Install ROSA Classic clusters

Procedure

1. Create an OpenShift Cluster Manager role and link it to your Red Hat organization:

   Note

   To enable automatic deployment of the cluster-specific Operator roles and the OpenID Connect (OIDC) provider using the OpenShift Cluster Manager Hybrid Cloud Console, you must apply the administrative privileges to the role by choosing the Admin OCM role command in the Accounts and roles step of creating a ROSA cluster. For more information about the basic and administrative privileges for the OpenShift Cluster Manager role, see Understanding AWS account association.

   Note

   If you choose the Basic OCM role command in the Accounts and roles step of creating a ROSA cluster in the OpenShift Cluster Manager Hybrid Cloud Console, you must deploy a ROSA cluster using manual mode. You will be prompted to configure the cluster-specific Operator roles and the OpenID Connect (OIDC) provider in a later step.

   $ rosa create ocm-role

   Select the default values at the prompts to quickly create and link the role.

2. Create a user role and link it to your Red Hat user account:

   $ rosa create user-role

   Select the default values at the prompts to quickly create and link the role.

   Note

   The Red Hat user account must exist in the Red Hat organization that is linked to your OpenShift Cluster Manager role.

Procedure

1. Check your AWS account for existing roles and policies:

   $ rosa list account-roles

2. If they do not exist in your AWS account, create the required account-wide STS roles and policies:

   $ rosa create account-roles

   Select the default values at the prompts to quickly create the roles and policies.

Procedure

1. To create your OIDC configuration alongside the AWS resources, run the following command:

   $ rosa create oidc-config --mode=auto --yes

   This command returns the following information.

   Example output

   ? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
   I: Setting up managed OIDC configuration
   I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
   	rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
   If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
   I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
   ? Create the OIDC provider? Yes
   I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'

   When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for --mode auto, otherwise you must determine these values based on aws CLI output for --mode manual.

2. Optional: you can save the OIDC configuration ID as a variable to use later. Run the following command to save the variable:

   $ export OIDC_ID=<oidc_config_id>1

   1

   In the example output above, the OIDC configuration ID is 13cdr6b.

   • View the value of the variable by running the following command:

     $ echo $OIDC_ID

     Example output

     13cdr6b

Procedure

1. Navigate to OpenShift Cluster Manager and select Create cluster.
2. On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Service on AWS (ROSA) row.

3. Verify that your AWS account ID is listed in the Associated AWS accounts drop-down menu and that the installer, support, worker, and control plane account role Amazon Resource Names (ARNs) are listed on the Accounts and roles page.

   Note

   If your AWS account ID is not listed, check that you have successfully associated your AWS account with your Red Hat organization. If your account role ARNs are not listed, check that the required account-wide STS roles exist in your AWS account.

4. Click Next.

5. On the Cluster details page, provide a name for your cluster in the Cluster name field. Leave the default values in the remaining fields and click Next.

   Note

   Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on openshiftapps.com. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated as a 15-character string. To customize the subdomain, select the Create custom domain prefix checkbox, and enter your domain prefix name in the Domain prefix field.

6. To deploy a cluster quickly, leave the default options in the Cluster settings, Networking, Cluster roles and policies, and Cluster updates pages and click Next on each page.
7. On the Review your ROSA cluster page, review the summary of your selections and click Create cluster to start the installation.

8. Optional: On the Overview tab, you can enable the delete protection feature by selecting Enable, which is located directly under Delete Protection: Disabled. This will prevent your cluster from being deleted. To disable delete protection, select Disable. By default, clusters are created with the delete protection feature disabled.

   Verification

   • You can check the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.

     Note

     If the installation fails or the cluster State does not change to Ready after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see Troubleshooting installations. For steps to contact Red Hat Support for assistance, see Getting support for Red Hat OpenShift Service on AWS.

Procedure

1. Navigate to OpenShift Cluster Manager and select Create cluster.
2. On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Service on AWS (ROSA) row.

3. If an AWS account is automatically detected, the account ID is listed in the Associated AWS accounts drop-down menu. If no AWS accounts are automatically detected, click Select an account → Associate AWS account and follow these steps:

   1. On the Authenticate page, click the copy button next to the rosa login command. The command includes your OpenShift Cluster Manager API login token.

      Note

      You can also load your API token on the OpenShift Cluster Manager API Token page on OpenShift Cluster Manager.

   2. Run the copied command in the CLI to log in to your ROSA account.

      $ rosa login --token=<api_login_token> 1

      1

      Replace <api_login_token> with the token that is provided in the copied command.

      Example output

      I: Logged in as '<username>' on 'https://api.openshift.com'

   3. On the Authenticate page in OpenShift Cluster Manager, click Next.

   4. On the OCM role page, click the copy button next to the Basic OCM role or the Admin OCM role commands.

      The basic role enables OpenShift Cluster Manager to detect the AWS IAM roles and policies required by ROSA. The admin role also enables the detection of the roles and policies. In addition, the admin role enables automatic deployment of the cluster-specific Operator roles and the OpenID Connect (OIDC) provider by using OpenShift Cluster Manager.

   5. Run the copied command in the CLI and follow the prompts to create the OpenShift Cluster Manager IAM role. The following example creates a basic OpenShift Cluster Manager IAM role using the default options:

      $ rosa create ocm-role

      Example output

      I: Creating ocm role
      ? Role prefix: ManagedOpenShift 1
      ? Enable admin capabilities for the OCM role (optional): No 2
      ? Permissions boundary ARN (optional):  3
      ? Role Path (optional): 4
      ? Role creation mode: auto 5
      I: Creating role using 'arn:aws:iam::<aws_account_id>:user/<aws_username>'
      ? Create the 'ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role? Yes
      I: Created role 'ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' with ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>'
      I: Linking OCM role
      ? OCM Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>
      ? Link the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role with organization '<red_hat_organization_id>'? Yes 6
      I: Successfully linked role-arn 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' with organization account '<red_hat_organization_id>'

      1

      Specify the prefix to include in the OCM IAM role name. The default is ManagedOpenShift. You can create only one OCM role per AWS account for your Red Hat organization.

      2

      Enable the admin OpenShift Cluster Manager IAM role, which is equivalent to specifying the --admin argument. The admin role is required if you want to use Auto mode to automatically provision the cluster-specific Operator roles and the OIDC provider by using OpenShift Cluster Manager.

      3

      Optional: Specify a permissions boundary Amazon Resource Name (ARN) for the role. For more information, see Permissions boundaries for IAM entities in the AWS documentation.

      4

      Specify a custom ARN path for your OCM role. The path must contain alphanumeric characters only and start and end with /, for example /test/path/dev/. For more information, see ARN path customization for IAM roles and policies.

      5

      Select the role creation mode. You can use auto mode to automatically create the OpenShift Cluster Manager IAM role and link it to your Red Hat organization account. In manual mode, the ROSA CLI generates the aws commands needed to create and link the role. In manual mode, the corresponding policy JSON files are also saved to the current directory. manual mode enables you to review the details before running the aws commands manually.

      6

      Link the OpenShift Cluster Manager IAM role to your Red Hat organization account.

   6. If you opted not to link the OpenShift Cluster Manager IAM role to your Red Hat organization account in the preceding command, copy the rosa link command from the OpenShift Cluster Manager OCM role page and run it:

      $ rosa link ocm-role <arn> 1

      1

      Replace <arn> with the ARN of the OpenShift Cluster Manager IAM role that is included in the output of the preceding command.

   7. Select Next on the OpenShift Cluster Manager OCM role page.

   8. On the User role page, click the copy button for the User role command and run the command in the CLI. Red Hat uses the user role to verify your AWS identity when you install a cluster and the required resources with OpenShift Cluster Manager.

      Follow the prompts to create the user role:

      $ rosa create user-role

      Example output

      I: Creating User role
      ? Role prefix: ManagedOpenShift 1
      ? Permissions boundary ARN (optional): 2
      ? Role Path (optional): [? for help] 3
      ? Role creation mode: auto 4
      I: Creating ocm user role using 'arn:aws:iam::<aws_account_id>:user/<aws_username>'
      ? Create the 'ManagedOpenShift-User-<red_hat_username>-Role' role? Yes
      I: Created role 'ManagedOpenShift-User-<red_hat_username>-Role' with ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<red_hat_username>-Role'
      I: Linking User role
      ? User Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<red_hat_username>-Role
      ? Link the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<red_hat_username>-Role' role with account '<red_hat_user_account_id>'? Yes 5
      I: Successfully linked role ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<red_hat_username>-Role' with account '<red_hat_user_account_id>'

      1

      Specify the prefix to include in the user role name. The default is ManagedOpenShift.

      2

      Optional: Specify a permissions boundary Amazon Resource Name (ARN) for the role. For more information, see Permissions boundaries for IAM entities in the AWS documentation.

      3

      Specify a custom ARN path for your user role. The path must contain alphanumeric characters only and start and end with /, for example /test/path/dev/. For more information, see ARN path customization for IAM roles and policies.

      4

      Select the role creation mode. You can use auto mode to automatically create the user role and link it to your OpenShift Cluster Manager user account. In manual mode, the ROSA CLI generates the aws commands needed to create and link the role. In manual mode, the corresponding policy JSON files are also saved to the current directory. manual mode enables you to review the details before running the aws commands manually.

      5

      Link the user role to your OpenShift Cluster Manager user account.

   9. If you opted not to link the user role to your OpenShift Cluster Manager user account in the preceding command, copy the rosa link command from the OpenShift Cluster Manager User role page and run it:

      $ rosa link user-role <arn> 1

      1

      Replace <arn> with the ARN of the user role that is included in the output of the preceding command.

   10. On the OpenShift Cluster Manager User role page, click Ok.
   11. Verify that the AWS account ID is listed in the Associated AWS accounts drop-down menu on the Accounts and roles page.

   12. If the required account roles do not exist, a notification is provided stating that Some account roles ARNs were not detected. You can create the AWS account-wide roles and policies, including the Operator policies, by clicking the copy buffer next to the rosa create account-roles command and running the command in the CLI:

       $ rosa create account-roles

       Example output

       I: Logged in as '<red_hat_username>' on 'https://api.openshift.com'
       I: Validating AWS credentials...
       I: AWS credentials are valid!
       I: Validating AWS quota...
       I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
       I: Verifying whether OpenShift command-line tool is available...
       I: Current OpenShift Client Version: 4.0
       I: Creating account roles
       ? Role prefix: ManagedOpenShift 1
       ? Permissions boundary ARN (optional): 2
       ? Path (optional): [? for help] 3
       ? Role creation mode: auto 4
       I: Creating roles using 'arn:aws:iam::<aws_account_number>:user/<aws_username>'
       ? Create the 'ManagedOpenShift-Installer-Role' role? Yes 5
       I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Installer-Role'
       ? Create the 'ManagedOpenShift-ControlPlane-Role' role? Yes 6
       I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-ControlPlane-Role'
       ? Create the 'ManagedOpenShift-Worker-Role' role? Yes 7
       I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Worker-Role'
       ? Create the 'ManagedOpenShift-Support-Role' role? Yes 8
       I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Support-Role'
       I: To create a cluster with these roles, run the following command:
       rosa create cluster --sts

       1

       Specify the prefix to include in the OpenShift Cluster Manager IAM role name. The default is ManagedOpenShift.

       Important

       You must specify an account-wide role prefix that is unique across your AWS account, even if you use a custom ARN path for your account roles.

       2

       Optional: Specify a permissions boundary Amazon Resource Name (ARN) for the role. For more information, see Permissions boundaries for IAM entities in the AWS documentation.

       3

       Specify a custom ARN path for your account-wide roles. The path must contain alphanumeric characters only and start and end with /, for example /test/path/dev/. For more information, see ARN path customization for IAM roles and policies.

       4

       Select the role creation mode. You can use auto mode to automatically create the account wide roles and policies. In manual mode, the ROSA CLI generates the aws commands needed to create the roles and policies. In manual mode, the corresponding policy JSON files are also saved to the current directory. manual mode enables you to review the details before running the aws commands manually.

       5 6 7 8

       Creates the account-wide installer, control plane, worker and support roles and corresponding IAM policies. For more information, see Account-wide IAM role and policy reference.

       Note

       In this step, the ROSA CLI also automatically creates the account-wide Operator IAM policies that are used by the cluster-specific Operator policies to permit the ROSA cluster Operators to carry out core OpenShift functionality. For more information, see Account-wide IAM role and policy reference.

   13. On the Accounts and roles page, click Refresh ARNs and verify that the installer, support, worker, and control plane account role ARNs are listed.

       If you have more than one set of account roles in your AWS account for your cluster version, a drop-down list of Installer role ARNs is provided. Select the ARN for the installer role that you want to use with your cluster. The cluster uses the account-wide roles and policies that relate to the selected installer role.

4. Click Next.

   Note

   If the Accounts and roles page was refreshed, you might need to select the checkbox again to acknowledge that you have read and completed all of the prerequisites.

5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.

   2. Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on openshiftapps.com. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.

      To customize the subdomain, select the Create custom domain prefix checkbox, and enter your domain prefix name in the Domain prefix field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.

   3. Select a cluster version from the Version drop-down menu.
   4. Select a cloud provider region from the Region drop-down menu.
   5. Select a Single zone or Multi-zone configuration.
   6. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

   7. Optional: Expand Advanced Encryption to make changes to encryption settings.

      1. Accept the default setting Use default KMS Keys to use your default AWS KMS key, or select Use Custom KMS keys to use a custom KMS key.

         1. With Use Custom KMS keys selected, enter the AWS Key Management Service (KMS) custom key Amazon Resource Name (ARN) ARN in the Key ARN field. The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.

         2. Optional: To create a customer managed KMS key, follow the procedure for Creating symmetric encryption KMS keys.

            Important

            The EBS Operator role is required in addition to the account roles to successfully create your cluster.

            This role must be attached with the ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credentials policy, an IAM policy required by ROSA to manage back-end storage through the Container Storage Interface (CSI).

            For more information about the policies and permissions that the cluster Operators require, see Methods of account-wide role creation.

            Example EBS Operator role

            "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"

            After you create your Operator roles, you must edit the Key Policy in the Key Management Service (KMS) page of the AWS Console to add the roles.

      2. Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.

         Note

         If Enable FIPS cryptography is selected, Enable additional etcd encryption is enabled by default and cannot be disabled. You can select Enable additional etcd encryption without selecting Enable FIPS cryptography.

      3. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in Red Hat OpenShift Service on AWS clusters by default.

         Note

         By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   8. Click Next.

6. On the Default machine pool page, select a Compute node instance type.

   Note

   After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in the default machine pool. The number and types of nodes available to you depend on whether you use single or multiple availability zones. They also depend on what is enabled and available in your AWS account and the selected region.

7. Optional: Configure autoscaling for the default machine pool:

   1. Select Enable autoscaling to automatically scale the number of machines in your default machine pool to meet the deployment needs.

   2. Set the minimum and maximum node count limits for autoscaling. The cluster autoscaler does not reduce or increase the default machine pool node count beyond the limits that you specify.

      • If you deployed your cluster using a single availability zone, set the Minimum node count and Maximum node count. This defines the minimum and maximum compute node limits in the availability zone.
      • If you deployed your cluster using multiple availability zones, set the Minimum nodes per zone and Maximum nodes per zone. This defines the minimum and maximum compute node limits per zone.
      Note

      Alternatively, you can set your autoscaling preferences for the default machine pool after the machine pool is created.

8. If you did not enable autoscaling, select a compute node count for your default machine pool:

   • If you deployed your cluster using a single availability zone, select a Compute node count from the drop-down menu. This defines the number of compute nodes to provision to the machine pool for the zone.
   • If you deployed your cluster using multiple availability zones, select a Compute node count (per zone) from the drop-down menu. This defines the number of compute nodes to provision to the machine pool per zone.

9. Optional: Select an EC2 Instance Metadata Service (IMDS) configuration - optional (default) or required - to enforce use of IMDSv2. For more information regarding IMDS, see Instance metadata and user data in the AWS documentation.

   Important

   The Instance Metadata Service settings cannot be changed after your cluster is created.

10. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.

11. In the Cluster privacy section of the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.

    Important

    The API endpoint cannot be changed between public and private after your cluster is created.

    Public API endpoint

    Select Public if you do not want to restrict access to your cluster. You can access the Kubernetes API endpoint and application routes from the internet.

    Private API endpoint

    Select Private if you want to restrict network access to your cluster. The Kubernetes API endpoint and application routes are accessible from direct private connections only.

    Important

    If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.

12. Optional: If you opted to use public API endpoints, by default a new VPC is created for your cluster. If you want to install your cluster in an existing VPC instead, select Install into an existing VPC.

    Warning

    You cannot install a ROSA cluster into an existing VPC that was created by the OpenShift installer. These VPCs are created during the cluster deployment process and must only be associated with a single cluster to ensure that cluster provisioning and deletion operations work correctly.

    To verify whether a VPC was created by the OpenShift installer, check for the owned value on the kubernetes.io/cluster/<infra-id> tag. For example, when viewing the tags for the VPC named mycluster-12abc-34def, the kubernetes.io/cluster/mycluster-12abc-34def tag has a value of owned. Therefore, the VPC was created by the installer and must not be modified by the administrator.

    Note

    If you opted to use private API endpoints, you must use an existing VPC and PrivateLink and the Install into an existing VPC and Use a PrivateLink options are automatically selected. With these options, the Red Hat Site Reliability Engineering (SRE) team can connect to the cluster to assist with support by using only AWS PrivateLink endpoints.

13. Optional: If you are installing your cluster into an existing VPC, select Configure a cluster-wide proxy to enable an HTTP or HTTPS proxy to deny direct access to the internet from your cluster.
14. Click Next.

15. If you opted to install the cluster in an existing AWS VPC, provide your Virtual Private Cloud (VPC) subnet settings.

    Note

    You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.

    1. Optional: Expand Additional security groups and select additional custom security groups to apply to nodes in the machine pools created by default. You must have already created the security groups and associated them with the VPC you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.

       By default, the security groups you specify will be added for all node types. Uncheck the Apply the same security groups to all node types (control plane, infrastructure and worker) checkbox to select different security groups for each node type.

       For more information, see the requirements for Security groups under Additional resources.

16. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

       • Specify a valid HTTP proxy URL.
       • Specify a valid HTTPS proxy URL.
       • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the http-proxy and https-proxy arguments.

    2. Click Next.

       For more information about configuring a proxy with Red Hat OpenShift Service on AWS, see Configuring a cluster-wide proxy.

17. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided and click Next.

    Note

    If you are installing into a VPC, the Machine CIDR range must match the VPC subnets.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

18. Under the Cluster roles and policies page, select your preferred cluster-specific Operator IAM role and OIDC provider creation mode.

    With Manual mode, you can use either the rosa CLI commands or the aws CLI commands to generate the required Operator roles and OIDC provider for your cluster. Manual mode enables you to review the details before using your preferred option to create the IAM resources manually and complete your cluster installation.

    Alternatively, you can use Auto mode to automatically create the Operator roles and OIDC provider. To enable Auto mode, the OpenShift Cluster Manager IAM role must have administrator capabilities.

    Note

    If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected and applied to the Operator roles. The custom ARN path is applied when the Operator roles are created by using either Manual or Auto mode.

19. Optional: Specify a Custom operator roles prefix for your cluster-specific Operator IAM roles.

    Note

    By default, the cluster-specific Operator role names are prefixed with the cluster name and random 4-digit hash. You can optionally specify a custom prefix to replace <cluster_name>-<hash> in the role names. The prefix is applied when you create the cluster-specific Operator IAM roles. For information about the prefix, see About custom Operator IAM role prefixes.

20. Select Next.

21. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Important

         Even when you opt for recurring updates, you must update the account-wide and cluster-specific IAM resources before you upgrade your cluster between minor releases.

         Note

         You can review the end-of-life dates in the update life cycle documentation for Red Hat OpenShift Service on AWS. For more information, see Red Hat OpenShift Service on AWS update life cycle.

    2. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    3. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    4. Click Next.

       Note

       If there are critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

22. Review the summary of your selections and click Create cluster to start the cluster installation.

23. If you opted to use Manual mode, create the cluster-specific Operator roles and OIDC provider manually to continue the installation:

    1. In the Action required to continue installation dialog, select either the AWS CLI or the ROSA CLI tab and manually create the resources:

       • If you opted to use the AWS CLI method, click Download .zip, save the file, and then extract the AWS CLI command and policy files. Then, run the provided aws commands in the CLI.

         Note

         You must run the aws commands in the directory that contains the policy files.

       • If you opted to use the ROSA CLI method, click the copy button next to the rosa create commands and run them in the CLI.

         Note

         If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected and applied to the Operator roles when you create them by using these manual methods.

    2. In the Action required to continue installation dialog, click x to return to the Overview page for your cluster.
    3. Verify that the cluster Status in the Details section of the Overview page for your cluster has changed from Waiting to Installing. There might be a short delay of approximately two minutes before the status changes.
    Note

    If you opted to use Auto mode, OpenShift Cluster Manager creates the Operator roles and the OIDC provider automatically.

    Important

    The EBS Operator role is required in addition to the account roles to successfully create your cluster.

    This role must be attached with the ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credentials policy, an IAM policy required by ROSA to manage back-end storage through the Container Storage Interface (CSI).

    For more information about the policies and permissions that the cluster Operators require, see Methods of account-wide role creation.

    Example EBS Operator role

    "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"

    After you create your Operator roles, you must edit the Key Policy in the Key Management Service (KMS) page of the AWS Console to add the roles.

Procedure

1. Create the required account-wide roles and policies, including the Operator policies:

   1. Generate the IAM policy JSON files in the current working directory and output the aws CLI commands for review:

      $ rosa create account-roles --interactive \ 1
                                  --mode manual 2

      1

      interactive mode enables you to specify configuration options at the interactive prompts. For more information, see Interactive cluster creation mode reference.

      2

      manual mode generates the aws CLI commands and JSON files needed to create the account-wide roles and policies. After review, you must run the commands manually to create the resources.

      Example output

      I: Logged in as '<red_hat_username>' on 'https://api.openshift.com'
      I: Validating AWS credentials...
      I: AWS credentials are valid!
      I: Validating AWS quota...
      I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
      I: Verifying whether OpenShift command-line tool is available...
      I: Current OpenShift Client Version: 4.0
      I: Creating account roles
      ? Role prefix: ManagedOpenShift 1
      ? Permissions boundary ARN (optional): 2
      ? Path (optional): [? for help] 3
      ? Role creation mode: auto 4
      I: Creating roles using 'arn:aws:iam::<aws_account_number>:user/<aws_username>'
      ? Create the 'ManagedOpenShift-Installer-Role' role? Yes 5
      I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Installer-Role'
      ? Create the 'ManagedOpenShift-ControlPlane-Role' role? Yes 6
      I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-ControlPlane-Role'
      ? Create the 'ManagedOpenShift-Worker-Role' role? Yes 7
      I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Worker-Role'
      ? Create the 'ManagedOpenShift-Support-Role' role? Yes 8
      I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::<aws_account_number>:role/ManagedOpenShift-Support-Role'
      I: To create a cluster with these roles, run the following command:
      rosa create cluster --sts

      1

      Specify the prefix to include in the OpenShift Cluster Manager IAM role name. The default is ManagedOpenShift.

      Important

      You must specify an account-wide role prefix that is unique across your AWS account, even if you use a custom ARN path for your account roles.

      2

      Optional: Specifies a permissions boundary Amazon Resource Name (ARN) for the role. For more information, see Permissions boundaries for IAM entities in the AWS documentation.

      3

      Specify a custom ARN path for your account-wide roles. The path must contain alphanumeric characters only and start and end with /, for example /test/path/dev/. For more information, see ARN path customization for IAM roles and policies.

      4

      Select the role creation mode. You can use auto mode to automatically create the account wide roles and policies. In manual mode, the rosa CLI generates the aws commands needed to create the roles and policies. In manual mode, the corresponding policy JSON files are also saved to the current directory. manual mode enables you to review the details before running the aws commands manually.

      5 6 7 8

      Creates the account-wide installer, control plane, worker and support roles and corresponding IAM policies. For more information, see Account-wide IAM role and policy reference.

      Note

      In this step, the ROSA CLI also automatically creates the account-wide Operator IAM policies that are used by the cluster-specific Operator policies to permit the ROSA cluster Operators to run core OpenShift functionality. For more information, see Account-wide IAM role and policy reference.

      1. After review, run the aws commands manually to create the roles and policies. Alternatively, you can run the preceding command using --mode auto to run the aws commands immediately.

2. Optional: If you are using your own AWS KMS key to encrypt the control plane, infrastructure, worker node root volumes, and persistent volumes (PVs), add the ARN for the account-wide installer role to your KMS key policy.

   Important

   Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key.

   PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.

   1. Save the key policy for your KMS key to a file on your local machine. The following example saves the output to kms-key-policy.json in the current working directory:

      $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output text > kms-key-policy.json 1

      1

      Replace <key_id_or_arn> with the ID or ARN of your KMS key.

   2. Add the ARN for the account-wide installer role that you created in the preceding step to the Statement.Principal.AWS section in the file. In the following example, the ARN for the default ManagedOpenShift-Installer-Role role is added:

      {
          "Version": "2012-10-17",
          "Id": "key-rosa-policy-1",
          "Statement": [
              {
                  "Sid": "Enable IAM User Permissions",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::<aws_account_id>:root"
                  },
                  "Action": "kms:*",
                  "Resource": "*"
              },
              {
                  "Sid": "Allow ROSA use of the key",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role", 1
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role",
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role",
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role",
                          "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent" 2
                      ]
                  },
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:ReEncrypt*",
                      "kms:GenerateDataKey*",
                      "kms:DescribeKey"
                  ],
                  "Resource": "*"
              },
              {
                  "Sid": "Allow attachment of persistent resources",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role", 3
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role",
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role",
                          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role",
                          "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent" 4
                      ]
                  },
                  "Action": [
                      "kms:CreateGrant",
                      "kms:ListGrants",
                      "kms:RevokeGrant"
                  ],
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "kms:GrantIsForAWSResource": "true"
                      }
                  }
              }
          ]
      }

      1 3

      You must specify the ARN for the account-wide role that will be used when you create the ROSA cluster. The ARNs listed in the section must be comma-separated.

      2 4

      You must specify the ARN for the operator role that will be used when you create the ROSA cluster. The ARNs listed in the section must be comma-separated.

   3. Apply the changes to your KMS key policy:

      $ aws kms put-key-policy --key-id <key_id_or_arn> \ 1
          --policy file://kms-key-policy.json \ 2
          --policy-name default

      1

      Replace <key_id_or_arn> with the ID or ARN of your KMS key.

      2

      You must include the file:// prefix when referencing a key policy in a local file.

      You can reference the ARN of your KMS key when you create the cluster in the next step.

3. Create a cluster with STS using custom installation options. You can use the --interactive mode to interactively specify custom settings:

   Warning

   You cannot install a ROSA cluster into an existing VPC that was created by the OpenShift installer. These VPCs are created during the cluster deployment process and must only be associated with a single cluster to ensure that cluster provisioning and deletion operations work correctly.

   To verify whether a VPC was created by the OpenShift installer, check for the owned value on the kubernetes.io/cluster/<infra-id> tag. For example, when viewing the tags for the VPC named mycluster-12abc-34def, the kubernetes.io/cluster/mycluster-12abc-34def tag has a value of owned. Therefore, the VPC was created by the installer and must not be modified by the administrator.

   $ rosa create cluster --interactive --sts

   Example output

   I: Interactive mode enabled.
   Any optional fields can be left empty and a default will be selected.
   ? Cluster name: <cluster_name>
   ? Domain prefix: <domain_prefix> 1
   ? Deploy cluster with Hosted Control Plane (optional): No
   ? Create cluster admin user: Yes 2
   ? Create custom password for cluster admin: No 3
   I: cluster admin user is cluster-admin
   I: cluster admin password is password
   ? OpenShift version: <openshift_version> 4
   ? Configure the use of IMDSv2 for ec2 instances optional/required (optional): 5
   I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role for the Installer role 6
   I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role for the ControlPlane role
   I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role for the Worker role
   I: Using arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role for the Support role
   ? External ID (optional): 7
   ? Operator roles prefix: <cluster_name>-<random_string> 8
   ? Deploy cluster using pre registered OIDC Configuration ID:
   ? Tags (optional) 9
   ? Multiple availability zones (optional): No 10
   ? AWS region: us-east-1
   ? PrivateLink cluster (optional): No
   ? Machine CIDR: 10.0.0.0/16
   ? Service CIDR: 172.30.0.0/16
   ? Pod CIDR: 10.128.0.0/14
   ? Install into an existing VPC (optional): Yes 11
   ? Subnet IDs (optional):
   ? Select availability zones (optional): No
   ? Enable Customer Managed key (optional): No 12
   ? Compute nodes instance type (optional):
   ? Enable autoscaling (optional): No
   ? Compute nodes: 2
   ? Worker machine pool labels (optional):
   ? Host prefix: 23
   ? Additional Security Group IDs (optional): 13
   ? > [*]  sg-0e375ff0ec4a6cfa2 ('sg-1')
   ? > [ ]  sg-0e525ef0ec4b2ada7 ('sg-2')
   ? Enable FIPS support: No 14
   ? Encrypt etcd data: No 15
   ? Disable Workload monitoring (optional): No
   I: Creating cluster '<cluster_name>'
   I: To create this cluster again in the future, you can run:
      rosa create cluster --cluster-name <cluster_name> --role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role --support-role-arn arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role --master-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role --worker-iam-role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role --operator-roles-prefix <cluster_name>-<random_string> --region us-east-1 --version 4.17.0 --additional-compute-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-infra-security-group-ids sg-0e375ff0ec4a6cfa2 --additional-control-plane-security-group-ids sg-0e375ff0ec4a6cfa2 --replicas 2 --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 16
   I: To view a list of clusters and their status, run 'rosa list clusters'
   I: Cluster '<cluster_name>' has been created.
   I: Once the cluster is installed you will need to add an Identity Provider before you can login into the cluster. See 'rosa create idp --help' for more information.
   ...

   1

   Optional. When creating your cluster, you can customize the subdomain for your cluster on *.openshiftapps.com using the --domain-prefix flag. The value for this flag must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation. If the flag is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is fewer than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.

   2

   When creating your cluster, you can create a local administrator user (cluster-admin) for your cluster. This automatically configures an htpasswd identity provider for the cluster-admin user.

   3

   You can create a custom password for the cluster-admin user, or have the system generate a password. If you do not create a custom password, the generated password is displayed in the command line output. If you specify a custom password, the password must be at least 14 characters (ASCII-standard) without any whitespace. When defined, the password is hashed and transported securely.

   4

   When creating the cluster, the listed OpenShift version options include the major, minor, and patch versions, for example 4.17.0.

   5

   Optional: Specify optional to configure all EC2 instances to use both v1 and v2 endpoints of EC2 Instance Metadata Service (IMDS). This is the default value. Specify required to configure all EC2 instances to use IMDSv2 only.

   Important

   The Instance Metadata Service settings cannot be changed after your cluster is created.

   6

   If you have more than one set of account roles for your cluster version in your Amazon Web Services (AWS) account, an interactive list of options is provided.

   7

   Optional: Specify an unique identifier that is passed by Red Hat OpenShift Service on AWS and the OpenShift installer when an account role is assumed. This option is only required for custom account roles that expect an external ID.

   8

   By default, the cluster-specific Operator role names are prefixed with the cluster name and a random 4-digit hash. You can optionally specify a custom prefix to replace <cluster_name>-<hash> in the role names. The prefix is applied when you create the cluster-specific Operator IAM roles. For information about the prefix, see About custom Operator IAM role prefixes.

   Note

   If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected. The custom path is applied to the cluster-specific Operator roles when you create them in a later step.

   9

   Optional: Specify a tag that is used on all resources created by Red Hat OpenShift Service on AWS in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: key value, data input.

   Important

   Red Hat OpenShift Service on AWS only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited. Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed.

   Red Hat OpenShift Service on AWS does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.

   10

   Optional: Multiple availability zones are recommended for production workloads. The default is a single availability zone.

   11

   Optional: You can create a cluster in an existing VPC, or ROSA can create a new VPC to use.

   Warning

   You cannot install a ROSA cluster into an existing VPC that was created by the OpenShift installer. These VPCs are created during the cluster deployment process and must only be associated with a single cluster to ensure that cluster provisioning and deletion operations work correctly.

   To verify whether a VPC was created by the OpenShift installer, check for the owned value on the kubernetes.io/cluster/<infra-id> tag. For example, when viewing the tags for the VPC named mycluster-12abc-34def, the kubernetes.io/cluster/mycluster-12abc-34def tag has a value of owned. Therefore, the VPC was created by the installer and must not be modified by the administrator.

   12

   Optional: Enable this option if you are using your own AWS KMS key to encrypt the control plane, infrastructure, worker node root volumes, and PVs. Specify the ARN for the KMS key that you added to the account-wide role ARN in the preceding step.

   Important

   Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key.

   PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.

   13

   Optional: You can select additional custom security groups to use in your cluster. You must have already created the security groups and associated them with the VPC you selected for this cluster. You cannot add or edit security groups for the default machine pools after you create the machine pool. For more information, see the requirements for Security groups under Additional resources.

   14

   Optional: Enable this option if you require your cluster to be FIPS validated. Selecting this option means the encrypt etcd data option is enabled by default and cannot be disabled. You can encrypt etcd data without enabling FIPS support.

   15

   Optional: Enable this option if your use case only requires etcd key value encryption in addition to the control plane storage encryption that encrypts the etcd volumes by default. With this option, the etcd key values are encrypted but not the keys.

   Important

   By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Red Hat recommends that you enable etcd encryption only if you specifically require it for your use case.

   16

   The output includes a custom command that you can run to create another cluster with the same configuration.

   As an alternative to using the --interactive mode, you can specify the customization options directly when you run the rosa create cluster command. Run the rosa create cluster --help command to view a list of available CLI options, or see create cluster in Managing objects with the ROSA CLI.

   Important

   You must complete the following steps to create the Operator IAM roles and the OpenID Connect (OIDC) provider to move the state of the cluster to ready.

4. Create the cluster-specific Operator IAM roles:

   1. Generate the Operator IAM policy JSON files in the current working directory and output the aws CLI commands for review:

      $ rosa create operator-roles --mode manual --cluster <cluster_name|cluster_id> 1

      1

      manual mode generates the aws CLI commands and JSON files needed to create the Operator roles. After review, you must run the commands manually to create the resources.

   2. After review, run the aws commands manually to create the Operator IAM roles and attach the managed Operator policies to them. Alternatively, you can run the preceding command again using --mode auto to run the aws commands immediately.

      Note

      A custom prefix is applied to the Operator role names if you specified the prefix in the preceding step.

      If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected and applied to the Operator roles.

      Important

      The EBS Operator role is required in addition to the account roles to successfully create your cluster.

      This role must be attached with the ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credentials policy, an IAM policy required by ROSA to manage back-end storage through the Container Storage Interface (CSI).

      For more information about the policies and permissions that the cluster Operators require, see Methods of account-wide role creation. .Example EBS Operator role "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"

      After you create your Operator roles, you must edit the Key Policy in the Key Management Service (KMS) page of the AWS Console to add the roles.

5. Create the OpenID Connect (OIDC) provider that the cluster Operators use to authenticate:

   $ rosa create oidc-provider --mode auto --cluster <cluster_name|cluster_id> 1

   1

   auto mode immediately runs the aws CLI command that creates the OIDC provider.

6. Check the status of your cluster:

   $ rosa describe cluster --cluster <cluster_name|cluster_id>

   Example output

   Name:                       <cluster_name>
   ID:                         <cluster_id>
   External ID:                <external_id>
   OpenShift Version:          <version>
   Channel Group:              stable
   DNS:                        <cluster_name>.xxxx.p1.openshiftapps.com
   AWS Account:                <aws_account_id>
   API URL:                    https://api.<cluster_name>.xxxx.p1.openshiftapps.com:6443
   Console URL:                https://console-openshift-console.apps.<cluster_name>.xxxx.p1.openshiftapps.com
   Region:                     <aws_region>
   Multi-AZ:                   false
   Nodes:
    - Master:                  3
    - Infra:                   2
    - Compute:                 2
   Network:
    - Service CIDR:            172.30.0.0/16
    - Machine CIDR:            10.0.0.0/16
    - Pod CIDR:                10.128.0.0/14
    - Host Prefix:             /23
   STS Role ARN:               arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role
   Support Role ARN:           arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role
   Instance IAM Roles:
    - Master:                  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role
    - Worker:                  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role
   Operator IAM Roles:
    - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-ingress-operator-cloud-credentials
    - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent
    - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-machine-api-aws-cloud-credentials
    - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cloud-credential-operator-cloud-crede
    - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-image-registry-installer-cloud-creden
   Ec2 Metadata Http Tokens:   optional
   State:                      ready
   Private:                    No
   Created:                    Oct  1 2021 08:12:25 UTC
   Details Page:               https://console.redhat.com/openshift/details/s/<subscription_id>
   OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/<cluster_id>|<oidc_config_id> \ 1

   1. The endpoint URL depends on the BYO OIDC configuration. If you are pre-creating the OIDC configuration, the URL ends with the <oidc_config_id> value; otherwise, the URL ends with the <cluster-ID> value.

   The following State field changes are listed in the output as the cluster installation progresses:

   • waiting (Waiting for OIDC configuration)
   • pending (Preparing account)
   • installing (DNS setup in progress)
   • installing

   • ready

     Note

     If the installation fails or the State field does not change to ready after about 40 minutes, check the installation troubleshooting documentation for details. For more information, see Troubleshooting installations. For steps to contact Red Hat Support for assistance, see Getting support for Red Hat OpenShift Service on AWS.

7. Track the progress of the cluster creation by watching the OpenShift installer logs:

   $ rosa logs install --cluster <cluster_name|cluster_id> --watch 1

   1 1

   Specify the --watch flag to watch for new log messages as the installation progresses. This argument is optional.

Procedure

1. Enter the following command to revoke the dedicated-admin access of a user:

   $ rosa revoke user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>

2. Enter the following command to verify that your user no longer has dedicated-admin access. The output does not list the revoked user.

   $ oc get groups dedicated-admins

Procedure

1. Enter the following command to revoke the cluster-admin access of a user:

   $ rosa revoke user cluster-admins --user=myusername --cluster=mycluster

2. Enter the following command to verify that the user no longer has cluster-admin access. The output does not list the revoked user.

   $ oc get groups cluster-admins

Procedure

1. Delete the account-wide roles:

   1. List the account-wide roles in your AWS account by using the ROSA CLI (rosa):

      $ rosa list account-roles

      Example output

      I: Fetching account roles
      ROLE NAME                           ROLE TYPE      ROLE ARN                                                           OPENSHIFT VERSION
      ManagedOpenShift-ControlPlane-Role  Control plane  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role  4.10
      ManagedOpenShift-Installer-Role     Installer      arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role     4.10
      ManagedOpenShift-Support-Role       Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role       4.10
      ManagedOpenShift-Worker-Role        Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role        4.10

1. Delete the account-wide roles:

   $ rosa delete account-roles --prefix <prefix> --mode auto 1

   1

   You must include the --<prefix> argument. Replace <prefix> with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, ManagedOpenShift.

   Important

   The account-wide IAM roles might be used by other ROSA clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

   Example output

   W: There are no classic account roles to be deleted
   I: Deleting hosted CP account roles
   ? Delete the account role 'delete-rosa-HCP-ROSA-Installer-Role'? Yes
   I: Deleting account role 'delete-rosa-HCP-ROSA-Installer-Role'
   ? Delete the account role 'delete-rosa-HCP-ROSA-Support-Role'? Yes
   I: Deleting account role 'delete-rosa-HCP-ROSA-Support-Role'
   ? Delete the account role 'delete-rosa-HCP-ROSA-Worker-Role'? Yes
   I: Deleting account role 'delete-rosa-HCP-ROSA-Worker-Role'
   I: Successfully deleted the hosted CP account roles

   1. Delete the account-wide in-line and Operator policies:

2. Under the Policies page in the AWS IAM Console, filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.

   Note

   If you did not specify a custom prefix when you created the account-wide roles, search for the default prefix, ManagedOpenShift.

3. Delete the account-wide in-line policies and Operator policies by using the AWS IAM Console. For more information about deleting IAM policies by using the AWS IAM Console, see Deleting IAM policies in the AWS documentation.

   Important

   The account-wide in-line and Operator IAM policies might be used by other ROSA clusters ROSA with HCP in the same AWS account. Only remove the roles if they are not required by other clusters.

Procedure

1. Unlink the OpenShift Cluster Manager IAM role from your Red Hat organization and delete the role:

   1. List the OpenShift Cluster Manager IAM roles in your AWS account:

      $ rosa list ocm-roles

      Example output

      I: Fetching ocm roles
      ROLE NAME                                                     ROLE ARN                                                                                         LINKED  ADMIN  AWS Managed
      ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>  Yes      Yes     Yes

   2. If your OpenShift Cluster Manager IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization by running the following command:

      $ rosa unlink ocm-role --role-arn <arn> 1

      1

      Replace <arn> with the Amazon Resource Name (ARN) for your OpenShift Cluster Manager IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>.

      Example output

      I: Unlinking OCM role
      ? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role from organization '<red_hat_organization_id>'? Yes
      I: Successfully unlinked role-arn 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' from organization account '<red_hat_organization_id>'

   3. Delete the OpenShift Cluster Manager IAM role and policies:

      $ rosa delete ocm-role --role-arn <arn>

      Example output

      I: Deleting OCM role
      ? OCM Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>
      ? Delete 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' ocm role? Yes
      ? OCM role deletion mode: auto 1
      I: Successfully deleted the OCM role

      1

      Specifies the deletion mode. You can use auto mode to automatically delete the OpenShift Cluster Manager IAM role and policies. In manual mode, the ROSA CLI generates the aws commands needed to delete the role and policies. manual mode enables you to review the details before running the aws commands manually.

2. Unlink the user IAM role from your Red Hat organization and delete the role:

   1. List the user IAM roles in your AWS account:

      $ rosa list user-roles

      Example output

      I: Fetching user roles
      ROLE NAME                                  ROLE ARN                                                                  LINKED
      ManagedOpenShift-User-<ocm_user_name>-Role  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role  Yes

   2. If your user IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization:

      $ rosa unlink user-role --role-arn <arn> 1

      1

      Replace <arn> with the Amazon Resource Name (ARN) for your user IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role.

      Example output

      I: Unlinking user role
      ? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the current account '<ocm_user_account_id>'? Yes
      I: Successfully unlinked role ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' from account '<ocm_user_account_id>'

   3. Delete the user IAM role:

      $ rosa delete user-role --role-arn <arn>

      Example output

      I: Deleting user role
      ? User Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role
      ? Delete the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the AWS account? Yes
      ? User role deletion mode: auto 1
      I: Successfully deleted the user role

      1

      Specifies the deletion mode. You can use auto mode to automatically delete the user IAM role. In manual mode, the ROSA CLI generates the aws command needed to delete the role. manual mode enables you to review the details before running the aws command manually.

Procedure

1. If you, as the customer, are utilizing AWS Organizations, then you must use an AWS account within your organization or create a new one.
2. To ensure that Red Hat can perform necessary actions, you must either create a service control policy (SCP) or ensure that none is applied to the AWS account.
3. Attach the SCP to the AWS account.
4. Follow the ROSA procedures for setting up the environment.

1. Perform the AWS prerequisites. To deploy a ROSA cluster, your AWS account must meet the prerequisite requirements.
2. Review the required AWS service quotas. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster.
3. Configure your AWS account. Before you create a ROSA cluster, you must enable ROSA in your AWS account, install and configure the AWS CLI (aws) tool, and verify the AWS CLI tool configuration.
4. Install the ROSA and OpenShift CLI tools and verify the AWS servce quotas. Install and configure the ROSA CLI (rosa) and the OpenShift CLI (oc). You can verify if the required AWS resource quotas are available by using the ROSA CLI.
5. Create a ROSA cluster or Create a ROSA cluster using AWS PrivateLink. Use the ROSA CLI (rosa) to create a cluster. You can optionally create a ROSA cluster with AWS PrivateLink.
6. Access a cluster. You can configure an identity provider and grant cluster administrator privileges to the identity provider users as required. You can also access a newly deployed cluster quickly by configuring a cluster-admin user.
7. Revoke access to a ROSA cluster for a user. You can revoke access to a ROSA cluster from a user by using the ROSA CLI or the web console.
8. Delete a ROSA cluster. You can delete a ROSA cluster by using the ROSA CLI (rosa).

Procedure

1. Log in to the Amazon Web Services (AWS) account that you want to use.

   A dedicated AWS account is recommended to run production clusters. If you are using AWS Organizations, you can use an AWS account within your organization or create a new one.

   If you are using AWS Organizations and you need to have a service control policy (SCP) applied to the AWS account you plan to use, see AWS Prerequisites for details on the minimum required SCP.

   As part of the cluster creation process, rosa establishes an osdCcsAdmin IAM user. This user uses the IAM credentials you provide when configuring the AWS CLI.

   Note

   This user has Programmatic access enabled and the AdministratorAccess policy attached to it.

2. Enable the ROSA service in the AWS Console.

   1. Sign in to your AWS account.
   2. To enable ROSA, go to the ROSA service and select Enable OpenShift.

3. Install and configure the AWS CLI.

   1. Follow the AWS command-line interface documentation to install and configure the AWS CLI for your operating system.

      Specify the correct aws_access_key_id and aws_secret_access_key in the .aws/credentials file. See AWS Configuration basics in the AWS documentation.

   2. Set a default AWS region.

      Note

      It is recommended to set the default AWS region by using the environment variable.

      The ROSA service evaluates regions in the following priority order:

      1. The region specified when running the rosa command with the --region flag.
      2. The region set in the AWS_DEFAULT_REGION environment variable. See Environment variables to configure the AWS CLI in the AWS documentation.
      3. The default region set in your AWS configuration file. See Quick configuration with aws configure in the AWS documentation.

   3. Optional: Configure your AWS CLI settings and credentials by using an AWS named profile. rosa evaluates AWS named profiles in the following priority order:

      1. The profile specified when running the rosa command with the --profile flag.
      2. The profile set in the AWS_PROFILE environment variable. See Named profiles in the AWS documentation.

   4. Verify the AWS CLI is installed and configured correctly by running the following command to query the AWS API:

      $ aws sts get-caller-identity --output text

      Example output

      <aws_account_id>    arn:aws:iam::<aws_account_id>:user/<username>  <aws_user_id>

      After completing these steps, install ROSA.

Procedure

1. Install rosa, the Red Hat OpenShift Service on AWS command-line interface (CLI).

   1. Download the latest release of the ROSA CLI for your operating system.
   2. Optional: Rename the executable file you downloaded to rosa. This documentation uses rosa to refer to the executable file.

   3. Optional: Add rosa to your path.

      Example

      $ mv rosa /usr/local/bin/rosa

   4. Enter the following command to verify your installation:

      $ rosa

      Example output

      Command line tool for Red Hat OpenShift Service on AWS.
      For further documentation visit https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws
      
      Usage:
        rosa [command]
      
      Available Commands:
        completion  Generates completion scripts
        create      Create a resource from stdin
        delete      Delete a specific resource
        describe    Show details of a specific resource
        download    Download necessary tools for using your cluster
        edit        Edit a specific resource
        grant       Grant role to a specific resource
        help        Help about any command
        init        Applies templates to support Red Hat OpenShift Service on AWS
        install     Installs a resource into a cluster
        link        Link a ocm/user role from stdin
        list        List all resources of a specific type
        login       Log in to your Red Hat account
        logout      Log out
        logs        Show installation or uninstallation logs for a cluster
        revoke      Revoke role from a specific resource
        uninstall   Uninstalls a resource from a cluster
        unlink      UnLink a ocm/user role from stdin
        upgrade     Upgrade a resource
        verify      Verify resources are configured correctly for cluster install
        version     Prints the version of the tool
        whoami      Displays user account information
      
      Flags:
            --color string   Surround certain characters with escape sequences to display them in color on the terminal. Allowed options are [auto never always] (default "auto")
            --debug          Enable debug mode.
        -h, --help           help for rosa
      
      Use "rosa [command] --help" for more information about a command.

   5. Optional: Generate the command completion scripts for the ROSA CLI. The following example generates the Bash completion scripts for a Linux machine:

      $ rosa completion bash | sudo tee /etc/bash_completion.d/rosa

   6. Optional: Enable command completion for the ROSA CLI from your existing terminal. The following example enables Bash completion for rosa in an existing terminal on a Linux machine:

      $ source /etc/bash_completion.d/rosa

2. Log in to your Red Hat account with rosa.

   1. Enter the following command.

      $ rosa login

   2. Replace <my_offline_access_token> with your token.

      Example output

      To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
      ? Copy the token and paste it here: <my-offline-access-token>

      Example output continued

      I: Logged in as 'rh-rosa-user' on 'https://api.openshift.com'

3. Enter the following command to verify that your AWS account has the necessary permissions.

   $ rosa verify permissions

   Example output

   I: Validating SCP policies...
   I: AWS SCP policies ok

   Note

   This command verifies permissions only for ROSA clusters that do not use the AWS Security Token Service (STS).

4. Verify that your AWS account has the necessary quota to deploy an Red Hat OpenShift Service on AWS cluster.

   $ rosa verify quota --region=us-west-2

   Example output

   I: Validating AWS quota...
   I: AWS quota ok

   Note

   Sometimes your AWS quota varies by region. If you receive any errors, try a different region.

   If you need to increase your quota, go to your AWS console, and request a quota increase for the service that failed.

   After both the permissions and quota checks pass, proceed to the next step.

5. Prepare your AWS account for cluster deployment:

   1. Run the following command to verify your Red Hat and AWS credentials are setup correctly. Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with OCM for now.

      $ rosa whoami

      Example output

      AWS Account ID:               000000000000
      AWS Default Region:           us-east-2
      AWS ARN:                      arn:aws:iam::000000000000:user/hello
      OCM API:                      https://api.openshift.com
      OCM Account ID:               1DzGIdIhqEWyt8UUXQhSoWaaaaa
      OCM Account Name:             Your Name
      OCM Account Username:         you@domain.com
      OCM Account Email:            you@domain.com
      OCM Organization ID:          1HopHfA2hcmhup5gCr2uH5aaaaa
      OCM Organization Name:        Red Hat
      OCM Organization External ID: 0000000

   2. Initialize your AWS account. This step runs a CloudFormation template that prepares your AWS account for cluster deployment and management. This step typically takes 1-2 minutes to complete.

      $ rosa init

      Example output

      I: Logged in as 'rh-rosa-user' on 'https://api.openshift.com'
      I: Validating AWS credentials...
      I: AWS credentials are valid!
      I: Validating SCP policies...
      I: AWS SCP policies ok
      I: Validating AWS quota...
      I: AWS quota ok
      I: Ensuring cluster administrator user 'osdCcsAdmin'...
      I: Admin user 'osdCcsAdmin' created successfully!
      I: Verifying whether OpenShift command-line tool is available...
      E: OpenShift command-line tool is not installed.
      Run 'rosa download oc' to download the latest version, then add it to your PATH.

6. Install the OpenShift CLI (oc) from the ROSA CLI.

   1. Enter this command to download the latest version of the oc CLI:

      $ rosa download oc

   2. After downloading the oc CLI, unzip it and add it to your path.

   3. Enter this command to verify that the oc CLI is installed correctly:

      $ rosa verify oc

Procedure

1. You can create a cluster using the default settings or by specifying custom settings using the interactive mode. To view other options when creating a cluster, enter the rosa create cluster --help command.

   Creating a cluster can take up to 40 minutes.

   Note

   Multiple availability zones (AZ) are recommended for production workloads. The default is a single availability zone. Use --help for an example of how to set this option manually or use interactive mode to be prompted for this setting.

   • To create your cluster with the default cluster settings:

     $ rosa create cluster --cluster-name=<cluster_name>

     Example output

     I: Creating cluster with identifier '1de87g7c30g75qechgh7l5b2bha6r04e' and name 'rh-rosa-test-cluster1'
     I: To view list of clusters and their status, run `rosa list clusters`
     I: Cluster 'rh-rosa-test-cluster1' has been created.
     I: Once the cluster is 'Ready' you will need to add an Identity Provider and define the list of cluster administrators. See `rosa create idp --help` and `rosa create user --help` for more information.
     I: To determine when your cluster is Ready, run `rosa describe cluster rh-rosa-test-cluster1`.

   • To create a cluster using interactive prompts:

     $ rosa create cluster --interactive

   • To configure your networking IP ranges, you can use the following default ranges. For more information when using manual mode, use the rosa create cluster --help | grep cidr command. In interactive mode, you are prompted for the settings.

     • Node CIDR: 10.0.0.0/16
     • Service CIDR: 172.30.0.0/16
     • Pod CIDR: 10.128.0.0/14

2. Enter the following command to check the status of your cluster. During cluster creation, the State field from the output will transition from pending to installing, and finally to ready.

   $ rosa describe cluster --cluster=<cluster_name>

   Example output

   Name: rh-rosa-test-cluster1
   OpenShift Version: 4.6.8
   DNS: *.example.com
   ID: uniqueidnumber
   External ID: uniqueexternalidnumber
   AWS Account: 123456789101
   API URL: https://api.rh-rosa-test-cluster1.example.org:6443
   Console URL: https://console-openshift-console.apps.rh-rosa-test-cluster1.example.or
   Nodes: Master: 3, Infra: 2, Compute: 2
   Region: us-west-2
   Multi-AZ: false
   State: ready
   Channel Group: stable
   Private: No
   Created: Jan 15 2021 16:30:55 UTC
   Details Page: https://console.redhat.com/examplename/details/idnumber

   Note

   If installation fails or the State field does not change to ready after 40 minutes, check the installation troubleshooting documentation for more details.

3. Track the progress of the cluster creation by watching the OpenShift installer logs:

   $ rosa logs install --cluster=<cluster_name> --watch

Procedure

1. Enter the following command to revoke the dedicated-admin access of a user:

   $ rosa revoke user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>

2. Enter the following command to verify that your user no longer has dedicated-admin access. The output does not list the revoked user.

   $ oc get groups dedicated-admins

Procedure

1. Enter the following command to revoke the cluster-admin access of a user:

   $ rosa revoke user cluster-admins --user=myusername --cluster=mycluster

2. Enter the following command to verify that the user no longer has cluster-admin access. The output does not list the revoked user.

   $ oc get groups cluster-admins

Procedure

1. Obtain the cluster ID, the Amazon Resource Names (ARNs) for the cluster-specific Operator roles and the endpoint URL for the OIDC provider:

   $ rosa describe cluster --cluster=<cluster_name> 1

   1

   Replace <cluster_name> with the name of your cluster.

   Example output

   Name:                       mycluster
   ID:                         1s3v4x39lhs8sm49m90mi0822o34544a 1
   ...
   Operator IAM Roles: 2
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-machine-api-aws-cloud-credentials
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-cloud-credential-operator-cloud-crede
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-image-registry-installer-cloud-creden
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-ingress-operator-cloud-credentials
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-cluster-csi-drivers-ebs-cloud-credent
    - arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-cloud-network-config-controller-cloud
   State:                      ready
   Private:                    No
   Created:                    May 13 2022 11:26:15 UTC
   Details Page:               https://console.redhat.com/openshift/details/s/296kyEFwzoy1CREQicFRdZybrc0
   OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/<oidc_config_id> 3

   1

   Lists the cluster ID.

   2

   Specifies the ARNs for the cluster-specific Operator roles. For example, in the sample output the ARN for the role required by the Machine Config Operator is arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-machine-api-aws-cloud-credentials.

   3

   Displays the endpoint URL for the cluster-specific OIDC provider.

   Important

   You require the cluster ID to delete the cluster-specific STS resources using the ROSA CLI (rosa) after the cluster is deleted.

2. Delete the cluster:

   • To delete the cluster by using Red Hat OpenShift Cluster Manager:

     1. Navigate to OpenShift Cluster Manager.
     2. Click the Options menu next to your cluster and select Delete cluster.
     3. Type the name of your cluster at the prompt and click Delete.

   • To delete the cluster using the ROSA CLI (rosa):

     1. Enter the following command to delete the cluster and watch the logs, replacing <cluster_name> with the name or ID of your cluster:

        $ rosa delete cluster --cluster=<cluster_name> --watch

        Important

        You must wait for the cluster deletion to complete before you remove the Operator roles and the OIDC provider. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.

3. Delete the OIDC provider that the cluster Operators use to authenticate:

   $ rosa delete oidc-provider -c <cluster_id> --mode auto 1

   1

   Replace <cluster_id> with the ID of the cluster.

   Note

   You can use the -y option to automatically answer yes to the prompts.

4. Optional. Delete the cluster-specific Operator IAM roles:

   Important

   The account-wide IAM roles can be used by other ROSA clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

   $ rosa delete operator-roles -c <cluster_id> --mode auto 1

   1

   Replace <cluster_id> with the ID of the cluster.