Chapter 15. Installation configuration parameters for Azure
Before you deploy an OpenShift Container Platform cluster on Microsoft Azure, you provide parameters to customize your cluster and the platform that hosts it. When you create the install-config.yaml
file, you provide values for the required parameters through the command line. You can then modify the install-config.yaml
file to customize your cluster further.
15.1. Available installation configuration parameters for Azure
The following tables specify the required, optional, and Azure-specific installation configuration parameters that you can set as part of the installation process.
After installation, you cannot modify these parameters in the install-config.yaml
file.
15.1.1. Required configuration parameters
Required installation configuration parameters are described in the following table:
Parameter | Description | Values |
---|---|---|
apiVersion: |
The API version for the | String |
baseDomain: |
The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the |
A fully-qualified domain or subdomain name, such as |
metadata: |
Kubernetes resource | Object |
metadata: name: |
The name of the cluster. DNS records for the cluster are all subdomains of |
String of lowercase letters, hyphens ( |
platform: |
The configuration for the specific platform upon which to perform the installation: | Object |
pullSecret: | Get a pull secret from Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io. |
{ "auths":{ "cloud.openshift.com":{ "auth":"b3Blb=", "email":"you@example.com" }, "quay.io":{ "auth":"b3Blb=", "email":"you@example.com" } } } |
15.1.2. Network configuration parameters
You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or provide different IP address blocks than the defaults.
Only IPv4 addresses are supported.
Parameter | Description | Values |
---|---|---|
networking: | The configuration for the cluster network. | Object Note
You cannot modify parameters specified by the |
networking: networkType: | The Red Hat OpenShift Networking network plugin to install. |
|
networking: clusterNetwork: | The IP address blocks for pods.
The default value is If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking: clusterNetwork: - cidr: 10.128.0.0/14 hostPrefix: 23 |
networking: clusterNetwork: cidr: |
Required if you use An IPv4 network. |
An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between |
networking: clusterNetwork: hostPrefix: |
The subnet prefix length to assign to each individual node. For example, if | A subnet prefix.
The default value is |
networking: serviceNetwork: |
The IP address block for services. The default value is The OVN-Kubernetes network plugins supports only a single IP address block for the service network. | An array with an IP address block in CIDR format. For example: networking: serviceNetwork: - 172.30.0.0/16 |
networking: machineNetwork: | The IP address blocks for machines. If you specify multiple IP address blocks, the blocks must not overlap. | An array of objects. For example: networking: machineNetwork: - cidr: 10.0.0.0/16 |
networking: machineNetwork: cidr: |
Required if you use | An IP network block in CIDR notation.
For example, Note
Set the |
15.1.3. Optional configuration parameters
Optional installation configuration parameters are described in the following table:
Parameter | Description | Values |
---|---|---|
additionalTrustBundle: | A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle may also be used when a proxy has been configured. | String |
capabilities: | Controls the installation of optional core cluster components. You can reduce the footprint of your OpenShift Container Platform cluster by disabling optional components. For more information, see the "Cluster capabilities" page in Installing. | String array |
capabilities: baselineCapabilitySet: |
Selects an initial set of optional capabilities to enable. Valid values are | String |
capabilities: additionalEnabledCapabilities: |
Extends the set of optional capabilities beyond what you specify in | String array |
cpuPartitioningMode: | Enables workload partitioning, which isolates OpenShift Container Platform services, cluster management workloads, and infrastructure pods to run on a reserved set of CPUs. Workload partitioning can only be enabled during installation and cannot be disabled after installation. While this field enables workload partitioning, it does not configure workloads to use specific CPUs. For more information, see the Workload partitioning page in the Scalability and Performance section. |
|
compute: | The configuration for the machines that comprise the compute nodes. |
Array of |
compute: architecture: |
Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are | String |
compute: hyperthreading: |
Whether to enable or disable simultaneous multithreading, or Important If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. |
|
compute: name: |
Required if you use |
|
compute: platform: |
Required if you use |
|
compute: replicas: | The number of compute machines, which are also known as worker machines, to provision. |
A positive integer greater than or equal to |
featureSet: | Enables the cluster for a feature set. A feature set is a collection of OpenShift Container Platform features that are not enabled by default. For more information about enabling a feature set during installation, see "Enabling features using feature gates". |
String. The name of the feature set to enable, such as |
controlPlane: | The configuration for the machines that comprise the control plane. |
Array of |
controlPlane: architecture: |
Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are | String |
controlPlane: hyperthreading: |
Whether to enable or disable simultaneous multithreading, or Important If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. |
|
controlPlane: name: |
Required if you use |
|
controlPlane: platform: |
Required if you use |
|
controlPlane: replicas: | The number of control plane machines to provision. |
Supported values are |
credentialsMode: | The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported. Note Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the "Managing cloud provider credentials" entry in the Authentication and authorization content. |
|
fips: |
Enable or disable FIPS mode. The default is Important To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode. When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures. Note If you are using Azure File storage, you cannot enable FIPS mode. |
|
imageContentSources: | Sources and repositories for the release-image content. |
Array of objects. Includes a |
imageContentSources: source: |
Required if you use | String |
imageContentSources: mirrors: | Specify one or more repositories that may also contain the same images. | Array of strings |
publish: | How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API, OpenShift routes. |
|
sshKey: | The SSH key to authenticate access to your cluster machines. Note
For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your |
For example, |
+
Setting this parameter to Manual
enables alternatives to storing administrator-level secrets in the kube-system
project, which require additional configuration steps. For more information, see "Alternatives to storing administrator-level secrets in the kube-system project".
15.1.4. Additional Azure configuration parameters
Additional Azure configuration parameters are described in the following table.
By default, if you specify availability zones in the install-config.yaml
file, the installation program distributes the control plane machines and the compute machines across these availability zones within a region. To ensure high availability for your cluster, select a region with at least three availability zones. If your region contains fewer than three availability zones, the installation program places more than one control plane machine in the available zones.
Parameter | Description | Values |
---|---|---|
compute: platform: azure: encryptionAtHost: | Enables host-level encryption for compute machines. You can enable this encryption alongside user-managed server-side encryption. This feature encrypts temporary, ephemeral, cached and un-managed disks on the VM host. This is not a prerequisite for user-managed server-side encryption. |
|
compute: platform: azure: osDisk: diskSizeGB: | The Azure disk size for the VM. |
Integer that represents the size of the disk in GB. The default is |
compute: platform: azure: osDisk: diskType: | Defines the type of disk. |
|
compute: platform: azure: ultraSSDCapability: | Enables the use of Azure ultra disks for persistent storage on compute nodes. This requires that your Azure region and zone have ultra disks available. |
|
compute: platform: azure: osDisk: diskEncryptionSet: resourceGroup: | The name of the Azure resource group that contains the disk encryption set from the installation prerequisites. This resource group should be different from the resource group where you install the cluster to avoid deleting your Azure encryption key when the cluster is destroyed. This value is only necessary if you intend to install the cluster with user-managed disk encryption. |
String, for example |
compute: platform: azure: osDisk: diskEncryptionSet: name: | The name of the disk encryption set that contains the encryption key from the installation prerequisites. |
String, for example |
compute: platform: azure: osDisk: diskEncryptionSet: subscriptionId: | Defines the Azure subscription of the disk encryption set where the disk encryption set resides. This secondary disk encryption set is used to encrypt compute machines. |
String, in the format |
compute: platform: azure: osImage: publisher: | Optional. By default, the installation program downloads and installs the Red Hat Enterprise Linux CoreOS (RHCOS) image that is used to boot compute machines. You can override the default behavior by using a custom RHCOS image that is available from the Azure Marketplace. The installation program uses this image for compute machines only. | String. The name of the image publisher. |
compute: platform: azure: osImage: offer: |
The name of Azure Marketplace offer that is associated with the custom RHCOS image. If you use | String. The name of the image offer. |
compute: platform: azure: osImage: sku: |
An instance of the Azure Marketplace offer. If you use | String. The SKU of the image offer. |
compute: platform: azure: osImage: version: |
The version number of the image SKU. If you use | String. The version of the image to use. |
compute: platform: azure: vmNetworkingType: |
Enables accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, improving its networking performance. If instance type of compute machines support |
|
compute: platform: azure: type: | Defines the Azure instance type for compute machines. | String |
compute: platform: azure: zones: | The availability zones where the installation program creates compute machines. | String list |
compute: platform: azure: settings: securityType: | Enables confidential VMs or trusted launch for compute nodes. This option is not enabled by default. |
|
compute: platform: azure: settings: confidentialVM: uefiSettings: secureBoot: | Enables secure boot on compute nodes if you are using confidential VMs. |
|
compute: platform: azure: settings: confidentialVM: uefiSettings: virtualizedTrustedPlatformModule: | Enables the virtualized Trusted Platform Module (vTPM) feature on compute nodes if you are using confidential VMs. |
|
compute: platform: azure: settings: trustedLaunch: uefiSettings: secureBoot: | Enables secure boot on compute nodes if you are using trusted launch. |
|
compute: platform: azure: settings: trustedLaunch: uefiSettings: virtualizedTrustedPlatformModule: | Enables the vTPM feature on compute nodes if you are using trusted launch. |
|
compute: platform: azure: osDisk: securityProfile: securityEncryptionType: | Enables the encryption of the virtual machine guest state for compute nodes. This parameter can only be used if you use Confidential VMs. |
|
controlPlane: platform: azure: settings: securityType: | Enables confidential VMs or trusted launch for control plane nodes. This option is not enabled by default. |
|
controlPlane: platform: azure: settings: confidentialVM: uefiSettings: secureBoot: | Enables secure boot on control plane nodes if you are using confidential VMs. |
|
controlPlane: platform: azure: settings: confidentialVM: uefiSettings: virtualizedTrustedPlatformModule: | Enables the vTPM feature on control plane nodes if you are using confidential VMs. |
|
controlPlane: platform: azure: settings: trustedLaunch: uefiSettings: secureBoot: | Enables secure boot on control plane nodes if you are using trusted launch. |
|
controlPlane: platform: azure: settings: trustedLaunch: uefiSettings: virtualizedTrustedPlatformModule: | Enables the vTPM feature on control plane nodes if you are using trusted launch. |
|
controlPlane: platform: azure: osDisk: securityProfile: securityEncryptionType: | Enables the encryption of the virtual machine guest state for control plane nodes. This parameter can only be used if you use Confidential VMs. |
|
controlPlane: platform: azure: type: | Defines the Azure instance type for control plane machines. | String |
controlPlane: platform: azure: zones: | The availability zones where the installation program creates control plane machines. | String list |
platform: azure: defaultMachinePlatform: settings: securityType: | Enables confidential VMs or trusted launch for all nodes. This option is not enabled by default. |
|
platform: azure: defaultMachinePlatform: settings: confidentialVM: uefiSettings: secureBoot: | Enables secure boot on all nodes if you are using confidential VMs. |
|
platform: azure: defaultMachinePlatform: settings: confidentialVM: uefiSettings: virtualizedTrustedPlatformModule: | Enables the virtualized Trusted Platform Module (vTPM) feature on all nodes if you are using confidential VMs. |
|
platform: azure: defaultMachinePlatform: settings: trustedLaunch: uefiSettings: secureBoot: | Enables secure boot on all nodes if you are using trusted launch. |
|
platform: azure: defaultMachinePlatform: settings: trustedLaunch: uefiSettings: virtualizedTrustedPlatformModule: | Enables the vTPM feature on all nodes if you are using trusted launch. |
|
platform: azure: defaultMachinePlatform: osDisk: securityProfile: securityEncryptionType: | Enables the encryption of the virtual machine guest state for all nodes. This parameter can only be used if you use Confidential VMs. |
|
platform: azure: defaultMachinePlatform: encryptionAtHost: | Enables host-level encryption for compute machines. You can enable this encryption alongside user-managed server-side encryption. This feature encrypts temporary, ephemeral, cached, and un-managed disks on the VM host. This parameter is not a prerequisite for user-managed server-side encryption. |
|
platform: azure: defaultMachinePlatform: osDisk: diskEncryptionSet: name: | The name of the disk encryption set that contains the encryption key from the installation prerequisites. |
String, for example, |
platform: azure: defaultMachinePlatform: osDisk: diskEncryptionSet: resourceGroup: | The name of the Azure resource group that contains the disk encryption set from the installation prerequisites. To avoid deleting your Azure encryption key when the cluster is destroyed, this resource group must be different from the resource group where you install the cluster. This value is necessary only if you intend to install the cluster with user-managed disk encryption. |
String, for example, |
platform: azure: defaultMachinePlatform: osDisk: diskEncryptionSet: subscriptionId: | Defines the Azure subscription of the disk encryption set where the disk encryption set resides. This secondary disk encryption set is used to encrypt compute machines. |
String, in the format |
platform: azure: defaultMachinePlatform: osDisk: diskSizeGB: | The Azure disk size for the VM. |
Integer that represents the size of the disk in GB. The default is |
platform: azure: defaultMachinePlatform: osDisk: diskType: | Defines the type of disk. |
|
platform: azure: defaultMachinePlatform: osImage: publisher: | Optional. By default, the installation program downloads and installs the Red Hat Enterprise Linux CoreOS (RHCOS) image that is used to boot control plane and compute machines. You can override the default behavior by using a custom RHCOS image that is available from the Azure Marketplace. The installation program uses this image for both types of machines. | String. The name of the image publisher. |
platform: azure: defaultMachinePlatform: osImage: offer: |
The name of Azure Marketplace offer that is associated with the custom RHCOS image. If you use | String. The name of the image offer. |
platform: azure: defaultMachinePlatform: osImage: sku: |
An instance of the Azure Marketplace offer. If you use | String. The SKU of the image offer. |
platform: azure: defaultMachinePlatform: osImage: version: |
The version number of the image SKU. If you use | String. The version of the image to use. |
platform: azure: defaultMachinePlatform: type: | The Azure instance type for control plane and compute machines. | The Azure instance type. |
platform: azure: defaultMachinePlatform: zones: | The availability zones where the installation program creates compute and control plane machines. | String list. |
controlPlane: platform: azure: encryptionAtHost: | Enables host-level encryption for control plane machines. You can enable this encryption alongside user-managed server-side encryption. This feature encrypts temporary, ephemeral, cached and un-managed disks on the VM host. This is not a prerequisite for user-managed server-side encryption. |
|
controlPlane: platform: azure: osDisk: diskEncryptionSet: resourceGroup: | The name of the Azure resource group that contains the disk encryption set from the installation prerequisites. This resource group should be different from the resource group where you install the cluster to avoid deleting your Azure encryption key when the cluster is destroyed. This value is only necessary if you intend to install the cluster with user-managed disk encryption. |
String, for example |
controlPlane: platform: azure: osDisk: diskEncryptionSet: name: | The name of the disk encryption set that contains the encryption key from the installation prerequisites. |
String, for example |
controlPlane: platform: azure: osDisk: diskEncryptionSet: subscriptionId: | Defines the Azure subscription of the disk encryption set where the disk encryption set resides. This secondary disk encryption set is used to encrypt control plane machines. |
String, in the format |
controlPlane: platform: azure: osDisk: diskSizeGB: | The Azure disk size for the VM. |
Integer that represents the size of the disk in GB. The default is |
controlPlane: platform: azure: osDisk: diskType: | Defines the type of disk. |
|
controlPlane: platform: azure: osImage: publisher: | Optional. By default, the installation program downloads and installs the Red Hat Enterprise Linux CoreOS (RHCOS) image that is used to boot control plane machines. You can override the default behavior by using a custom RHCOS image that is available from the Azure Marketplace. The installation program uses this image for control plane machines only. | String. The name of the image publisher. |
controlPlane: platform: azure: osImage: offer: |
The name of Azure Marketplace offer that is associated with the custom RHCOS image. If you use | String. The name of the image offer. |
controlPlane: platform: azure: osImage: sku: |
An instance of the Azure Marketplace offer. If you use | String. The SKU of the image offer. |
controlPlane: platform: azure: osImage: version: |
The version number of the image SKU. If you use | String. The version of the image to use. |
controlPlane: platform: azure: ultraSSDCapability: | Enables the use of Azure ultra disks for persistent storage on control plane machines. This requires that your Azure region and zone have ultra disks available. |
|
controlPlane: platform: azure: vmNetworkingType: |
Enables accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, improving its networking performance. If instance type of control plane machines support |
|
platform: azure: baseDomainResourceGroupName: | The name of the resource group that contains the DNS zone for your base domain. |
String, for example |
platform: azure: resourceGroupName: | The name of an already existing resource group to install your cluster to. This resource group must be empty and only used for this specific cluster; the cluster components assume ownership of all resources in the resource group. If you limit the service principal scope of the installation program to this resource group, you must ensure all other resources used by the installation program in your environment have the necessary permissions, such as the public DNS zone and virtual network. Destroying the cluster by using the installation program deletes this resource group. |
String, for example |
platform: azure: outboundType: |
The outbound routing strategy used to connect your cluster to the internet. If you are using user-defined routing, you must have pre-existing networking available where the outbound routing has already been configured prior to installing a cluster. The installation program is not responsible for configuring user-defined routing. If you specify the Important
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
|
platform: azure: region: | The name of the Azure region that hosts your cluster. |
Any valid region name, such as |
platform: azure: zone: | List of availability zones to place machines in. For high availability, specify at least two zones. |
List of zones, for example |
platform: azure: customerManagedKey: keyVault: name: | Specifies the name of the key vault that contains the encryption key that is used to encrypt Azure storage. | String. |
platform: azure: customerManagedKey: keyVault: keyName: | Specifies the name of the user-managed encryption key that is used to encrypt Azure storage. | String. |
platform: azure: customerManagedKey: keyVault: resourceGroup: | Specifies the name of the resource group that contains the key vault and managed identity. | String. |
platform: azure: customerManagedKey: keyVault: subscriptionId: | Specifies the subscription ID that is associated with the key vault. |
String, in the format |
platform: azure: customerManagedKey: userAssignedIdentityKey: | Specifies the name of the user-assigned managed identity that resides in the resource group with the key vault and has access to the user-managed key. | String. |
platform: azure: defaultMachinePlatform: ultraSSDCapability: | Enables the use of Azure ultra disks for persistent storage on control plane and compute machines. This requires that your Azure region and zone have ultra disks available. |
|
platform: azure: networkResourceGroupName: |
The name of the resource group that contains the existing VNet that you want to deploy your cluster to. This name cannot be the same as the | String. |
platform: azure: virtualNetwork: | The name of the existing VNet that you want to deploy your cluster to. | String. |
platform: azure: controlPlaneSubnet: | The name of the existing subnet in your VNet that you want to deploy your control plane machines to. |
Valid CIDR, for example |
platform: azure: computeSubnet: | The name of the existing subnet in your VNet that you want to deploy your compute machines to. |
Valid CIDR, for example |
platform: azure: cloudName: |
The name of the Azure cloud environment that is used to configure the Azure SDK with the appropriate Azure API endpoints. If empty, the default value |
Any valid cloud environment, such as |
platform: azure: defaultMachinePlatform: vmNetworkingType: | Enables accelerated networking. Accelerated networking enables single root I/O virtualization (SR-IOV) to a VM, improving its networking performance. |
|
operatorPublishingStrategy: apiserver: |
Determines whether the load balancers that service the API are public or private. Set this parameter to |
|
operatorPublishingStrategy: ingress: |
Determines whether the DNS resources that the cluster creates for ingress traffic are publicly visible. Set this parameter to |
|
You cannot customize Azure Availability Zones or Use tags to organize your Azure resources with an Azure cluster.