
Chapter 5. Deploying Red Hat OpenShift Service on AWS clusters using FIPS encryption


Deploying a Red Hat OpenShift Service on AWS cluster using Federal Information Processing Standards (FIPS) encryption ensures that sensitive data is protected using validated cryptographic modules.

5.1. Creating the account-wide STS roles and policies

Account-wide roles, such as the account-roles created by the ROSA command-line interface (CLI) (rosa), are required to create or manage Red Hat OpenShift Service on AWS clusters. Create these roles by using the ROSA CLI (rosa), regardless of whether you typically use OpenShift Cluster Manager or the ROSA CLI to create and manage your clusters. Before you create your Red Hat OpenShift Service on AWS cluster, you must create the required account-wide roles and policies.

Note

Specific AWS-managed policies for Red Hat OpenShift Service on AWS must be attached to each role. Customer-managed policies must not be used with these required account roles. For more information regarding AWS-managed policies for Red Hat OpenShift Service on AWS clusters, see AWS managed policies for Red Hat OpenShift Service on AWS.

Prerequisites

  • You have completed the AWS prerequisites for Red Hat OpenShift Service on AWS.
  • You have available AWS service quotas.
  • You have enabled the Red Hat OpenShift Service on AWS in the AWS Console.
  • You have installed and configured the latest ROSA command-line interface (CLI) (rosa) on your installation host.
  • You have logged in to your Red Hat account by using the ROSA CLI.

Procedure

  1. If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:

    $ export PREFIX=<custom_prefix>; rosa create account-roles --hosted-cp --prefix $PREFIX

    When using FIPS encryption, you need to set a custom prefix instead of using the default ManagedOpenShift prefix.

5.2. Creating an AWS VPC using the ROSA CLI

The rosa create network command is available in v.1.2.48 or later of the ROSA CLI. The command uses AWS CloudFormation to create a VPC and associated networking components necessary to install a Red Hat OpenShift Service on AWS cluster. CloudFormation is a native AWS infrastructure-as-code tool and is compatible with the AWS CLI.

If you do not specify a template, CloudFormation uses a default template that creates resources with the following parameters:

VPC parameter        Value
Availability zones   1
Region               us-east-1
VPC CIDR             10.0.0.0/16

You can create and customize CloudFormation templates to use with the rosa create network command. See the additional resources of this section for information on the default VPC template.

Prerequisites

  • You have configured your AWS account
  • You have configured your Red Hat accounts
  • You have installed the ROSA CLI and configured it to the latest version

Procedure

  1. Create an AWS VPC using the default CloudFormation template by running the following command:

    $ rosa create network
  2. Optional: Customize your VPC by specifying additional parameters.

    You can use the --param flag to specify changes to the default VPC template. The following example command specifies custom values for Region, Name, AvailabilityZoneCount, and VpcCidr.

    $ rosa create network --param Region=us-east-2 --param Name=quickstart-stack --param AvailabilityZoneCount=3 --param VpcCidr=10.0.0.0/16

    The command takes about 5 minutes to run and provides regular status updates from AWS as resources are created. If there is an issue with CloudFormation, a rollback is attempted. For all other errors that are encountered, please follow the error message instructions or contact AWS support.

Verification

  • When completed, you receive a summary of the created resources:

    INFO[0140] Resources created in stack:
    INFO[0140] Resource: AttachGateway, Type: AWS::EC2::VPCGatewayAttachment, ID: <gateway_id>
    INFO[0140] Resource: EC2VPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: EcrApiVPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: EcrDkrVPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: ElasticIP1, Type: AWS::EC2::EIP, ID: <IP>
    INFO[0140] Resource: ElasticIP2, Type: AWS::EC2::EIP, ID: <IP>
    INFO[0140] Resource: InternetGateway, Type: AWS::EC2::InternetGateway, ID: igw-016e1a71b9812464e
    INFO[0140] Resource: KMSVPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: NATGateway1, Type: AWS::EC2::NatGateway, ID: <nat-gateway_id>
    INFO[0140] Resource: PrivateRoute, Type: AWS::EC2::Route, ID: <route_id>
    INFO[0140] Resource: PrivateRouteTable, Type: AWS::EC2::RouteTable, ID: <route_id>
    INFO[0140] Resource: PrivateSubnetRouteTableAssociation1, Type: AWS::EC2::SubnetRouteTableAssociation, ID: <route_id>
    INFO[0140] Resource: PublicRoute, Type: AWS::EC2::Route, ID: <route_id>
    INFO[0140] Resource: PublicRouteTable, Type: AWS::EC2::RouteTable, ID: <route_id>
    INFO[0140] Resource: PublicSubnetRouteTableAssociation1, Type: AWS::EC2::SubnetRouteTableAssociation, ID: <route_id>
    INFO[0140] Resource: S3VPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: STSVPCEndpoint, Type: AWS::EC2::VPCEndpoint, ID: <vpce_id>
    INFO[0140] Resource: SecurityGroup, Type: AWS::EC2::SecurityGroup, ID: <security-group_id>
    INFO[0140] Resource: SubnetPrivate1, Type: AWS::EC2::Subnet, ID: <private_subnet_id-1>
    INFO[0140] Resource: SubnetPublic1, Type: AWS::EC2::Subnet, ID: <public_subnet_id-1>
    INFO[0140] Resource: VPC, Type: AWS::EC2::VPC, ID: <vpc_id>
    INFO[0140] Stack rosa-network-stack-5555 created
    • The <private_subnet_id-1> and <public_subnet_id-1> subnet IDs are used to create your cluster when using the rosa create cluster command.
    • The network stack name (rosa-network-stack-5555) is used to delete the resource later.
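The summary above is the only place the subnet IDs and the stack name appear, and the subnet IDs are needed verbatim in the later rosa create cluster step. The following POSIX shell functions, added here as an example and not part of the ROSA CLI, pull those values out of a saved copy of the summary and fail loudly if a resource is missing, so that an empty --subnet-ids never reaches rosa create cluster. The summary text and all IDs in the block are constructed in the format shown above.

```shell
#!/bin/sh
# Added example: extract the identifiers that later steps need from the
# "rosa create network" summary. Not part of the ROSA CLI; the sample
# summary and its IDs below are constructed in the format shown above.

# Constructed sample summary (IDs are placeholders, not real resources).
SAMPLE_NETWORK_OUTPUT='INFO[0140] Resources created in stack:
INFO[0140] Resource: SubnetPrivate1, Type: AWS::EC2::Subnet, ID: subnet-0aaa111
INFO[0140] Resource: SubnetPublic1, Type: AWS::EC2::Subnet, ID: subnet-0bbb222
INFO[0140] Resource: VPC, Type: AWS::EC2::VPC, ID: vpc-0ccc333
INFO[0140] Stack rosa-network-stack-5555 created'

# resource_id NAME: print the ID of the CloudFormation logical resource NAME.
# Reads the summary on stdin. Returns 1 if the resource is absent, so a
# missing subnet stops the script instead of silently producing an empty
# value for --subnet-ids.
resource_id() {
    id=$(sed -n "s/^INFO\[[0-9]*\] Resource: $1, Type: [^,]*, ID: \(.*\)$/\1/p")
    [ -n "$id" ] || { echo "resource $1 not found in summary" >&2; return 1; }
    printf '%s\n' "$id"
}

# stack_name: print the CloudFormation stack name, which is needed to
# delete the network stack later. Reads the summary on stdin.
stack_name() {
    sed -n 's/^INFO\[[0-9]*\] Stack \(.*\) created$/\1/p'
}

# subnet_ids: print "private,public" subnet IDs in the comma-separated
# form that --subnet-ids expects. Reads the summary on stdin.
subnet_ids() {
    summary=$(cat)
    private=$(printf '%s\n' "$summary" | resource_id SubnetPrivate1) || return 1
    public=$(printf '%s\n' "$summary" | resource_id SubnetPublic1) || return 1
    printf '%s,%s\n' "$private" "$public"
}

# Usage with the constructed sample. On a real run, save the command's
# output (rosa create network ... | tee network.log) and pipe that file in.
SUBNET_IDS=$(printf '%s\n' "$SAMPLE_NETWORK_OUTPUT" | subnet_ids)
STACK=$(printf '%s\n' "$SAMPLE_NETWORK_OUTPUT" | stack_name)
echo "subnets: $SUBNET_IDS  stack: $STACK"
```

The resource names (SubnetPrivate1, SubnetPublic1) are the logical names from the default template; if you supply your own CloudFormation template, pass the logical names it uses to resource_id instead.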

5.3. Creating an OpenID Connect configuration

Red Hat OpenShift Service on AWS clusters use OIDC and the AWS Security Token Service (STS) to authenticate Operator access to AWS resources they require to perform their functions. Each production cluster requires its own OIDC configuration. When creating a Red Hat OpenShift Service on AWS cluster, you can create the OpenID Connect (OIDC) configuration before creating your cluster.

Prerequisites

  • You have completed the AWS prerequisites for Red Hat OpenShift Service on AWS.
  • You have installed and configured the latest ROSA command-line interface (CLI) (rosa) on your installation host.

Procedure

  1. To create your OIDC configuration alongside the AWS resources, run the following command:

    $ rosa create oidc-config --mode=auto --yes

    This command returns the following information.

    For example:

    ? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
    I: Setting up managed OIDC configuration
    I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
    	rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
    If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
    I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
    ? Create the OIDC provider? Yes
    I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'

    When creating your cluster, you must supply the OIDC config ID. The CLI output provides this value for --mode auto; for --mode manual, you must determine it from the aws CLI output instead.

  2. Optional: you can save the OIDC configuration ID as a variable to use later. Run the following command to save the variable:

    $ export OIDC_ID=<oidc_config_id>

    where <oidc_config_id> is the OIDC configuration ID. In this example output, the OIDC configuration ID is 13cdr6b.
    • View the value of the variable by running the following command:

      $ echo $OIDC_ID

      For example:

      13cdr6b

Verification

  • You can list the possible OIDC configurations available for your clusters that are associated with your user organization. Run the following command:

    $ rosa list oidc-config

    For example:

    ID                                MANAGED  ISSUER URL                                                             SECRET ARN
    2330dbs0n8m3chkkr25gkkcd8pnj3lk2  true     https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
    233hvnrjoqu14jltk6lhbhf2tj11f8un  false    https://oidc-r7u1.s3.us-east-1.amazonaws.com                           aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN

5.4. Creating Operator roles and policies

When you deploy a Red Hat OpenShift Service on AWS cluster, you must create the Operator IAM roles. The cluster Operators use the Operator roles and policies to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage and external access to a cluster.

Prerequisites

  • You have completed the AWS prerequisites for Red Hat OpenShift Service on AWS.
  • You have installed and configured the latest ROSA command-line interface (CLI) (rosa) on your installation host.
  • You created the account-wide AWS roles.

Procedure

  1. To create your Operator roles, run the following command:

    $ rosa create operator-roles --hosted-cp --prefix=$PREFIX --oidc-config-id=$OIDC_ID

    The Operator roles are now created and ready to use for creating your Red Hat OpenShift Service on AWS cluster.

Verification

  • You can list the Operator roles associated with your Red Hat OpenShift Service on AWS account. Run the following command:

    $ rosa list operator-roles

    For example:

    I: Fetching operator roles
    ROLE PREFIX  AMOUNT IN BUNDLE
    <prefix>      8
    ? Would you like to detail a specific prefix Yes
    ? Operator Role Prefix: <prefix>
    ROLE NAME                                                         ROLE ARN                                                                                         VERSION  MANAGED
    <prefix>-kube-system-capa-controller-manager                       arn:aws:iam::4540112244:role/<prefix>-kube-system-capa-controller-manager                       4.13     No
    <prefix>-kube-system-control-plane-operator                        arn:aws:iam::4540112244:role/<prefix>-kube-system-control-plane-operator                        4.13     No
    <prefix>-kube-system-kms-provider                                  arn:aws:iam::4540112244:role/<prefix>-kube-system-kms-provider                                  4.13     No
    <prefix>-kube-system-kube-controller-manager                       arn:aws:iam::4540112244:role/<prefix>-kube-system-kube-controller-manager                       4.13     No
    <prefix>-openshift-cloud-network-config-controller-cloud-credenti  arn:aws:iam::4540112244:role/<prefix>-openshift-cloud-network-config-controller-cloud-credenti  4.13     No
    <prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials       arn:aws:iam::4540112244:role/<prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials       4.13     No
    <prefix>-openshift-image-registry-installer-cloud-credentials      arn:aws:iam::4540112244:role/<prefix>-openshift-image-registry-installer-cloud-credentials      4.13     No
    <prefix>-openshift-ingress-operator-cloud-credentials              arn:aws:iam::4540112244:role/<prefix>-openshift-ingress-operator-cloud-credentials              4.13     No

    After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.

5.5. Create an AWS KMS encryption key

Using your AWS account and the aws CLI tool, you can create an AWS KMS encryption key to encrypt your resources.

Procedure

  1. Set the AWS region where you installed your VPC by running the following command:

    Note

    You should use the same region where you installed your VPC.

    $ AWS_REGION=<aws_region>
  2. Create a custom AWS customer-managed KMS key by running the following command:

    $ KMS_ARN=$(aws kms create-key --region $AWS_REGION --description 'Custom ROSA Encryption Key' --tags TagKey=red-hat,TagValue=true --query KeyMetadata.Arn --output text)

    This command saves the Amazon Resource Name (ARN) output of this custom key for further steps.

    Note

    Customers must provide the --tags TagKey=red-hat,TagValue=true argument that is required for a customer KMS key.

  3. Verify the KMS key has been created by running the following command:

    $ echo $KMS_ARN
  4. Set your AWS account ID to an environment variable by running the following command:

    $ AWS_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
  5. Create your AWS key policy by running the following command.

    Note

    If you use the default prefix, you need to modify the following code sample where you see {PREFIX}- to ManagedOpenShift-.

    $ cat << EOF > rosa-key-policy.json
    {
        "Version": "2012-10-17",
        "Id": "key-rosa-policy-1",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::${AWS_ACCOUNT}:root"
                },
                "Action": "kms:*",
                "Resource": "*"
            },
            {
                "Sid": "Allow ROSA use of the key",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-openshift-cluster-csi-drivers-ebs-cloud-credentials",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-kube-system-kms-provider"
                    ]
                },
                "Action": [
                    "kms:Encrypt",
                    "kms:Decrypt",
                    "kms:ReEncrypt*",
                    "kms:GenerateDataKey*",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            },
            {
                "Sid": "Allow attachment of persistent resources",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role",
                        "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-openshift-cluster-csi-drivers-ebs-cloud-credentials"
                    ]
                },
                "Action": [
                    "kms:CreateGrant",
                    "kms:ListGrants",
                    "kms:RevokeGrant"
                ],
                "Resource": "*",
                "Condition": {
                    "Bool": {
                        "kms:GrantIsForAWSResource": "true"
                    }
                }
            }
        ]
    }
    EOF
  6. Confirm the details of the policy file created by running the following command:

    $ cat rosa-key-policy.json
  7. Apply the newly generated key policy to the custom KMS key by running the following command:

    $ aws kms put-key-policy --key-id $KMS_ARN --policy file://rosa-key-policy.json --policy-name default

    You can now create your cluster using this AWS KMS encryption key.
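Once rosa-key-policy.json has been written, it is worth checking it before step 7 applies it, because put-key-policy replaces the key's entire policy and a policy rendered with an unset AWS_ACCOUNT or PREFIX, or with a quoted heredoc, would contain literal ${...} principals. The following grep-based pre-flight check is an added example written for the policy layout in step 5; it is not part of ROSA or the AWS CLI, and the account ID and file names in it are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks on rosa-key-policy.json before it is
# applied with "aws kms put-key-policy". Not part of ROSA or the AWS CLI;
# it relies only on grep and is written for the policy layout in step 5.

# check_key_policy FILE ACCOUNT_ID
# Prints each finding on stderr and returns 0 only when all checks pass.
check_key_policy() {
    file=$1; acct=$2; rc=0

    # 1. Unexpanded shell variables: a quoted heredoc (<< 'EOF') or an
    #    unset AWS_ACCOUNT/PREFIX leaves literal ${...} in the file, and
    #    KMS would then reject the policy or grant nothing usable.
    if grep -q '\${' "$file"; then
        echo "unexpanded shell variable in $file" >&2; rc=1
    fi

    # 2. Every IAM principal must belong to the intended account; a typo
    #    in AWS_ACCOUNT would hand key usage to someone else's roles.
    if grep 'arn:aws:iam::' "$file" | grep -qv "arn:aws:iam::$acct:"; then
        echo "principal from a foreign account in $file" >&2; rc=1
    fi

    # 3. "kms:*" must appear exactly once: the account-root statement.
    #    Any second occurrence means a cluster role got full key admin.
    n=$(grep -c '"kms:\*"' "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one kms:* statement, found $n" >&2; rc=1
    fi

    # 4. Grant permissions must stay conditioned on AWS resources (the
    #    EBS volumes and similar that ROSA attaches the key to).
    if ! grep -q '"kms:GrantIsForAWSResource": "true"' "$file"; then
        echo "kms:CreateGrant is not restricted to AWS resources" >&2; rc=1
    fi
    return $rc
}

# Usage after step 5, in the same shell where AWS_ACCOUNT is set:
if [ -f rosa-key-policy.json ] && [ -n "$AWS_ACCOUNT" ]; then
    check_key_policy rosa-key-policy.json "$AWS_ACCOUNT" && echo "rosa-key-policy.json OK"
fi
```

Run it between step 6 and step 7; a non-zero exit means the file should be regenerated rather than applied.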

You can create a Red Hat OpenShift Service on AWS cluster with Federal Information Processing Standards (FIPS) encryption that uses a customer-provided KMS key to encrypt either node root volumes, the etcd database, or both. A different KMS key ARN can be provided for each option.

Note

Red Hat OpenShift Service on AWS does not automatically configure the default storage class to encrypt persistent volumes with the customer-provided KMS key. This is something that can be configured in-cluster after installation.

Procedure

  1. Verify the KMS key has been created by running the following command:

    $ echo $KMS_ARN
  2. Confirm the details of the policy file created by running the following command:

    $ cat rosa-key-policy.json
  3. Create the cluster by running the following command:

    Note

    If your cluster name is longer than 15 characters, it will contain an autogenerated domain prefix as a sub-domain for your provisioned cluster on *.openshiftapps.com.

    To customize the subdomain, use the --domain-prefix flag. The domain prefix cannot be longer than 15 characters, must be unique, and cannot be changed after cluster creation.

    $ rosa create cluster \
    --cluster-name ${PREFIX}-test \
    --hosted-cp \
    --machine-cidr 10.0.0.0/16 \
    --oidc-config-id $OIDC_ID \
    --mode auto \
    --region $AWS_REGION \
    --replicas 2 \
    --operator-roles-prefix $PREFIX \
    --installer-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Installer-Role" \
    --support-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Support-Role" \
    --worker-iam-role-arn "arn:aws:iam::${AWS_ACCOUNT}:role/${PREFIX}-HCP-ROSA-Worker-Role" \
    --subnet-ids <subnet-ids> \
    --etcd-encryption \
    --etcd-encryption-kms-arn $KMS_ARN \
    --fips

    where:

    --subnet-ids
    These subnet IDs should include at least one private subnet ID and one public subnet ID.
    --kms-key-arn
    This KMS key ARN is used to encrypt all worker node root volumes. It is not required if only etcd database encryption is needed.
    --etcd-encryption-kms-arn
    This KMS key ARN is used to encrypt the etcd database. The etcd database is always encrypted by default with an AES block cipher, but can be encrypted instead with a KMS key. It is not required if only node root volume encryption is needed.

Verification

  1. Log in to your cluster as an admin user.
  2. Set the node name as a variable by running the following command:

    $ NODE=$(oc get nodes --no-headers | awk '$2=="Ready"{print $1; exit}')
  3. Check your cluster’s FIPS status by running the following command:

    $ oc debug node/${NODE} --to-namespace=default -- chroot /host bash -c 'set -x; \
    fips-mode-setup --check; \
    update-crypto-policies --show; \
    cat /etc/system-fips; \
    cat /proc/sys/crypto/fips_enabled; \
    sysctl crypto.fips_enabled'

    Example output

    Starting pod/ip-10-0-1-162us-east-2computeinternal-debug-86cnb ...
    To use host binaries, run `chroot /host`
    + fips-mode-setup --check
    FIPS mode is enabled.
    + update-crypto-policies --show
    FIPS
    + cat /etc/system-fips
    # FIPS module installation complete
    + cat /proc/sys/crypto/fips_enabled
    1
    + sysctl crypto.fips_enabled
    crypto.fips_enabled = 1
    
    Removing debug pod ...
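The debug command prints four independent FIPS indicators, and a node is only in FIPS mode when all of them agree: a kernel with fips_enabled=0 under a FIPS crypto policy is a misconfiguration, not a FIPS node. The following POSIX shell functions, added here as an example and not part of OpenShift or ROSA, parse the transcript the command above prints and turn it into a single pass/fail verdict that can gate a pipeline. The transcript embedded in the block is a constructed copy of the example output above; the only generalization beyond the page is that a crypto policy with a subpolicy (FIPS:<subpolicy>) is also accepted.

```shell
#!/bin/sh
# Added example: turn the "oc debug node" FIPS check above into a
# pass/fail gate. Not part of OpenShift or ROSA; it parses the transcript
# that the debug command prints (set -x trace lines plus command output).

# Constructed sample transcript, copied from the example output above.
SAMPLE_FIPS_OUTPUT='Starting pod/ip-10-0-1-162us-east-2computeinternal-debug-86cnb ...
To use host binaries, run `chroot /host`
+ fips-mode-setup --check
FIPS mode is enabled.
+ update-crypto-policies --show
FIPS
+ cat /etc/system-fips
# FIPS module installation complete
+ cat /proc/sys/crypto/fips_enabled
1
+ sysctl crypto.fips_enabled
crypto.fips_enabled = 1

Removing debug pod ...'

# value_after CMD: print the first line that follows the "+ CMD" trace
# line, i.e. the first line of that command's output. Reads stdin.
value_after() {
    awk -v cmd="+ $1" 'found { print; exit } $0 == cmd { found = 1 }'
}

# fips_verdict: print "enabled" and return 0 only if every indicator
# agrees; otherwise name the first disagreeing indicator and return 1.
fips_verdict() {
    t=$(cat)
    setup=$(printf '%s\n' "$t" | value_after 'fips-mode-setup --check')
    policy=$(printf '%s\n' "$t" | value_after 'update-crypto-policies --show')
    procfs=$(printf '%s\n' "$t" | value_after 'cat /proc/sys/crypto/fips_enabled')
    sysctl=$(printf '%s\n' "$t" | value_after 'sysctl crypto.fips_enabled')

    [ "$setup" = "FIPS mode is enabled." ] || { echo "fips-mode-setup: $setup"; return 1; }
    # The policy is FIPS, optionally with a subpolicy such as FIPS:<name>.
    case "$policy" in
        FIPS|FIPS:*) ;;
        *) echo "crypto policy: $policy"; return 1 ;;
    esac
    [ "$procfs" = "1" ] || { echo "/proc/sys/crypto/fips_enabled: $procfs"; return 1; }
    [ "$sysctl" = "crypto.fips_enabled = 1" ] || { echo "sysctl: $sysctl"; return 1; }
    echo enabled
}

# Usage with the constructed sample. On a live cluster, pipe the debug
# command instead (its set -x trace goes to stderr, hence 2>&1):
#   oc debug node/${NODE} --to-namespace=default -- chroot /host bash -c '...' 2>&1 | fips_verdict
printf '%s\n' "$SAMPLE_FIPS_OUTPUT" | fips_verdict
```

Because the check keys on the "+ command" trace lines, keep set -x in the bash -c script when you use it against a real node.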
