnets that you created for your VPC.
- 6
- Specify thePrivateSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 7
- The VPC that you created for the cluster.
- 8
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
 
- Copy the template from the CloudFormation template for security objects section of this topic and save it as a YAML file on your computer. This template describes the security groups and roles that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the security groups and roles: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-sec. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::RoleandAWS::IAM::InstanceProfileresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- MasterSecurityGroupId- Master Security Group ID - WorkerSecurityGroupId- Worker Security Group ID - MasterInstanceProfile- Master IAM Instance Profile - WorkerInstanceProfile- Worker IAM Instance Profile 
4.3.6.1. CloudFormation template for security objects
You can use the following CloudFormation template to deploy the security objects that you need for your OpenShift Container Platform cluster.
Example 4.21. CloudFormation template for security objects
4.3.7. Accessing RHCOS AMIs with stream metadata
In OpenShift Container Platform, stream metadata provides standardized metadata about RHCOS in the JSON format and injects the metadata into the cluster. Stream metadata is a stable format that supports multiple architectures and is intended to be self-documenting for maintaining automation.
					You can use the coreos print-stream-json sub-command of openshift-install to access information about the boot images in the stream metadata format. This command provides a method for printing stream metadata in a scriptable, machine-readable format.
				
					For user-provisioned installations, the openshift-install binary contains references to the version of RHCOS boot images that are tested for use with OpenShift Container Platform, such as the AWS AMI.
				
Procedure
To parse the stream metadata, use one of the following methods:
- 
							From a Go program, use the official stream-metadata-golibrary at https://github.com/coreos/stream-metadata-go. You can also view example code in the library.
- From another programming language, such as Python or Ruby, use the JSON library of your preferred programming language.
- From a command-line utility that handles JSON data, such as - jq:- Print the current - x86_64or- aarch64AMI for an AWS region, such as- us-west-1:- For x86_64 - openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-west-1"].image' - $ openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-west-1"].image'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ami-0d3e625f84626bbda - ami-0d3e625f84626bbda- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For aarch64 - openshift-install coreos print-stream-json | jq -r '.architectures.aarch64.images.aws.regions["us-west-1"].image' - $ openshift-install coreos print-stream-json | jq -r '.architectures.aarch64.images.aws.regions["us-west-1"].image'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ami-0af1d3b7fa5be2131 - ami-0af1d3b7fa5be2131- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output of this command is the AWS AMI ID for your designated architecture and the - us-west-1region. The AMI must belong to the same region as the cluster.
 
4.3.8. RHCOS AMIs for the AWS infrastructure
Red Hat provides Red Hat Enterprise Linux CoreOS (RHCOS) AMIs that are valid for the various AWS regions and instance architectures that you can manually specify for your OpenShift Container Platform nodes.
By importing your own AMI, you can also install to regions that do not have a published RHCOS AMI.
| AWS zone | AWS AMI | 
|---|---|
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| AWS zone | AWS AMI | 
|---|---|
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
4.3.8.1. AWS regions without a published RHCOS AMI
You can deploy an OpenShift Container Platform cluster to Amazon Web Services (AWS) regions without native support for a Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) or the AWS software development kit (SDK). If a published AMI is not available for an AWS region, you can upload a custom AMI prior to installing the cluster.
						If you are deploying to a region not supported by the AWS SDK and you do not specify a custom AMI, the installation program copies the us-east-1 AMI to the user account automatically. Then the installation program creates the control plane machines with encrypted EBS volumes using the default or user-specified Key Management Service (KMS) key. This allows the AMI to follow the same process workflow as published RHCOS AMIs.
					
						A region without native support for an RHCOS AMI is not available to select from the terminal during cluster creation because it is not published. However, you can install to this region by configuring the custom AMI in the install-config.yaml file.
					
4.3.8.2. Uploading a custom RHCOS AMI in AWS
If you are deploying to a custom Amazon Web Services (AWS) region, you must upload a custom Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) that belongs to that region.
Prerequisites
- You configured an AWS account.
- You created an Amazon S3 bucket with the required IAM service role.
- You uploaded your RHCOS VMDK file to Amazon S3. The RHCOS VMDK file must be the highest version that is less than or equal to the OpenShift Container Platform version you are installing.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer.
Procedure
- Export your AWS profile as an environment variable: - export AWS_PROFILE=<aws_profile> - $ export AWS_PROFILE=<aws_profile>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the region to associate with your custom AMI as an environment variable: - export AWS_DEFAULT_REGION=<aws_region> - $ export AWS_DEFAULT_REGION=<aws_region>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the version of RHCOS you uploaded to Amazon S3 as an environment variable: - export RHCOS_VERSION=<version> - $ export RHCOS_VERSION=<version>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Export the Amazon S3 bucket name as an environment variable: - export VMIMPORT_BUCKET_NAME=<s3_bucket_name> - $ export VMIMPORT_BUCKET_NAME=<s3_bucket_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the - containers.jsonfile and define your RHCOS VMDK file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Import the RHCOS disk as an Amazon EBS snapshot: - aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \ --disk-container "file://<file_path>/containers.json"- $ aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \ --description "<description>" \- 1 - --disk-container "file://<file_path>/containers.json"- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the status of the image import: - watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- $ watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy the - SnapshotIdto register the image.
- Create a custom RHCOS AMI from the RHCOS snapshot: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To learn more about these APIs, see the AWS documentation for importing snapshots and creating EBS-backed AMIs.
4.3.9. Creating the bootstrap node in AWS
You must create the bootstrap node in Amazon Web Services (AWS) to use during OpenShift Container Platform cluster initialization. You do this by:
- 
							Providing a location to serve the bootstrap.ignIgnition config file to your cluster. This file is located in your installation directory. The provided CloudFormation Template assumes that the Ignition config files for your cluster are served from an S3 bucket. If you choose to serve the files from another location, you must modify the templates.
- Using the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the bootstrap node that your OpenShift Container Platform installation requires.
If you do not use the provided CloudFormation template to create your bootstrap node, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
Procedure
- Create the bucket by running the following command: - aws s3 mb s3://<cluster-name>-infra - $ aws s3 mb s3://<cluster-name>-infra- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <cluster-name>-infrais the bucket name. When creating the- install-config.yamlfile, replace- <cluster-name>with the name specified for the cluster.
 - You must use a presigned URL for your S3 bucket, instead of the - s3://schema, if you are:- Deploying to a region that has endpoints that differ from the AWS SDK.
- Deploying a proxy.
- Providing your own custom endpoints.
 
- Upload the - bootstrap.ignIgnition config file to the bucket by running the following command:- aws s3 cp <installation_directory>/bootstrap.ign s3://<cluster-name>-infra/bootstrap.ign - $ aws s3 cp <installation_directory>/bootstrap.ign s3://<cluster-name>-infra/bootstrap.ign- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify that the file uploaded by running the following command: - aws s3 ls s3://<cluster-name>-infra/ - $ aws s3 ls s3://<cluster-name>-infra/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2019-04-03 16:15:16 314878 bootstrap.ign - 2019-04-03 16:15:16 314878 bootstrap.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The bootstrap Ignition config file does contain secrets, like X.509 keys. The following steps provide basic security for the S3 bucket. To provide additional security, you can enable an S3 bucket policy to allow only certain users, such as the OpenShift IAM user, to access objects that the bucket contains. You can avoid S3 entirely and serve your bootstrap Ignition config file from any address that the bootstrap machine can reach. 
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the bootstrap node based on your selected architecture.
- 4
- Specify a validAWS::EC2::Image::Idvalue.
- 5
- CIDR block to allow SSH access to the bootstrap node.
- 6
- Specify a CIDR block in the formatx.x.x.x/16-24.
- 7
- The public subnet that is associated with your VPC to launch the bootstrap node into.
- 8
- Specify thePublicSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 9
- The master security group ID (for registering temporary rules)
- 10
- Specify theMasterSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 11
- The VPC created resources will belong to.
- 12
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
- 13
- Location to fetch bootstrap Ignition config file from.
- 14
- Specify the S3 bucket and file name in the forms3://<bucket_name>/bootstrap.ign.
- 15
- Whether or not to register a network load balancer (NLB).
- 16
- Specifyyesorno. If you specifyyes, you must provide a Lambda Amazon Resource Name (ARN) value.
- 17
- The ARN for NLB IP target registration lambda group.
- 18
- Specify theRegisterNlbIpTargetsLambdavalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 19
- The ARN for external API load balancer target group.
- 20
- Specify theExternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 21
- The ARN for internal API load balancer target group.
- 22
- Specify theInternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 23
- The ARN for internal service load balancer target group.
- 24
- Specify theInternalServiceTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
 
- Copy the template from the CloudFormation template for the bootstrap machine section of this topic and save it as a YAML file on your computer. This template describes the bootstrap machine that your cluster requires.
- 
							Optional: If you are deploying the cluster with a proxy, you must update the ignition in the template to add the ignition.config.proxyfields. Additionally, If you have added the Amazon EC2, Elastic Load Balancing, and S3 VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- Launch the CloudFormation template to create a stack of AWS resources that represent the bootstrap node: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-bootstrap. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::RoleandAWS::IAM::InstanceProfileresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-bootstrap/12944486-2add-11eb-9dee-12dace8e3a83 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-bootstrap/12944486-2add-11eb-9dee-12dace8e3a83- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- BootstrapInstanceId- The bootstrap Instance ID. - BootstrapPublicIp- The bootstrap node public IP address. - BootstrapPrivateIp- The bootstrap node private IP address. 
4.3.9.1. CloudFormation template for the bootstrap machine
You can use the following CloudFormation template to deploy the bootstrap machine that you need for your OpenShift Container Platform cluster.
Example 4.22. CloudFormation template for the bootstrap machine
4.3.10. Creating the control plane machines in AWS
You must create the control plane machines in Amazon Web Services (AWS) that your cluster will use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the control plane nodes.
The CloudFormation template creates a stack that represents three control plane nodes.
If you do not use the provided CloudFormation template to create your control plane nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the control plane machines based on your selected architecture.
- 4
- Specify anAWS::EC2::Image::Idvalue.
- 5
- Whether or not to perform DNS etcd registration.
- 6
- Specifyyesorno. If you specifyyes, you must provide hosted zone information.
- 7
- The Route 53 private zone ID to register the etcd targets with.
- 8
- Specify thePrivateHostedZoneIdvalue from the output of the CloudFormation template for DNS and load balancing.
- 9
- The Route 53 zone to register the targets with.
- 10
- Specify<cluster_name>.<domain_name>where<domain_name>is the Route 53 base domain that you used when you generatedinstall-config.yamlfile for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
- 11 13 15
- A subnet, preferably private, to launch the control plane machines on.
- 12 14 16
- Specify a subnet from thePrivateSubnetsvalue from the output of the CloudFormation template for DNS and load balancing.
- 17
- The master security group ID to associate with control plane nodes.
- 18
- Specify theMasterSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 19
- The location to fetch control plane Ignition config file from.
- 20
- Specify the generated Ignition config file location,https://api-int.<cluster_name>.<domain_name>:22623/config/master.
- 21
- The base64 encoded certificate authority string to use.
- 22
- Specify the value from themaster.ignfile that is in the installation directory. This value is the long string with the formatdata:text/plain;charset=utf-8;base64,ABC…xYz==.
- 23
- The IAM profile to associate with control plane nodes.
- 24
- Specify theMasterInstanceProfileparameter value from the output of the CloudFormation template for the security group and roles.
- 25
- The type of AWS instance to use for the control plane machines based on your selected architecture.
- 26
- The instance type value corresponds to the minimum resource requirements for control plane machines. For examplem6i.xlargeis a type for AMD64 andm6g.xlargeis a type for ARM64.
- 27
- Whether or not to register a network load balancer (NLB).
- 28
- Specifyyesorno. If you specifyyes, you must provide a Lambda Amazon Resource Name (ARN) value.
- 29
- The ARN for NLB IP target registration lambda group.
- 30
- Specify theRegisterNlbIpTargetsLambdavalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 31
- The ARN for external API load balancer target group.
- 32
- Specify theExternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 33
- The ARN for internal API load balancer target group.
- 34
- Specify theInternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 35
- The ARN for internal service load balancer target group.
- 36
- Specify theInternalServiceTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
 
- Copy the template from the CloudFormation template for control plane machines section of this topic and save it as a YAML file on your computer. This template describes the control plane machines that your cluster requires.
- 
							If you specified an m5instance type as the value forMasterInstanceType, add that instance type to theMasterInstanceType.AllowedValuesparameter in the CloudFormation template.
- Launch the CloudFormation template to create a stack of AWS resources that represent the control plane nodes: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-control-plane. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-control-plane/21c7e2b0-2ee2-11eb-c6f6-0aa34627df4b - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-control-plane/21c7e2b0-2ee2-11eb-c6f6-0aa34627df4b- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The CloudFormation template creates a stack that represents three control plane nodes. 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.3.10.1. CloudFormation template for control plane machines
You can use the following CloudFormation template to deploy the control plane machines that you need for your OpenShift Container Platform cluster.
Example 4.23. CloudFormation template for control plane machines
4.3.11. Creating the worker nodes in AWS
You can create worker nodes in Amazon Web Services (AWS) for your cluster to use.
If you are installing a three-node cluster, skip this step. A three-node cluster consists of three control plane machines, which also act as compute machines.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent a worker node.
The CloudFormation template creates a stack that represents one worker node. You must create a stack for each worker node.
If you do not use the provided CloudFormation template to create your worker nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
- You created the control plane machines.
Procedure
- Create a JSON file that contains the parameter values that the CloudFormation template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the worker nodes based on your selected architecture.
- 4
- Specify anAWS::EC2::Image::Idvalue.
- 5
- A subnet, preferably private, to start the worker nodes on.
- 6
- Specify a subnet from thePrivateSubnetsvalue from the output of the CloudFormation template for DNS and load balancing.
- 7
- The worker security group ID to associate with worker nodes.
- 8
- Specify theWorkerSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 9
- The location to fetch the bootstrap Ignition config file from.
- 10
- Specify the generated Ignition config location,https://api-int.<cluster_name>.<domain_name>:22623/config/worker.
- 11
- Base64 encoded certificate authority string to use.
- 12
- Specify the value from theworker.ignfile that is in the installation directory. This value is the long string with the formatdata:text/plain;charset=utf-8;base64,ABC…xYz==.
- 13
- The IAM profile to associate with worker nodes.
- 14
- Specify theWorkerInstanceProfileparameter value from the output of the CloudFormation template for the security group and roles.
- 15
- The type of AWS instance to use for the compute machines based on your selected architecture.
- 16
- The instance type value corresponds to the minimum resource requirements for compute machines. For examplem6i.largeis a type for AMD64 andm6g.largeis a type for ARM64.
 
- Copy the template from the CloudFormation template for worker machines section of this topic and save it as a YAML file on your computer. This template describes the networking objects and load balancers that your cluster requires.
- 
							Optional: If you specified an m5instance type as the value forWorkerInstanceType, add that instance type to theWorkerInstanceType.AllowedValuesparameter in the CloudFormation template.
- 
							Optional: If you are deploying with an AWS Marketplace image, update the Worker0.type.properties.ImageIDparameter with the AMI ID that you obtained from your subscription.
- Use the CloudFormation template to create a stack of AWS resources that represent a worker node: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-worker-1. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The CloudFormation template creates a stack that represents one worker node. 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Continue to create worker stacks until you have created enough worker machines for your cluster. You can create additional worker stacks by referencing the same template and parameter files and specifying a different stack name. Important- You must create at least two worker machines, so you must create at least two stacks that use this CloudFormation template. 
4.3.11.1. CloudFormation template for compute machines
You can deploy the compute machines that you need for your OpenShift Container Platform cluster by using the following CloudFormation template.
Example 4.24. CloudFormation template for compute machines
4.3.11.2. Creating the CloudFormation stack for compute machines
You can create a stack of AWS resources for the compute machines by using the CloudFormation template that was previously shared.
							When you use the CloudFormation template for the control plane machines, the template provisions all three control plane machines with a single stack; however, when you use the CloudFormation template to deploy the compute machines, you must create the number of stacks based on the number that you defined in the install-config.yaml file. Each stack is provisioned once for each machine. To provision a new compute machine, you must change the stack name.
						
Procedure
- To create the CloudFormation stack for compute machines, run the following command: - aws cloudformation create-stack --stack-name <name> \ --template-body file://<template>.yaml \ --parameters file://<parameters>.json- $ aws cloudformation create-stack --stack-name <name> \- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the<name>with the name for the CloudFormation stack, such ascluster-worker-1. You need the name of this stack if you remove the cluster.
- 2
- Specify the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- Specify the relative path and the name of the JSON file for the CloudFormation parameters.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.3.12. Initializing the bootstrap sequence on AWS with user-provisioned infrastructure
After you create all of the required infrastructure in Amazon Web Services (AWS), you can start the bootstrap sequence that initializes the OpenShift Container Platform control plane.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
- You created the control plane machines.
- You created the worker nodes.
Procedure
- Change to the directory that contains the installation program and start the bootstrap process that initializes the OpenShift Container Platform control plane: - ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \ --log-level=info- $ ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443... INFO API v1.31.3 up INFO Waiting up to 30m0s for bootstrapping to complete... INFO It is now safe to remove the bootstrap resources INFO Time elapsed: 1s - INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443... INFO API v1.31.3 up INFO Waiting up to 30m0s for bootstrapping to complete... INFO It is now safe to remove the bootstrap resources INFO Time elapsed: 1s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If the command exits without a - FATALwarning, your OpenShift Container Platform control plane has initialized.Note- After the control plane initializes, it sets up the compute nodes and installs additional services in the form of Operators. 
4.3.13. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.3.14. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.31.3 master-1 Ready master 63m v1.31.3 master-2 Ready master 64m v1.31.3 - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.31.3 master-1 Ready master 63m v1.31.3 master-2 Ready master 64m v1.31.3- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output lists all of the machines that you created. Note- The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. 
- Review the pending CSRs and ensure that you see the client requests with the - Pendingor- Approvedstatus for each machine that you added to the cluster:- oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ... - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, two machines are joining the cluster. You might see more approved CSRs in the list. 
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in - Pendingstatus, approve the CSRs for your cluster machines:Note- Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the - machine-approverif the Kubelet requests a new certificate with identical parameters.Note- For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the - oc exec,- oc rsh, and- oc logscommands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the- node-bootstrapperservice account in the- system:nodeor- system:admingroups, and confirm the identity of the node.- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Some Operators might not become available until some CSRs are approved. 
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster: - oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ... - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the remaining CSRs are not approved, and are in the - Pendingstatus, approve the CSRs for your cluster machines:- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- After all client and server CSRs have been approved, the machines have the - Readystatus. Verify this by running the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- It can take a few minutes after approval of the server CSRs for the machines to transition to the - Readystatus.
Additional information
4.3.15. Initial Operator configuration
After the control plane initializes, you must immediately configure some Operators so that they all become available.
Prerequisites
- Your control plane has initialized.
Procedure
- Watch the cluster components come online: - watch -n5 oc get clusteroperators - $ watch -n5 oc get clusteroperators- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the Operators that are not available.
4.3.15.1. Image registry storage configuration
Amazon Web Services provides default storage, which means the Image Registry Operator is available after installation. However, if the Registry Operator cannot create an S3 bucket and automatically configure storage, you must manually configure registry storage.
Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.
						Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.
					
You can configure registry storage for user-provisioned infrastructure in AWS to deploy OpenShift Container Platform to hidden regions. See Configuring the registry for AWS user-provisioned infrastructure for more information.
4.3.15.1.1. Configuring registry storage for AWS with user-provisioned infrastructure
During installation, your cloud credentials are sufficient to create an Amazon S3 bucket and the Registry Operator will automatically configure storage.
If the Registry Operator cannot create an S3 bucket and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.
Prerequisites
- You have a cluster on AWS with user-provisioned infrastructure.
- For Amazon S3 storage, the secret is expected to contain two keys: - 
											REGISTRY_STORAGE_S3_ACCESSKEY
- 
											REGISTRY_STORAGE_S3_SECRETKEY
 
- 
											
Procedure
Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.
- Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.
- Fill in the storage configuration in - configs.imageregistry.operator.openshift.io/cluster:- oc edit configs.imageregistry.operator.openshift.io/cluster - $ oc edit configs.imageregistry.operator.openshift.io/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example configuration - storage: s3: bucket: <bucket-name> region: <region-name>- storage: s3: bucket: <bucket-name> region: <region-name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To secure your registry images in AWS, block public access to the S3 bucket.
4.3.15.1.2. Configuring storage for the image registry in non-production clusters
You must configure storage for the Image Registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.
Procedure
- To set the image registry storage to an empty directory: - oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'- $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Warning- Configure this option for only non-production clusters. - If you run this command before the Image Registry Operator initializes its components, the - oc patchcommand fails with the following error:- Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found - Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Wait a few minutes and run the command again. 
4.3.16. Deleting the bootstrap resources
After you complete the initial Operator configuration for the cluster, remove the bootstrap resources from Amazon Web Services (AWS).
Prerequisites
- You completed the initial Operator configuration for your cluster.
Procedure
- Delete the bootstrap resources. If you used the CloudFormation template, delete its stack: - Delete the stack by using the AWS CLI: - aws cloudformation delete-stack --stack-name <name> - $ aws cloudformation delete-stack --stack-name <name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name of your bootstrap stack.
 
- Delete the stack by using the AWS CloudFormation console.
 
4.3.17. Creating the Ingress DNS Records
If you removed the DNS Zone configuration, manually create DNS records that point to the Ingress load balancer. You can create either a wildcard record or specific records. While the following procedure uses A records, you can use other record types that you require, such as CNAME or alias.
Prerequisites
- You deployed an OpenShift Container Platform cluster on Amazon Web Services (AWS) that uses infrastructure that you provisioned.
- 
							You installed the OpenShift CLI (oc).
- 
							You installed the jqpackage.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix).
Procedure
- Determine the routes to create. - 
									To create a wildcard record, use *.apps.<cluster_name>.<domain_name>, where<cluster_name>is your cluster name, and<domain_name>is the Route 53 base domain for your OpenShift Container Platform cluster.
- To create specific records, you must create a record for each route that your cluster uses, as shown in the output of the following command: - oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes- $ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - oauth-openshift.apps.<cluster_name>.<domain_name> console-openshift-console.apps.<cluster_name>.<domain_name> downloads-openshift-console.apps.<cluster_name>.<domain_name> alertmanager-main-openshift-monitoring.apps.<cluster_name>.<domain_name> prometheus-k8s-openshift-monitoring.apps.<cluster_name>.<domain_name> - oauth-openshift.apps.<cluster_name>.<domain_name> console-openshift-console.apps.<cluster_name>.<domain_name> downloads-openshift-console.apps.<cluster_name>.<domain_name> alertmanager-main-openshift-monitoring.apps.<cluster_name>.<domain_name> prometheus-k8s-openshift-monitoring.apps.<cluster_name>.<domain_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									To create a wildcard record, use 
- Retrieve the Ingress Operator load balancer status and note the value of the external IP address that it uses, which is shown in the - EXTERNAL-IPcolumn:- oc -n openshift-ingress get service router-default - $ oc -n openshift-ingress get service router-default- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.62.215 ab3...28.us-east-2.elb.amazonaws.com 80:31499/TCP,443:30693/TCP 5m - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.62.215 ab3...28.us-east-2.elb.amazonaws.com 80:31499/TCP,443:30693/TCP 5m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Locate the hosted zone ID for the load balancer: - aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.DNSName == "<external_ip>").CanonicalHostedZoneNameID' - $ aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.DNSName == "<external_ip>").CanonicalHostedZoneNameID'- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer that you obtained.
 - Example output - Z3AADJGX6KTTL2 - Z3AADJGX6KTTL2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output of this command is the load balancer hosted zone ID. 
- Obtain the public hosted zone ID for your cluster’s domain: - aws route53 list-hosted-zones-by-name \ --dns-name "<domain_name>" \ --query 'HostedZones[? Config.PrivateZone != `true` && Name == `<domain_name>.`].Id'- $ aws route53 list-hosted-zones-by-name \ --dns-name "<domain_name>" \- 1 - --query 'HostedZones[? Config.PrivateZone != `true` && Name == `<domain_name>.`].Id'- 2 - --output text- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - /hostedzone/Z3URY6TWQ91KVV - /hostedzone/Z3URY6TWQ91KVV- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The public hosted zone ID for your domain is shown in the command output. In this example, it is - Z3URY6TWQ91KVV.
- Add the alias records to your private zone: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<private_hosted_zone_id>, specify the value from the output of the CloudFormation template for DNS and load balancing.
- 2
- For<cluster_domain>, specify the domain or subdomain that you use with your OpenShift Container Platform cluster.
- 3
- For<hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
- 4
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.
 
- Add the records to your public zone: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<public_hosted_zone_id>, specify the public hosted zone for your domain.
- 2
- For<cluster_domain>, specify the domain or subdomain that you use with your OpenShift Container Platform cluster.
- 3
- For<hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
- 4
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.
 
4.3.18. Completing an AWS installation on user-provisioned infrastructure
After you start the OpenShift Container Platform installation on Amazon Web Service (AWS) user-provisioned infrastructure, monitor the deployment to completion.
Prerequisites
- You removed the bootstrap node for an OpenShift Container Platform cluster on user-provisioned AWS infrastructure.
- 
							You installed the ocCLI.
Procedure
- From the directory that contains the installation program, complete the cluster installation: - ./openshift-install --dir <installation_directory> wait-for install-complete - $ ./openshift-install --dir <installation_directory> wait-for install-complete- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- 
										The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
 
4.3.19. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
4.3.21. Next steps
- Validating an installation.
- Customize your cluster.
- If necessary, you can Remote health reporting.
- If necessary, you can remove cloud provider credentials.
4.4. Installing a cluster on AWS in a disconnected environment with user-provisioned infrastructure
In OpenShift Container Platform version 4.18, you can install a cluster on Amazon Web Services (AWS) using infrastructure that you provide and an internal mirror of the installation release content.
While you can install an OpenShift Container Platform cluster by using mirrored installation release content, your cluster still requires internet access to use the AWS APIs.
One way to create this infrastructure is to use the provided CloudFormation templates. You can modify the templates to customize your infrastructure or use the information that they contain to create AWS objects according to your company’s policies.
The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OpenShift Container Platform. Several CloudFormation templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods; the templates are just an example.
4.4.1. Prerequisites
- You reviewed details about the OpenShift Container Platform installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You created a mirror registry on your mirror host and obtained the - imageContentSourcesdata for your version of OpenShift Container Platform.Important- Because the installation media is on the mirror host, you can use that computer to complete all installation steps. 
- You configured an AWS account to host the cluster. Important- If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program. 
- You prepared the user-provisioned infrastructure.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX) in the AWS documentation.
- If you use a firewall and plan to use the Telemetry service, you configured the firewall to allow the sites that your cluster requires access to. Note- Be sure to also review this site list if you are configuring a proxy. 
- 
							If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-systemnamespace, you can manually create and maintain long-term credentials.
4.4.2. About installations in restricted networks
In OpenShift Container Platform 4.18, you can perform an installation that does not require an active connection to the internet to obtain software components. Restricted network installations can be completed using installer-provisioned infrastructure or user-provisioned infrastructure, depending on the cloud platform to which you are installing the cluster.
If you choose to perform a restricted network installation on a cloud platform, you still require access to its cloud APIs. Some cloud functions, like Amazon Web Service’s Route 53 DNS and IAM services, require internet access. Depending on your network, you might require less internet access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
To complete a restricted network installation, you must create a registry that mirrors the contents of the OpenShift image registry and contains the installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.
Because of the complexity of the configuration for user-provisioned installations, consider completing a standard user-provisioned infrastructure installation before you attempt a restricted network installation using user-provisioned infrastructure. Completing this test installation might make it easier to isolate and troubleshoot any issues that might arise during your installation in a restricted network.
4.4.2.1. Additional limits
Clusters in restricted networks have the following additional limitations and restrictions:
- 
								The ClusterVersionstatus includes anUnable to retrieve available updateserror.
- By default, you cannot use the contents of the Developer Catalog because you cannot access the required image stream tags.
4.4.3. Creating the installation files for AWS
					To install OpenShift Container Platform on Amazon Web Services (AWS) using user-provisioned infrastructure, you must generate the files that the installation program needs to deploy your cluster and modify them so that the cluster creates only the machines that it will use. You generate and customize the install-config.yaml file, Kubernetes manifests, and Ignition config files. You also have the option to first set up a separate var partition during the preparation phases of installation.
				
4.4.3.1. Optional: Creating a separate /var partition
It is recommended that disk partitioning for OpenShift Container Platform be left to the installer. However, there are cases where you might want to create separate partitions in a part of the filesystem that you expect to grow.
						OpenShift Container Platform supports the addition of a single partition to attach storage to either the /var partition or a subdirectory of /var. For example:
					
- 
								/var/lib/containers: Holds container-related content that can grow as more images and containers are added to a system.
- 
								/var/lib/etcd: Holds data that you might want to keep separate for purposes such as performance optimization of etcd storage.
- 
								/var: Holds data that you might want to keep separate for purposes such as auditing.
						Storing the contents of a /var directory separately makes it easier to grow storage for those areas as needed and reinstall OpenShift Container Platform at a later date and keep that data intact. With this method, you will not have to pull all your containers again, nor will you have to copy massive log files when you update systems.
					
						Because /var must be in place before a fresh installation of Red Hat Enterprise Linux CoreOS (RHCOS), the following procedure sets up the separate /var partition by creating a machine config manifest that is inserted during the openshift-install preparation phases of an OpenShift Container Platform installation.
					
							If you follow the steps to create a separate /var partition in this procedure, it is not necessary to create the Kubernetes manifest and Ignition config files again as described later in this section.
						
Procedure
- Create a directory to hold the OpenShift Container Platform installation files: - mkdir $HOME/clusterconfig - $ mkdir $HOME/clusterconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run - openshift-installto create a set of files in the- manifestand- openshiftsubdirectories. Answer the system questions as you are prompted:- openshift-install create manifests --dir $HOME/clusterconfig - $ openshift-install create manifests --dir $HOME/clusterconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ? SSH Public Key ... INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials" INFO Consuming Install Config from target directory INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift - ? SSH Public Key ... INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials" INFO Consuming Install Config from target directory INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Confirm that the installation program created manifests in the - clusterconfig/openshiftdirectory:- ls $HOME/clusterconfig/openshift/ - $ ls $HOME/clusterconfig/openshift/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 99_kubeadmin-password-secret.yaml 99_openshift-cluster-api_master-machines-0.yaml 99_openshift-cluster-api_master-machines-1.yaml 99_openshift-cluster-api_master-machines-2.yaml ... - 99_kubeadmin-password-secret.yaml 99_openshift-cluster-api_master-machines-0.yaml 99_openshift-cluster-api_master-machines-1.yaml 99_openshift-cluster-api_master-machines-2.yaml ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a Butane config that configures the additional partition. For example, name the file - $HOME/clusterconfig/98-var-partition.bu, change the disk device name to the name of the storage device on the- workersystems, and set the storage size as appropriate. This example places the- /vardirectory on a separate partition:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The storage device name of the disk that you want to partition.
- 2
- When adding a data partition to the boot disk, a minimum value of 25000 MiB (Mebibytes) is recommended. The root file system is automatically resized to fill all available space up to the specified offset. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of RHCOS might overwrite the beginning of the data partition.
- 3
- The size of the data partition in mebibytes.
- 4
- Theprjquotamount option must be enabled for filesystems used for container storage.
 Note- When creating a separate - /varpartition, you cannot use different instance types for worker nodes, if the different instance types do not have the same device name.
- Create a manifest from the Butane config and save it to the - clusterconfig/openshiftdirectory. For example, run the following command:- butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml - $ butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run - openshift-installagain to create Ignition configs from a set of files in the- manifestand- openshiftsubdirectories:- openshift-install create ignition-configs --dir $HOME/clusterconfig ls $HOME/clusterconfig/ - $ openshift-install create ignition-configs --dir $HOME/clusterconfig $ ls $HOME/clusterconfig/ auth bootstrap.ign master.ign metadata.json worker.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Now you can use the Ignition config files as input to the installation procedures to install Red Hat Enterprise Linux CoreOS (RHCOS) systems.
4.4.3.2. Creating the installation configuration file
Generate and customize the installation configuration file that the installation program needs to deploy your cluster.
Prerequisites
- You obtained the OpenShift Container Platform installation program for user-provisioned infrastructure and the pull secret for your cluster. For a restricted network installation, these files are on your mirror host.
- 
								You checked that you are deploying your cluster to an AWS Region with an accompanying Red Hat Enterprise Linux CoreOS (RHCOS) AMI published by Red Hat. If you are deploying to an AWS Region that requires a custom AMI, such as an AWS GovCloud Region, you must create the install-config.yamlfile manually.
Procedure
- Create the - install-config.yamlfile.- Change to the directory that contains the installation program and run the following command: - ./openshift-install create install-config --dir <installation_directory> - $ ./openshift-install create install-config --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the directory name to store the files that the installation program creates.
 Important- Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. 
- At the prompts, provide the configuration details for your cloud: - Optional: Select an SSH key to use to access your cluster machines. Note- For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your - ssh-agentprocess uses.
- Select aws as the platform to target.
- If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program. Note- The AWS access key ID and secret access key are stored in - ~/.aws/credentialsin the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.
- Select the AWS Region to deploy the cluster to.
- Select the base domain for the Route 53 service that you configured for your cluster.
- Enter a descriptive name for your cluster.
- Paste the pull secret from Red Hat OpenShift Cluster Manager.
 
 
- Edit the - install-config.yamlfile to give the additional information that is required for an installation in a restricted network.- Update the - pullSecretvalue to contain the authentication information for your registry:- pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}'- pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For - <local_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example- registry.example.comor- registry.example.com:5000. For- <credentials>, specify the base64-encoded user name and password for your mirror registry.
- Add the - additionalTrustBundleparameter and value. The value must be the contents of the certificate file that you used for your mirror registry. The certificate file can be an existing, trusted certificate authority or the self-signed certificate that you generated for the mirror registry.- additionalTrustBundle: | -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE----- - additionalTrustBundle: | -----BEGIN CERTIFICATE----- ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ -----END CERTIFICATE------ Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the image content resources: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Use the - imageContentSourcessection from the output of the command to mirror the repository or the values that you used when you mirrored the content from the media that you brought into your restricted network.
- Optional: Set the publishing strategy to - Internal:- publish: Internal - publish: Internal- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - By setting this option, you create an internal Ingress Controller and a private load balancer. 
 
- Optional: Back up the - install-config.yamlfile.Important- The - install-config.yamlfile is consumed during the installation process. If you want to reuse the file, you must back it up now.
4.4.3.3. Configuring the cluster-wide proxy during installation
						Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.
					
Prerequisites
- 
								You have an existing install-config.yamlfile.
- You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the - Proxyobject’s- spec.noProxyfield to bypass the proxy if necessary.Note- The - Proxyobject- status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
Procedure
- Edit your - install-config.yamlfile and add the proxy settings. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster.
- 3
- A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with.to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass the proxy for all destinations. If you have added the AmazonEC2,Elastic Load Balancing, andS3VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- 4
- If provided, the installation program generates a config map that is nameduser-ca-bundlein theopenshift-confignamespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates atrusted-ca-bundleconfig map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in thetrustedCAfield of theProxyobject. TheadditionalTrustBundlefield is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
- 5
- Optional: The policy to determine the configuration of theProxyobject to reference theuser-ca-bundleconfig map in thetrustedCAfield. The allowed values areProxyonlyandAlways. UseProxyonlyto reference theuser-ca-bundleconfig map only whenhttp/httpsproxy is configured. UseAlwaysto always reference theuser-ca-bundleconfig map. The default value isProxyonly.
 Note- The installation program does not support the proxy - readinessEndpointsfield.Note- If the installer times out, restart and then complete the deployment by using the - wait-forcommand of the installer. For example:- ./openshift-install wait-for install-complete --log-level debug - $ ./openshift-install wait-for install-complete --log-level debug- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file and reference it when installing OpenShift Container Platform.
						The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.
					
							Only the Proxy object named cluster is supported, and no additional proxies can be created.
						
4.4.3.4. Creating the Kubernetes manifest and Ignition config files
Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
The installation configuration file transforms into the Kubernetes manifests. The manifests wrap into the Ignition configuration files, which are later used to configure the cluster machines.
- 
									The Ignition config files that the OpenShift Container Platform installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
Prerequisites
- You obtained the OpenShift Container Platform installation program. For a restricted network installation, these files are on your mirror host.
- 
								You created the install-config.yamlinstallation configuration file.
Procedure
- Change to the directory that contains the OpenShift Container Platform installation program and generate the Kubernetes manifests for the cluster: - ./openshift-install create manifests --dir <installation_directory> - $ ./openshift-install create manifests --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the installation directory that contains theinstall-config.yamlfile you created.
 
- Remove the Kubernetes manifest files that define the control plane machines: - rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml - $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - By removing these files, you prevent the cluster from automatically generating control plane machines. 
- Remove the Kubernetes manifest files that define the control plane machine set: - rm -f <installation_directory>/openshift/99_openshift-machine-api_master-control-plane-machine-set.yaml - $ rm -f <installation_directory>/openshift/99_openshift-machine-api_master-control-plane-machine-set.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Remove the Kubernetes manifest files that define the worker machines: - rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml - $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- If you disabled the - MachineAPIcapability when installing a cluster on user-provisioned infrastructure, you must remove the Kubernetes manifest files that define the worker machines. Otherwise, your cluster fails to install.- Because you create and manage the worker machines yourself, you do not need to initialize these machines. 
- Check that the - mastersSchedulableparameter in the- <installation_directory>/manifests/cluster-scheduler-02-config.ymlKubernetes manifest file is set to- false. This setting prevents pods from being scheduled on the control plane machines:- 
										Open the <installation_directory>/manifests/cluster-scheduler-02-config.ymlfile.
- 
										Locate the mastersSchedulableparameter and ensure that it is set tofalse.
- Save and exit the file.
 
- 
										Open the 
- Optional: If you do not want the Ingress Operator to create DNS records on your behalf, remove the - privateZoneand- publicZonesections from the- <installation_directory>/manifests/cluster-dns-02-config.ymlDNS configuration file:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If you do so, you must add ingress DNS records manually in a later step. 
- To create the Ignition configuration files, run the following command from the directory that contains the installation program: - ./openshift-install create ignition-configs --dir <installation_directory> - $ ./openshift-install create ignition-configs --dir <installation_directory>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the same installation directory.
 - Ignition config files are created for the bootstrap, control plane, and compute nodes in the installation directory. The - kubeadmin-passwordand- kubeconfigfiles are created in the- ./<installation_directory>/authdirectory:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.4.4. Extracting the infrastructure name
The Ignition config files contain a unique cluster identifier that you can use to uniquely identify your cluster in Amazon Web Services (AWS). The infrastructure name is also used to locate the appropriate AWS resources during an OpenShift Container Platform installation. The provided CloudFormation templates contain references to this infrastructure name, so you must extract it.
Prerequisites
- You obtained the OpenShift Container Platform installation program and the pull secret for your cluster.
- You generated the Ignition config files for your cluster.
- 
							You installed the jqpackage.
Procedure
- To extract and view the infrastructure name from the Ignition config file metadata, run the following command: - jq -r .infraID <installation_directory>/metadata.json - $ jq -r .infraID <installation_directory>/metadata.json- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 - Example output - openshift-vw9j6 - openshift-vw9j6- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The output of this command is your cluster name and a random string.
 
4.4.5. Creating a VPC in AWS
You must create a Virtual Private Cloud (VPC) in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to use. You can customize the VPC to meet your requirements, including VPN and route tables.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the VPC.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Copy the template from the CloudFormation template for the VPC section of this topic and save it as a YAML file on your computer. This template describes the VPC that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the VPC: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-vpc. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- VpcId- The ID of your VPC. - PublicSubnetIds- The IDs of the new public subnets. - PrivateSubnetIds- The IDs of the new private subnets. 
4.4.5.1. CloudFormation template for the VPC
You can use the following CloudFormation template to deploy the VPC that you need for your OpenShift Container Platform cluster.
Example 4.25. CloudFormation template for the VPC
4.4.6. Creating networking and load balancing components in AWS
You must configure networking and classic or network load balancing in Amazon Web Services (AWS) that your OpenShift Container Platform cluster can use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the networking and load balancing components that your OpenShift Container Platform cluster requires. The template also creates a hosted zone and subnet tags.
You can run the template multiple times within a single Virtual Private Cloud (VPC).
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
Procedure
- Obtain the hosted zone ID for the Route 53 base domain that you specified in the - install-config.yamlfile for your cluster. You can obtain details about your hosted zone by running the following command:- aws route53 list-hosted-zones-by-name --dns-name <route53_domain> - $ aws route53 list-hosted-zones-by-name --dns-name <route53_domain>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For the<route53_domain>, specify the Route 53 base domain that you used when you generated theinstall-config.yamlfile for the cluster.
 - Example output - mycluster.example.com. False 100 HOSTEDZONES 65F8F38E-2268-B835-E15C-AB55336FCBFA /hostedzone/Z21IXYZABCZ2A4 mycluster.example.com. 10 - mycluster.example.com. False 100 HOSTEDZONES 65F8F38E-2268-B835-E15C-AB55336FCBFA /hostedzone/Z21IXYZABCZ2A4 mycluster.example.com. 10- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the example output, the hosted zone ID is - Z21IXYZABCZ2A4.
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A short, representative cluster name to use for hostnames, etc.
- 2
- Specify the cluster name that you used when you generated theinstall-config.yamlfile for the cluster.
- 3
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 4
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 5
- The Route 53 public zone ID to register the targets with.
- 6
- Specify the Route 53 public zone ID, which as a format similar toZ21IXYZABCZ2A4. You can obtain this value from the AWS console.
- 7
- The Route 53 zone to register the targets with.
- 8
- Specify the Route 53 base domain that you used when you generated theinstall-config.yamlfile for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
- 9
- The public subnets that you created for your VPC.
- 10
- Specify thePublicSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 11
- The private subnets that you created for your VPC.
- 12
- Specify thePrivateSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 13
- The VPC that you created for the cluster.
- 14
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
 
- Copy the template from the CloudFormation template for the network and load balancers section of this topic and save it as a YAML file on your computer. This template describes the networking and load balancing objects that your cluster requires. Important- If you are deploying your cluster to an AWS government or secret region, you must update the - InternalApiServerRecordin the CloudFormation template to use- CNAMErecords. Records of type- ALIASare not supported for AWS government regions.
- Launch the CloudFormation template to create a stack of AWS resources that provide the networking and load balancing components: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-dns. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::Roleresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-dns/cd3e5de0-2fd4-11eb-5cf0-12be5c33a183 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-dns/cd3e5de0-2fd4-11eb-5cf0-12be5c33a183- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- PrivateHostedZoneId- Hosted zone ID for the private DNS. - ExternalApiLoadBalancerName- Full name of the external API load balancer. - InternalApiLoadBalancerName- Full name of the internal API load balancer. - ApiServerDnsName- Full hostname of the API server. - RegisterNlbIpTargetsLambda- Lambda ARN useful to help register/deregister IP targets for these load balancers. - ExternalApiTargetGroupArn- ARN of external API target group. - InternalApiTargetGroupArn- ARN of internal API target group. - InternalServiceTargetGroupArn- ARN of internal service target group. 
4.4.6.1. CloudFormation template for the network and load balancers
You can use the following CloudFormation template to deploy the networking objects and load balancers that you need for your OpenShift Container Platform cluster.
Example 4.26. CloudFormation template for the network and load balancers
							If you are deploying your cluster to an AWS government or secret region, you must update the InternalApiServerRecord to use CNAME records. Records of type ALIAS are not supported for AWS government regions. For example:
						
Type: CNAME TTL: 10 ResourceRecords: - !GetAtt IntApiElb.DNSName
Type: CNAME
TTL: 10
ResourceRecords:
- !GetAtt IntApiElb.DNSName4.4.7. Creating security group and roles in AWS
You must create security groups and roles in Amazon Web Services (AWS) for your OpenShift Container Platform cluster to use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the security groups and roles that your OpenShift Container Platform cluster requires.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- The CIDR block for the VPC.
- 4
- Specify the CIDR block parameter that you used for the VPC that you defined in the formx.x.x.x/16-24.
- 5
- The private subnets that you created for your VPC.
- 6
- Specify thePrivateSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 7
- The VPC that you created for the cluster.
- 8
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
 
- Copy the template from the CloudFormation template for security objects section of this topic and save it as a YAML file on your computer. This template describes the security groups and roles that your cluster requires.
- Launch the CloudFormation template to create a stack of AWS resources that represent the security groups and roles: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-sec. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::RoleandAWS::IAM::InstanceProfileresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- MasterSecurityGroupId- Master Security Group ID - WorkerSecurityGroupId- Worker Security Group ID - MasterInstanceProfile- Master IAM Instance Profile - WorkerInstanceProfile- Worker IAM Instance Profile 
4.4.7.1. CloudFormation template for security objects
You can use the following CloudFormation template to deploy the security objects that you need for your OpenShift Container Platform cluster.
Example 4.27. CloudFormation template for security objects
4.4.8. Accessing RHCOS AMIs with stream metadata
In OpenShift Container Platform, stream metadata provides standardized metadata about RHCOS in the JSON format and injects the metadata into the cluster. Stream metadata is a stable format that supports multiple architectures and is intended to be self-documenting for maintaining automation.
					You can use the coreos print-stream-json sub-command of openshift-install to access information about the boot images in the stream metadata format. This command provides a method for printing stream metadata in a scriptable, machine-readable format.
				
					For user-provisioned installations, the openshift-install binary contains references to the version of RHCOS boot images that are tested for use with OpenShift Container Platform, such as the AWS AMI.
				
Procedure
To parse the stream metadata, use one of the following methods:
- 
							From a Go program, use the official stream-metadata-golibrary at https://github.com/coreos/stream-metadata-go. You can also view example code in the library.
- From another programming language, such as Python or Ruby, use the JSON library of your preferred programming language.
- From a command-line utility that handles JSON data, such as - jq:- Print the current - x86_64or- aarch64AMI for an AWS region, such as- us-west-1:- For x86_64 - openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-west-1"].image' - $ openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-west-1"].image'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ami-0d3e625f84626bbda - ami-0d3e625f84626bbda- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For aarch64 - openshift-install coreos print-stream-json | jq -r '.architectures.aarch64.images.aws.regions["us-west-1"].image' - $ openshift-install coreos print-stream-json | jq -r '.architectures.aarch64.images.aws.regions["us-west-1"].image'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ami-0af1d3b7fa5be2131 - ami-0af1d3b7fa5be2131- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output of this command is the AWS AMI ID for your designated architecture and the - us-west-1region. The AMI must belong to the same region as the cluster.
 
4.4.9. RHCOS AMIs for the AWS infrastructure
Red Hat provides Red Hat Enterprise Linux CoreOS (RHCOS) AMIs that are valid for the various AWS regions and instance architectures that you can manually specify for your OpenShift Container Platform nodes.
By importing your own AMI, you can also install to regions that do not have a published RHCOS AMI.
| AWS zone | AWS AMI | 
|---|---|
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| AWS zone | AWS AMI | 
|---|---|
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
| 
									 | 
									 | 
4.4.10. Creating the bootstrap node in AWS
You must create the bootstrap node in Amazon Web Services (AWS) to use during OpenShift Container Platform cluster initialization. You do this by:
- 
							Providing a location to serve the bootstrap.ignIgnition config file to your cluster. This file is located in your installation directory. The provided CloudFormation Template assumes that the Ignition config files for your cluster are served from an S3 bucket. If you choose to serve the files from another location, you must modify the templates.
- Using the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the bootstrap node that your OpenShift Container Platform installation requires.
If you do not use the provided CloudFormation template to create your bootstrap node, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
Procedure
- Create the bucket by running the following command: - aws s3 mb s3://<cluster-name>-infra - $ aws s3 mb s3://<cluster-name>-infra- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <cluster-name>-infrais the bucket name. When creating the- install-config.yamlfile, replace- <cluster-name>with the name specified for the cluster.
 - You must use a presigned URL for your S3 bucket, instead of the - s3://schema, if you are:- Deploying to a region that has endpoints that differ from the AWS SDK.
- Deploying a proxy.
- Providing your own custom endpoints.
 
- Upload the - bootstrap.ignIgnition config file to the bucket by running the following command:- aws s3 cp <installation_directory>/bootstrap.ign s3://<cluster-name>-infra/bootstrap.ign - $ aws s3 cp <installation_directory>/bootstrap.ign s3://<cluster-name>-infra/bootstrap.ign- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify that the file uploaded by running the following command: - aws s3 ls s3://<cluster-name>-infra/ - $ aws s3 ls s3://<cluster-name>-infra/- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - 2019-04-03 16:15:16 314878 bootstrap.ign - 2019-04-03 16:15:16 314878 bootstrap.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The bootstrap Ignition config file does contain secrets, like X.509 keys. The following steps provide basic security for the S3 bucket. To provide additional security, you can enable an S3 bucket policy to allow only certain users, such as the OpenShift IAM user, to access objects that the bucket contains. You can avoid S3 entirely and serve your bootstrap Ignition config file from any address that the bootstrap machine can reach. 
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the bootstrap node based on your selected architecture.
- 4
- Specify a validAWS::EC2::Image::Idvalue.
- 5
- CIDR block to allow SSH access to the bootstrap node.
- 6
- Specify a CIDR block in the formatx.x.x.x/16-24.
- 7
- The public subnet that is associated with your VPC to launch the bootstrap node into.
- 8
- Specify thePublicSubnetIdsvalue from the output of the CloudFormation template for the VPC.
- 9
- The master security group ID (for registering temporary rules)
- 10
- Specify theMasterSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 11
- The VPC created resources will belong to.
- 12
- Specify theVpcIdvalue from the output of the CloudFormation template for the VPC.
- 13
- Location to fetch bootstrap Ignition config file from.
- 14
- Specify the S3 bucket and file name in the forms3://<bucket_name>/bootstrap.ign.
- 15
- Whether or not to register a network load balancer (NLB).
- 16
- Specifyyesorno. If you specifyyes, you must provide a Lambda Amazon Resource Name (ARN) value.
- 17
- The ARN for NLB IP target registration lambda group.
- 18
- Specify theRegisterNlbIpTargetsLambdavalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 19
- The ARN for external API load balancer target group.
- 20
- Specify theExternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 21
- The ARN for internal API load balancer target group.
- 22
- Specify theInternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 23
- The ARN for internal service load balancer target group.
- 24
- Specify theInternalServiceTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
 
- Copy the template from the CloudFormation template for the bootstrap machine section of this topic and save it as a YAML file on your computer. This template describes the bootstrap machine that your cluster requires.
- 
							Optional: If you are deploying the cluster with a proxy, you must update the ignition in the template to add the ignition.config.proxyfields. Additionally, If you have added the Amazon EC2, Elastic Load Balancing, and S3 VPC endpoints to your VPC, you must add these endpoints to thenoProxyfield.
- Launch the CloudFormation template to create a stack of AWS resources that represent the bootstrap node: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - --capabilities CAPABILITY_NAMED_IAM- 4 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-bootstrap. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
- 4
- You must explicitly declare theCAPABILITY_NAMED_IAMcapability because the provided template creates someAWS::IAM::RoleandAWS::IAM::InstanceProfileresources.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-bootstrap/12944486-2add-11eb-9dee-12dace8e3a83 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-bootstrap/12944486-2add-11eb-9dee-12dace8e3a83- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:- BootstrapInstanceId- The bootstrap Instance ID. - BootstrapPublicIp- The bootstrap node public IP address. - BootstrapPrivateIp- The bootstrap node private IP address. 
4.4.10.1. CloudFormation template for the bootstrap machine
You can use the following CloudFormation template to deploy the bootstrap machine that you need for your OpenShift Container Platform cluster.
Example 4.28. CloudFormation template for the bootstrap machine
4.4.10.2. Creating the control plane machines in AWS
You must create the control plane machines in Amazon Web Services (AWS) that your cluster will use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the control plane nodes.
The CloudFormation template creates a stack that represents three control plane nodes.
If you do not use the provided CloudFormation template to create your control plane nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
								You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
Procedure
- Create a JSON file that contains the parameter values that the template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the control plane machines based on your selected architecture.
- 4
- Specify anAWS::EC2::Image::Idvalue.
- 5
- Whether or not to perform DNS etcd registration.
- 6
- Specifyyesorno. If you specifyyes, you must provide hosted zone information.
- 7
- The Route 53 private zone ID to register the etcd targets with.
- 8
- Specify thePrivateHostedZoneIdvalue from the output of the CloudFormation template for DNS and load balancing.
- 9
- The Route 53 zone to register the targets with.
- 10
- Specify<cluster_name>.<domain_name>where<domain_name>is the Route 53 base domain that you used when you generatedinstall-config.yamlfile for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
- 11 13 15
- A subnet, preferably private, to launch the control plane machines on.
- 12 14 16
- Specify a subnet from thePrivateSubnetsvalue from the output of the CloudFormation template for DNS and load balancing.
- 17
- The master security group ID to associate with control plane nodes.
- 18
- Specify theMasterSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 19
- The location to fetch control plane Ignition config file from.
- 20
- Specify the generated Ignition config file location,https://api-int.<cluster_name>.<domain_name>:22623/config/master.
- 21
- The base64 encoded certificate authority string to use.
- 22
- Specify the value from themaster.ignfile that is in the installation directory. This value is the long string with the formatdata:text/plain;charset=utf-8;base64,ABC…xYz==.
- 23
- The IAM profile to associate with control plane nodes.
- 24
- Specify theMasterInstanceProfileparameter value from the output of the CloudFormation template for the security group and roles.
- 25
- The type of AWS instance to use for the control plane machines based on your selected architecture.
- 26
- The instance type value corresponds to the minimum resource requirements for control plane machines. For examplem6i.xlargeis a type for AMD64 andm6g.xlargeis a type for ARM64.
- 27
- Whether or not to register a network load balancer (NLB).
- 28
- Specifyyesorno. If you specifyyes, you must provide a Lambda Amazon Resource Name (ARN) value.
- 29
- The ARN for NLB IP target registration lambda group.
- 30
- Specify theRegisterNlbIpTargetsLambdavalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 31
- The ARN for external API load balancer target group.
- 32
- Specify theExternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 33
- The ARN for internal API load balancer target group.
- 34
- Specify theInternalApiTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
- 35
- The ARN for internal service load balancer target group.
- 36
- Specify theInternalServiceTargetGroupArnvalue from the output of the CloudFormation template for DNS and load balancing. Usearn:aws-us-govif deploying the cluster to an AWS GovCloud region.
 
- Copy the template from the CloudFormation template for control plane machines section of this topic and save it as a YAML file on your computer. This template describes the control plane machines that your cluster requires.
- 
								If you specified an m5instance type as the value forMasterInstanceType, add that instance type to theMasterInstanceType.AllowedValuesparameter in the CloudFormation template.
- Launch the CloudFormation template to create a stack of AWS resources that represent the control plane nodes: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-control-plane. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-control-plane/21c7e2b0-2ee2-11eb-c6f6-0aa34627df4b - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-control-plane/21c7e2b0-2ee2-11eb-c6f6-0aa34627df4b- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The CloudFormation template creates a stack that represents three control plane nodes. 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.4.10.3. CloudFormation template for control plane machines
You can use the following CloudFormation template to deploy the control plane machines that you need for your OpenShift Container Platform cluster.
Example 4.29. CloudFormation template for control plane machines
4.4.11. Creating the worker nodes in AWS
You can create worker nodes in Amazon Web Services (AWS) for your cluster to use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent a worker node.
The CloudFormation template creates a stack that represents one worker node. You must create a stack for each worker node.
If you do not use the provided CloudFormation template to create your worker nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
- You created the control plane machines.
Procedure
- Create a JSON file that contains the parameter values that the CloudFormation template requires: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
- 2
- Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format<cluster-name>-<random-string>.
- 3
- Current Red Hat Enterprise Linux CoreOS (RHCOS) AMI to use for the worker nodes based on your selected architecture.
- 4
- Specify anAWS::EC2::Image::Idvalue.
- 5
- A subnet, preferably private, to start the worker nodes on.
- 6
- Specify a subnet from thePrivateSubnetsvalue from the output of the CloudFormation template for DNS and load balancing.
- 7
- The worker security group ID to associate with worker nodes.
- 8
- Specify theWorkerSecurityGroupIdvalue from the output of the CloudFormation template for the security group and roles.
- 9
- The location to fetch the bootstrap Ignition config file from.
- 10
- Specify the generated Ignition config location,https://api-int.<cluster_name>.<domain_name>:22623/config/worker.
- 11
- Base64 encoded certificate authority string to use.
- 12
- Specify the value from theworker.ignfile that is in the installation directory. This value is the long string with the formatdata:text/plain;charset=utf-8;base64,ABC…xYz==.
- 13
- The IAM profile to associate with worker nodes.
- 14
- Specify theWorkerInstanceProfileparameter value from the output of the CloudFormation template for the security group and roles.
- 15
- The type of AWS instance to use for the compute machines based on your selected architecture.
- 16
- The instance type value corresponds to the minimum resource requirements for compute machines. For examplem6i.largeis a type for AMD64 andm6g.largeis a type for ARM64.
 
- Copy the template from the CloudFormation template for worker machines section of this topic and save it as a YAML file on your computer. This template describes the networking objects and load balancers that your cluster requires.
- 
							Optional: If you specified an m5instance type as the value forWorkerInstanceType, add that instance type to theWorkerInstanceType.AllowedValuesparameter in the CloudFormation template.
- 
							Optional: If you are deploying with an AWS Marketplace image, update the Worker0.type.properties.ImageIDparameter with the AMI ID that you obtained from your subscription.
- Use the CloudFormation template to create a stack of AWS resources that represent a worker node: Important- You must enter the command on a single line. - aws cloudformation create-stack --stack-name <name> - $ aws cloudformation create-stack --stack-name <name>- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-worker-1. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The CloudFormation template creates a stack that represents one worker node. 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Continue to create worker stacks until you have created enough worker machines for your cluster. You can create additional worker stacks by referencing the same template and parameter files and specifying a different stack name. Important- You must create at least two worker machines, so you must create at least two stacks that use this CloudFormation template. 
4.4.11.1. CloudFormation template for compute machines
You can deploy the compute machines that you need for your OpenShift Container Platform cluster by using the following CloudFormation template.
Example 4.30. CloudFormation template for compute machines
4.4.11.2. Creating the CloudFormation stack for compute machines
You can create a stack of AWS resources for the compute machines by using the CloudFormation template that was previously shared.
							When you use the CloudFormation template for the control plane machines, the template provisions all three control plane machines with a single stack; however, when you use the CloudFormation template to deploy the compute machines, you must create the number of stacks based on the number that you defined in the install-config.yaml file. Each stack is provisioned once for each machine. To provision a new compute machine, you must change the stack name.
						
Procedure
- To create the CloudFormation stack for compute machines, run the following command: - aws cloudformation create-stack --stack-name <name> \ --template-body file://<template>.yaml \ --parameters file://<parameters>.json- $ aws cloudformation create-stack --stack-name <name> \- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the<name>with the name for the CloudFormation stack, such ascluster-worker-1. You need the name of this stack if you remove the cluster.
- 2
- Specify the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- Specify the relative path and the name of the JSON file for the CloudFormation parameters.
 - Example output - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59 - arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.4.12. Initializing the bootstrap sequence on AWS with user-provisioned infrastructure
After you create all of the required infrastructure in Amazon Web Services (AWS), you can start the bootstrap sequence that initializes the OpenShift Container Platform control plane.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You generated the Ignition config files for your cluster.
- You created and configured a VPC and associated subnets in AWS.
- You created and configured DNS, load balancers, and listeners in AWS.
- You created the security groups and roles required for your cluster in AWS.
- You created the bootstrap machine.
- You created the control plane machines.
- You created the worker nodes.
Procedure
- Change to the directory that contains the installation program and start the bootstrap process that initializes the OpenShift Container Platform control plane: - ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \ --log-level=info- $ ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \- 1 - --log-level=info- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443... INFO API v1.31.3 up INFO Waiting up to 30m0s for bootstrapping to complete... INFO It is now safe to remove the bootstrap resources INFO Time elapsed: 1s - INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443... INFO API v1.31.3 up INFO Waiting up to 30m0s for bootstrapping to complete... INFO It is now safe to remove the bootstrap resources INFO Time elapsed: 1s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If the command exits without a - FATALwarning, your OpenShift Container Platform control plane has initialized.Note- After the control plane initializes, it sets up the compute nodes and installs additional services in the form of Operators. 
4.4.13. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.31.3 master-1 Ready master 63m v1.31.3 master-2 Ready master 64m v1.31.3 - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.31.3 master-1 Ready master 63m v1.31.3 master-2 Ready master 64m v1.31.3- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output lists all of the machines that you created. Note- The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. 
- Review the pending CSRs and ensure that you see the client requests with the - Pendingor- Approvedstatus for each machine that you added to the cluster:- oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ... - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, two machines are joining the cluster. You might see more approved CSRs in the list. 
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in - Pendingstatus, approve the CSRs for your cluster machines:Note- Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the - machine-approverif the Kubelet requests a new certificate with identical parameters.Note- For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the - oc exec,- oc rsh, and- oc logscommands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the- node-bootstrapperservice account in the- system:nodeor- system:admingroups, and confirm the identity of the node.- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Some Operators might not become available until some CSRs are approved. 
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster: - oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ... - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the remaining CSRs are not approved, and are in the - Pendingstatus, approve the CSRs for your cluster machines:- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- After all client and server CSRs have been approved, the machines have the - Readystatus. Verify this by running the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- It can take a few minutes after approval of the server CSRs for the machines to transition to the - Readystatus.
Additional information
4.4.14. Initial Operator configuration
After the control plane initializes, you must immediately configure some Operators so that they all become available.
Prerequisites
- Your control plane has initialized.
Procedure
- Watch the cluster components come online: - watch -n5 oc get clusteroperators - $ watch -n5 oc get clusteroperators- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the Operators that are not available.
4.4.14.1. Disabling the default OperatorHub catalog sources
Operator catalogs that source content provided by Red Hat and community projects are configured for OperatorHub by default during an OpenShift Container Platform installation. In a restricted network environment, you must disable the default catalogs as a cluster administrator.
Procedure
- Disable the sources for the default catalogs by adding - disableAllDefaultSources: trueto the- OperatorHubobject:- oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- $ oc patch OperatorHub cluster --type json \ -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create, update, delete, disable, and enable individual sources.
4.4.14.2. Image registry storage configuration
Amazon Web Services provides default storage, which means the Image Registry Operator is available after installation. However, if the Registry Operator cannot create an S3 bucket and automatically configure storage, you must manually configure registry storage.
Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.
						Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.
					
4.4.14.2.1. Configuring registry storage for AWS with user-provisioned infrastructure
During installation, your cloud credentials are sufficient to create an Amazon S3 bucket and the Registry Operator will automatically configure storage.
If the Registry Operator cannot create an S3 bucket and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.
Prerequisites
- You have a cluster on AWS with user-provisioned infrastructure.
- For Amazon S3 storage, the secret is expected to contain two keys: - 
											REGISTRY_STORAGE_S3_ACCESSKEY
- 
											REGISTRY_STORAGE_S3_SECRETKEY
 
- 
											
Procedure
Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.
- Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.
- Fill in the storage configuration in - configs.imageregistry.operator.openshift.io/cluster:- oc edit configs.imageregistry.operator.openshift.io/cluster - $ oc edit configs.imageregistry.operator.openshift.io/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example configuration - storage: s3: bucket: <bucket-name> region: <region-name>- storage: s3: bucket: <bucket-name> region: <region-name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
To secure your registry images in AWS, block public access to the S3 bucket.
4.4.14.2.2. Configuring storage for the image registry in non-production clusters
You must configure storage for the Image Registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.
Procedure
- To set the image registry storage to an empty directory: - oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'- $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Warning- Configure this option for only non-production clusters. - If you run this command before the Image Registry Operator initializes its components, the - oc patchcommand fails with the following error:- Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found - Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Wait a few minutes and run the command again. 
4.4.15. Deleting the bootstrap resources
After you complete the initial Operator configuration for the cluster, remove the bootstrap resources from Amazon Web Services (AWS).
Prerequisites
- You completed the initial Operator configuration for your cluster.
Procedure
- Delete the bootstrap resources. If you used the CloudFormation template, delete its stack: - Delete the stack by using the AWS CLI: - aws cloudformation delete-stack --stack-name <name> - $ aws cloudformation delete-stack --stack-name <name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name of your bootstrap stack.
 
- Delete the stack by using the AWS CloudFormation console.
 
4.4.16. Creating the Ingress DNS Records
If you removed the DNS Zone configuration, manually create DNS records that point to the Ingress load balancer. You can create either a wildcard record or specific records. While the following procedure uses A records, you can use other record types that you require, such as CNAME or alias.
Prerequisites
- You deployed an OpenShift Container Platform cluster on Amazon Web Services (AWS) that uses infrastructure that you provisioned.
- 
							You installed the OpenShift CLI (oc).
- 
							You installed the jqpackage.
- You downloaded the AWS CLI and installed it on your computer. See Install the AWS CLI Using the Bundled Installer (Linux, macOS, or Unix).
Procedure
- Determine the routes to create. - 
									To create a wildcard record, use *.apps.<cluster_name>.<domain_name>, where<cluster_name>is your cluster name, and<domain_name>is the Route 53 base domain for your OpenShift Container Platform cluster.
- To create specific records, you must create a record for each route that your cluster uses, as shown in the output of the following command: - oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes- $ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - oauth-openshift.apps.<cluster_name>.<domain_name> console-openshift-console.apps.<cluster_name>.<domain_name> downloads-openshift-console.apps.<cluster_name>.<domain_name> alertmanager-main-openshift-monitoring.apps.<cluster_name>.<domain_name> prometheus-k8s-openshift-monitoring.apps.<cluster_name>.<domain_name> - oauth-openshift.apps.<cluster_name>.<domain_name> console-openshift-console.apps.<cluster_name>.<domain_name> downloads-openshift-console.apps.<cluster_name>.<domain_name> alertmanager-main-openshift-monitoring.apps.<cluster_name>.<domain_name> prometheus-k8s-openshift-monitoring.apps.<cluster_name>.<domain_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									To create a wildcard record, use 
- Retrieve the Ingress Operator load balancer status and note the value of the external IP address that it uses, which is shown in the - EXTERNAL-IPcolumn:- oc -n openshift-ingress get service router-default - $ oc -n openshift-ingress get service router-default- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.62.215 ab3...28.us-east-2.elb.amazonaws.com 80:31499/TCP,443:30693/TCP 5m - NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE router-default LoadBalancer 172.30.62.215 ab3...28.us-east-2.elb.amazonaws.com 80:31499/TCP,443:30693/TCP 5m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Locate the hosted zone ID for the load balancer: - aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.DNSName == "<external_ip>").CanonicalHostedZoneNameID' - $ aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.DNSName == "<external_ip>").CanonicalHostedZoneNameID'- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer that you obtained.
 - Example output - Z3AADJGX6KTTL2 - Z3AADJGX6KTTL2- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output of this command is the load balancer hosted zone ID. 
- Obtain the public hosted zone ID for your cluster’s domain: - aws route53 list-hosted-zones-by-name \ --dns-name "<domain_name>" \ --query 'HostedZones[? Config.PrivateZone != `true` && Name == `<domain_name>.`].Id'- $ aws route53 list-hosted-zones-by-name \ --dns-name "<domain_name>" \- 1 - --query 'HostedZones[? Config.PrivateZone != `true` && Name == `<domain_name>.`].Id'- 2 - --output text- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - /hostedzone/Z3URY6TWQ91KVV - /hostedzone/Z3URY6TWQ91KVV- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The public hosted zone ID for your domain is shown in the command output. In this example, it is - Z3URY6TWQ91KVV.
- Add the alias records to your private zone: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<private_hosted_zone_id>, specify the value from the output of the CloudFormation template for DNS and load balancing.
- 2
- For<cluster_domain>, specify the domain or subdomain that you use with your OpenShift Container Platform cluster.
- 3
- For<hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
- 4
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.
 
- Add the records to your public zone: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<public_hosted_zone_id>, specify the public hosted zone for your domain.
- 2
- For<cluster_domain>, specify the domain or subdomain that you use with your OpenShift Container Platform cluster.
- 3
- For<hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
- 4
- For<external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.
 
4.4.17. Completing an AWS installation on user-provisioned infrastructure
After you start the OpenShift Container Platform installation on Amazon Web Service (AWS) user-provisioned infrastructure, monitor the deployment to completion.
Prerequisites
- You removed the bootstrap node for an OpenShift Container Platform cluster on user-provisioned AWS infrastructure.
- 
							You installed the ocCLI.
Procedure
- From the directory that contains the installation program, complete the cluster installation: - ./openshift-install --dir <installation_directory> wait-for install-complete - $ ./openshift-install --dir <installation_directory> wait-for install-complete- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- 
										The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrappercertificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.
- It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.
 
- Register your cluster on the Cluster registration page.
4.4.18. Logging in to the cluster by using the CLI
					You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.
				
Prerequisites
- You deployed an OpenShift Container Platform cluster.
- 
							You installed the OpenShift CLI (oc).
Procedure
- Export the - kubeadmincredentials by running the following command:- export KUBECONFIG=<installation_directory>/auth/kubeconfig - $ export KUBECONFIG=<installation_directory>/auth/kubeconfig- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<installation_directory>, specify the path to the directory that you stored the installation files in.
 
- Verify you can run - occommands successfully using the exported configuration by running the following command:- oc whoami - $ oc whoami- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - system:admin - system:admin- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
4.4.19. Logging in to the cluster by using the web console
					The kubeadmin user exists by default after an OpenShift Container Platform installation. You can log in to your cluster as the kubeadmin user by using the OpenShift Container Platform web console.
				
Prerequisites
- You have access to the installation host.
- You completed a cluster installation and all cluster Operators are available.
Procedure
- Obtain the password for the - kubeadminuser from the- kubeadmin-passwordfile on the installation host:- cat <installation_directory>/auth/kubeadmin-password - $ cat <installation_directory>/auth/kubeadmin-password- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the - kubeadminpassword from the- <installation_directory>/.openshift_install.loglog file on the installation host.
- List the OpenShift Container Platform web console route: - oc get routes -n openshift-console | grep 'console-openshift' - $ oc get routes -n openshift-console | grep 'console-openshift'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Alternatively, you can obtain the OpenShift Container Platform route from the - <installation_directory>/.openshift_install.loglog file on the installation host.- Example output - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None - console console-openshift-console.apps.<cluster_name>.<base_domain> console https reencrypt/Redirect None- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadminuser.
4.4.21. Next steps
- Validate an installation.
- Customize your cluster.
- 
							Configure image streams for the Cluster Samples Operator and the must-gathertool.
- Learn how to use Operator Lifecycle Manager in disconnected environments.
- If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by configuring additional trust stores.
- If necessary, you can Remote health reporting.
- If necessary, see Registering your disconnected cluster
- If necessary, you can remove cloud provider credentials.
4.5. Installing a cluster with the support for configuring multi-architecture compute machines
An OpenShift Container Platform cluster with multi-architecture compute machines supports compute machines with different architectures.
When you have nodes with multiple architectures in your cluster, the architecture of your image must be consistent with the architecture of the node. You must ensure that the pod is assigned to the node with the appropriate architecture and that it matches the image architecture. For more information on assigning pods to nodes, see Scheduling workloads on clusters with multi-architecture compute machines.
You can install an AWS cluster with the support for configuring multi-architecture compute machines. After installing the AWS cluster, you can add multi-architecture compute machines to the cluster in the following ways:
- Adding 64-bit x86 compute machines to a cluster that uses 64-bit ARM control plane machines and already includes 64-bit ARM compute machines. In this case, 64-bit x86 is considered the secondary architecture.
- Adding 64-bit ARM compute machines to a cluster that uses 64-bit x86 control plane machines and already includes 64-bit x86 compute machines. In this case, 64-bit ARM is considered the secondary architecture.
					Before adding a secondary architecture node to your cluster, it is recommended to install the Multiarch Tuning Operator, and deploy a ClusterPodPlacementConfig custom resource. For more information, see "Managing workloads on multi-architecture clusters by using the Multiarch Tuning Operator".
				
4.5.1. Installing a cluster with multi-architecture support
You can install a cluster with the support for configuring multi-architecture compute machines.
Prerequisites
- 
							You installed the OpenShift CLI (oc).
- You have the OpenShift Container Platform installation program.
- You downloaded the pull secret for your cluster.
Procedure
- Check that the - openshift-installbinary is using the- multipayload by running the following command:- ./openshift-install version - $ ./openshift-install version- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - ./openshift-install 4.18.0 built from commit abc123etc release image quay.io/openshift-release-dev/ocp-release@sha256:abc123wxyzetc release architecture multi default architecture amd64 - ./openshift-install 4.18.0 built from commit abc123etc release image quay.io/openshift-release-dev/ocp-release@sha256:abc123wxyzetc release architecture multi default architecture amd64- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output must contain - release architecture multito indicate that the- openshift-installbinary is using the- multipayload.
- Update the - install-config.yamlfile to configure the architecture for the nodes.- Sample - install-config.yamlfile with multi-architecture configuration- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
Chapter 5. Installing a three-node cluster on AWS
In OpenShift Container Platform version 4.18, you can install a three-node cluster on Amazon Web Services (AWS). A three-node cluster consists of three control plane machines, which also act as compute machines. This type of cluster provides a smaller, more resource efficient cluster, for cluster administrators and developers to use for testing, development, and production.
You can install a three-node cluster using either installer-provisioned or user-provisioned infrastructure.
Deploying a three-node cluster using an AWS Marketplace image is not supported.
5.1. Configuring a three-node cluster
				You configure a three-node cluster by setting the number of worker nodes to 0 in the install-config.yaml file before deploying the cluster. Setting the number of worker nodes to 0 ensures that the control plane machines are schedulable. This allows application workloads to be scheduled to run from the control plane nodes.
			
Because application workloads run from control plane nodes, additional subscriptions are required, as the control plane nodes are considered to be compute nodes.
Prerequisites
- 
						You have an existing install-config.yamlfile.
Procedure
- Set the number of compute replicas to - 0in your- install-config.yamlfile, as shown in the following- computestanza:- Example - install-config.yamlfile for a three-node cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you are deploying a cluster with user-provisioned infrastructure: - 
								After you create the Kubernetes manifest files, make sure that the spec.mastersSchedulableparameter is set totrueincluster-scheduler-02-config.ymlfile. You can locate this file in<installation_directory>/manifests. For more information, see "Creating the Kubernetes manifest and Ignition config files" in "Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates".
- Do not create additional worker nodes.
 
- 
								After you create the Kubernetes manifest files, make sure that the 
Example cluster-scheduler-02-config.yml file for a three-node cluster
5.2. Next steps
Chapter 6. Uninstalling a cluster on AWS
You can remove a cluster that you deployed to Amazon Web Services (AWS).
6.1. Removing a cluster that uses installer-provisioned infrastructure
You can remove a cluster that uses installer-provisioned infrastructure that you provisioned from your cloud platform.
After uninstallation, check your cloud provider for any resources that were not removed properly, especially with user-provisioned infrastructure clusters. Some resources might exist because either the installation program did not create the resource or could not access the resource.
Prerequisites
- You have a copy of the installation program that you used to deploy the cluster.
- You have the files that the installation program generated when you created your cluster.
Procedure
- From the directory that has the installation program on the computer that you used to install the cluster, run the following command: - ./openshift-install destroy cluster \ --dir <installation_directory> --log-level info - $ ./openshift-install destroy cluster \ --dir <installation_directory> --log-level info- 1 - 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- You must specify the directory that includes the cluster definition files for your cluster. The installation program requires the - metadata.jsonfile in this directory to delete the cluster.
- 
						Optional: Delete the <installation_directory>directory and the OpenShift Container Platform installation program.
6.2. Deleting Amazon Web Services resources with the Cloud Credential Operator utility
				After uninstalling an OpenShift Container Platform cluster that uses short-term credentials managed outside the cluster, you can use the CCO utility (ccoctl) to remove the Amazon Web Services (AWS) resources that ccoctl created during installation.
			
Prerequisites
- 
						Extract and prepare the ccoctlbinary.
- Uninstall an OpenShift Container Platform cluster on AWS that uses short-term credentials.
Procedure
- Delete the AWS resources that - ccoctlcreated by running the following command:- ccoctl aws delete \ --name=<name> \ --region=<aws_region> - $ ccoctl aws delete \ --name=<name> \- 1 - --region=<aws_region>- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that the resources are deleted, query AWS. For more information, refer to AWS documentation.
6.3. Deleting a cluster with a configured AWS Local Zone infrastructure
After you install a cluster on Amazon Web Services (AWS) into an existing Virtual Private Cloud (VPC), and you set subnets for each Local Zone location, you can delete the cluster and any AWS resources associated with it.
The example in the procedure assumes that you created a VPC and its subnets by using a CloudFormation template.
Prerequisites
- 
						You know the name of the CloudFormation stacks, <local_zone_stack_name>and<vpc_stack_name>, that were used during the creation of the network. You need the name of the stack to delete the cluster.
- You have access rights to the directory that contains the installation files that were created by the installation program.
- Your account includes a policy that provides you with permissions to delete the CloudFormation stack.
Procedure
- Change to the directory that contains the stored installation program, and delete the cluster by using the - destroy clustercommand:- ./openshift-install destroy cluster --dir <installation_directory> \ --log-level=debug - $ ./openshift-install destroy cluster --dir <installation_directory> \- 1 - --log-level=debug- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the CloudFormation stack for the Local Zone subnet: - aws cloudformation delete-stack --stack-name <local_zone_stack_name> - $ aws cloudformation delete-stack --stack-name <local_zone_stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the stack of resources that represent the VPC: - aws cloudformation delete-stack --stack-name <vpc_stack_name> - $ aws cloudformation delete-stack --stack-name <vpc_stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Check that you removed the stack resources by issuing the following commands in the AWS CLI. The AWS CLI outputs that no template component exists. - aws cloudformation describe-stacks --stack-name <local_zone_stack_name> - $ aws cloudformation describe-stacks --stack-name <local_zone_stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - aws cloudformation describe-stacks --stack-name <vpc_stack_name> - $ aws cloudformation describe-stacks --stack-name <vpc_stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Chapter 7. Installation configuration parameters for AWS
			Before you deploy an OpenShift Container Platform cluster on AWS, you provide parameters to customize your cluster and the platform that hosts it. When you create the install-config.yaml file, you provide values for the required parameters through the command line. You can then modify the install-config.yaml file to customize your cluster further.
		
7.1. Available installation configuration parameters for AWS
The following tables specify the required, optional, and AWS-specific installation configuration parameters that you can set as part of the installation process.
					After installation, you cannot change these parameters in the install-config.yaml file.
				
7.1.1. Required configuration parameters
Required installation configuration parameters are described in the following table:
| Parameter | Description | Values | 
|---|---|---|
| apiVersion:  | 
									The API version for the  | String | 
| baseDomain:  | 
									The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the  | 
									A fully-qualified domain or subdomain name, such as  | 
| metadata:  | 
									Kubernetes resource  | Object | 
| metadata: name:  | 
									The name of the cluster. DNS records for the cluster are all subdomains of  | 
									String of lowercase letters, hyphens ( | 
| platform:  | 
									The configuration for the specific platform upon which to perform the installation:  | Object | 
| pullSecret:  | Get a pull secret from Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io. |  | 
7.1.2. Network configuration parameters
You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or configure different IP address blocks than the defaults.
Only IPv4 addresses are supported.
| Parameter | Description | Values | 
|---|---|---|
| networking:  | The configuration for the cluster network. | Object Note 
										You cannot change parameters specified by the  | 
| networking: networkType:  | The Red Hat OpenShift Networking network plugin to install. | 
									 | 
| networking: clusterNetwork:  | The IP address blocks for pods. 
									The default value is  If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23 | 
| networking:
  clusterNetwork:
    cidr: | 
									Required if you use  An IPv4 network. | 
									An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between  | 
| networking:
  clusterNetwork:
    hostPrefix: | 
									The subnet prefix length to assign to each individual node. For example, if  | A subnet prefix. 
									The default value is  | 
| networking: serviceNetwork:  | 
									The IP address block for services. The default value is  The OVN-Kubernetes network plugins supports only a single IP address block for the service network. | An array with an IP address block in CIDR format. For example: networking: serviceNetwork: - 172.30.0.0/16  | 
| networking: machineNetwork:  | The IP address blocks for machines. If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking: machineNetwork: - cidr: 10.0.0.0/16  | 
| networking:
  machineNetwork:
    cidr: | 
									Required if you use  | An IP network block in CIDR notation. 
									For example,  Note 
										Set the  | 
| networking:
  ovnKubernetesConfig:
    ipv4:
      internalJoinSubnet: | 
									Configures the IPv4 join subnet that is used internally by  | 
									An IP network block in CIDR notation. The default value is  | 
7.1.3. Optional configuration parameters
Optional installation configuration parameters are described in the following table:
| Parameter | Description | Values | 
|---|---|---|
| additionalTrustBundle:  | A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle might also be used when a proxy has been configured. | String | 
| capabilities:  | Controls the installation of optional core cluster components. You can reduce the footprint of your OpenShift Container Platform cluster by disabling optional components. For more information, see the "Cluster capabilities" page in Installing. | String array | 
| capabilities: baselineCapabilitySet:  | 
									Selects an initial set of optional capabilities to enable. Valid values are  | String | 
| capabilities: additionalEnabledCapabilities:  | 
									Extends the set of optional capabilities beyond what you specify in  | String array | 
| cpuPartitioningMode:  | Enables workload partitioning, which isolates OpenShift Container Platform services, cluster management workloads, and infrastructure pods to run on a reserved set of CPUs. You can only enable workload partitioning during installation. You cannot disable it after installation. While this field enables workload partitioning, it does not configure workloads to use specific CPUs. For more information, see the Workload partitioning page in the Scalability and Performance section. | 
									 | 
| compute:  | The configuration for the machines that comprise the compute nodes. | 
									Array of  | 
| compute: architecture:  | 
									Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are  | String | 
| compute: hyperthreading:  | 
									Whether to enable or disable simultaneous multithreading, or  Important If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. | 
									 | 
| compute: name:  | 
									Required if you use  | 
									 | 
| compute: platform:  | 
									Required if you use  | 
									 | 
| compute: replicas:  | The number of compute machines, which are also known as worker machines, to provision. | 
									A positive integer greater than or equal to  | 
| featureSet:  | Enables the cluster for a feature set. A feature set is a collection of OpenShift Container Platform features that are not enabled by default. For more information about enabling a feature set during installation, see "Enabling features using feature gates". | 
									String. The name of the feature set to enable, such as  | 
| controlPlane:  | The configuration for the machines that form the control plane. | 
									Array of  | 
| controlPlane: architecture:  | 
									Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are  | String | 
| controlPlane: hyperthreading:  | 
									Whether to enable or disable simultaneous multithreading, or  Important If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. | 
									 | 
| controlPlane: name:  | 
									Required if you use  | 
									 | 
| controlPlane: platform:  | 
									Required if you use  | 
									 | 
| controlPlane: replicas:  | The number of control plane machines to provision. | 
									Supported values are  | 
| credentialsMode:  | The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported. Note Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the "Managing cloud provider credentials" entry in the Authentication and authorization content. | 
									 | 
| fips:  | 
									Enable or disable FIPS mode. The default is  Important To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures. Important If you are using Azure File storage, you cannot enable FIPS mode. | 
									 | 
| imageContentSources:  | Sources and repositories for the release-image content. | 
									Array of objects. Includes a  | 
| imageContentSources: source:  | 
									Required if you use  | String | 
| imageContentSources: mirrors:  | Specify one or more repositories that might also contain the same images. | Array of strings | 
| platform:
  aws:
    lbType: | 
									Required to set the NLB load balancer type in AWS. Valid values are  | 
									 | 
| publish:  | How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API, OpenShift routes. | 
									 | 
| sshKey:  | The SSH key to authenticate access to your cluster machines. Note 
										For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your  | 
									For example,  | 
						If your AWS account has service control policies (SCP) enabled, you must configure the credentialsMode parameter to Mint, Passthrough, or Manual.
					
						Setting this parameter to Manual enables alternatives to storing administrator-level secrets in the kube-system project, which require additional configuration steps. For more information, see "Alternatives to storing administrator-level secrets in the kube-system project".
					
7.1.4. Optional AWS configuration parameters
Optional AWS configuration parameters are described in the following table:
| Parameter | Description | Values | 
|---|---|---|
| compute:
  platform:
    aws:
      amiID: | The AWS AMI used to boot compute machines for the cluster. This is required for regions that require a custom RHCOS AMI. | Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs. | 
| compute:
  platform:
    aws:
      iamProfile: | 
									The name of the IAM instance profile that you use for the machine. If you want the installation program to create the IAM instance profile for you, do not use the  | String | 
| compute:
  platform:
    aws:
      iamRole: | 
									The name of the IAM instance role that you use for the machine. When you specify an IAM role, the installation program creates an instance profile. If you want the installation program to create the IAM instance role for you, do not select the  | String | 
| compute:
  platform:
    aws:
      rootVolume:
        iops: | The Input/Output Operations Per Second (IOPS) that is reserved for the root volume. | 
									Integer, for example  | 
| compute:
  platform:
    aws:
      rootVolume:
        size: | The size in GiB of the root volume. | 
									Integer, for example  | 
| compute:
  platform:
    aws:
      rootVolume:
        type: | The type of the root volume. | 
									Valid AWS EBS volume type, such as  | 
| compute:
  platform:
    aws:
      rootVolume:
        kmsKeyARN: | The Amazon Resource Name (key ARN) of a KMS key. This is required to encrypt operating system volumes of worker nodes with a specific KMS key. | Valid key ID or the key ARN. | 
| compute:
  platform:
    aws:
      type: | The EC2 instance type for the compute machines. | 
									Valid AWS instance type, such as  | 
| compute:
  platform:
    aws:
      zones: | The availability zones where the installation program creates machines for the compute machine pool. If you provide your own VPC, you must provide a subnet in that availability zone. | 
									A list of valid AWS availability zones, such as  | 
| controlPlane:
  platform:
    aws:
      amiID: | The AWS AMI used to boot control plane machines for the cluster. This is required for regions that require a custom RHCOS AMI. | Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs. | 
| controlPlane:
  platform:
    aws:
      iamProfile: | 
									The name of the IAM instance profile that you use for the machine. If you want the installation program to create the IAM instance profile for you, do not use the  | String | 
| controlPlane:
  platform:
    aws:
      iamRole: | 
									The name of the IAM instance role that you use for the machine. When you specify an IAM role, the installation program creates an instance profile. If you want the installation program to create the IAM instance role for you, do not use the  | String | 
| controlPlane:
  platform:
    aws:
      rootVolume:
        iops: | The Input/Output Operations Per Second (IOPS) that is reserved for the root volume on control plane machines. | 
									Integer, for example  | 
| controlPlane:
  platform:
    aws:
      rootVolume:
        size: | The size in GiB of the root volume for control plane machines. | 
									Integer, for example  | 
| controlPlane:
  platform:
    aws:
      rootVolume:
        type: | The type of the root volume for control plane machines. | 
									Valid AWS EBS volume type, such as  | 
| controlPlane:
  platform:
    aws:
      rootVolume:
        kmsKeyARN: | The Amazon Resource Name (key ARN) of a KMS key. This is required to encrypt operating system volumes of control plane nodes with a specific KMS key. | Valid key ID and the key ARN. | 
| controlPlane:
  platform:
    aws:
      type: | The EC2 instance type for the control plane machines. | 
									Valid AWS instance type, such as  | 
| controlPlane:
  platform:
    aws:
      zones: | The availability zones where the installation program creates machines for the control plane machine pool. | 
									A list of valid AWS availability zones, such as  | 
| platform:
  aws:
    amiID: | The AWS AMI used to boot all machines for the cluster. If set, the AMI must belong to the same region as the cluster. This is required for regions that require a custom RHCOS AMI. | Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs. | 
| platform:
  aws:
    hostedZone: | An existing Route 53 private hosted zone for the cluster. You can only use a pre-existing hosted zone when also supplying your own VPC. The hosted zone must already be associated with the user-provided VPC before installation. Also, the domain of the hosted zone must be the cluster domain or a parent of the cluster domain. If undefined, the installation program creates a new hosted zone. | 
									String, for example  | 
| platform:
  aws:
    hostedZoneRole: | An Amazon Resource Name (ARN) for an existing IAM role in the account containing the specified hosted zone. The installation program and cluster operators assume this role when performing operations on the hosted zone. Use this parameter only when you are installing a cluster into a shared VPC. | 
									String, for example  | 
| platform:
  aws:
    region: | The AWS region that the installation program creates all cluster resources in. | 
									Any valid AWS region, such as  aws ec2 describe-instance-type-offerings --filters Name=instance-type,Values=c7g.xlarge Important When running on ARM based AWS instances, ensure that you enter a region where AWS Graviton processors are available. See Global availability map in the AWS documentation. Currently, AWS Graviton3 processors are only available in some regions. | 
| platform:
  aws:
    serviceEndpoints:
      - name:
        url: | The AWS service endpoint name and URL. Custom endpoints are only required for cases where alternative AWS endpoints, such as FIPS, must be used. Custom API endpoints can be specified for EC2, S3, IAM, Elastic Load Balancing, Tagging, Route 53, and STS AWS services. | Valid AWS service endpoint name and valid AWS service endpoint URL. | 
| platform:
  aws:
    userTags: | A map of keys and values that the installation program adds as tags to all resources that it creates. | 
									Any valid YAML map, such as key value pairs in the  Note You can add up to 25 user-defined tags during installation. The remaining 25 tags are reserved for OpenShift Container Platform. | 
| platform:
  aws:
    propagateUserTags: | A flag that directs in-cluster Operators to include the specified user tags in the tags of the AWS resources that the Operators create. | 
									Boolean values, for example  | 
| platform:
  aws:
    subnets: | 
									If you provide the VPC instead of allowing the installation program to create the VPC for you, specify the subnet for the cluster to use. The subnet must be part of the same  For a standard cluster, specify a public and a private subnet for each availability zone. For a private cluster, specify a private subnet for each availability zone. For clusters that use AWS Local Zones, you must add AWS Local Zone subnets to this list to ensure edge machine pool creation. | Valid subnet IDs. | 
| platform:
  aws:
    publicIpv4Pool: | 
									The public IPv4 pool ID that is used to allocate Elastic IPs (EIPs) when  | A valid public IPv4 pool id Note You can enable BYOIP only for customized installations that do not have any network restrictions. | 
| platform:
  aws:
    preserveBootstrapIgnition: | Prevents the S3 bucket from being deleted after completion of bootstrapping. | 
									 | 
Chapter 8. AWS Local Zone or Wavelength Zone tasks
After installing OpenShift Container Platform on Amazon Web Services (AWS), you can further configure AWS Local Zones or Wavelength Zones and an edge compute pool.
8.1. Extend existing clusters to use AWS Local Zones or Wavelength Zones
As a post-installation task, you can extend an existing OpenShift Container Platform cluster on Amazon Web Services (AWS) to use AWS Local Zones or Wavelength Zones.
Extending nodes to Local Zones or Wavelength Zones locations comprises the following steps:
- Adjusting the cluster-network maximum transmission unit (MTU).
- Opting in the Local Zones or Wavelength Zones group to AWS Local Zones or Wavelength Zones.
- Creating a subnet in the existing VPC for a Local Zones or Wavelength Zones location. Important- Before you extend an existing OpenShift Container Platform cluster on AWS to use Local Zones or Wavelength Zones, check that the existing VPC contains available Classless Inter-Domain Routing (CIDR) blocks. These blocks are needed for creating the subnets. 
- Creating the machine set manifest, and then creating a node in each Local Zone or Wavelength Zone location.
- Local Zones only: Adding the permission - ec2:ModifyAvailabilityZoneGroupto the Identity and Access Management (IAM) user or role, so that the required network resources can be created. For example:- Example of an additional IAM policy for AWS Local Zones deployments - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Wavelength Zone only: Adding the permissions - ec2:ModifyAvailabilityZoneGroup,- ec2:CreateCarrierGateway, and- ec2:DeleteCarrierGatewayto the Identity and Access Management (IAM) user or role, so that the required network resources can be created. For example:- Example of an additional IAM policy for AWS Wavelength Zones deployments - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.1.1. About edge compute pools
Edge compute nodes are tainted compute nodes that run in AWS Local Zones or Wavelength Zones locations.
When deploying a cluster that uses Local Zones or Wavelength Zones, consider the following points:
- Amazon EC2 instances in the Local Zones or Wavelength Zones are more expensive than Amazon EC2 instances in the Availability Zones.
- The latency is lower between the applications running in AWS Local Zones or Wavelength Zones and the end user. A latency impact exists for some workloads if, for example, ingress traffic is mixed between Local Zones or Wavelength Zones and Availability Zones.
						Generally, the maximum transmission unit (MTU) between an Amazon EC2 instance in a Local Zones or Wavelength Zones and an Amazon EC2 instance in the Region is 1300. The cluster network MTU must be always less than the EC2 MTU to account for the overhead. The specific overhead is determined by the network plugin. For example: OVN-Kubernetes has an overhead of 100 bytes.
					
The network plugin can provide additional features, such as IPsec, that also affect the MTU sizing.
You can access the following resources to learn more about a respective zone type:
- See How Local Zones work in the AWS documentation.
- See How AWS Wavelength work in the AWS documentation.
OpenShift Container Platform 4.12 introduced a new compute pool, edge, that is designed for use in remote zones. The edge compute pool configuration is common between AWS Local Zones or Wavelength Zones locations. Because of the type and size limitations of resources like EC2 and EBS on Local Zones or Wavelength Zones resources, the default instance type can vary from the traditional compute pool.
					The default Elastic Block Store (EBS) for Local Zones or Wavelength Zones locations is gp2, which differs from the non-edge compute pool. The instance type used for each Local Zones or Wavelength Zones on an edge compute pool also might differ from other compute pools, depending on the instance offerings on the zone.
				
The edge compute pool creates new labels that developers can use to deploy applications onto AWS Local Zones or Wavelength Zones nodes. The new labels are:
- 
							node-role.kubernetes.io/edge=''
- 
							Local Zones only: machine.openshift.io/zone-type=local-zone
- 
							Wavelength Zones only: machine.openshift.io/zone-type=wavelength-zone
- 
							machine.openshift.io/zone-group=$ZONE_GROUP_NAME
					By default, the machine sets for the edge compute pool define the taint of NoSchedule to prevent other workloads from spreading on Local Zones or Wavelength Zones instances. Users can only run user workloads if they define tolerations in the pod specification.
				
8.2. Changing the cluster network MTU to support Local Zones or Wavelength Zones
You might need to change the maximum transmission unit (MTU) value for the cluster network so that your cluster infrastructure can support Local Zones or Wavelength Zones subnets.
8.2.1. About the cluster MTU
During installation, the cluster network MTU is set automatically based on the primary network interface MTU of cluster nodes. You do not usually need to override the detected MTU.
You might want to change the MTU of the cluster network for one of the following reasons:
- The MTU detected during cluster installation is not correct for your infrastructure.
- Your cluster infrastructure now requires a different MTU, such as from the addition of nodes that need a different MTU for optimal performance.
Only the OVN-Kubernetes network plugin supports changing the MTU value.
8.2.1.1. Service interruption considerations
When you initiate a maximum transmission unit (MTU) change on your cluster the following effects might impact service availability:
- At least two rolling reboots are required to complete the migration to a new MTU. During this time, some nodes are not available as they restart.
- Specific applications deployed to the cluster with shorter timeout intervals than the absolute TCP timeout interval might experience disruption during the MTU change.
8.2.1.2. MTU value selection
When planning your maximum transmission unit (MTU) migration there are two related but distinct MTU values to consider.
- Hardware MTU: This MTU value is set based on the specifics of your network infrastructure.
- 
								Cluster network MTU: This MTU value is always less than your hardware MTU to account for the cluster network overlay overhead. The specific overhead is determined by your network plugin. For OVN-Kubernetes, the overhead is 100bytes.
						If your cluster requires different MTU values for different nodes, you must subtract the overhead value for your network plugin from the lowest MTU value that is used by any node in your cluster. For example, if some nodes in your cluster have an MTU of 9001, and some have an MTU of 1500, you must set this value to 1400.
					
							To avoid selecting an MTU value that is not acceptable by a node, verify the maximum MTU value (maxmtu) that is accepted by the network interface by using the ip -d link command.
						
8.2.1.3. How the migration process works
The following table summarizes the migration process by segmenting between the user-initiated steps in the process and the actions that the migration performs in response.
| User-initiated steps | OpenShift Container Platform activity | 
|---|---|
| Set the following values in the Cluster Network Operator configuration: 
 | Cluster Network Operator (CNO): Confirms that each field is set to a valid value. 
 
										If the values provided are valid, the CNO writes out a new temporary configuration with the MTU for the cluster network set to the value of the  Machine Config Operator (MCO): Performs a rolling reboot of each node in the cluster. | 
| Reconfigure the MTU of the primary network interface for the nodes on the cluster. You can use one of the following methods to accomplish this: 
 | N/A | 
| 
										Set the  | Machine Config Operator (MCO): Performs a rolling reboot of each node in the cluster with the new MTU configuration. | 
8.2.2. Changing the cluster network MTU
As a cluster administrator, you can increase or decrease the maximum transmission unit (MTU) for your cluster.
You cannot roll back an MTU value for nodes during the MTU migration process, but you can roll back the value after the MTU migration process completes.
The migration is disruptive and nodes in your cluster might be temporarily unavailable as the MTU update takes effect.
Prerequisites
- 
							You have installed the OpenShift CLI (oc).
- 
							You have access to the cluster using an account with cluster-adminpermissions.
- 
							You have identified the target MTU for your cluster. The MTU for the OVN-Kubernetes network plugin must be set to 100less than the lowest hardware MTU value in your cluster.
- If your nodes are physical machines, ensure that the cluster network and the connected network switches support jumbo frames.
- If your nodes are virtual machines (VMs), ensure that the hypervisor and the connected network switches support jumbo frames.
8.2.2.1. Checking the current cluster MTU value
Use the following procedure to obtain the current maximum transmission unit (MTU) for the cluster network.
Procedure
- To obtain the current MTU for the cluster network, enter the following command: - oc describe network.config cluster - $ oc describe network.config cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.2.2.2. Beginning the MTU migration
Use the following procedure to start the MTU migration.
Procedure
- To begin the MTU migration, specify the migration configuration by entering the following command. The Machine Config Operator performs a rolling reboot of the nodes in the cluster in preparation for the MTU change. - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": <overlay_from>, "to": <overlay_to> } , "machine": { "to" : <machine_to> } } } } }'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": <overlay_from>, "to": <overlay_to> } , "machine": { "to" : <machine_to> } } } } }'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <overlay_from>
- Specifies the current cluster network MTU value.
- <overlay_to>
- 
											Specifies the target MTU for the cluster network. This value is set relative to the value of <machine_to>. For OVN-Kubernetes, this value must be100less than the value of<machine_to>.
- <machine_to>
- Specifies the MTU for the primary network interface on the underlying host network.
 - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": 1400, "to": 9000 } , "machine": { "to" : 9100} } } } }'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": { "mtu": { "network": { "from": 1400, "to": 9000 } , "machine": { "to" : 9100} } } } }'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- As the Machine Config Operator updates machines in each machine config pool, the Operator reboots each node one by one. You must wait until all the nodes are updated. Check the machine config pool status by entering the following command: - oc get machineconfigpools - $ oc get machineconfigpools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - A successfully updated node has the following status: - UPDATED=true,- UPDATING=false,- DEGRADED=false.Note- By default, the Machine Config Operator updates one machine per pool at a time, causing the total time the migration takes to increase with the size of the cluster. 
8.2.2.3. Verifying the machine configuration
Use the following procedure to verify the machine configuration.
Procedure
- Confirm the status of the new machine configuration on the hosts: - To list the machine configuration state and the name of the applied machine configuration, enter the following command: - oc describe node | egrep "hostname|machineconfig" - $ oc describe node | egrep "hostname|machineconfig"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - kubernetes.io/hostname=master-0 machineconfiguration.openshift.io/currentConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/desiredConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/reason: machineconfiguration.openshift.io/state: Done - kubernetes.io/hostname=master-0 machineconfiguration.openshift.io/currentConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/desiredConfig: rendered-master-c53e221d9d24e1c8bb6ee89dd3d8ad7b machineconfiguration.openshift.io/reason: machineconfiguration.openshift.io/state: Done- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the following statements are true: - 
												The value of machineconfiguration.openshift.io/statefield isDone.
- 
												The value of the machineconfiguration.openshift.io/currentConfigfield is equal to the value of themachineconfiguration.openshift.io/desiredConfigfield.
 
- 
												The value of 
- To confirm that the machine config is correct, enter the following command: - oc get machineconfig <config_name> -o yaml | grep ExecStart - $ oc get machineconfig <config_name> -o yaml | grep ExecStart- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <config_name>
- 
													Specifies the name of the machine config from the machineconfiguration.openshift.io/currentConfigfield.
 - The machine config must include the following update to the systemd configuration: - ExecStart=/usr/local/bin/mtu-migration.sh - ExecStart=/usr/local/bin/mtu-migration.sh- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
8.2.2.4. Finalizing the MTU migration
Use the following procedure to finalize the MTU migration.
Procedure
- To finalize the MTU migration, enter the following command for the OVN-Kubernetes network plugin: - oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": null, "defaultNetwork":{ "ovnKubernetesConfig": { "mtu": <mtu> }}}}'- $ oc patch Network.operator.openshift.io cluster --type=merge --patch \ '{"spec": { "migration": null, "defaultNetwork":{ "ovnKubernetesConfig": { "mtu": <mtu> }}}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <mtu>
- 
											Specifies the new cluster network MTU that you specified with <overlay_to>.
 
- After finalizing the MTU migration, each machine config pool node is rebooted one by one. You must wait until all the nodes are updated. Check the machine config pool status by entering the following command: - oc get machineconfigpools - $ oc get machineconfigpools- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - A successfully updated node has the following status: - UPDATED=true,- UPDATING=false,- DEGRADED=false.
Verification
- Verify that the node in your cluster uses the MTU that you specified by entering the following command: - oc describe network.config cluster - $ oc describe network.config cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.2.3. Opting in to AWS Local Zones or Wavelength Zones
If you plan to create subnets in AWS Local Zones or Wavelength Zones, you must opt in to each zone group separately.
Prerequisites
- You have installed the AWS CLI.
- You have determined an AWS Region for where you want to deploy your OpenShift Container Platform cluster.
- You have attached a permissive IAM policy to a user or role account that opts in to the zone group.
Procedure
- List the zones that are available in your AWS Region by running the following command: - Example command for listing available AWS Local Zones in an AWS Region - aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=local-zone \ --all-availability-zones- $ aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=local-zone \ --all-availability-zones- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example command for listing available AWS Wavelength Zones in an AWS Region - aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=wavelength-zone \ --all-availability-zones- $ aws --region "<value_of_AWS_Region>" ec2 describe-availability-zones \ --query 'AvailabilityZones[].[{ZoneName: ZoneName, GroupName: GroupName, Status: OptInStatus}]' \ --filters Name=zone-type,Values=wavelength-zone \ --all-availability-zones- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Depending on the AWS Region, the list of available zones might be long. The command returns the following fields: - ZoneName
- The name of the Local Zones or Wavelength Zones.
- GroupName
- The group that comprises the zone. To opt in to the Region, save the name.
- Status
- 
										The status of the Local Zones or Wavelength Zones group. If the status is not-opted-in, you must opt in theGroupNameas described in the next step.
 
- Opt in to the zone group on your AWS account by running the following command: - aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \ --opt-in-status opted-in- $ aws ec2 modify-availability-zone-group \ --group-name "<value_of_GroupName>" \- 1 - --opt-in-status opted-in- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<value_of_GroupName>with the name of the group of the Local Zones or Wavelength Zones where you want to create subnets.
 
8.2.4. Create network requirements in an existing VPC that uses AWS Local Zones or Wavelength Zones
If you want a Machine API to create an Amazon EC2 instance in a remote zone location, you must create a subnet in a Local Zones or Wavelength Zones location. You can use any provisioning tool, such as Ansible or Terraform, to create subnets in the existing Virtual Private Cloud (VPC).
You can configure the CloudFormation template to meet your requirements. The following subsections include steps that use CloudFormation templates to create the network requirements that extend an existing VPC to use an AWS Local Zones or Wavelength Zones.
Extending nodes to Local Zones requires that you create the following resources:
- 2 VPC Subnets: public and private. The public subnet associates to the public route table for the regular Availability Zones in the Region. The private subnet associates to the provided route table ID.
Extending nodes to Wavelength Zones requires that you create the following resources:
- 1 VPC Carrier Gateway associated to the provided VPC ID.
- 1 VPC Route Table for Wavelength Zones with a default route entry to VPC Carrier Gateway.
- 2 VPC Subnets: public and private. The public subnet associates to the public route table for an AWS Wavelength Zone. The private subnet associates to the provided route table ID.
Considering the limitation of NAT Gateways in Wavelength Zones, the provided CloudFormation templates support only associating the private subnets with the provided route table ID. A route table ID is attached to a valid NAT Gateway in the AWS Region.
8.2.5. Wavelength Zones only: Creating a VPC carrier gateway
To use public subnets in your OpenShift Container Platform cluster that runs on Wavelength Zones, you must create the carrier gateway and associate the carrier gateway to the VPC. Subnets are useful for deploying load balancers or edge compute nodes.
To create edge nodes or internet-facing load balancers in Wavelength Zones locations for your OpenShift Container Platform cluster, you must create the following required network components:
- A carrier gateway that associates to the existing VPC.
- A carrier route table that lists route entries.
- A subnet that associates to the carrier route table.
Carrier gateways exist for VPCs that only contain subnets in a Wavelength Zone.
The following list explains the functions of a carrier gateway in the context of an AWS Wavelength Zones location:
- Provides connectivity between your Wavelength Zone and the carrier network, which includes any available devices from the carrier network.
- Performs Network Address Translation (NAT) functions, such as translating IP addresses that are public IP addresses stored in a network border group, from Wavelength Zones to carrier IP addresses. These translation functions apply to inbound and outbound traffic.
- Authorizes inbound traffic from a carrier network that is located in a specific location.
- Authorizes outbound traffic to a carrier network and the internet.
No inbound connection configuration exists from the internet to a Wavelength Zone through the carrier gateway.
You can use the provided CloudFormation template to create a stack of the following AWS resources:
- One carrier gateway that associates to the VPC ID in the template.
- 
							One public route table for the Wavelength Zone named as <ClusterName>-public-carrier.
- Default IPv4 route entry in the new route table that targets the carrier gateway.
- VPC gateway endpoint for an AWS Simple Storage Service (S3).
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
Procedure
- Go to the next section of the documentation named "CloudFormation template for the VPC Carrier Gateway", and then copy the syntax from the CloudFormation template for VPC Carrier Gateway template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- clusterName-vpc-carrier-gw. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- <VpcId>is the VPC ID extracted from the CloudFormation stack output created in the section named "Creating a VPC in AWS".
- 4
- <ClusterName>is a custom value that prefixes to resources that the CloudFormation stack creates. You can use the same name that is defined in the- metadata.namesection of the- install-config.yamlconfiguration file.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-2fd3-11eb-820e-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-2fd3-11eb-820e-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Confirm that the CloudFormation template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameter. Ensure that you provide the parameter value to the other CloudFormation templates that you run to create for your cluster.- PublicRouteTableId- The ID of the Route Table in the Carrier infrastructure. 
8.2.6. Wavelength Zones only: CloudFormation template for the VPC Carrier Gateway
You can use the following CloudFormation template to deploy the Carrier Gateway on AWS Wavelength infrastructure.
Example 8.1. CloudFormation template for VPC Carrier Gateway
8.2.7. Creating subnets for AWS edge compute services
Before you configure a machine set for edge compute nodes in your OpenShift Container Platform cluster, you must create a subnet in Local Zones or Wavelength Zones. Complete the following procedure for each Wavelength Zone that you want to deploy compute nodes to.
You can use the provided CloudFormation template and create a CloudFormation stack. You can then use this stack to custom provision a subnet.
If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You configured an AWS account.
- 
							You added your AWS keys and region to your local AWS profile by running aws configure.
- You opted in to the Local Zones or Wavelength Zones group.
Procedure
- Go to the section of the documentation named "CloudFormation template for the VPC subnet", and copy the syntax from the template. Save the copied template syntax as a YAML file on your local system. This template describes the VPC that your cluster requires.
- Run the following command to deploy the CloudFormation template, which creates a stack of AWS resources that represent the VPC: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <stack_name>is the name for the CloudFormation stack, such as- cluster-wl-<local_zone_shortname>for Local Zones and- cluster-wl-<wavelength_zone_shortname>for Wavelength Zones. You need the name of this stack if you remove the cluster.
- 2
- <template>is the relative path and the name of the CloudFormation template YAML file that you saved.
- 3
- ${VPC_ID}is the VPC ID, which is the value- VpcIDin the output of the CloudFormation template for the VPC.
- 4
- ${CLUSTER_NAME}is the value of ClusterName to be used as a prefix of the new AWS resource names.
- 5
- ${ZONE_NAME}is the value of Local Zones or Wavelength Zones name to create the subnets.
- 6
- ${ROUTE_TABLE_PUB}is the Public Route Table Id extracted from the CloudFormation template. For Local Zones, the public route table is extracted from the VPC CloudFormation Stack. For Wavelength Zones, the value must be extracted from the output of the VPC’s carrier gateway CloudFormation stack.
- 7
- ${SUBNET_CIDR_PUB}is a valid CIDR block that is used to create the public subnet. This block must be part of the VPC CIDR block- VpcCidr.
- 8
- ${ROUTE_TABLE_PVT}is the PrivateRouteTableId extracted from the output of the VPC’s CloudFormation stack.
- 9
- ${SUBNET_CIDR_PVT}is a valid CIDR block that is used to create the private subnet. This block must be part of the VPC CIDR block- VpcCidr.
 - Example output - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f - arn:aws:cloudformation:us-east-1:123456789012:stack/<stack_name>/dbedae40-820e-11eb-2fd3-12a48460849f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Confirm that the template components exist by running the following command: - aws cloudformation describe-stacks --stack-name <stack_name> - $ aws cloudformation describe-stacks --stack-name <stack_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - After the - StackStatusdisplays- CREATE_COMPLETE, the output displays values for the following parameters:- PublicSubnetId- The IDs of the public subnet created by the CloudFormation stack. - PrivateSubnetId- The IDs of the private subnet created by the CloudFormation stack. - Ensure that you provide these parameter values to the other CloudFormation templates that you run to create for your cluster. 
8.2.8. CloudFormation template for the VPC subnet
You can use the following CloudFormation template to deploy the private and public subnets in a zone on Local Zones or Wavelength Zones infrastructure.
Example 8.2. CloudFormation template for VPC subnets
8.2.9. Creating a machine set manifest for an AWS Local Zones or Wavelength Zones node
After you create subnets in AWS Local Zones or Wavelength Zones, you can create a machine set manifest.
					The installation program sets the following labels for the edge machine pools at cluster installation time:
				
- 
							machine.openshift.io/parent-zone-name: <value_of_ParentZoneName>
- 
							machine.openshift.io/zone-group: <value_of_ZoneGroup>
- 
							machine.openshift.io/zone-type: <value_of_ZoneType>
					The following procedure details how you can create a machine set configuraton that matches the edge compute pool configuration.
				
Prerequisites
- You have created subnets in AWS Local Zones or Wavelength Zones.
Procedure
- Manually preserve - edgemachine pool labels when creating the machine set manifest by gathering the AWS API. To complete this action, enter the following command in your command-line interface (CLI):- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for Local Zone - us-east-1-nyc-1a- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for Wavelength Zone - us-east-1-wl1- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.2.9.1. Sample YAML for a compute machine set custom resource on AWS
						This sample YAML defines a compute machine set that runs in the us-east-1-nyc-1a Amazon Web Services (AWS) zone and creates nodes that are labeled with node-role.kubernetes.io/edge: "".
					
If you want to reference the sample YAML file in the context of Wavelength Zones, ensure that you replace the AWS Region and zone information with supported Wavelength Zone values.
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <edge> is the node label to add.
					
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the infrastructure ID,edgerole node label, and zone name.
- 3
- Specify theedgerole node label.
- 4
- Specify a valid Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for your AWS zone for your OpenShift Container Platform nodes. If you want to use an AWS Marketplace image, you must complete the OpenShift Container Platform subscription from the AWS Marketplace to obtain an AMI ID for your region.oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 5
- Specify the zone name, for example,us-east-1-nyc-1a.
- 6
- Specify the region, for example,us-east-1.
- 7
- The ID of the public subnet that you created in AWS Local Zones or Wavelength Zones. You created this public subnet ID when you finished the procedure for "Creating a subnet in an AWS zone".
- 8
- Optional: Specify custom tag data for your cluster. For example, you might add an admin contact email address by specifying aname:valuepair ofEmail:admin-email@example.com.NoteCustom tags can also be specified during installation in the install-config.ymlfile. If theinstall-config.ymlfile and the machine set include a tag with the samenamedata, the value for the tag from the machine set takes priority over the value for the tag in theinstall-config.ymlfile.
- 9
- Specify a taint to prevent user workloads from being scheduled onedgenodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
8.2.9.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
								Install the OpenShift CLI (oc).
- 
								Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
- Optional: To check nodes that were created by the edge machine, run the following command: - oc get nodes -l node-role.kubernetes.io/edge - $ oc get nodes -l node-role.kubernetes.io/edge- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f - NAME STATUS ROLES AGE VERSION ip-10-0-207-188.ec2.internal Ready edge,worker 172m v1.25.2+d2e245f- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.3. Creating user workloads in AWS Local Zones or Wavelength Zones
After you create an Amazon Web Service (AWS) Local Zones or Wavelength Zones infrastructure and deploy your cluster, you can use edge compute nodes to create user workloads in Local Zones or Wavelength Zones subnets.
				When you use the installation program to create a cluster, the installation program automatically specifies a taint effect of NoSchedule to each edge compute node. This means that a scheduler does not add a new pod, or deployment, to a node if the pod does not match the specified tolerations for a taint. You can modify the taint for better control over how nodes create workloads in each Local Zones or Wavelength Zones subnet.
			
				The installation program creates the compute machine set manifests file with node-role.kubernetes.io/edge and node-role.kubernetes.io/worker labels applied to each edge compute node that is located in a Local Zones or Wavelength Zones subnet.
			
The examples in the procedure are for a Local Zones infrastructure. If you are working with a Wavelength Zones infrastructure, ensure you adapt the examples to what is supported in this infrastructure.
Prerequisites
- 
						You have access to the OpenShift CLI (oc).
- You deployed your cluster in a Virtual Private Cloud (VPC) with defined Local Zones or Wavelength Zones subnets.
- 
						You ensured that the compute machine set for the edge compute nodes on Local Zones or Wavelength Zones subnets specifies the taints for node-role.kubernetes.io/edge.
Procedure
- Create a - deploymentresource YAML file for an example application to be deployed in the edge compute node that operates in a Local Zones subnet. Ensure that you specify the correct tolerations that match the taints for the edge compute node.- Example of a configured - deploymentresource for an edge compute node that operates in a Local Zone subnet- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- storageClassName: For the Local Zone configuration, you must specify- gp2-csi.
- 2
- kind: Defines the- deploymentresource.
- 3
- name: Specifies the name of your Local Zone application. For example,- local-zone-demo-app-nyc-1.
- 4
- namespace:Defines the namespace for the AWS Local Zone where you want to run the user workload. For example:- local-zone-app-nyc-1a.
- 5
- zone-group: Defines the group to where a zone belongs. For example,- us-east-1-iah-1.
- 6
- nodeSelector: Targets edge compute nodes that match the specified labels.
- 7
- tolerations: Sets the values that match with the- taintsdefined on the- MachineSetmanifest for the Local Zone node.
 
- Create a - serviceresource YAML file for the node. This resource exposes a pod from a targeted edge compute node to services that run inside your Local Zone network.- Example of a configured - serviceresource for an edge compute node that operates in a Local Zone subnet- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.4. Next steps
- Optional: Use the AWS Load Balancer (ALB) Operator to expose a pod from a targeted edge compute node to services that run inside of a Local Zones or Wavelength Zones subnet from a public network. See Installing the AWS Load Balancer Operator.
        Legal Notice
        
          
            
          
        
      
 
Copyright © 2025 Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.