Chapter 4. Creating a cluster on AWS


You can deploy OpenShift Dedicated on Amazon Web Services (AWS) by using your own AWS account through the Customer Cloud Subscription (CCS) model or by using an AWS infrastructure account that is owned by Red Hat.

4.1. Prerequisites

4.2. Creating a cluster on AWS

By using the Customer Cloud Subscription (CCS) billing model, you can create an OpenShift Dedicated cluster in an existing Amazon Web Services (AWS) account that you own.

You can also select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.

Complete the following prerequisites to use the CCS model to deploy and manage OpenShift Dedicated into your AWS account.

Prerequisites

  • You have configured your AWS account for use with OpenShift Dedicated.
  • You have not deployed any services in your AWS account.
  • You have configured the AWS account quotas and limits that are required to support the desired cluster size.
  • You have an osdCcsAdmin AWS Identity and Access Management (IAM) user with the AdministratorAccess policy attached.
  • You have set up a service control policy (SCP) in your AWS organization. For more information, see Minimum required service control policy (SCP).
  • Consider having Business Support or higher from AWS.
  • If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into. The proxy must also be accessible from the private subnets of the VPC.

Procedure

  1. Log in to OpenShift Cluster Manager.
  2. On the Overview page, select Create cluster in the Red Hat OpenShift Dedicated card.
  3. Under Billing model, configure the subscription type and infrastructure type:

    1. Select a subscription type. For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.

      Note

      The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.

    2. Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own or select Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
    3. Click Next.
  4. Select Run on Amazon Web Services. If you are provisioning your cluster in an AWS account, complete the following substeps:

    1. Review and complete the listed Prerequisites.
    2. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
    3. Provide your AWS account details:

      1. Enter your AWS account ID.
      2. Enter your AWS access key ID and AWS secret access key for your AWS IAM user account.

        Note

        Revoking these credentials in AWS results in a loss of access to any cluster created with these credentials.

      3. Optional: You can select Bypass AWS service control policy (SCP) checks to disable the SCP checks.

        Note

        Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed.

  5. Click Next to validate your cloud provider account and go to the Cluster details page.
  6. On the Cluster details page, provide a name for your cluster and specify the cluster details:

    1. Add a Cluster name.
    2. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on openshiftapps.com. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.

      To customize the subdomain, select the Create customize domain prefix checkbox, and enter your domain prefix name in the Domain prefix field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.

    3. Select a cluster version from the Version drop-down menu.
    4. Select a cloud provider region from the Region drop-down menu.
    5. Select a Single zone or Multi-zone configuration.
    6. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
    7. Optional: Expand Advanced Encryption to make changes to encryption settings.

      1. Accept the default setting Use default KMS Keys to use your default AWS KMS key, or select Use Custom KMS keys to use a custom KMS key.

        1. With Use Custom KMS keys selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the Key ARN field. The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.
      2. Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.

        Note

        If Enable FIPS cryptography is selected, Enable additional etcd encryption is enabled by default and cannot be disabled. You can select Enable additional etcd encryption without selecting Enable FIPS cryptography.

      3. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

        Note

        By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

    8. Click Next.
  7. On the Default machine pool page, select a Compute node instance type from the drop-down menu.
  8. Optional: Select the Enable autoscaling checkbox to enable autoscaling.

    1. Click Edit cluster autoscaling settings to make changes to the autoscaling settings.
    2. Once you have made your desired changes, click Close.
    3. Select a minimum and maximum node count. Node counts can be selected by engaging the available plus and minus signs or inputting the desired node count into the number input field.
  9. Select a Compute node count from the drop-down menu.

    Note

    After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

  10. Choose your preference for the Instance Metadata Service (IMDS) type, either using both IMDSv1 and IMDSv2 types or requiring your EC2 instances to use only IMDSv2. You can access instance metadata from a running instance in two ways:

    • Instance Metadata Service Version 1 (IMDSv1) - a request/response method
    • Instance Metadata Service Version 2 (IMDSv2) - a session-oriented method

      Important

      The Instance Metadata Service settings cannot be changed after your cluster is created.

      Note

      IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests.

      For more information regarding IMDS, see Instance metadata and user data in the AWS documentation.

  11. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
  12. On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.

    Important

    If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.

  13. Optional: To install the cluster in an existing AWS Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.
    2. If you are installing into an existing VPC and opted to use private API endpoints, you can select Use a PrivateLink. This option enables connections to the cluster by Red Hat Site Reliability Engineering (SRE) using only AWS PrivateLink endpoints.

      Note

      The Use a PrivateLink option cannot be changed after a cluster is created.

    3. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
  14. If you opted to install the cluster in an existing AWS VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.

    Note

    You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.

    1. Optional: Expand Additional security groups and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.

      By default, the security groups you specify are added for all node types. Clear the Apply the same security groups to all node types checkbox to apply different security groups for each node type.

      For more information, see the requirements for Security groups under Additional resources.

  15. Accept the default application ingress settings, or to create your own custom settings, select Custom Settings.

    1. Optional: Provide route selector.
    2. Optional: Provide excluded namespaces.
    3. Select a namespace ownership policy.
    4. Select a wildcard policy.

      For more information about custom application ingress settings, click the information icon provided for each setting.

  16. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

      • Specify a valid HTTP proxy URL.
      • Specify a valid HTTPS proxy URL.
      • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the http-proxy and https-proxy arguments.
    2. Click Next.

      For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.

  17. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Note

    If you are installing into a VPC, the Machine CIDR range must match the VPC subnets.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

  18. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

      • Select Individual updates if you want to schedule each update individually. This is the default option.
      • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

        Note

        You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    3. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.
    4. Click Next.

      Note

      If critical security concerns that significantly impact the security or stability of a cluster occur, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

  19. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
  20. Optional: On the Overview tab, you can enable the delete protection feature by selecting Enable, which is located directly under Delete Protection: Disabled. This will prevent your cluster from being deleted. To disable delete protection, select Disable. By default, clusters are created with the delete protection feature disabled.

Verification

  • You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.

4.3. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.