Chapter 4. Creating a cluster on AWS
You can deploy OpenShift Dedicated on Amazon Web Services (AWS) by using your own AWS account through the Customer Cloud Subscription (CCS) model or by using an AWS infrastructure account that is owned by Red Hat.
4.1. Prerequisites
- You reviewed the introduction to OpenShift Dedicated and the documentation on architecture concepts.
- You reviewed the OpenShift Dedicated cloud deployment options.
4.2. Creating a cluster on AWS
By using the Customer Cloud Subscription (CCS) billing model, you can create an OpenShift Dedicated cluster in an existing Amazon Web Services (AWS) account that you own.
You can also select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
Complete the following prerequisites to use the CCS model to deploy and manage OpenShift Dedicated into your AWS account.
Prerequisites
- You have configured your AWS account for use with OpenShift Dedicated.
- You have not deployed any services in your AWS account.
- You have configured the AWS account quotas and limits that are required to support the desired cluster size.
-
You have an
osdCcsAdmin
AWS Identity and Access Management (IAM) user with theAdministratorAccess
policy attached. - You have set up a service control policy (SCP) in your AWS organization. For more information, see Minimum required service control policy (SCP).
- Consider having Business Support or higher from AWS.
- If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC.
Procedure
- Log in to OpenShift Cluster Manager.
- On the Overview page, select Create cluster in the Red Hat OpenShift Dedicated card.
Under Billing model, configure the subscription type and infrastructure type:
Select a subscription type. For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.
NoteThe subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.
- Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own or select Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
- Click Next.
Select Run on Amazon Web Services. If you are provisioning your cluster in an AWS account, complete the following substeps:
- Review and complete the listed Prerequisites.
- Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
Provide your AWS account details:
- Enter your AWS account ID.
Enter your AWS access key ID and AWS secret access key for your AWS IAM user account.
NoteRevoking these credentials in AWS results in a loss of access to any cluster created with these credentials.
Optional: You can select Bypass AWS service control policy (SCP) checks to disable the SCP checks.
NoteSome AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed.
- Click Next to validate your cloud provider account and go to the Cluster details page.
On the Cluster details page, provide a name for your cluster and specify the cluster details:
- Add a Cluster name.
Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on
openshiftapps.com
. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.To customize the subdomain, select the Create customize domain prefix checkbox, and enter your domain prefix name in the Domain prefix field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
- Select a cluster version from the Version drop-down menu.
- Select a cloud provider region from the Region drop-down menu.
- Select a Single zone or Multi-zone configuration.
- Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
Optional: Expand Advanced Encryption to make changes to encryption settings.
Accept the default setting Use default KMS Keys to use your default AWS KMS key, or select Use Custom KMS keys to use a custom KMS key.
- With Use Custom KMS keys selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the Key ARN field. The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
NoteIf Enable FIPS cryptography is selected, Enable additional etcd encryption is enabled by default and cannot be disabled. You can select Enable additional etcd encryption without selecting Enable FIPS cryptography.
Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.
NoteBy enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.
- Click Next.
- On the Default machine pool page, select a Compute node instance type from the drop-down menu.
Optional: Select the Enable autoscaling checkbox to enable autoscaling.
- Click Edit cluster autoscaling settings to make changes to the autoscaling settings.
- Once you have made your desired changes, click Close.
- Select a minimum and maximum node count. Node counts can be selected by engaging the available plus and minus signs or inputting the desired node count into the number input field.
Select a Compute node count from the drop-down menu.
NoteAfter your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.
Choose your preference for the Instance Metadata Service (IMDS) type, either using both IMDSv1 and IMDSv2 types or requiring your EC2 instances to use only IMDSv2. You can access instance metadata from a running instance in two ways:
- Instance Metadata Service Version 1 (IMDSv1) - a request/response method
Instance Metadata Service Version 2 (IMDSv2) - a session-oriented method
ImportantThe Instance Metadata Service settings cannot be changed after your cluster is created.
NoteIMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests.
For more information regarding IMDS, see Instance metadata and user data in the AWS documentation.
- Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.
ImportantIf you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.
Optional: To install the cluster in an existing AWS Virtual Private Cloud (VPC):
- Select Install into an existing VPC.
If you are installing into an existing VPC and opted to use private API endpoints, you can select Use a PrivateLink. This option enables connections to the cluster by Red Hat Site Reliability Engineering (SRE) using only AWS PrivateLink endpoints.
NoteThe Use a PrivateLink option cannot be changed after a cluster is created.
- If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
If you opted to install the cluster in an existing AWS VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.
NoteYou must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.
Optional: Expand Additional security groups and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.
By default, the security groups you specify are added for all node types. Clear the Apply the same security groups to all node types checkbox to apply different security groups for each node type.
For more information, see the requirements for Security groups under Additional resources.
Accept the default application ingress settings, or to create your own custom settings, select Custom Settings.
- Optional: Provide route selector.
- Optional: Provide excluded namespaces.
- Select a namespace ownership policy.
Select a wildcard policy.
For more information about custom application ingress settings, click the information icon provided for each setting.
If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:
Enter a value in at least one of the following fields:
- Specify a valid HTTP proxy URL.
- Specify a valid HTTPS proxy URL.
-
In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the
http-proxy
andhttps-proxy
arguments.
Click Next.
For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.
In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
NoteIf you are installing into a VPC, the Machine CIDR range must match the VPC subnets.
ImportantCIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.
On the Cluster update strategy page, configure your update preferences:
Choose a cluster update method:
- Select Individual updates if you want to schedule each update individually. This is the default option.
Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.
NoteYou can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.
- If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
- Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.
Click Next.
NoteIf critical security concerns that significantly impact the security or stability of a cluster occur, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.
- Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
- Optional: On the Overview tab, you can enable the delete protection feature by selecting Enable, which is located directly under Delete Protection: Disabled. This will prevent your cluster from being deleted. To disable delete protection, select Disable. By default, clusters are created with the delete protection feature disabled.
Verification
- You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.
4.3. Additional resources
- For information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.
- For details about the AWS service control policies required for CCS deployments, see Minimum required service control policy (SCP).
- For information about persistent storage for OpenShift Dedicated, see the Storage section in the OpenShift Dedicated service definition.
- For information about load balancers for OpenShift Dedicated, see the Load balancers section in the OpenShift Dedicated service definition.
- For more information about etcd encryption, see the etcd encryption service definition.
- For information about the end-of-life dates for OpenShift Dedicated versions, see the OpenShift Dedicated update life cycle.
- For information about the requirements for custom additional security groups, see Additional custom security groups.
- For information about configuring identity providers, see Configuring identity providers.
- For information about revoking cluster privileges, see Revoking privileges and access to an OpenShift Dedicated cluster.