Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Virtualized control planes
Deploying OpenShift Container Platform clusters with virtualized control planes
Abstract
Chapter 1. Understanding virtualized control planes
A virtualized control plane deployment is an OpenShift Container Platform cluster whose control plane nodes run as virtual machines (VMs) on a hosting cluster with OpenShift Virtualization.
KubeVirt Redfish is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
This architecture is useful in the following example scenarios:
- Regulatory requirements mandate VM-level isolation for control plane components.
- You want to reduce hardware costs by consolidating multiple cluster control planes on shared infrastructure.
- You need faster provisioning of new clusters compared to physical bare metal.
In a virtualized control plane deployment, you have two clusters:
- Hosting cluster
- An existing OpenShift Container Platform cluster running OpenShift Virtualization that hosts the control plane VMs.
- Target cluster
- The OpenShift Container Platform cluster with control planes running on the VMs.
KubeVirt Redfish runs on the hosting cluster and exposes the VMs through the standard Redfish API endpoints.
With this approach, you can use installation workflows such as Agent-based Installer or GitOps Zero Touch Provisioning (ZTP), to deploy virtualized control planes exactly like physical servers with baseboard management controllers (BMCs).
Virtualized control planes differ from Hosted control planes. With virtualized control planes, the control plane runs as VMs with hypervisor-level isolation. With Hosted control planes, the control plane runs as pods with container-level isolation.
1.1. Virtualized control plane architecture
A virtualized control plane deployment runs control plane components as VMs on a hosting cluster, providing hypervisor-level isolation between clusters.
A single hosting cluster can support multiple target clusters by running each cluster’s control plane VMs in separate namespaces. This consolidation reduces hardware costs while maintaining isolation. The target cluster’s worker nodes run on separate infrastructure, either physical servers or VMs on different hosts.
For high availability, distribute control plane VMs across different physical nodes on the hosting cluster. This anti-affinity placement ensures that if a physical node fails, only one control plane VM is affected and the remaining nodes maintain etcd quorum. Configure anti-affinity using pod anti-affinity rules or topology spread constraints in the VM specifications.
1.2. Virtualized control plane deployment workflow
Deploy a virtualized control plane cluster by installing KubeVirt Redfish on your hosting cluster, configuring it to expose your VMs, and running your preferred installation method.
Virtualized control planes require an OpenShift Container Platform cluster with OpenShift Virtualization installed and operational, which operates as the hosting cluster.
See the following high-level steps to deploy a virtualized control plane cluster:
-
Install and configure KubeVirt Redfish on the hosting cluster. This includes defining which VMs to expose through the Redfish API, configuring authentication credentials, and creating a
RouteCR to expose the endpoint externally. - Create the control plane VMs on the hosting cluster. Configure the VMs with appropriate resources and network settings, and ensure they remain powered off until the installation begins.
-
Configure your installation method to use KubeVirt Redfish. In your configuration files, specify BMC addresses using the KubeVirt Redfish route URL for the virtualized control plane nodes, for example:
redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.<vm_name>. - Run the installation. The VMs boot from the installation media and communicate with each other to form the cluster. Depending on the installation method, this process is either fully automated or requires manual intervention to boot each node.
- After installation completes, a new OpenShift Container Platform cluster is deployed with its control plane running on VMs hosted by the original OpenShift Virtualization cluster.
Chapter 2. Prerequisites for virtualized control planes
Before deploying a virtualized control plane cluster, ensure your environment meets the following requirements.
KubeVirt Redfish is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
2.1. Hosting cluster requirements
The hosting cluster runs the virtualized control plane VMs and manages their lifecycle through KubeVirt Redfish.
The hosting cluster requires the following components:
- OpenShift Container Platform installed and operational.
- OpenShift Virtualization installed and configured.
- Sufficient compute resources to host control plane VMs.
- At least three physical nodes to enable anti-affinity placement, ensuring control plane VMs are spread across different physical hosts.
2.2. Storage requirements
The hosting cluster must have a storage solution that supports VM disk images and meets the latency requirements of etcd.
The hosting cluster must have one of the following storage solutions:
-
Red Hat OpenShift Data Foundation (ODF) provides VM live migration. When you install ODF on a cluster where OpenShift Virtualization is running, the
ocs-storagecluster-ceph-rbd-virtualizationstorage class is created automatically. This storage class is optimized for KubeVirt workloads. - Logical Volume Manager (LVM) Storage, backed by NVMe drives, provides predictable, low-latency disk I/O but does not support VM live migration.
Consider the following when choosing a storage solution:
-
ODF replicates data across multiple storage nodes for durability. This replication can cause unpredictable latency spikes during synchronization, which might affect
etcdperformance. Monitoretcddisk latency in production and ensure the underlying storage nodes use NVMe disks. - LVM Storage writes directly to local disks without replication, providing consistent low latency. However, data is not replicated across nodes.
2.3. Network requirements
Virtualized control plane deployments require specific network connectivity between VMs, worker nodes, and external services.
Configure networking to meet the following requirements:
- L2 network connectivity between control plane VMs. The OpenShift Container Platform installation program requires all control plane nodes to share the same L2 network segment.
- L3 connectivity without network address translation (NAT) between the control plane VMs and worker nodes. Worker nodes must be able to route traffic directly to the control plane VMs. During installation, the bootstrap VM also requires L3 connectivity to the control plane.
- External access to the cluster API.
- Access to container image registries.
- DNS resolution for cluster components.
You can use either dynamic or static IP addressing for the control plane VMs:
- For deployments that use DHCP, configure static MAC addresses on the primary network interfaces of the VMs and create DHCP reservations for each MAC address. This ensures consistent IP assignment across VM restarts.
-
For deployments that use static IP addressing, define the network configuration in your
install-config.yamlor Agent-based installation manifests.
2.4. Control plane VM requirements
Each control plane VM must meet minimum resource requirements to run the OpenShift Container Platform control plane components reliably.
Each control plane VM requires the following minimum resources:
- 8 vCPUs
- 16 GiB RAM
- 120 GiB storage
2.5. KubeVirt Redfish requirements
KubeVirt Redfish exposes VMs through the Redfish API.
You need the following to use KubeVirt Redfish:
- Network access from the installation workstation to the KubeVirt Redfish route.
- Credentials configured in KubeVirt Redfish for API authentication.
- VMs labeled to be exposed through the Redfish API.
Chapter 3. Preparing the environment for virtualized control planes
Prepare your hosting cluster environment before deploying a virtualized control plane cluster. This includes installing and configuring KubeVirt Redfish and creating the control plane VMs.
KubeVirt Redfish is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
3.1. Install KubeVirt Redfish
Install KubeVirt Redfish on your OpenShift Virtualization cluster by applying a series of custom resources (CRs). These CRs create the namespace, permissions, configuration, and deployment required to expose VMs through the Redfish API.
Prerequisites
- You have a OpenShift Container Platform cluster with OpenShift Virtualization installed.
-
You installed the OpenShift CLI (
oc). -
You logged in to OpenShift Container Platform as a user with
cluster-adminprivileges.
Procedure
Create the
NamespaceCR for KubeVirt Redfish by creating a YAML file with content such as the following example:apiVersion: v1 kind: Namespace metadata: name: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfishApply the resource by running the following command:
$ oc apply -f namespace.yamlCreate the
ServiceAccountCR by creating a YAML file with content such as the following example:apiVersion: v1 kind: ServiceAccount metadata: name: kubevirt-redfish namespace: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: rbacApply the resource by running the following command:
$ oc apply -f serviceaccount.yamlCreate the
ClusterRoleCR with required permissions by creating a YAML file with content such as the following example:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: kubevirt-redfish-role labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: rbac rules: - apiGroups: ["kubevirt.io"] resources: ["virtualmachines", "virtualmachineinstances"] verbs: ["get", "list", "watch", "update", "patch"] - apiGroups: ["kubevirt.io"] resources: ["virtualmachines/status", "virtualmachineinstances/status"] verbs: ["get", "list", "watch", "patch"] - apiGroups: ["kubevirt.io"] resources: ["virtualmachines/restart", "virtualmachines/start", "virtualmachines/stop"] verbs: ["create"] - apiGroups: ["subresources.kubevirt.io"] resources: ["virtualmachineinstances/pause", "virtualmachineinstances/unpause"] verbs: ["create", "update"] - apiGroups: [""] resources: ["pods", "services", "configmaps", "secrets"] verbs: ["get", "list", "watch", "create", "update", "delete"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list"] - apiGroups: ["cdi.kubevirt.io"] resources: ["datavolumes", "volumeimportsources"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list"]Apply the resource by running the following command:
$ oc apply -f clusterrole.yamlCreate the
ClusterRoleBindingCR by creating a YAML file with content such as the following example:apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kubevirt-redfish-binding labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: rbac roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kubevirt-redfish-role subjects: - kind: ServiceAccount name: kubevirt-redfish namespace: kubevirt-redfishApply the resource by running the following command:
$ oc apply -f clusterrolebinding.yamlCreate the
SecretCR containing the configuration by creating a YAML file with content such as the following example. Edit theconfig.yamlsection to match your environment:apiVersion: v1 kind: Secret metadata: name: kubevirt-redfish-secret namespace: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: config type: Opaque stringData: config.yaml: | server: host: "0.0.0.0" port: 8443 tls: enabled: false system_id_convention: "enhanced" chassis: - name: "<chassis_name>" namespace: "<vm_namespace>" service_account: "kubevirt-redfish" vm_selector: labels: redfish-enabled: "true" authentication: users: - username: "admin" password: "<password>" chassis: ["<chassis_name>"] datavolume: storage_class: "<storage_class>" storage_size: "3Gi"where:
-
system_id_conventionspecifies the format for Redfish system IDs. The recommended setting isenhancedto use<namespace>.<vm-name>format. Thelegacysetting uses<vm-name>only. -
chassisspecifies the namespaces where VMs are deployed. Replace<chassis_name>with a name for this chassis configuration and<vm_namespace>with the namespace containing your VMs. Thevm_selectorlabels identify which VMs in the namespace are exposed through Redfish. Only VMs with matching labels are visible. You can configure multiple chassis entries to expose different subsets of VMs in the same namespace, each with different authentication users. -
authenticationspecifies the username and password required to access the Redfish API. These credentials enable full management control over exposed VMs, independently of any OpenShift Container Platform privileges. Replace<password>with a secure password. -
datavolumespecifies storage for VirtualMedia operations. Replace<storage_class>with a storage class available on your cluster, such aslvms-vg1orocs-storagecluster-ceph-rbd-virtualization. For more information about storage options, see Storage requirements in "Prerequisites for virtualized control planes".
-
Apply the resource by running the following command:
$ oc apply -f secret.yamlWarningThe credentials defined in this
SecretCR enable full management control over the VMs exposed through KubeVirt Redfish, independently of any OpenShift Container Platform privileges.Create the
DeploymentCR by creating a YAML file with content such as the following example:apiVersion: apps/v1 kind: Deployment metadata: name: kubevirt-redfish namespace: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: server spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: server template: metadata: labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: server spec: serviceAccountName: kubevirt-redfish securityContext: runAsNonRoot: true containers: - name: kubevirt-redfish image: registry.redhat.io/container-native-virtualization/kubevirt-redfish-rhel9:v4.22 imagePullPolicy: Always ports: - name: http containerPort: 8443 protocol: TCP env: - name: CONFIG_PATH value: "/app/config/config.yaml" - name: LOG_LEVEL value: "info" resources: requests: memory: "512Mi" cpu: "100m" limits: memory: "2Gi" cpu: "500m" livenessProbe: httpGet: path: /redfish/v1/ port: 8443 scheme: HTTP initialDelaySeconds: 30 periodSeconds: 10 readinessProbe: httpGet: path: /redfish/v1/ port: 8443 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 5 securityContext: runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: - ALL volumeMounts: - name: config-volume mountPath: /app/config readOnly: true volumes: - name: config-volume secret: secretName: kubevirt-redfish-secretwhere:
-
The
imagefield specifies the KubeVirt Redfish container image.
-
The
Apply the resource by running the following command:
$ oc apply -f deployment.yamlCreate the
ServiceCR by creating a YAML file with content such as the following example:apiVersion: v1 kind: Service metadata: name: kubevirt-redfish namespace: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: server spec: type: ClusterIP ports: - name: http port: 8443 targetPort: 8443 protocol: TCP selector: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: serverApply the resource by running the following command:
$ oc apply -f service.yamlCreate the
RouteCR to expose the Redfish API externally by creating a YAML file with content such as the following example:apiVersion: route.openshift.io/v1 kind: Route metadata: name: kubevirt-redfish namespace: kubevirt-redfish labels: app.kubernetes.io/name: kubevirt-redfish app.kubernetes.io/component: server spec: port: targetPort: http to: kind: Service name: kubevirt-redfish weight: 100 tls: termination: edge insecureEdgeTerminationPolicy: RedirectApply the resource by running the following command:
$ oc apply -f route.yaml
Verification
Verify that the pods are running by running the following command:
$ oc get pods -n kubevirt-redfishExample output
NAME READY STATUS RESTARTS AGE kubevirt-redfish-587cd94988-xthml 1/1 Running 0 2mGet the route hostname by running the following command:
$ oc get route kubevirt-redfish -n kubevirt-redfish -o jsonpath='{.spec.host}'Test the Redfish endpoint by running the following command:
$ curl -sk -u "admin:<password>" https://<route_hostname>/redfish/v1/A successful response returns JSON with the Redfish service root:
{ "@odata.id": "/redfish/v1", "@odata.type": "#ServiceRoot.v1_0_0.ServiceRoot", "Id": "RootService", "Name": "Root Service", "Systems": { "@odata.id": "/redfish/v1/Systems" } }
3.2. Create control plane VMs
Create VMs on the hosting cluster that will become the control plane nodes for your virtualized control plane cluster.
Prerequisites
- KubeVirt Redfish is installed and configured on the hosting cluster.
- The hosting cluster has a network configured to provide Layer 2 connectivity between VMs.
Procedure
Enable the
RebootPolicyfeature gate on the hosting cluster by running the following command:$ oc annotate --overwrite -n openshift-cnv hyperconverged kubevirt-hyperconverged \ kubevirt.kubevirt.io/jsonpatch='[{"op":"add","path":"/spec/configuration/developerConfiguration/featureGates/-","value":"RebootPolicy"}]'NoteThe
RebootPolicyfeature gate enables therebootPolicyfield inVirtualMachinespecifications. This configuration is required when using KubeVirt Redfish for cluster installation. The feature gate is enabled through an annotation on theHyperConvergedresource, which propagates the configuration to the underlyingKubeVirtCR.Enable the
declarativeHotplugVolumesfeature gate on the hosting cluster by running the following command:$ oc patch hyperconverged kubevirt-hyperconverged -n openshift-cnv \ --type merge \ -p '{"spec": {"featureGates": {"declarativeHotplugVolumes": true}}}'NoteThe
declarativeHotplugVolumesfeature gate enables KubeVirt Redfish to dynamically attach boot media to VMs through the Redfish API. This configuration is required when using KubeVirt Redfish for cluster installation.Create a
VirtualMachineCR for each control plane node by creating a YAML file with content such as the following example:apiVersion: kubevirt.io/v1 kind: VirtualMachine metadata: name: master-0 namespace: <vm_namespace> labels: redfish-enabled: "true" spec: runStrategy: Halted template: metadata: labels: redfish-enabled: "true" spec: domain: rebootPolicy: Terminate cpu: cores: 8 memory: guest: 16Gi devices: disks: - name: rootdisk disk: bus: virtio - name: cloudinitdisk disk: bus: virtio interfaces: - name: default bridge: {} networks: - name: default multus: networkName: <network_attachment_definition> volumes: - name: rootdisk dataVolume: name: master-0-disk - name: cloudinitdisk cloudInitNoCloud: userData: | #cloud-config hostname: master-0 user: corewhere:
-
<vm_namespace>specifies the namespace for the VMs. Must match the namespace specified in the KubeVirt Redfish chassis configuration. -
redfish-enabled: "true"specifies the label that must match thevm_selectorlabels in the KubeVirt Redfish configuration so the VM is exposed through the Redfish API. -
runStrategy: Haltedspecifies that VMs must be powered off initially. The installation powers them on by using the Redfish API. -
rebootPolicy: Terminatespecifies the reboot behavior required for Redfish API boot override operations. Ensures the VM terminates cleanly when boot media changes. -
cores: 8andguest: 16Gispecify the minimum recommended resources for control plane nodes. <network_attachment_definition>specifies the name of aNetworkAttachmentDefinitionconfigured on your hosting cluster. All control plane VMs must share the same L2 network segment. Common options include localnet, Linux bridge, or OVN Layer 2 networks.ImportantFor production deployments, configure anti-affinity rules to ensure control plane VMs are distributed across different physical nodes. This prevents a single node failure from affecting multiple control plane VMs simultaneously. Add pod anti-affinity rules or topology spread constraints to the VM specification based on your environment requirements.
-
Apply the resource by running the following command:
$ oc apply -f master-0.yaml
If required, create further VMs for master-1 and master-2, for example.
Verification
Verify that the VMs are created and powered off by running the following command:
$ oc get vm -n <vm_namespace>vm_namespaceis the namespace of the VMs.Example output
NAME AGE STATUS READY master-0 1m Stopped False master-1 1m Stopped False master-2 1m Stopped FalseVerify that KubeVirt Redfish can discover the VMs by querying the Redfish API:
$ curl -sk -u "<username>:<password>" \ https://<kubevirt_redfish_route>/redfish/v1/Systems
Chapter 4. Deploying a virtualized control plane
After preparing your environment, install the virtualized control plane cluster by using your preferred installation method. The agent-based installer and GitOps Zero Touch Provisioning (ZTP) are the recommended methods for virtualized control plane deployments.
KubeVirt Redfish is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
4.1. Deploying a virtualized control plane with the Agent-based installer
Use the Agent-based Installer to deploy a virtualized control plane cluster. This method generates a bootable ISO containing all required configuration. You must mount the ISO to both the virtualized control plane nodes, by using KubeVirt Redfish, and the baremetal worker nodes, by using the Redfish API.
When configuring the Agent-based Installer, the platform parameter in install-config.yaml determines the level of hardware management:
platform: baremetal- Enables full hardware awareness. The cluster installs the Bare Metal Operator, and uses it to manage node lifecycle, power states, and automatic remediation through the Redfish API.
platform: none- Treats infrastructure as generic compute. The cluster cannot control power states or boot orders. Requires external DNS and load balancing.
Prerequisites
- KubeVirt Redfish is installed and configured on the hosting cluster.
- Control plane VMs are created on the hosting cluster and powered off. In this state, you can manage the VM power lifecycle and boot configuration through KubeVirt Redfish.
- You have network access to the KubeVirt Redfish route.
- An HTTP server is available to host the agent ISO.
Procedure
Create an
install-config.yamlfile with BMC addresses pointing to KubeVirt Redfish for the virtualized control plane nodes and real Redfish endpoints for the baremetal worker nodes:apiVersion: v1 metadata: name: my-vcp-cluster baseDomain: example.com controlPlane: architecture: amd64 hyperthreading: Enabled name: master replicas: 3 compute: - name: worker architecture: amd64 hyperthreading: Enabled replicas: 2 networking: networkType: OVNKubernetes clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 serviceNetwork: - 172.30.0.0/16 machineNetwork: - cidr: 10.0.0.0/24 platform: baremetal: provisioningNetwork: Disabled apiVIPs: - 10.0.0.10 ingressVIPs: - 10.0.0.11 hosts: - name: master-0 role: master bootMACAddress: 52:54:00:00:00:01 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-0 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:01 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: master-1 role: master bootMACAddress: 52:54:00:00:00:02 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-1 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:02 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: master-2 role: master bootMACAddress: 52:54:00:00:00:03 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-2 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:03 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: worker-0 role: worker bootMACAddress: e4:43:4b:00:00:01 bootMode: UEFI rootDeviceHints: deviceName: /dev/nvme0n1 bmc: address: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 username: <bmc_username> password: <bmc_password> disableCertificateVerification: false networkConfig: interfaces: - name: ens1f0 mac-address: e4:43:4b:00:00:01 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: worker-1 role: worker bootMACAddress: e4:43:4b:00:00:02 bootMode: UEFI rootDeviceHints: deviceName: /dev/nvme0n1 bmc: address: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 username: <bmc_username> password: <bmc_password> disableCertificateVerification: false networkConfig: interfaces: - name: ens1f0 mac-address: e4:43:4b:00:00:02 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true pullSecret: '<pull_secret>' sshKey: '<ssh_public_key>'where:
-
replicasspecifies the number of worker node replicas to match the number of baremetal worker hosts defined in thehostssection. -
platform: baremetalspecifies full hardware lifecycle management. Set tononefor infrastructure-agnostic installation. -
provisioningNetwork: Disabledspecifies that the provisioning network is disabled for agent-based installations on virtual media. Nodes boot from the agent ISO, not PXE. -
apiVIPsandingressVIPsspecifies the virtual IP addresses that must be allocated from the machine network. TheapiVIPsmust reside on the same L2 network segment as the control plane VMs, and theingressVIPsmust reside on the same L2 network segment as the worker nodes. -
bootMACAddressspecifies the MAC address used for network boot. When using DHCP, ensure this MAC has a reserved IP address configured in your DHCP server. -
deviceName: /dev/vdaspecifies the installation disk for virtualized control plane nodes. -
bmc.addressfor control plane nodes specifies the KubeVirt Redfish route. The<vm_namespace>.<vm_name>format corresponds to the enhanced system ID convention configured in KubeVirt Redfish. Replace<kubevirt_redfish_route>with your route hostname and<vm_namespace>with the namespace containing your VMs. -
disableCertificateVerificationspecifies whether to skip TLS certificate validation. For production deployments, configure properly signed TLS certificates and set tofalse. Set totrueonly for lab or development environments. -
networkConfigspecifies the host network configuration for each node. This example uses DHCP. -
deviceName: /dev/nvme0n1specifies the installation disk for baremetal worker nodes. -
bmc.addressfor worker nodes specifies the real Redfish endpoint of the physical server. Replace<worker_bmc_ip>with the BMC IP address.
-
Create an
agent-config.yamlYAML file similar to the following example:apiVersion: v1alpha1 kind: AgentConfig metadata: name: my-vcp-cluster rendezvousIP: 10.0.0.20where: * The
rendezvousIPfield specifies the IP address of the first control plane node. This node coordinates the installation.Generate the agent ISO by running the following command:
$ openshift-install agent create image --dir <installation_directory>-
Host the generated
agent.x86_64.isoon an HTTP server accessible from your hosting cluster. Boot each node from the agent ISO:
- For virtualized control plane nodes, use KubeVirt Redfish to mount the ISO and power on the VMs.
- For baremetal worker nodes, use the server’s BMC interface to mount the ISO and boot.
Monitor the installation progress by running the following command:
$ openshift-install agent wait-for install-complete --dir <installation_directory>-
Replace
<installation_directory>with the path to the directory where the agent ISO was generated.
-
Replace
Verification
After installation completes, verify the cluster is operational:
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig $ oc get nodes
4.2. Deploying a virtualized control plane with GitOps ZTP
Use GitOps Zero Touch Provisioning (ZTP) to deploy virtualized control plane clusters at scale. GitOps Zero Touch Provisioning (ZTP) uses GitOps to manage cluster deployments declaratively through Red Hat Advanced Cluster Management (RHACM).
Prerequisites
- RHACM is installed on a hub cluster.
- KubeVirt Redfish is installed and configured on the hosting cluster.
- Control plane VMs are created and powered off.
- A Git repository is configured for GitOps ZTP manifests.
- A pull secret is available for the cluster.
Procedure
Create
Secretcustom resources (CRs) that contain the BMC credentials for each node. The following example shows a secret for a control plane node:apiVersion: v1 kind: Secret metadata: name: master-0-bmc-secret namespace: my-vcp-cluster type: Opaque data: username: <base64_encoded_username> password: <base64_encoded_password>Create similar
SecretCRs for each node, for examplemaster-1-bmc-secret,worker-0-bmc-secretand so on. For virtualized control plane nodes, use the KubeVirt Redfish credentials. For baremetal worker nodes, use the physical server’s BMC credentials.Create a
ClusterInstancecustom resource (CR) that defines the cluster. Specify BMC addresses pointing to KubeVirt Redfish for the virtualized control plane nodes and real Redfish endpoints for the baremetal worker nodes:apiVersion: siteconfig.open-cluster-management.io/v1alpha1 kind: ClusterInstance metadata: name: my-vcp-cluster namespace: my-vcp-cluster spec: baseDomain: example.com clusterImageSetNameRef: "openshift-4.22" clusterName: my-vcp-cluster clusterType: HighlyAvailable platformType: BareMetal networkType: OVNKubernetes clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 serviceNetwork: - cidr: 172.30.0.0/16 machineNetwork: - cidr: 10.0.0.0/24 apiVIPs: - 10.0.0.10 ingressVIPs: - 10.0.0.11 pullSecretRef: name: assisted-deployment-pull-secret sshPublicKey: "<ssh_public_key>" extraLabels: ManagedCluster: common: "true" sites: "my-vcp-cluster" templateRefs: - name: ai-cluster-templates-v1 namespace: open-cluster-management nodes: - hostName: master-0.my-vcp-cluster.example.com role: master bmcAddress: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-0 bmcCredentialsName: name: master-0-bmc-secret bootMACAddress: 52:54:00:00:00:01 bootMode: UEFI automatedCleaningMode: disabled rootDeviceHints: deviceName: /dev/vda templateRefs: - name: ai-node-templates-v1 namespace: open-cluster-management - hostName: master-1.my-vcp-cluster.example.com role: master bmcAddress: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-1 bmcCredentialsName: name: master-1-bmc-secret bootMACAddress: 52:54:00:00:00:02 bootMode: UEFI automatedCleaningMode: disabled rootDeviceHints: deviceName: /dev/vda templateRefs: - name: ai-node-templates-v1 namespace: open-cluster-management - hostName: master-2.my-vcp-cluster.example.com role: master bmcAddress: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-2 bmcCredentialsName: name: master-2-bmc-secret bootMACAddress: 52:54:00:00:00:03 bootMode: UEFI automatedCleaningMode: disabled rootDeviceHints: deviceName: /dev/vda templateRefs: - name: ai-node-templates-v1 namespace: open-cluster-management - hostName: worker-0.my-vcp-cluster.example.com role: worker bmcAddress: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 bmcCredentialsName: name: worker-0-bmc-secret bootMACAddress: e4:43:4b:00:00:01 bootMode: UEFI automatedCleaningMode: disabled rootDeviceHints: deviceName: /dev/nvme0n1 templateRefs: - name: ai-node-templates-v1 namespace: open-cluster-management - hostName: worker-1.my-vcp-cluster.example.com role: worker bmcAddress: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 bmcCredentialsName: name: worker-1-bmc-secret bootMACAddress: e4:43:4b:00:00:02 bootMode: UEFI automatedCleaningMode: disabled rootDeviceHints: deviceName: /dev/nvme0n1 templateRefs: - name: ai-node-templates-v1 namespace: open-cluster-managementwhere:
-
apiVIPsandingressVIPsspecifies the virtual IP addresses that must be allocated from the machine network. TheapiVIPsmust reside on the same L2 network segment as the control plane VMs, and theingressVIPsmust reside on the same L2 network segment as the worker nodes. -
bmcAddressfor control plane nodes specifies the KubeVirt Redfish route. The<vm_namespace>.<vm_name>format corresponds to the enhanced system ID convention configured in KubeVirt Redfish. Replace<kubevirt_redfish_route>with your route hostname and<vm_namespace>with the namespace containing your VMs. -
bmcCredentialsNamespecifies a reference to aSecretcontaining BMC credentials. -
bootMACAddressspecifies the MAC address used for network boot. When using DHCP, ensure this MAC has a reserved IP address configured in your DHCP server. -
deviceName: /dev/vdaspecifies the installation disk for virtualized control plane nodes. -
bmcAddressfor worker nodes specifies the real Redfish endpoint of the physical server. Replace<worker_bmc_ip>with the BMC IP address. -
deviceName: /dev/nvme0n1specifies the installation disk for baremetal worker nodes.
-
- Commit the manifests to your Git repository.
Apply the configuration through ArgoCD or your GitOps tooling.
ZTP generates the required resources and uses KubeVirt Redfish to provision the VMs automatically.
Verification
Monitor the cluster deployment from the hub cluster:
$ oc get managedcluster my-vcp-cluster $ oc get agentclusterinstall my-vcp-cluster -n my-vcp-cluster -o jsonpath='{.status.debugInfo.stateInfo}'
4.3. Deploying a virtualized control plane with installer-provisioned infrastructure
Use installer-provisioned infrastructure to deploy a virtualized control plane cluster. Installer-provisioned infrastructure provides full lifecycle management where the installation program automates hardware provisioning, power states, and cluster initialization.
Installer-provisioned infrastructure for virtualized control planes requires a provisioning network or a RHEL 9 provisioner node. Verify Installer-provisioned infrastructure support for virtualized control plane deployments with your Red Hat representative, as this combination may have additional requirements.
Prerequisites
- KubeVirt Redfish is installed and configured on the hosting cluster.
- Control plane VMs are created on the hosting cluster and powered off. In this state, the installation manages the VM power lifecycle and boot configuration through KubeVirt Redfish.
- A RHEL 9 provisioner node is available, or a provisioning network is configured.
- You have network access to the KubeVirt Redfish route.
Procedure
Create the
install-config.yamlfile with BMC addresses pointing to KubeVirt Redfish for the virtualized control plane nodes and real Redfish endpoints for the baremetal worker nodes:apiVersion: v1 metadata: name: my-vcp-cluster baseDomain: example.com controlPlane: architecture: amd64 hyperthreading: Enabled name: master replicas: 3 platform: baremetal: {} compute: - name: worker architecture: amd64 hyperthreading: Enabled replicas: 2 platform: baremetal: {} networking: networkType: OVNKubernetes clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 serviceNetwork: - 172.30.0.0/16 machineNetwork: - cidr: 10.0.0.0/24 platform: baremetal: apiVIPs: - 10.0.0.10 ingressVIPs: - 10.0.0.11 provisioningNetwork: Disabled hosts: - name: master-0 role: master bootMACAddress: 52:54:00:00:00:01 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-0 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:01 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: master-1 role: master bootMACAddress: 52:54:00:00:00:02 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-1 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:02 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: master-2 role: master bootMACAddress: 52:54:00:00:00:03 bootMode: UEFI rootDeviceHints: deviceName: /dev/vda bmc: address: redfish-virtualmedia+https://<kubevirt_redfish_route>/redfish/v1/Systems/<vm_namespace>.master-2 username: admin password: <password> disableCertificateVerification: false networkConfig: interfaces: - name: enp1s0 mac-address: 52:54:00:00:00:03 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: worker-0 role: worker bootMACAddress: e4:43:4b:00:00:01 bootMode: UEFI rootDeviceHints: deviceName: /dev/nvme0n1 bmc: address: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 username: <bmc_username> password: <bmc_password> disableCertificateVerification: false networkConfig: interfaces: - name: ens1f0 mac-address: e4:43:4b:00:00:01 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true - name: worker-1 role: worker bootMACAddress: e4:43:4b:00:00:02 bootMode: UEFI rootDeviceHints: deviceName: /dev/nvme0n1 bmc: address: redfish-virtualmedia+https://<worker_bmc_ip>/redfish/v1/Systems/System.Embedded.1 username: <bmc_username> password: <bmc_password> disableCertificateVerification: false networkConfig: interfaces: - name: ens1f0 mac-address: e4:43:4b:00:00:02 type: ethernet state: up ipv4: enabled: true dhcp: true auto-dns: true ipv6: enabled: true pullSecret: '<pull_secret>' sshKey: '<ssh_public_key>'where:
-
replicasspecifies the number of worker node replicas to match the number of baremetal worker hosts defined in thehostssection. -
apiVIPsandingressVIPsspecifies the virtual IP addresses that must be allocated from the machine network. TheapiVIPsmust reside on the same L2 network segment as the control plane VMs, and theingressVIPsmust reside on the same L2 network segment as the worker nodes. -
provisioningNetwork: Disabledspecifies that the provisioning network is disabled when using virtual media. -
bootMACAddressspecifies the MAC address used for network boot. When using DHCP, ensure this MAC has a reserved IP address configured in your DHCP server. -
deviceName: /dev/vdaspecifies the installation disk for virtualized control plane nodes. -
bmc.addressfor control plane nodes specifies the KubeVirt Redfish route. The<vm_namespace>.<vm_name>format corresponds to the enhanced system ID convention configured in KubeVirt Redfish. Replace<kubevirt_redfish_route>with your route hostname and<vm_namespace>with the namespace containing your VMs. -
disableCertificateVerificationspecifies whether to skip TLS certificate validation. For production deployments, configure properly signed TLS certificates and set tofalse. Set totrueonly for lab or development environments. -
networkConfigspecifies the host network configuration for each node. This example uses DHCP. -
deviceName: /dev/nvme0n1specifies the installation disk for baremetal worker nodes. -
bmc.addressfor worker nodes specifies the real Redfish endpoint of the physical server. Replace<worker_bmc_ip>with the BMC IP address.
-
Run the installation by running the following command:
$ openshift-install create cluster --dir <installation_directory>The installation process uses KubeVirt Redfish to manage VM power states and boot configuration automatically.
Verification
After installation completes, verify the cluster is operational by running the following commands:
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig $ oc get nodes
Legal Notice
Copyright © Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of the OpenJS Foundation.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}