Chapter 13. Installation configuration parameters for Google Cloud

The API version for the install-config.yaml content. The current version is v1. The installation program might also support older API versions.

Value: String

The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the baseDomain and metadata.name parameter values that uses the <metadata.name>.<baseDomain> format.

Value: A fully-qualified domain or subdomain name, such as example.com.

Kubernetes resource ObjectMeta, from which only the name parameter is consumed.

Value: Object

The name of the cluster. DNS records for the cluster are all subdomains of {{.metadata.name}}.{{.baseDomain}}.

Value: String of lowercase letters, hyphens (-), and periods (.), such as dev.

The configuration for the specific platform upon which to perform the installation: aws, baremetal, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}. For additional information about platform.<platform> parameters, consult the table for your specific platform that follows.

Value: Object

Get a pull secret from Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io.

Value:

{
   "auths":{
      "cloud.openshift.com":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      }
   }
}

{
   "auths":{
      "cloud.openshift.com":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      }
   }
}

The configuration for the cluster network.

Value: Object

The Red Hat OpenShift Networking network plugin to install.

Value:OVNKubernetes. OVNKubernetes is a Container Network Interface (CNI) plugin for Linux networks and hybrid networks that contain both Linux and Windows servers. The default value is OVNKubernetes.

The IP address blocks for pods.

The default value is 10.128.0.0/14 with a host prefix of /23.

If you specify multiple IP address blocks, the blocks must not overlap.

Value: An array of objects. For example:

networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23

networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23

Required if you use networking.clusterNetwork. An IP address block.

An IPv4 network.

Value: An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between 0 and 32.

The subnet prefix length to assign to each individual node. For example, if hostPrefix is set to 23 then each node is assigned a /23 subnet out of the given cidr. A hostPrefix value of 23 provides 510 (2^(32 - 23) - 2) pod IP addresses.

Value: A subnet prefix.

The default value is 23.

The IP address block for services. The default value is 172.30.0.0/16.

The OVN-Kubernetes network plugins supports only a single IP address block for the service network.

Value: An array with an IP address block in CIDR format. For example:

networking:
  serviceNetwork:
   - 172.30.0.0/16

networking:
  serviceNetwork:
   - 172.30.0.0/16

The IP address blocks for machines.

If you specify multiple IP address blocks, the blocks must not overlap.

Value: An array of objects. For example:

networking:
  machineNetwork:
  - cidr: 10.0.0.0/16

networking:
  machineNetwork:
  - cidr: 10.0.0.0/16

Required if you use networking.machineNetwork. An IP address block. The default value is 10.0.0.0/16 for all platforms other than libvirt and IBM Power® Virtual Server. For libvirt, the default value is 192.168.126.0/24. For IBM Power® Virtual Server, the default value is 192.168.0.0/24.

Value: An IP network block in CIDR notation.

For example, 10.0.0.0/16.

Configures the IPv4 join subnet that is used internally by ovn-kubernetes. This subnet must not overlap with any other subnet that OpenShift Container Platform is using, including the node network. The size of the subnet must be larger than the number of nodes. You cannot change the value after installation.

Value: An IP network block in CIDR notation. The default value is 100.64.0.0/16.

A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle might also be used when a proxy has been configured.

Value: String

Controls the installation of optional core cluster components. You can reduce the footprint of your OpenShift Container Platform cluster by disabling optional components. For more information, see the "Cluster capabilities" page in Installing.

Value: String array

Selects an initial set of optional capabilities to enable. Valid values are None, v4.11, v4.12 and vCurrent. The default value is vCurrent.

Value: String

Extends the set of optional capabilities beyond what you specify in baselineCapabilitySet. You can specify multiple capabilities in this parameter.

Value: String array

Enables workload partitioning, which isolates OpenShift Container Platform services, cluster management workloads, and infrastructure pods to run on a reserved set of CPUs. You can only enable workload partitioning during installation. You cannot disable it after installation. While this field enables workload partitioning, it does not configure workloads to use specific CPUs. For more information, see the Workload partitioning page in the Scalability and Performance section.

Value: None or AllNodes. None is the default value.

The configuration for the machines that comprise the compute nodes.

Value: Array of MachinePool objects.

Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64 and arm64.

Value: String

Whether to enable or disable simultaneous multithreading, or hyperthreading, on compute machines. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores.

Value: Enabled or Disabled

Required if you use compute. The name of the machine pool.

Value: worker

Required if you use compute. Use this parameter to specify the cloud provider to host the worker machines. This parameter value must match the controlPlane.platform parameter value.

Value:aws, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}

The number of compute machines, which are also known as worker machines, to provision.

Value: A positive integer greater than or equal to 2. The default value is 3.

Enables the cluster for a feature set. A feature set is a collection of OpenShift Container Platform features that are not enabled by default. For more information about enabling a feature set during installation, see "Enabling features using feature gates".

Value: String. The name of the feature set to enable, such as TechPreviewNoUpgrade.

The configuration for the machines that form the control plane.

Value: Array of MachinePool objects.

Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64 and arm64.

Value: String

Whether to enable or disable simultaneous multithreading, or hyperthreading, on control plane machines. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores.

Value: Enabled or Disabled

Required if you use controlPlane. The name of the machine pool.

Value: master

Required if you use controlPlane. Use this parameter to specify the cloud provider that hosts the control plane machines. This parameter value must match the compute.platform parameter value.

Value:aws, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}

The number of control plane machines to provision.

Value: Supported values are 3, or 1 when deploying single-node OpenShift.

The OpenShift Container Platform cluster requires a name for arbiter nodes. For example, arbiter.

The replicas parameter sets the number of arbiter nodes for the OpenShift Container Platform cluster. You cannot set this field to a value that is greater than 1.

The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported.

Value: Mint, Passthrough, Manual or an empty string ("").

Enable or disable FIPS mode. The default is false (disabled). If you enable FIPS mode, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that RHCOS provides instead.

Value: false or true

Sources and repositories for the release-image content.

Value: Array of objects. Includes a source and, optionally, mirrors, as described in the following rows of this table.

Required if you use imageContentSources. Specify the repository that users refer to, for example, in image pull specifications.

Value: String

Specify one or more repositories that might also contain the same images.

Value: Array of strings

How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API, OpenShift routes.

Value:Internal or External. To deploy a private cluster that cannot be accessed from the internet, set the publish parameter to Internal. The default value is External.

The SSH key to authenticate access to your cluster machines.

Value: For example, sshKey: ssh-ed25519 AAAA...

Optional. By default, the installation program downloads and installs the Red Hat Enterprise Linux CoreOS (RHCOS) image that is used to boot control plane machines. You can override the default behavior by specifying the location of a custom RHCOS image that the installation program is to use for control plane machines only. Control plane machines do not contribute to licensing costs when using the default image. But, if you apply a Google Cloud Marketplace image for a control plane machine, usage costs do apply.

Value: String. The name of Google Cloud project where the image is located.

The name of the custom RHCOS image that the installation program is to use to boot control plane machines. If you use controlPlane.platform.gcp.osImage.project, this field is required.

Value: String. The name of the RHCOS image.

Optional. By default, the installation program downloads and installs the RHCOS image that is used to boot compute machines. You can override the default behavior by specifying the location of a custom RHCOS image that the installation program is to use for compute machines only.

Value: String. The name of Google Cloud project where the image is located.

The name of the custom RHCOS image that the installation program is to use to boot compute machines. If you use compute.platform.gcp.osImage.project, this field is required.

Value: String. The name of the RHCOS image.

Specifies the email address of a Google Cloud service account to be used during installations. This service account is used to provision compute machines.

Value: String. The email address of the service account.

The name of the existing Virtual Private Cloud (VPC) where you want to deploy your cluster. If you want to deploy your cluster into a shared VPC, you must set platform.gcp.networkProjectID with the name of the Google Cloud project that contains the shared VPC.

Value: String.

Optional. The name of the Google Cloud project that contains the shared VPC where you want to deploy your cluster.

Value: String.

The name of the Google Cloud project where the installation program installs the cluster.

Value: String.

The name of the private DNS zone. This parameter is only used during shared VPC installations. You can use a private DNS zone in a service project that is distinct from the projects specified by the projectID or networkProjectID parameters.

Value: String.

The ID of the project that contains the private zone from the privateZone.name parameter.

Value: String.

Enables user-provisioned DNS instead of the default cluster-provisioned DNS solution. If you use this feature, you must provide your own DNS solution that includes records for api.<cluster_name>.<base_domain>. and *.apps.<cluster_name>.<base_domain>..

Value: Enabled or Disabled. The default value is Disabled. userProvisionedDNS is a Technology Preview feature.

The name of the Google Cloud region that hosts your cluster.

Value: Any valid region name, such as us-central1.

The name of the existing subnet where you want to deploy your control plane machines.

Value: The subnet name.

The name of the existing subnet where you want to deploy your compute machines.

Value: The subnet name.

The availability zones where the installation program creates machines.

Value: A list of valid Google Cloud availability zones, such as us-central1-a, in a YAML sequence.

The size of the disk in gigabytes (GB).

Value: Any size between 16 GB and 65536 GB.

The Google Cloud disk type.

Value: The default disk type for all machines. Valid values are pd-balanced, pd-ssd, pd-standard, or hyperdisk-balanced. The default value is pd-ssd. Control plane machines cannot use the pd-standard disk type, so if you specify pd-standard as the default machine platform disk type, you must specify a different disk type using the controlPlane.platform.gcp.osDisk.diskType parameter.

Optional. By default, the installation program downloads and installs the RHCOS image that is used to boot control plane and compute machines. You can override the default behavior by specifying the location of a custom RHCOS image that the installation program is to use for both types of machines.

Value: String. The name of Google Cloud project where the image is located.

The name of the custom RHCOS image that the installation program is to use to boot control plane and compute machines. If you use platform.gcp.defaultMachinePlatform.osImage.project, this field is required.

Value: String. The name of the RHCOS image.

Optional. Additional network tags to add to the control plane and compute machines.

Value: One or more strings, for example network-tag1.

The Google Cloud machine type for control plane and compute machines.

Value: The Google Cloud machine type, for example n1-standard-4.

The name of the customer managed encryption key to be used for machine disk encryption.

Value: The encryption key name.

The name of the Key Management Service (KMS) key ring to which the KMS key belongs.

Value: The KMS key ring name.

The Google Cloud location in which the KMS key ring exists.

Value: The Google Cloud location.

The ID of the project in which the KMS key ring exists. This value defaults to the value of the platform.gcp.projectID parameter if it is not set.

Value: The Google Cloud project ID.

The Google Cloud service account used for the encryption request for control plane and compute machines. If absent, the Compute Engine default service account is used. For more information about Google Cloud service accounts, see Google’s documentation on service accounts.

Value: The Google Cloud service account email, for example <service_account_name>@<project_id>.iam.gserviceaccount.com.

Whether to enable Shielded VM secure boot for all machines in the cluster. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google’s documentation on Shielded VMs.

Value: Enabled or Disabled. The default value is Disabled.

Whether to use Confidential VMs for all machines in the cluster. Confidential VMs provide encryption for data during processing. For more information on Confidential computing, see Google’s documentation about Confidential Computing.

Supported values are:

If you specify any value other than Disabled, you must set platform.gcp.defaultMachinePlatform.onHostMaintenance to Terminate, and you must specify a region and machine type that support Confidential Computing. For more information, see Google’s documentation about Supported configurations.

Value: String.

Specifies the behavior of all VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to Terminate. Confidential VMs do not support live VM migration.

Value: Terminate or Migrate. The default value is Migrate.

The name of the customer managed encryption key to be used for control plane machine disk encryption.

Value: The encryption key name.

For control plane machines, the name of the KMS key ring to which the KMS key belongs.

Value: The KMS key ring name.

For control plane machines, the Google Cloud location in which the key ring exists. For more information about KMS locations, see Google’s documentation on Cloud KMS locations.

Value: The Google Cloud location for the key ring.

For control plane machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set.

Value: The Google Cloud project ID.

The Google Cloud service account used for the encryption request for control plane machines. If absent, the Compute Engine default service account is used. For more information about Google Cloud service accounts, see Google’s documentation on service accounts.

Value: The Google Cloud service account email, for example <service_account_name>@<project_id>.iam.gserviceaccount.com.

The size of the disk in gigabytes (GB). This value applies to control plane machines.

Value: Any integer between 16 and 65536.

The Google Cloud disk type for control plane machines.

Value: Valid values are pd-balanced, pd-ssd, or hyperdisk-balanced. The default value is pd-ssd.

Optional. Additional network tags to add to the control plane machines. If set, this parameter overrides the platform.gcp.defaultMachinePlatform.tags parameter for control plane machines.

Value: One or more strings, for example control-plane-tag1.

The Google Cloud machine type for control plane machines. If set, this parameter overrides the platform.gcp.defaultMachinePlatform.type parameter.

Value: The Google Cloud machine type, for example n1-standard-4.

The availability zones where the installation program creates control plane machines.

Value: A list of valid Google Cloud availability zones, such as us-central1-a, in a YAML sequence.

Whether to enable Shielded VM secure boot for control plane machines. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google’s documentation on Shielded VMs.

Value: Enabled or Disabled. The default value is Disabled.

Whether to use Confidential VMs for control plane machines. Confidential VMs provide encryption for data during processing. For more information on Confidential computing, see Google’s documentation about Confidential Computing.

Supported values are:

If you specify any value other than Disabled, you must set controlPlane.platform.gcp.defaultMachinePlatform.onHostMaintenance to Terminate.

Value: String.

Specifies the behavior of control plane VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to Terminate. Confidential VMs do not support live VM migration.

Value: Terminate or Migrate. The default value is Migrate.

Specifies the email address of a Google Cloud service account to be used during installations. This service account is used to provision control plane machines.

Value: String. The email address of the service account.

The name of the customer managed encryption key to be used for compute machine disk encryption.

Value: The encryption key name.

For compute machines, the name of the KMS key ring to which the KMS key belongs.

Value: The KMS key ring name.

For compute machines, the Google Cloud location in which the key ring exists. For more information about KMS locations, see Google’s documentation on Cloud KMS locations.

Value: The Google Cloud location for the key ring.

For compute machines, the ID of the project in which the KMS key ring exists. This value defaults to the VM project ID if not set.

Value: The Google Cloud project ID.

The Google Cloud service account used for the encryption request for compute machines. If this value is not set, the Compute Engine default service account is used. For more information about Google Cloud service accounts, see Google’s documentation on service accounts.

Value: The Google Cloud service account email, for example <service_account_name>@<project_id>.iam.gserviceaccount.com.

The size of the disk in gigabytes (GB). This value applies to compute machines.

Value: Any integer between 16 and 65536.

The Google Cloud disk type for compute machines.

Value: Valid values are pd-balanced, pd-ssd, pd-standard, or hyperdisk-balanced. The default value is pd-ssd.

Optional. Additional network tags to add to the compute machines. If set, this parameter overrides the platform.gcp.defaultMachinePlatform.tags parameter for compute machines.

Value: One or more strings, for example compute-network-tag1.

The Google Cloud machine type for compute machines. If set, this parameter overrides the platform.gcp.defaultMachinePlatform.type parameter.

Value: The Google Cloud machine type, for example n1-standard-4.

The availability zones where the installation program creates compute machines.

Value: A list of valid Google Cloud availability zones, such as us-central1-a, in a YAML sequence.

Whether to enable Shielded VM secure boot for compute machines. Shielded VMs have additional security protocols such as secure boot, firmware and integrity monitoring, and rootkit protection. For more information on Shielded VMs, see Google’s documentation on Shielded VMs.

Value: Enabled or Disabled. The default value is Disabled.

Whether to use Confidential VMs for compute machines. Confidential VMs provide encryption for data during processing. For more information on Confidential computing, see Google’s documentation on Confidential computing.

Supported values are:

If you specify any value other than Disabled, you must set compute.platform.gcp.onHostMaintenance to Terminate.

Value: String.

Specifies the behavior of compute VMs during a host maintenance event, such as a software or hardware update. For Confidential VMs, this parameter must be set to Terminate. Confidential VMs do not support live VM migration.

Value: Terminate or Migrate. The default value is Migrate.