Chapter 8. ROSA CLI
8.1. Getting started with the ROSA CLI
8.1.1. About the ROSA CLI
Use the Red Hat OpenShift Service on AWS (ROSA) command-line interface (CLI), the rosa
command, to create, update, manage, and delete ROSA clusters and resources.
8.1.2. Setting up the ROSA CLI
Use the following steps to install and configure the ROSA CLI (rosa
) on your installation host.
Procedure
Install and configure the latest AWS CLI (
aws
).Follow the AWS Command Line Interface documentation to install and configure the AWS CLI for your operating system.
Specify your
aws_access_key_id
,aws_secret_access_key
, andregion
in the.aws/credentials
file. See AWS Configuration basics in the AWS documentation.NoteYou can optionally use the
AWS_DEFAULT_REGION
environment variable to set the default AWS region.Query the AWS API to verify if the AWS CLI is installed and configured correctly:
$ aws sts get-caller-identity --output text
Example output
<aws_account_id> arn:aws:iam::<aws_account_id>:user/<username> <aws_user_id>
-
Download the latest version of the ROSA CLI (
rosa
) for your operating system from the Downloads page on OpenShift Cluster Manager. Extract the
rosa
binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:$ tar xvf rosa-linux.tar.gz
Add
rosa
to your path. In the following example, the/usr/local/bin
directory is included in the path of the user:$ sudo mv rosa /usr/local/bin/rosa
Verify if the ROSA CLI is installed correctly by querying the
rosa
version:$ rosa version
Example output
1.2.15 Your ROSA CLI is up to date.
Optional: Enable tab completion for the ROSA CLI. With tab completion enabled, you can press the
Tab
key twice to automatically complete subcommands and receive command suggestions:To enable persistent tab completion for Bash on a Linux host:
Generate a
rosa
tab completion configuration file for Bash and save it to your/etc/bash_completion.d/
directory:# rosa completion bash > /etc/bash_completion.d/rosa
- Open a new terminal to activate the configuration.
To enable persistent tab completion for Bash on a macOS host:
Generate a
rosa
tab completion configuration file for Bash and save it to your/usr/local/etc/bash_completion.d/
directory:$ rosa completion bash > /usr/local/etc/bash_completion.d/rosa
- Open a new terminal to activate the configuration.
To enable persistent tab completion for Zsh:
If tab completion is not enabled for your Zsh environment, enable it by running the following command:
$ echo "autoload -U compinit; compinit" >> ~/.zshrc
Generate a
rosa
tab completion configuration file for Zsh and save it to the first directory in your functions path:$ rosa completion zsh > "${fpath[1]}/_rosa"
- Open a new terminal to activate the configuration.
To enable persistent tab completion for fish:
Generate a
rosa
tab completion configuration file for fish and save it to your~/.config/fish/completions/
directory:$ rosa completion fish > ~/.config/fish/completions/rosa.fish
- Open a new terminal to activate the configuration.
To enable persistent tab completion for PowerShell:
Generate a
rosa
tab completion configuration file for PowerShell and save it to a file namedrosa.ps1
:PS> rosa completion powershell | Out-String | Invoke-Expression
-
Source the
rosa.ps1
file from your PowerShell profile.
NoteFor more information about configuring
rosa
tab completion, see the help menu by running therosa completion --help
command.
8.1.3. Configuring the ROSA CLI
Use the following commands to configure the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
.
8.1.3.1. login
Log in to your Red Hat account, saving the credentials to the rosa
configuration file. You must provide a token when logging in. You can copy your token from the ROSA token page.
The ROSA CLI (rosa
) looks for a token in the following priority order:
- Command-line arguments
-
The
ROSA_TOKEN
environment variable -
The
rosa
configuration file - Interactively from a command-line prompt
Syntax
$ rosa login [arguments]
Option | Definition |
---|---|
--client-id |
The OpenID client identifier (string). Default: |
--client-secret | The OpenID client secret (string). |
--insecure | Enables insecure communication with the server. This disables verification of TLS certificates and host names. |
--scope |
The OpenID scope (string). If this option is used, it replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: |
--token | Accesses or refreshes the token (string). |
--token-url |
The OpenID token URL (string). Default: |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.1.3.2. logout
Log out of rosa
. Logging out also removes the rosa
configuration file.
Syntax
$ rosa logout [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.1.3.3. verify permissions
Verify that the AWS permissions required to create a ROSA cluster are configured correctly:
Syntax
$ rosa verify permissions [arguments]
This command verifies permissions only for clusters that do not use the AWS Security Token Service (STS).
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--region |
The AWS region (string) in which to run the command. This value overrides the |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Verify that the AWS permissions are configured correctly:
$ rosa verify permissions
Verify that the AWS permissions are configured correctly in a specific region:
$ rosa verify permissions --region=us-west-2
8.1.3.4. verify quota
Verifies that AWS quotas are configured correctly for your default region.
Syntax
$ rosa verify quota [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--region |
The AWS region (string) in which to run the command. This value overrides the |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Verify that the AWS quotas are configured correctly for the default region:
$ rosa verify quota
Verify that the AWS quotas are configured correctly in a specific region:
$ rosa verify quota --region=us-west-2
8.1.3.5. download rosa
Download the latest compatible version of the rosa
CLI.
After you download rosa
, extract the contents of the archive and add it to your path.
Syntax
$ rosa download rosa [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
8.1.3.6. download oc
Download the latest compatible version of the OpenShift Container Platform CLI (oc
).
After you download oc
, you must extract the contents of the archive and add it to your path.
Syntax
$ rosa download oc [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
Example
Download oc
client tools:
$ rosa download oc
8.1.3.7. verify oc
Verifies that the OpenShift Container Platform CLI (oc
) is installed correctly.
Syntax
$ rosa verify oc [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
Example
Verify oc
client tools:
$ rosa verify oc
Additional resources
8.1.4. Initializing ROSA
Use the init
command to initialize Red Hat OpenShift Service on AWS (ROSA) only if you are using non-STS.
8.1.4.1. init
Perform a series of checks to verify that you are ready to deploy a ROSA cluster.
The list of checks includes the following:
-
Checks to see that you have logged in (see
login
) - Checks that your AWS credentials are valid
-
Checks that your AWS permissions are valid (see
verify permissions
) -
Checks that your AWS quota levels are high enough (see
verify quota
) - Runs a cluster simulation to ensure cluster creation will perform as expected
-
Checks that the
osdCcsAdmin
user has been created in your AWS account - Checks that the OpenShift Container Platform command-line tool is available on your system
Syntax
$ rosa init [arguments]
Option | Definition |
---|---|
--region |
The AWS region (string) in which to verify quota and permissions. This value overrides the |
--delete |
Deletes the stack template that is applied to your AWS account during the |
--client-id |
The OpenID client identifier (string). Default: |
--client-secret | The OpenID client secret (string). |
--insecure | Enables insecure communication with the server. This disables verification of TLS certificates and host names. |
--scope |
The OpenID scope (string). If this option is used, it completely replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: |
--token | Accesses or refreshes the token (string). |
--token-url |
The OpenID token URL (string). Default: |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Configure your AWS account to allow ROSA clusters:
$ rosa init
Configure a new AWS account using pre-existing OpenShift Cluster Manager credentials:
$ rosa init --token=$OFFLINE_ACCESS_TOKEN
8.1.5. Using a Bash script
This is an example workflow of how to use a Bash script with the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
.
Prerequisites
Make sure that AWS credentials are available as one of the following options:
- AWS profile
-
Environment variables (
AWS_ACCESS_KEY_ID
,AWS_SECRET_ACCESS_KEY
)
Procedure
Initialize
rosa
using an Red Hat OpenShift Cluster Manager offline token from Red Hat:$ rosa init --token=<token>
Create the ROSA cluster:
$ rosa create cluster --cluster-name=<cluster_name>
Add an identity provider (IDP):
$ rosa create idp --cluster=<cluster_name> --type=<identity_provider> [arguments]
Add a
dedicated-admin
user:$ rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
8.1.6. Updating the ROSA CLI
Update to the latest compatible version of the ROSA CLI (rosa
).
Procedure
Confirm that a new version of the ROSA CLI (
rosa
) is available:$ rosa version
Example output
1.2.12 There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/
Download the latest compatible version of the ROSA CLI:
$ rosa download rosa
This command downloads an archive called
rosa-*.tar.gz
into the current directory. The exact name of the file depends on your operating system and system architecture.Extract the contents of the archive:
$ tar -xzf rosa-linux.tar.gz
Install the new version of the ROSA CLI by moving the extracted file into your path. In the following example, the
/usr/local/bin
directory is included in the path of the user:$ sudo mv rosa /usr/local/bin/rosa
Verification
Verify that the new version of ROSA is installed.
$ rosa version
Example output
1.2.15 Your ROSA CLI is up to date.
8.2. Managing objects with the ROSA CLI
Managing objects with the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
, such as adding dedicated-admin
users, managing clusters, and scheduling cluster upgrades.
To access a cluster that is accessible only over an HTTP proxy server, you can set the HTTP_PROXY
, HTTPS_PROXY
, and NO_PROXY
variables. These environment variables are respected by the rosa
CLI so that all communication with the cluster goes through the HTTP proxy.
8.2.1. Common commands and arguments
These common commands and arguments are available for the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
.
8.2.1.1. debug
Enables debug mode for the parent command to help with troubleshooting.
Example
$ rosa create cluster --cluster-name=<cluster_name> --debug
8.2.1.2. download
Downloads the latest compatible version of the specified software to the current directory in an archive file. Extract the contents of the archive and add the contents to your path to use the software. To download the latest ROSA CLI, specify rosa
. To download the latest OpenShift CLI, specify oc
.
Example
$ rosa download <software>
8.2.1.3. help
Displays general help information for the ROSA CLI (rosa
) and a list of available commands. This option can also be used as an argument to display help information for a parent command, such as version
or create
.
Examples
Displays general help for the ROSA CLI.
$ rosa --help
Displays general help for version
.
$ rosa version --help
8.2.1.4. interactive
Enables interactive mode.
Example
$ rosa create cluster --cluster-name=<cluster_name> --interactive
8.2.1.5. profile
Specifies an AWS profile from your credential file.
Example
$ rosa create cluster --cluster-name=<cluster_name> --profile=myAWSprofile
8.2.1.6. version
Displays the rosa
version and checks whether a newer version is available.
Example
$ rosa version [arguments]
Example output
Displayed when a newer version of the ROSA CLI is available.
1.2.12 There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/
8.2.2. Parent commands
The Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
, uses parent commands with child commands to manage objects. The parent commands are create
, edit
, delete
, list
, and describe
. Not all parent commands can be used with all child commands. For more information, see the specific reference topics that describes the child commands.
8.2.2.1. create
Creates an object or resource when paired with a child command.
Example
$ rosa create cluster --cluster-name=mycluster
8.2.2.2. edit
Edits options for an object, such as making a cluster private.
Example
$ rosa edit cluster --cluster=mycluster --private
8.2.2.3. delete
Deletes an object or resource when paired with a child command.
Example
$ rosa delete ingress --cluster=mycluster
8.2.2.4. list
Lists clusters or resources for a specific cluster.
Example
$ rosa list users --cluster=mycluster
8.2.2.5. describe
Shows the details for a cluster.
Example
$ rosa describe cluster --cluster=mycluster
8.2.3. Create objects
This section describes the create
commands for clusters and resources.
8.2.3.1. create account-roles
Create the required account-wide role and policy resources for your cluster.
Syntax
$ rosa create account-roles [flags]
Option | Definition |
---|---|
--debug | Enable debug mode. |
-i, --interactive | Enable interactive mode. |
-m, --mode string | How to perform the operation. Valid options are:
|
--path string | The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies. |
--permissions-boundary string | The ARN of the policy that is used to set the permissions boundary for the account roles. |
--prefix string |
User-defined prefix for all generated AWS resources. The default is |
--profile string | Use a specific AWS profile from your credential file. |
-y, --yes | Automatically answer yes to confirm operations. |
8.2.3.2. create admin
Create a cluster administrator with an automatically generated password that can log in to a cluster.
Syntax
$ rosa create admin --cluster=<cluster_name>|<cluster_id>
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> | Required. The name or ID (string) of the cluster to add to the identity provider (IDP). |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile string | Specifies an AWS profile from your credentials file. |
Example
Create a cluster administrator that can log in to a cluster named mycluster
.
$ rosa create admin --cluster=mycluster
8.2.3.3. create break glass credential
Create a break glass credential for a hosted control plane cluster with external authentication enabled.
Syntax
$ rosa create break-glass-credential --cluster=<cluster_name> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> | Required. The name or ID of the cluster to which the break glass credential will be added. |
--expiration | Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours. |
--username | Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--region |
Specifies an AWS region, overriding the |
--yes |
Automatically answers |
Examples
Add a break glass credential to a cluster named mycluster
.
Syntax
$ rosa create break-glass-credential --cluster=mycluster
Add a break glass credential to a cluster named mycluster
using the interactive mode.
Syntax
$ rosa create break-glass-credential --cluster=mycluster -i
8.2.3.4. create cluster
Create a new cluster.
Syntax
$ rosa create cluster --cluster-name=<cluster_name> [arguments]
Option | Definition |
---|---|
--additional-compute-security-group-ids <sec_group_id> | The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
--additional-infra-security-group-ids <sec_group_id> | The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
--additional-control-plane-security-group-ids <sec_group_id> | The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
--additional-allowed-principals <arn> | A comma-separated list of additional allowed principal ARNs to be added to the hosted control plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted. |
--cluster-name <cluster_name> |
Required. The name of the cluster. When used with the |
--compute-machine-type <instance_type> | The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, see AWS Instance types in ROSA service definition. |
--controlplane-iam-role <arn> | The ARN of the IAM role to attach to control plane instances. |
--create-cluster-admin |
Optional. As part of cluster creation, create a local administrator user ( |
--cluster-admin-user |
Optional. Specifies the user name of the cluster administrator user created when used in conjunction with the |
--cluster-admin-password |
Optional. Specifies the password of the cluster administrator user created when used in conjunction with the |
--disable-scp-checks | Indicates whether cloud permission checks are disabled when attempting to install a cluster. |
--dry-run | Simulates creating the cluster. |
--domain-prefix |
Optional: When used with the |
--ec2-metadata-http-tokens string |
Configures the use of IMDSv2 for EC2 instances. Valid values are |
--enable-autoscaling |
Enables autoscaling of compute nodes. By default, autoscaling is set to |
--etcd-encryption | Enables encryption of ETCD key-values on Red Hat OpenShift Service on AWS (classical architecture) clusters. |
--etcd-encryption-kms-arn | Enables encryption of ETCD storage using the customer-managed key managed in AWS Key Management Service. |
--host-prefix <subnet> |
The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to |
--machine-cidr <address_block> |
Block of IP addresses (ipNet) used by ROSA while installing the cluster, for example, Important
OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the |
--max-replicas <number_of_nodes> |
Specifies the maximum number of compute nodes when enabling autoscaling. Default: |
--min-replicas <number_of_nodes> |
Specifies the minimum number of compute nodes when enabling autoscaling. Default: |
--multi-az | Deploys to multiple data centers. |
--no-cni | Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation. |
--operator-roles-prefix <string> | Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one. |
--pod-cidr <address_block> |
Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example, Important
OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the |
--private | Restricts primary API endpoint and application routes to direct, private connectivity. |
--private-link |
Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The |
--region <region_name> |
The name of the AWS region where your worker pool will be located, for example, |
--replicas n |
The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default: |
--role-arn <arn> | The ARN of the installer role that OpenShift Cluster Manager uses to create the cluster. This is required if you have not already created account roles. |
--service-cidr <address_block> |
Block of IP addresses (ipNet) for services, for example, Important
OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the |
--sts | --non-sts | Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster. |
--subnet-ids <aws_subnet_id> |
The AWS subnet IDs that are used when installing the cluster, for example,
When using |
--support-role-arn string | The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support. |
--tags | Tags that are used on resources created by Red Hat OpenShift Service on AWS in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar". Important Red Hat OpenShift Service on AWS only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited. Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed. Red Hat OpenShift Service on AWS does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact. |
--version string |
The version of ROSA that will be used to install the cluster or cluster resources. For |
--worker-iam-role string | The ARN of the IAM role that will be attached to compute instances. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Create a cluster named mycluster
.
$ rosa create cluster --cluster-name=mycluster
Create a cluster with a specific AWS region.
$ rosa create cluster --cluster-name=mycluster --region=us-east-2
Create a cluster with autoscaling enabled on the default worker machine pool.
$ rosa create cluster --cluster-name=mycluster -region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5
8.2.3.5. create external-auth-provider
Add an external identity provider instead of the OpenShift OAuth2 server.
You can only use external authentication providers on ROSA with HCP clusters.
Syntax
$ rosa create external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--claim-mapping-groups-claim <string> | Required. Describes rules on how to transform information from an ID token into a cluster identity. |
--claim-validation-rule <strings> |
Rules that are applied to validate token claims to authenticate users. The input will be in a |
--claim-mapping-username-claim <string> | The name of the claim that should be used to construct user names for the cluster identity. |
--cluster <cluster_name>|<cluster_id> | Required. The name or ID of the cluster to which the IDP will be added. |
--console-client-id <string> | The identifier of the OIDC client from the OIDC provider for the OpenShift Cluster Manager web console. |
--console-client-secret <string> | The secret that is associated with the console application registration. |
--issuer-audiences <strings> | An array of audiences to check the incoming tokens against. Valid tokens must include at least one of these values in their audience claim. |
--issuer-ca-file <string> | The path to the PEM-encoded certificate file to use when making requests to the server. |
--issuer-url <string> | The serving URL of the token issuer. |
--name <string> | A name that is used to refer to the external authentication provider. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile string from your credentials file. |
Examples
Add a Microsoft Entra ID identity provider to a cluster named mycluster
.
$ rosa create external-auth-provider --cluster=mycluster --name <provider_name> --issuer-audiences <audience_id> --issuer-url <issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claim groups
8.2.3.6. create idp
Add an identity provider (IDP) to define how users log in to a cluster.
Syntax
$ rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> | Required. The name or ID of the cluster to which the IDP will be added. |
--ca <path_to_file> |
The path to the PEM-encoded certificate file to use when making requests to the server, for example, |
--client-id | The client ID (string) from the registered application. |
--client-secret | The client secret (string) from the registered application. |
--mapping-method |
Specifies how new identities (string) are mapped to users when they log in. Default: |
--name | The name (string) for the identity provider. |
--type |
The type (string) of identity provider. Options: |
Option | Definition |
---|---|
--hostname | The optional domain (string) that are used with a hosted instance of GitHub Enterprise. |
--organizations | Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in. |
--teams |
Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is |
Option | Definition |
---|---|
--host-url |
The host URL (string) of a GitLab provider. Default: |
Option | Definition |
---|---|
--hosted-domain | Restricts users to a Google Apps domain (string). |
Option | Definition |
---|---|
--bind-dn | The domain name (string) to bind with during the search phase. |
--bind-password | The password (string) to bind with during the search phase. |
--email-attributes | The list (string) of attributes whose values should be used as the email address. |
--id-attributes |
The list (string) of attributes whose values should be used as the user ID. Default: |
--insecure | Does not make TLS connections to the server. |
--name-attributes |
The list (string) of attributes whose values should be used as the display name. Default: |
--url | An RFC 2255 URL (string) which specifies the LDAP search parameters that are used. |
--username-attributes |
The list (string) of attributes whose values should be used as the preferred username. Default: |
Option | Definition |
---|---|
--email-claims | The list (string) of claims that are used as the email address. |
--extra-scopes |
The list (string) of scopes to request, in addition to the |
--issuer-url | The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment. |
--name-claims | The list (string) of claims that are used as the display name. |
--username-claims | The list (string) of claims that are used as the preferred username when provisioning a user. |
--groups-claims | The list (string) of claims that are used as the groups names. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Add a GitHub identity provider to a cluster named mycluster
.
$ rosa create idp --type=github --cluster=mycluster
Add an identity provider following interactive prompts.
$ rosa create idp --cluster=mycluster --interactive
8.2.3.7. create ingress
Add an ingress endpoint to enable API access to the cluster.
Syntax
$ rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> | Required: The name or ID of the cluster to which the ingress will be added. |
--label-match | The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers. |
--private | Restricts application route to direct, private connectivity. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Add an internal ingress to a cluster named mycluster
.
$ rosa create ingress --private --cluster=mycluster
Add a public ingress to a cluster named mycluster
.
$ rosa create ingress --cluster=mycluster
Add an ingress with a route selector label match.
$ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz
8.2.3.8. create kubeletconfig
Create a custom KubeletConfig
object to allow custom configuration of nodes in a machine pool. For Red Hat OpenShift Service on AWS clusters, these settings are cluster-wide. For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, each machine pool can be configured differently.
Syntax
$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
Option | Definition |
---|---|
--pod-pids-limit <number> |
Required. The maximum number of PIDs for each node in the machine pool associated with the |
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster in which to create the |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-i, --interactive | Enable interactive mode. |
-h, --help | Shows help for this command. |
For more information about setting the PID limit for the cluster, see Configuring PID limits.
8.2.3.9. create machinepool
Add a machine pool to an existing cluster.
Syntax
$ rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]
Option | Definition |
---|---|
--additional-security-group-ids <sec_group_id> | The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
--cluster <cluster_name>|<cluster_id> | Required: The name or ID of the cluster to which the machine pool will be added. |
--disk-size | Set the disk volume size for the machine pool, in Gib or TiB. The default is 300 GiB. For ROSA (classic architecture) clusters version 4.13 or earlier, the minimum disk size is 128 GiB, and the maximum is 1 TiB. For cluster version 4.14 and later, the minimum is 128 GiB, and the maximum is 16 TiB. For ROSA with HCP clusters, the minimum disk size is 75 GiB, and the maximum is 16,384 GiB. |
--enable-autoscaling |
Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the |
--instance-type |
The instance type (string) that should be used. Default: |
--kubelet-configs <kubeletconfig_name> |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any |
--labels | The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis. |
--max-replicas | Specifies the maximum number of compute nodes when enabling autoscaling. |
--min-replicas | Specifies the minimum number of compute nodes when enabling autoscaling. |
--max-surge |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the
The default value is |
--max-unavailable |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the
The default value is |
--name | Required: The name (string) for the machine pool. |
--replicas | Required when autoscaling is not configured. The number (integer) of machines for this machine pool. |
--tags |
Apply user defined tags to all resources created by ROSA in AWS. Tags are comma separated, for example: |
--taints |
Taints for the machine pool. This string value should be formatted as a comma-separated list of |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Interactively add a machine pool to a cluster named mycluster
.
$ rosa create machinepool --cluster=mycluster --interactive
Add a machine pool that is named mp-1
to a cluster with autoscaling enabled.
$ rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1
Add a machine pool that is named mp-1
with 3 replicas of m5.xlarge
to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1
Add a machine pool (mp-1
) to a Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) cluster, configuring 6 replicas and the following upgrade behavior:
- Allow up to 2 excess nodes to be provisioned during an upgrade.
- Ensure that no more than 3 nodes are unavailable during an upgrade.
$ rosa create machinepool --cluster=mycluster --replicas=6 --name=mp-1 --max-surge=2 --max-unavailable=3
Add a machine pool with labels to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1
Add a machine pool with tags to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1
8.2.3.10. create network
Create a network that creates any necessary AWS resources through AWS CloudFormation templates. This helper command is intended to help create and configure a VPC for use with ROSA with HCP. This command also supports zero egress clusters.
Running this command creates resources within your AWS account.
For custom or advanced configuration, it is highly recommended to use the AWS CLI directly using the aws cloudformation
command or create a new custom template with the required configurations.
Syntax
$ rosa create network [flags]
Option | Definition |
---|---|
<template-name> |
Allows you to use a custom template. Templates must be in the template folder, structured as |
Default template YAML
AWSTemplateFormatVersion: '2010-09-09' Description: CloudFormation template to create a ROSA Quickstart default VPC. This CloudFormation template may not work with rosa CLI versions later than 1.2.47. Please ensure that you are using the compatible CLI version before deploying this template. Parameters: AvailabilityZoneCount: Type: Number Description: "Number of Availability Zones to use" Default: 1 MinValue: 1 MaxValue: 3 Region: Type: String Description: "AWS Region" Default: "us-west-2" Name: Type: String Description: "Name prefix for resources" VpcCidr: Type: String Description: CIDR block for the VPC Default: '10.0.0.0/16' Conditions: HasAZ1: !Equals [!Ref AvailabilityZoneCount, 1] HasAZ2: !Equals [!Ref AvailabilityZoneCount, 2] HasAZ3: !Equals [!Ref AvailabilityZoneCount, 3] One: Fn::Or: - Condition: HasAZ1 - Condition: HasAZ2 - Condition: HasAZ3 Two: Fn::Or: - Condition: HasAZ3 - Condition: HasAZ2 Resources: VPC: Type: AWS::EC2::VPC Properties: CidrBlock: !Ref VpcCidr EnableDnsSupport: true EnableDnsHostnames: true Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' S3VPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.s3" VpcEndpointType: Gateway RouteTableIds: - !Ref PublicRouteTable - !Ref PrivateRouteTable SubnetPublic1: Condition: One Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub "${Name}-Public-Subnet-1" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/elb' Value: '1' SubnetPrivate1: Condition: One Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [0, !GetAZs ''] MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub "${Name}-Private-Subnet-1" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/internal-elb' Value: '1' SubnetPublic2: Condition: Two Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [1, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub "${Name}-Public-Subnet-2" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/elb' Value: '1' SubnetPrivate2: Condition: Two Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [1, !GetAZs ''] MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub "${Name}-Private-Subnet-2" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/internal-elb' Value: '1' SubnetPublic3: Condition: HasAZ3 Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [2, !GetAZs ''] MapPublicIpOnLaunch: true Tags: - Key: Name Value: !Sub "${Name}-Public-Subnet-3" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/elb' Value: '1' SubnetPrivate3: Condition: HasAZ3 Type: AWS::EC2::Subnet Properties: VpcId: !Ref VPC CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, 8]] AvailabilityZone: !Select [2, !GetAZs ''] MapPublicIpOnLaunch: false Tags: - Key: Name Value: !Sub "${Name}-Private-Subnet-3" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' - Key: 'kubernetes.io/role/internal-elb' Value: '1' InternetGateway: Type: AWS::EC2::InternetGateway Properties: Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' AttachGateway: Type: AWS::EC2::VPCGatewayAttachment Properties: VpcId: !Ref VPC InternetGatewayId: !Ref InternetGateway ElasticIP1: Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' ElasticIP2: Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' ElasticIP3: Condition: HasAZ3 Type: AWS::EC2::EIP Properties: Domain: vpc Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' NATGateway1: Condition: One Type: 'AWS::EC2::NatGateway' Properties: AllocationId: !GetAtt ElasticIP1.AllocationId SubnetId: !Ref SubnetPublic1 Tags: - Key: Name Value: !Sub "${Name}-NAT-1" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' NATGateway2: Condition: Two Type: 'AWS::EC2::NatGateway' Properties: AllocationId: !GetAtt ElasticIP2.AllocationId SubnetId: !Ref SubnetPublic2 Tags: - Key: Name Value: !Sub "${Name}-NAT-2" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' NATGateway3: Condition: HasAZ3 Type: 'AWS::EC2::NatGateway' Properties: AllocationId: !GetAtt ElasticIP3.AllocationId SubnetId: !Ref SubnetPublic3 Tags: - Key: Name Value: !Sub "${Name}-NAT-3" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' PublicRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Ref Name - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' PublicRoute: Type: AWS::EC2::Route DependsOn: AttachGateway Properties: RouteTableId: !Ref PublicRouteTable DestinationCidrBlock: 0.0.0.0/0 GatewayId: !Ref InternetGateway PrivateRouteTable: Type: AWS::EC2::RouteTable Properties: VpcId: !Ref VPC Tags: - Key: Name Value: !Sub "${Name}-Private-Route-Table" - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' - Key: 'service' Value: 'ROSA' PrivateRoute: Type: AWS::EC2::Route Properties: RouteTableId: !Ref PrivateRouteTable DestinationCidrBlock: 0.0.0.0/0 NatGatewayId: !If - One - !Ref NATGateway1 - !If - Two - !Ref NATGateway2 - !If - HasAZ3 - !Ref NATGateway3 - !Ref "AWS::NoValue" PublicSubnetRouteTableAssociation1: Condition: One Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPublic1 RouteTableId: !Ref PublicRouteTable PublicSubnetRouteTableAssociation2: Condition: Two Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPublic2 RouteTableId: !Ref PublicRouteTable PublicSubnetRouteTableAssociation3: Condition: HasAZ3 Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPublic3 RouteTableId: !Ref PublicRouteTable PrivateSubnetRouteTableAssociation1: Condition: One Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPrivate1 RouteTableId: !Ref PrivateRouteTable PrivateSubnetRouteTableAssociation2: Condition: Two Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPrivate2 RouteTableId: !Ref PrivateRouteTable PrivateSubnetRouteTableAssociation3: Condition: HasAZ3 Type: AWS::EC2::SubnetRouteTableAssociation Properties: SubnetId: !Ref SubnetPrivate3 RouteTableId: !Ref PrivateRouteTable SecurityGroup: Type: AWS::EC2::SecurityGroup Properties: GroupDescription: "Authorize inbound VPC traffic" VpcId: !Ref VPC SecurityGroupIngress: - IpProtocol: -1 FromPort: 0 ToPort: 0 CidrIp: "10.0.0.0/16" SecurityGroupEgress: - IpProtocol: -1 FromPort: 0 ToPort: 0 CidrIp: 0.0.0.0/0 Tags: - Key: Name Value: !Ref Name - Key: 'service' Value: 'ROSA' - Key: 'rosa_managed_policies' Value: 'true' - Key: 'rosa_hcp_policies' Value: 'true' EC2VPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.ec2" PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup KMSVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.kms" PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup STSVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.sts" PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup EcrApiVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.ecr.api" PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup EcrDkrVPCEndpoint: Type: AWS::EC2::VPCEndpoint Properties: VpcId: !Ref VPC ServiceName: !Sub "com.amazonaws.${Region}.ecr.dkr" PrivateDnsEnabled: true VpcEndpointType: Interface SubnetIds: - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"] - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"] - !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"] SecurityGroupIds: - !Ref SecurityGroup Outputs: VPCId: Description: "VPC Id" Value: !Ref VPC Export: Name: !Sub "${Name}-VPCId" VPCEndpointId: Description: The ID of the VPC Endpoint Value: !Ref S3VPCEndpoint Export: Name: !Sub "${Name}-VPCEndpointId" PublicSubnets: Description: "Public Subnet Ids" Value: !Join [",", [!If [One, !Ref SubnetPublic1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPublic2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPublic3, !Ref "AWS::NoValue"]]] Export: Name: !Sub "${Name}-PublicSubnets" PrivateSubnets: Description: "Private Subnet Ids" Value: !Join [",", [!If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]]] Export: Name: !Sub "${Name}-PrivateSubnets" EIP1AllocationId: Description: Allocation ID for ElasticIP1 Value: !GetAtt ElasticIP1.AllocationId Export: Name: !Sub "${Name}-EIP1-AllocationId" EIP2AllocationId: Description: Allocation ID for ElasticIP2 Value: !GetAtt ElasticIP2.AllocationId Export: Name: !Sub "${Name}-EIP2-AllocationId" EIP3AllocationId: Condition: HasAZ3 Description: Allocation ID for ElasticIP3 Value: !GetAtt ElasticIP3.AllocationId Export: Name: !Sub "${Name}-EIP3-AllocationId" NatGatewayId: Description: The NAT Gateway IDs Value: !Join [",", [!If [One, !Ref NATGateway1, !Ref "AWS::NoValue"], !If [Two, !Ref NATGateway2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref NATGateway3, !Ref "AWS::NoValue"]]] Export: Name: !Sub "${Name}-NatGatewayId" InternetGatewayId: Description: The ID of the Internet Gateway Value: !Ref InternetGateway Export: Name: !Sub "${Name}-InternetGatewayId" PublicRouteTableId: Description: The ID of the public route table Value: !Ref PublicRouteTable Export: Name: !Sub "${Name}-PublicRouteTableId" PrivateRouteTableId: Description: The ID of the private route table Value: !Ref PrivateRouteTable Export: Name: !Sub "${Name}-PrivateRouteTableId" EC2VPCEndpointId: Description: The ID of the EC2 VPC Endpoint Value: !Ref EC2VPCEndpoint Export: Name: !Sub "${Name}-EC2VPCEndpointId" KMSVPCEndpointId: Description: The ID of the KMS VPC Endpoint Value: !Ref KMSVPCEndpoint Export: Name: !Sub "${Name}-KMSVPCEndpointId" STSVPCEndpointId: Description: The ID of the STS VPC Endpoint Value: !Ref STSVPCEndpoint Export: Name: !Sub "${Name}-STSVPCEndpointId" EcrApiVPCEndpointId: Description: The ID of the ECR API VPC Endpoint Value: !Ref EcrApiVPCEndpoint Export: Name: !Sub "${Name}-EcrApiVPCEndpointId" EcrDkrVPCEndpointId: Description: The ID of the ECR DKR VPC Endpoint Value: !Ref EcrDkrVPCEndpoint Export: Name: !Sub "${Name}-EcrDkrVPCEndpointId"
Option | Definition |
---|---|
--template-dir |
Allows you to specify the path to the template directory. Overrides the |
--param Name | Define the name of your network. A required parameter when using a custom template file. |
--param Region | Define the region of your network. A required parameter when using a custom template file. |
--param <various> |
Available parameters depend on the template. Use |
--mode=manual | Provides AWS commands to create the network stack. |
Example
Create a basic network with regular arguments and flags.
$ rosa create network rosa-quickstart-default-vpc --param Tags=key1=value1,key2=value2 --param Name=example-stack --param Region=us-west-2
8.2.3.11. create ocm-role
Create the required ocm-role resources for your cluster.
Syntax
$ rosa create ocm-role [flags]
Option | Definition |
---|---|
--admin | Enable admin capabilities for the role. |
--debug | Enable debug mode. |
-i, --interactive | Enable interactive mode. |
-m, --mode string | How to perform the operation. Valid options are:
|
--path string | The ARN path for the OCM role and policies. |
--permissions-boundary string | The ARN of the policy that is used to set the permissions boundary for the OCM role. |
--prefix string |
User-defined prefix for all generated AWS resources. The default is |
--profile string | Use a specific AWS profile from your credential file. |
-y, --yes | Automatically answer yes to confirm operation. |
For more information about the OCM role created with the rosa create ocm-role
command, see Account-wide IAM role and policy reference.
8.2.3.12. create user-role
Create the required user-role resources for your cluster.
Syntax
$ rosa create user-role [flags]
Option | Definition |
---|---|
--debug | Enable debug mode. |
-i, --interactive | Enable interactive mode. |
-m, --mode string | How to perform the operation. Valid options are:
|
--path string | The ARN path for the user role and policies. |
--permissions-boundary string | The ARN of the policy that is used to set the permissions boundary for the user role. |
--prefix string |
User-defined prefix for all generated AWS resources The default is |
--profile string | Use a specific AWS profile from your credential file. |
-y, --yes | Automatically answer yes to confirm operation. |
For more information about the user role created with the rosa create user-role
command, see Understanding AWS account association.
8.2.4. Additional resources
- See AWS Instance types for a list of supported instance types.
- See Account-wide IAM role and policy reference for a list of IAM roles needed for cluster creation.
- See Understanding AWS account association for more information about the OCM role and user role.
- See Additional custom security groups for information about security group requirements.
8.2.5. Edit objects
This section describes the edit
commands for clusters and resources.
8.2.5.1. edit cluster
Allows edits to an existing cluster.
Syntax
$ rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--additional-allowed-principals <arn> | A comma-separated list of additional allowed principal ARNs to be added to the Hosted Control Plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted. |
--cluster | Required: The name or ID (string) of the cluster to edit. |
--private | Restricts a primary API endpoint to direct, private connectivity. |
--enable-delete-protection=true | Enables the delete protection feature. |
--enable-delete-protection=false | Disables the delete protection feature. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Edit a cluster named mycluster
to make it private.
$ rosa edit cluster --cluster=mycluster --private
Edit all cluster options interactively on a cluster named mycluster
.
$ rosa edit cluster --cluster=mycluster --interactive
8.2.5.2. edit ingress
Edits the default application router for a cluster.
For information about editing non-default application routers, see Additional resources.
Syntax
$ rosa edit ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to which the ingress will be added. |
--cluster-routes-hostname | Components route hostname for OAuth, console, and download. |
--cluster-routes-tls-secret-ref | Components route TLS secret reference for OAuth, console, and download. |
--excluded-namespaces |
Excluded namespaces for ingress. Format is a comma-separated list |
--label-match | The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers. |
--lb-type |
Type of Load Balancer. Options are |
--namespace-ownership-policy |
Namespace Ownership Policy for ingress. Options are |
--private | Restricts the application route to direct, private connectivity. |
--route-selector | Route Selector for ingress. Format is a comma-separated list of key=value. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels, otherwise they are treated as exclusion label. |
--wildcard-policy |
Wildcard Policy for ingress. Options are |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Make an additional ingress with the ID a1b2
as a private connection on a cluster named mycluster
.
$ rosa edit ingress --private --cluster=mycluster a1b2
Update the router selectors for the additional ingress with the ID a1b2
on a cluster named mycluster
.
$ rosa edit ingress --label-match=foo=bar --cluster=mycluster a1b2
Update the default ingress using the sub-domain identifier apps
on a cluster named mycluster
.
$ rosa edit ingress --private=false --cluster=mycluster apps
Update the load balancer type of the apps2
ingress.
$ rosa edit ingress --lb-type=nlb --cluster=mycluster apps2
8.2.5.3. edit kubeletconfig
Edit a custom KubeletConfig
object in a machine pool.
Syntax
$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which the |
-i, --interactive | Enable interactive mode. |
--pod-pids-limit <number> |
Required. The maximum number of PIDs for each node in the machine pool associated with the |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-h, --help | Shows help for this command. |
For more information about setting the PID limit for the cluster, see Configuring PID limits.
8.2.5.4. edit machinepool
Allows edits to the machine pool in a cluster.
Syntax
$ rosa edit machinepool --cluster=<cluster_name_or_id> <machinepool_name> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to edit on which the additional machine pool will be edited. |
--enable-autoscaling |
Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the |
--labels | The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis. |
--kubelet-configs <kubeletconfig_name> |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any |
--max-replicas | Specifies the maximum number of compute nodes when enabling autoscaling. |
--min-replicas | Specifies the minimum number of compute nodes when enabling autoscaling. |
--max-surge |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the
The default value is |
--max-unavailable |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the
The default value is |
--node-drain-grace-period | Specifies the node drain grace period when upgrading or replacing the machine pool. (This is for ROSA with HCP clusters only.) |
--replicas | Required when autoscaling is not configured. The number (integer) of machines for this machine pool. |
--taints |
Taints for the machine pool. This string value should be formatted as a comma-separated list of |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Set 4 replicas on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --replicas=4 mp1
Enable autoscaling on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 mp1
Disable autoscaling on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --enable-autoscaling=false --replicas=3 mp1
Modify the autoscaling range on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --max-replicas=9 --cluster=mycluster mp1
On Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, edit the mp1
machine pool to add the following behavior during upgrades:
- Allow up to 2 excess nodes to be provisioned during an upgrade.
- Ensure that no more than 3 nodes are unavailable during an upgrade.
$ rosa edit machinepool --cluster=mycluster mp1 --max-surge=2 --max-unavailable=3
Associate a KubeletConfig
object with an existing high-pid-pool
machine pool on a ROSA with HCP cluster.
$ rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids high-pid-pool
8.2.6. Additional resources
- See Configuring the Ingress Controller for information regarding editing non-default application routers.
8.2.7. Delete objects
This section describes the delete
commands for clusters and resources.
8.2.7.1. delete admin
Deletes a cluster administrator from a specified cluster.
Syntax
$ rosa delete admin --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to add to the identity provider (IDP). |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Delete a cluster administrator from a cluster named mycluster
.
$ rosa delete admin --cluster=mycluster
8.2.7.2. delete cluster
Deletes a cluster.
Syntax
$ rosa delete cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to delete. |
--watch | Watches the cluster uninstallation logs. |
--best-effort |
Skips steps in the cluster destruction chain that are known to cause the cluster deletion process to fail. You should use this option with care and it is recommended that you manually check your AWS account for any resources that might be left over after using |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Examples
Delete a cluster named mycluster
.
$ rosa delete cluster --cluster=mycluster
8.2.7.3. delete external-auth-provider
Deletes an external authentication provider from a cluster.
Syntax
$ rosa delete external-auth-provider <name_of_external_auth_provider> --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required. The name or ID string of the cluster the external auth provider will be deleted from. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile string from your credentials file. |
--yes |
Automatically answers |
Example
Delete an identity provider named exauth-1
from a cluster named mycluster
.
$ rosa delete external-auth-provider exauth-1 --cluster=mycluster
8.2.7.4. delete idp
Deletes a specific identity provider (IDP) from a cluster.
Syntax
$ rosa delete idp --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster from which the IDP will be deleted. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Example
Delete an identity provider named github
from a cluster named mycluster
.
$ rosa delete idp github --cluster=mycluster
8.2.7.5. delete ingress
Deletes a non-default application router (ingress) from a cluster.
Syntax
$ rosa delete ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster from which the ingress will be deleted. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Examples
Delete an ingress with the ID a1b2
from a cluster named mycluster
.
$ rosa delete ingress --cluster=mycluster a1b2
Delete a secondary ingress with the subdomain name apps2
from a cluster named mycluster
.
$ rosa delete ingress --cluster=mycluster apps2
8.2.7.6. delete kubeletconfig
Delete a custom KubeletConfig
object from a cluster.
Syntax
$ rosa delete kubeletconfig --cluster=<cluster_name|cluster_id> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which you want to delete the |
-h, --help | Shows help for this command. |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-y, --yes |
Automatically answers |
8.2.7.7. delete machinepool
Deletes a machine pool from a cluster.
Syntax
$ rosa delete machinepool --cluster=<cluster_name> | <cluster_id> <machine_pool_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the machine pool will be deleted from. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--interactive | Enables interactive mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Example
Delete the machine pool with the ID mp-1
from a cluster named mycluster
.
$ rosa delete machinepool --cluster=mycluster mp-1
8.2.8. Install and uninstall add-ons
This section describes how to install and uninstall Red Hat managed service add-ons to a cluster.
8.2.8.1. install addon
Installs a managed service add-on on a cluster.
Syntax
$ rosa install addon --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster where the add-on will be installed. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Uses a specific AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Example
Add the dbaas-operator
add-on installation to a cluster named mycluster
.
$ rosa install addon --cluster=mycluster dbaas-operator
8.2.8.2. uninstall addon
Uninstalls a managed service add-on from a cluster.
Syntax
$ rosa uninstall addon --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the add-on will be uninstalled from. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Uses a specific AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Example
Remove the dbaas-operator
add-on installation from a cluster named mycluster
.
$ rosa uninstall addon --cluster=mycluster dbaas-operator
8.2.9. List and describe objects
This section describes the list
and describe
commands for clusters and resources.
8.2.9.1. list addon
List the managed service add-on installations.
Syntax
$ rosa list addons --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to list the add-ons for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.2.9.2. List break glass credentials
List all of the break glass credentials for a cluster.
Syntax
$ rosa list break-glass-credential [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> | Required. The name or ID of the cluster to which the break glass credentials have been added. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the break glass credentials for a cluster named mycluster
.
$ rosa list break-glass-credential --cluster=mycluster
8.2.9.3. list clusters
List all of your clusters.
Syntax
$ rosa list clusters [arguments]
Option | Definition |
---|---|
--count |
The number (integer) of clusters to display. Default: |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.2.9.4. list external-auth-provider
List any external authentication providers for a cluster.
Syntax
$ rosa list external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID string of the cluster that the external authentication provider will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile string from your credentials file. |
Example
List any external authentication providers for a cluster named mycluster
.
$ rosa list external-auth-provider --cluster=mycluster
8.2.9.5. list idps
List all of the identity providers (IDPs) for a cluster.
Syntax
$ rosa list idps --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the IDPs will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all identity providers (IDPs) for a cluster named mycluster
.
$ rosa list idps --cluster=mycluster
8.2.9.6. list ingresses
List all of the API and ingress endpoints for a cluster.
Syntax
$ rosa list ingresses --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the IDPs will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all API and ingress endpoints for a cluster named mycluster
.
$ rosa list ingresses --cluster=mycluster
8.2.9.7. list instance-types
List all of the available instance types for use with ROSA. Availability is based on the account’s AWS quota.
Syntax
$ rosa list instance-types [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--output |
The output format. Allowed formats are |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all instance types.
$ rosa list instance-types
8.2.9.8. list kubeletconfigs
List the KubeletConfig
objects configured on a cluster.
Syntax
$ rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the machine pools will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
Example
List all of the KubeletConfig
objects on a cluster named mycluster
.
$ rosa list kubeletconfigs --cluster=mycluster
8.2.9.9. list machinepools
List the machine pools configured on a cluster.
Syntax
$ rosa list machinepools --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the machine pools will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the machine pools on a cluster named mycluster
.
$ rosa list machinepools --cluster=mycluster
8.2.9.10. list regions
List all of the available regions for the current AWS account.
Syntax
$ rosa list regions [arguments]
Option | Definition |
---|---|
--multi-az | Lists regions that provide support for multiple availability zones. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the available regions.
$ rosa list regions
8.2.9.11. list upgrades
List all available and scheduled cluster version upgrades.
Syntax
$ rosa list upgrades --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the available upgrades will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the available upgrades for a cluster named mycluster
.
$ rosa list upgrades --cluster=mycluster
8.2.9.12. list users
List the cluster administrator and dedicated administrator users for a specified cluster.
Syntax
$ rosa list users --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the cluster administrators will be listed for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the cluster administrators and dedicated administrators for a cluster named mycluster
.
$ rosa list users --cluster=mycluster
8.2.9.13. list versions
List all of the OpenShift versions that are available for creating a cluster.
Syntax
$ rosa list versions [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
List all of the OpenShift Container Platform versions.
$ rosa list versions
8.2.9.14. describe admin
Show the details of a specified cluster-admin
user and a command to log in to the cluster.
Syntax
$ rosa describe admin --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to which the cluster-admin belongs. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Describe the cluster-admin
user for a cluster named mycluster
.
$ rosa describe admin --cluster=mycluster
8.2.9.15. describe addon
Show the details of a managed service add-on.
Syntax
$ rosa describe addon <addon_id> | <addon_name> [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Describe an add-on named dbaas-operator
.
$ rosa describe addon dbaas-operator
8.2.9.16. describe break glass credential
Shows the details for a break glass credential for a specific cluster.
Syntax
$ rosa describe break-glass-credential --id=<break_glass_credential_id> --cluster=<cluster_name>| <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
--id | Required: The ID (string) of the break glass credential. |
--kubeconfig | Optional: Retrieves the kubeconfig from the break glass credential. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.2.9.17. describe cluster
Shows the details for a cluster.
Syntax
$ rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--get-role-policy-bindings | Lists the policies that are attached to the STS roles assigned to the cluster. |
Example
Describe a cluster named mycluster
.
$ rosa describe cluster --cluster=mycluster
8.2.9.18. describe kubeletconfig
Show the details of a custom KubeletConfig
object.
Syntax
$ rosa describe kubeletconfig --cluster=<cluster_name|cluster_id> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which you want to view the |
-h, --help | Shows help for this command. |
--name |
Optional. Specifies the name of the |
-o, --output string | -o, --output string |
8.2.9.19. describe machinepool
Describes a specific machine pool configured on a cluster.
Syntax
$ rosa describe machinepool --cluster=[<cluster_name>|<cluster_id>] --machinepool=<machinepool_name> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
--machinepool | Required: The name or ID (string) of the machinepool. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Describe a machine pool named mymachinepool
on a cluster named mycluster
.
$ rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool
8.2.10. Revoke objects
This section describes the revoke
commands for clusters and resources.
8.2.10.1. revoke-break-glass-credential
Revokes all break glass credentials from a specified hosted control plane cluster with external authentication enabled.
Syntax
$ rosa revoke break-glass-credential --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster from which the break glass credentials will be deleted. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Example
Revoke the break glass credentials from a cluster named mycluster
.
$ rosa revoke break-glass-credential --cluster=mycluster
8.2.11. Upgrade and delete upgrade for objects
This section describes the upgrade
command usage for objects.
8.2.11.1. upgrade cluster
Schedule a cluster upgrade.
Syntax
$ rosa upgrade cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the upgrade will be scheduled for. |
--interactive | Enables interactive mode. |
--version | The version (string) of OpenShift Container Platform that the cluster will be upgraded to. |
--schedule-date |
The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format: |
--schedule-time |
The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format: |
--node-drain-grace-period [1] |
Sets a grace period (string) for how long the pod disruption budget-protected workloads are respected during upgrades. After this grace period, any workloads protected by pod disruption budgets that have not been successfully drained from a node will be forcibly evicted. Default: |
--control-plane [2] | Upgrades the cluster’s hosted control plane. |
- Classic clusters only
- ROSA with HCP clusters only
Option | Definition |
---|---|
--help | Shows help for this command. |
Examples
Interactively schedule an upgrade on a cluster named mycluster
.
$ rosa upgrade cluster --cluster=mycluster --interactive
Schedule a cluster upgrade within the hour on a cluster named mycluster
.
$ rosa upgrade cluster --cluster=mycluster --version 4.5.20
8.2.11.2. delete cluster upgrade
Cancel a scheduled cluster upgrade.
Syntax
$ rosa delete upgrade --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster that the upgrade will be cancelled for. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--yes |
Automatically answers |
8.2.11.3. upgrade machinepool
Upgrades a specific machine pool configured on a ROSA with HCP cluster.
The upgrade
command for machinepools applies to ROSA with HCP clusters only.
Syntax
$ rosa upgrade machinepool --cluster=<cluster_name> <machinepool_name>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
--schedule-date |
The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format: |
--schedule-time |
The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format: |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Upgrade a machine pool on a cluster named mycluster
.
$ rosa upgrade machinepool --cluster=mycluster
8.2.11.4. delete machinepool upgrade
Cancel a scheduled machinepool upgrade.
Syntax
$ rosa delete upgrade --cluster=<cluster_name> <machinepool_name>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
8.2.11.5. upgrade roles
Upgrades roles configured on a cluster.
Syntax
$ rosa upgrade roles --cluster=<cluster_id>
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Upgrade roles on a cluster named mycluster
.
$ rosa upgrade roles --cluster=mycluster
8.3. Checking account and version information with the ROSA CLI
Use the following commands to check your account and version information.
8.3.1. whoami
Display information about your AWS and Red Hat accounts by using the following command syntax:
Syntax
$ rosa whoami [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
$ rosa whoami
8.3.2. version
Display the version of your rosa
CLI by using the following command syntax:
Syntax
$ rosa version [arguments]
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
$ rosa version
8.4. Checking logs with the ROSA CLI
Use the following commands to check your install and uninstall logs.
8.4.1. logs install
Show the cluster install logs by using the following command syntax:
Syntax
$ rosa logs install --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | Required: The name or ID (string) of the cluster to get logs for. |
--tail |
The number (integer) of lines to get from the end of the log. Default: |
--watch | Watches for changes after getting the logs. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Show the last 100 install log lines for a cluster named mycluster
:
$ rosa logs install mycluster --tail=100
Show the install logs for a cluster named mycluster
:
$ rosa logs install --cluster=mycluster
8.4.2. logs uninstall
Show the cluster uninstall logs by using the following command syntax:
Syntax
$ rosa logs uninstall --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster | The name or ID (string) of the cluster to get logs for. |
--tail |
The number (integer) of lines to get from the end of the log. Default: |
--watch | Watches for changes after getting the logs. |
Option | Definition |
---|---|
--help | Shows help for this command. |
--debug | Enables debug mode. |
--profile | Specifies an AWS profile (string) from your credentials file. |
Example
Show the last 100 uninstall logs for a cluster named mycluster
:
$ rosa logs uninstall --cluster=mycluster --tail=100
8.5. Least privilege permissions for ROSA CLI commands
You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift Service on AWS (ROSA) command line interface (CLI).
Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see Common commands and arguments.
For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.
8.5.1. Least privilege permissions for common ROSA CLI commands
The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
8.5.1.1. Create a managed OpenID Connect (OIDC) provider
Run the following command with the specified permissions to create your managed OIDC provider by using auto
mode.
Input
$ rosa create oidc-config --mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateOidcConfig", "Effect": "Allow", "Action": [ "iam:TagOpenIDConnectProvider", "iam:CreateOpenIDConnectProvider" ], "Resource": "*" } ] }
8.5.1.2. Create an unmanaged OpenID Connect provider
Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto
mode.
Input
$ rosa create oidc-config --mode auto --managed=false
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:TagOpenIDConnectProvider", "iam:ListRoleTags", "iam:ListRoles", "iam:CreateOpenIDConnectProvider", "s3:CreateBucket", "s3:PutObject", "s3:PutBucketTagging", "s3:PutBucketPolicy", "s3:PutObjectTagging", "s3:PutBucketPublicAccessBlock", "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource": "*" } ] }
8.5.1.3. List your account roles
Run the following command with the specified permissions to list your account roles.
Input
$ rosa list account-roles
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListAccountRoles", "Effect": "Allow", "Action": [ "iam:ListRoleTags", "iam:ListRoles" ], "Resource": "*" } ] }
8.5.1.4. List your Operator roles
Run the following command with the specified permissions to list your Operator roles.
Input
$ rosa list operator-roles
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListOperatorRoles", "Effect": "Allow", "Action": [ "iam:ListRoleTags", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:ListPolicyTags" ], "Resource": "*" } ] }
8.5.1.5. List your OIDC providers
Run the following command with the specified permissions to list your OIDC providers.
Input
$ rosa list oidc-providers
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ListOidcProviders", "Effect": "Allow", "Action": [ "iam:ListOpenIDConnectProviders", "iam:ListOpenIDConnectProviderTags" ], "Resource": "*" } ] }
8.5.1.6. Verify your quota
Run the following command with the specified permissions to verify your quota.
Input
$ rosa verify quota
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VerifyQuota", "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeAccountLimits", "servicequotas:ListServiceQuotas" ], "Resource": "*" } ] }
8.5.1.7. Delete your managed OIDC configuration
Run the following command with the specified permissions to delete your managed OIDC configuration by using auto
mode.
Input
$ rosa delete oidc-config -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DeleteOidcConfig", "Effect": "Allow", "Action": [ "iam:ListOpenIDConnectProviders", "iam:DeleteOpenIDConnectProvider" ], "Resource": "*" } ] }
8.5.1.8. Delete your unmanaged OIDC configuration
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto
mode.
Input
$ rosa delete oidc-config -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:ListOpenIDConnectProviders", "iam:DeleteOpenIDConnectProvider", "secretsmanager:DeleteSecret", "s3:ListBucket", "s3:DeleteObject", "s3:DeleteBucket" ], "Resource": "*" } ] }
8.5.2. Least privilege permissions for common ROSA with HCP CLI commands
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.
8.5.2.1. Create a cluster
Run the following command with the specified permissions to create ROSA with HCP clusters.
Input
$ rosa create cluster --hosted-cp
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateCluster", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListRoleTags", "iam:ListAttachedRolePolicies", "iam:ListRoles", "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeAvailabilityZones" ], "Resource": "*" } ] }
8.5.2.2. Create your account roles and Operator roles
Run the following command with the specified permissions to create account and Operator roles by using auto
mode.
Input
$ rosa create account-roles --mode auto --hosted-cp
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAccountRoles", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:UpdateAssumeRolePolicy", "iam:ListRoleTags", "iam:GetPolicy", "iam:TagRole", "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy", "iam:ListPolicyTags" ], "Resource": "*" } ] }
8.5.2.3. Delete your account roles
Run the following command with the specified permissions to delete the account roles in auto
mode.
Input
$ rosa delete account-roles -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DeleteAccountRoles", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:DeleteRole", "iam:ListRolePolicies" ], "Resource": "*" } ] }
8.5.2.4. Delete your Operator roles
Run the following command with the specified permissions to delete your Operator roles in auto
mode.
Input
$ rosa delete operator-roles -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "DeleteOperatorRoles", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:DeleteRole" ], "Resource": "*" } ] }
8.5.3. Least privilege permissions for common ROSA Classic CLI commands
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.
8.5.3.1. Create a cluster
Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.
Input
$ rosa create cluster
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateCluster", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListRoleTags", "iam:ListRoles" ], "Resource": "*" } ] }
8.5.3.2. Create account roles and Operator roles
Run the following command with the specified permissions to create account and Operator roles in `auto' mode.
Input
$ rosa create account-roles --mode auto --classic
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAccountOperatorRoles", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:UpdateAssumeRolePolicy", "iam:ListRoleTags", "iam:GetPolicy", "iam:TagRole", "iam:ListRoles", "iam:CreateRole", "iam:AttachRolePolicy", "iam:TagPolicy", "iam:CreatePolicy", "iam:ListPolicyTags" ], "Resource": "*" } ] }
8.5.3.3. Delete your account roles
Run the following command with the specified permissions to delete the account roles in auto
mode.
Input
$ rosa delete account-roles -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetPolicy", "iam:ListPolicyVersions", "iam:DeletePolicy" ], "Resource": "*" } ] }
8.5.3.4. Delete your Operator roles
Run the following command with the specified permissions to delete the Operator roles in auto
mode.
Input
$ rosa delete operator-roles -–mode auto
Policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:DetachRolePolicy", "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetPolicy", "iam:ListPolicyVersions", "iam:DeletePolicy" ], "Resource": "*" } ] }
8.5.4. ROSA CLI commands with no required permissions
The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.
Command | Input |
---|---|
list cluster |
|
list versions |
|
describe cluster |
|
create admin |
|
list users |
|
list upgrades |
|
list OIDC configuration |
|
list identity providers |
|
list ingresses |
|
8.5.5. Additional resources
- For more information about AWS roles, see IAM roles.
- For more information about AWS policies and permissions, see Policies and permissions in IAM.