Red Hat Summit3장. Preparing to deploy hosted control planes
3.1. Requirements for hosted control planes
In the context of hosted control planes, a management cluster is an OpenShift Container Platform cluster where the HyperShift Operator is deployed and where the control planes for hosted clusters are hosted.
The control plane is associated with a hosted cluster and runs as pods in a single namespace. When the cluster service consumer creates a hosted cluster, it creates a worker node that is independent of the control plane.
The following requirements apply to hosted control planes:
- In order to run the HyperShift Operator, your management cluster needs at least three worker nodes.
-
You must open the firewall port
53on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to allow the Domain Name Service (DNS) protocol to work as expected. - You can run both the management cluster and the worker nodes on-premise, such as on a bare-metal platform or on OpenShift Virtualization. In addition, you can run both the management cluster and the worker nodes on cloud infrastructure, such as Amazon Web Services (AWS).
-
If you use a mixed infrastructure, such as running the management cluster on AWS and your worker nodes on-premise, or running your worker nodes on AWS and your management cluster on-premise, you must use the
PublicAndPrivatepublishing strategy and follow the latency requirements in the support matrix. - In Bare Metal Host (BMH) deployments, where the Bare Metal Operator starts machines, the hosted control plane must be able to reach baseboard management controllers (BMCs). If your security profile does not permit the Cluster Baremetal Operator to access the network where the BMHs have their BMCs in order to enable Redfish automation, you can use BYO ISO support. However, in BYO mode, OpenShift Container Platform cannot automate the powering on of BMHs.
3.1.1. Support matrix for hosted control planes
Because multicluster engine for Kubernetes Operator includes the HyperShift Operator, releases of hosted control planes align with releases of multicluster engine Operator. The support matrix includes details about supported clusters, platforms, and architectures, as well as information about updates and technology preview features.
For more information, see OpenShift Operator Life Cycles.
3.1.1.1. Management cluster support
Any supported OpenShift Container Platform cluster can be a management cluster.
A single-node OpenShift Container Platform cluster is not supported as a management cluster. If you have resource constraints, you can share infrastructure between a standalone OpenShift Container Platform control plane and hosted control planes. For more information, see "Shared infrastructure between hosted and standalone control planes".
The following table maps multicluster engine Operator versions to the management cluster versions that support them:
| Management cluster version | Supported multicluster engine Operator version |
|---|---|
| 4.14 - 4.17 | 2.6 |
| 4.15 - 4.17 | 2.7 |
| 4.16 - 4.18 | 2.8 |
| 4.17 - 4.19 | 2.9 |
| 4.18 - 4.20 | 2.10 |
| 4.19 - 4.21 | 2.11 |
3.1.1.2. Hosted cluster support
For hosted clusters, no direct relationship exists between the management cluster version and the hosted cluster version. The hosted cluster version depends on the HyperShift Operator that is included with your multicluster engine Operator version.
Ensure a maximum latency of 200 ms between the management cluster and hosted clusters. This requirement is especially important for mixed infrastructure deployments, such as when your management cluster is on AWS and your compute nodes are on-premise.
The following table shows the hosted cluster versions that you can create by using the HyperShift Operator that is associated with a version of multicluster engine Operator:
Although the HyperShift Operator supports the hosted cluster versions in the following table, multicluster engine Operator supports only as far back as 2 versions earlier than the current version. For example, if the current hosted cluster version is 4.21, multicluster engine Operator supports as far back as version 4.19. If you want to use a hosted cluster version that is earlier than one of the versions that multicluster engine Operator supports, you can detach your hosted clusters from multicluster engine Operator to be unmanaged, or you can use an earlier version of multicluster engine Operator. For instructions to detach your hosted clusters from multicluster engine Operator, see Removing a cluster from management (RHACM documentation). For more information about multicluster engine Operator support, see The multicluster engine for Kubernetes operator 2.11 Support Matrix (Red Hat Knowledgebase).
| Hosted cluster version | HyperShift Operator in multicluster engine Operator 2.6 | HyperShift Operator in multicluster engine Operator 2.7 | HyperShift Operator in multicluster engine Operator 2.8 | HyperShift Operator in multicluster engine Operator 2.9 | HyperShift Operator in multicluster engine Operator 2.10 | HyperShift Operator in multicluster engine Operator 2.11 |
|---|---|---|---|---|---|---|
| 4.14 | Yes | Yes | Yes | Yes | Yes | Yes |
| 4.15 | Yes | Yes | Yes | Yes | Yes | Yes |
| 4.16 | Yes | Yes | Yes | Yes | Yes | Yes |
| 4.17 | No | Yes | Yes | Yes | Yes | Yes |
| 4.18 | No | No | Yes | Yes | Yes | Yes |
| 4.19 | No | No | No | Yes | Yes | Yes |
| 4.20 | No | No | No | No | Yes | Yes |
| 4.21 | No | No | No | No | No | Yes |
3.1.1.3. Hosted cluster platform support
A hosted cluster supports only one infrastructure platform. For example, you cannot create multiple node pools on different infrastructure platforms.
The following table indicates which OpenShift Container Platform versions are supported for each platform of hosted control planes.
For IBM Power and IBM Z:
- You must run the control plane on machine types that are based on 64-bit x86 architecture or s390x architecture
- You must run node pools on IBM Power or IBM Z
In the following table, the management cluster version is the OpenShift Container Platform version where the multicluster engine Operator is enabled:
| Hosted cluster platform | Management cluster version | Hosted cluster version |
|---|---|---|
| Amazon Web Services | 4.16 - 4.21 | 4.16 - 4.21 |
| IBM Power | 4.17 - 4.21 | 4.17 - 4.21 |
| IBM Z | 4.17 - 4.21 | 4.17 - 4.21 |
| OpenShift Virtualization | 4.14 - 4.21 | 4.14 - 4.21 |
| Bare metal | 4.14 - 4.21 | 4.14 - 4.21 |
| Non-bare-metal agent machines (Technology Preview) | 4.16 - 4.21 | 4.16 - 4.21 |
| Red Hat OpenStack Platform (RHOSP) (Technology Preview) | 4.19 - 4.21 | 4.19 - 4.21 |
3.1.1.4. Multi-architecture support
The following tables indicate the support status for hosted control planes on multiple architectures. If an architecture is not listed, it is not yet fully supported.
| Platform | Control planes | Compute nodes | OpenShift Container Platform version support | Status |
|---|---|---|---|---|
| AWS | 64-bit x86 | 64-bit x86 | 4.16 - 4.21 | General Availability |
| AWS | 64-bit x86 | ARM64 | 4.17 - 4.21 | General Availability |
| AWS | ARM64 | ARM64 | 4.17 - 4.21 | General Availability |
| AWS | ARM64 | 64-bit x86 | 4.17 - 4.21 | General Availability |
| Bare metal (Agent platform) | 64-bit x86 | 64-bit x86 | 4.14 - 4.21 | General Availability |
| Bare metal (Agent platform) | 64-bit x86 | ARM64 | 4.21 | General Availability |
| IBM Power | 64-bit x86 | ppc64le | 4.17 - 4.21 | General Availability |
| IBM Z | 64-bit x86 | s390x | 4.17 - 4.21 | General Availability |
| IBM Z | s390x | s390x | 4.20 - 4.21 | General Availability |
| Non-bare-metal Agent machines | 64-bit x86 | 64-bit x86 | 4.16 - 4.21 | Technology Preview |
| OpenShift Virtualization | 64-bit x86 | 64-bit x86 | 4.14 - 4.21 | General Availability |
| OpenShift Virtualization | s390x | s390x | 4.21 | Technology Preview |
| Red Hat OpenStack Platform (RHOSP) | 64-bit x86 | 64-bit x86 | 4.19 - 4.21 | Technology Preview |
3.1.1.5. Updates of multicluster engine Operator
When you update to another version of the multicluster engine Operator, your hosted cluster can continue to run if the HyperShift Operator that is included in the version of multicluster engine Operator supports the hosted cluster version. The following table shows which hosted cluster versions are supported on which updated multicluster engine Operator versions.
Although the HyperShift Operator supports the hosted cluster versions in the following table, multicluster engine Operator supports only as far back as 2 versions earlier than the current version. For example, if the current hosted cluster version is 4.21, multicluster engine Operator supports as far back as version 4.19. If you want to use a hosted cluster version that is earlier than one of the versions that multicluster engine Operator supports, you can detach your hosted clusters from multicluster engine Operator to be unmanaged, or you can use an earlier version of multicluster engine Operator. For instructions to detach your hosted clusters from multicluster engine Operator, see Removing a cluster from management (RHACM documentation). For more information about multicluster engine Operator support, see The multicluster engine for Kubernetes operator 2.11 Support Matrix (Red Hat Knowledgebase).
| Updated multicluster engine Operator version | Supported hosted cluster version |
|---|---|
| Updated from 2.5 to 2.6 | OpenShift Container Platform 4.14 - 4.15 |
| Updated from 2.6 to 2.7 | OpenShift Container Platform 4.14 - 4.16 |
| Updated from 2.7 to 2.8 | OpenShift Container Platform 4.14 - 4.17 |
| Updated from 2.8 to 2.9 | OpenShift Container Platform 4.14 - 4.18 |
| Updated from 2.9 to 2.10 | OpenShift Container Platform 4.14 - 4.19 |
| Updated from 2.10 to 2.11 | OpenShift Container Platform 4.14 - 4.20 |
For example, if you have an OpenShift Container Platform 4.18 hosted cluster on the management cluster and you update from multicluster engine Operator 2.8 to 2.9, the hosted cluster can continue to run.
3.1.1.6. Technology Preview features
For a list of features in this release that have a Technology Preview status, see the "Technology Preview features status" section of the Hosted control planes release notes.
3.1.2. FIPS-enabled hosted clusters
The binaries for hosted control planes are FIPs-compliant, with the exception of the hosted control planes command-line interface, hcp.
If you want to deploy a FIPS-enabled hosted cluster, you must use a FIPS-enabled management cluster. To enable FIPS mode for your management cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode.
When running RHEL or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.
After you set up your management cluster in FIPS mode, the hosted cluster creation process runs on that management cluster.
3.1.3. CIDR ranges for hosted control planes
To successfully deploy hosted control planes on OpenShift Container Platform, define the network environment by using specific Classless Inter-Domain Routing (CIDR) subnet ranges.
The following Classless Inter-Domain Routing (CIDR) subnet ranges are the default settings for hosted control planes:
-
v4InternalSubnet: 100.65.0.0/16 (OVN-Kubernetes) -
clusterNetwork: 10.132.0.0/14 (pod network) -
serviceNetwork: 172.31.0.0/16
By using one of the default subnet ranges, you can avoid CIDR overlap with the management cluster and avoid connectivity issues. However, you can use other CIDR subnet ranges if they do not overlap with the management cluster.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}