Red Hat Summit이 콘텐츠는 선택한 언어로 제공되지 않습니다.
Chapter 2. Configuring a Google Cloud project
Before you can install OpenShift Container Platform, you must configure a Google Cloud project to host it. You can configure custom roles and permissions, DNS configuration, and manage your own Google Cloud firewall rules.
2.1. Creating a Google Cloud project
To install OpenShift Container Platform, you must create a project in your Google Cloud account to host the cluster.
Procedure
Create a project to host your OpenShift Container Platform cluster. See Creating and Managing Projects in the Google Cloud documentation.
ImportantYour Google Cloud project must use the Premium Network Service Tier if you are using installer-provisioned infrastructure. The Standard Network Service Tier is not supported for clusters installed using the installation program. The installation program configures internal load balancing for the
api-int.<cluster_name>.<base_domain>URL; the Premium Tier is required for internal load balancing.
2.2. Enabling API services in Google Cloud
Your Google Cloud project requires access to several API services to complete OpenShift Container Platform installation.
Prerequisites
- You created a project to host your cluster.
Procedure
Enable the following required API services in the project that hosts your cluster. You may also enable optional API services which are not required for installation. See Enabling services in the Google Cloud documentation.
Expand Table 2.1. Required API services API service Console service name Compute Engine API
compute.googleapis.comCloud Resource Manager API
cloudresourcemanager.googleapis.comCloud DNS API
dns.googleapis.comIAM Service Account Credentials API
iamcredentials.googleapis.comIdentity and Access Management (IAM) API
iam.googleapis.comService Usage API
serviceusage.googleapis.comExpand Table 2.2. Optional API services API service Console service name Google Cloud APIs
cloudapis.googleapis.comService Management API
servicemanagement.googleapis.comGoogle Cloud Storage JSON API
storage-api.googleapis.comCloud Storage
storage-component.googleapis.com
2.3. Configuring DNS for Google Cloud
To install OpenShift Container Platform, the Google Cloud account you use must have a dedicated public hosted zone in the same project that you host the OpenShift Container Platform cluster. This zone must be authoritative for the domain. The DNS service provides cluster DNS resolution and name lookup for external connections to the cluster.
Procedure
Identify your domain, or subdomain, and registrar. You can transfer an existing domain and registrar or obtain a new one through Google Cloud or another source.
NoteIf you purchase a new domain, it can take time for the relevant DNS changes to propagate. For more information about purchasing domains through Google, see Google Domains.
Create a public hosted zone for your domain or subdomain in your Google Cloud project. See Creating public zones in the Google Cloud documentation.
Use an appropriate root domain, such as
openshiftcorp.com, or subdomain, such asclusters.openshiftcorp.com.Extract the new authoritative name servers from the hosted zone records. See Look up your Cloud DNS name servers in the Google Cloud documentation.
You typically have four name servers.
- Update the registrar records for the name servers that your domain uses. For example, if you registered your domain to Google Domains, see the following topic in the Google Domains Help: How to switch to custom name servers.
- If you migrated your root domain to Google Cloud DNS, migrate your DNS records. See Migrating to Cloud DNS in the Google Cloud documentation.
- If you use a subdomain, follow your company’s procedures to add its delegation records to the parent domain. This process might include a request to your company’s IT department or the division that controls the root domain and DNS services for your company.
2.4. Google Cloud account limits
The OpenShift Container Platform cluster uses a number of Google Cloud components, but the default Quotas do not affect your ability to install a default OpenShift Container Platform cluster.
A default cluster, which contains three compute and three control plane machines, uses the following resources. Note that some resources are required only during the bootstrap process and are removed after the cluster deploys.
| Service | Component | Location | Total resources required | Resources removed after bootstrap |
|---|---|---|---|---|
| Service account | IAM | Global | 6 | 1 |
| Firewall rules | Compute | Global | 11 | 1 |
| Forwarding rules | Compute | Global | 2 | 0 |
| In-use global IP addresses | Compute | Global | 4 | 1 |
| Health checks | Compute | Global | 3 | 0 |
| Images | Compute | Global | 1 | 0 |
| Networks | Compute | Global | 2 | 0 |
| Static IP addresses | Compute | Region | 4 | 1 |
| Routers | Compute | Global | 1 | 0 |
| Routes | Compute | Global | 2 | 0 |
| Subnetworks | Compute | Global | 2 | 0 |
| Target pools | Compute | Global | 3 | 0 |
| CPUs | Compute | Region | 28 | 4 |
| Persistent disk SSD (GB) | Compute | Region | 896 | 128 |
If any of the quotas are insufficient during installation, the installation program displays an error that states both which quota was exceeded and the region.
Be sure to consider your actual cluster size, planned cluster growth, and any usage from other clusters that are associated with your account. The CPU, static IP addresses, and persistent disk SSD (storage) quotas are the ones that are most likely to be insufficient.
If you plan to deploy your cluster in one of the following regions, you will exceed the maximum storage quota and are likely to exceed the CPU quota limit:
-
asia-east2 -
asia-northeast2 -
asia-south1 -
australia-southeast1 -
europe-north1 -
europe-west2 -
europe-west3 -
europe-west6 -
northamerica-northeast1 -
southamerica-east1 -
us-west2
You can increase resource quotas from the Google Cloud console, but you might need to file a support ticket. Be sure to plan your cluster size early so that you can allow time to resolve the support ticket before you install your OpenShift Container Platform cluster.
2.5. Creating a service account in Google Cloud
OpenShift Container Platform requires a Google Cloud service account that provides authentication and authorization to access data in the Google APIs. If you do not have an existing IAM service account that contains the required roles in your project, you must create one.
To reduce the scope of permissions granted to the main service account in your Google Cloud project while still being able to use the Google Cloud Container Storage Interface (CSI) Driver Operator, you can transfer the control of permissions from the project-wide service account to the control plane and compute node service accounts instead, thus reducing the scope of the permission. For more information, see Section Reducing permissions while using the Google Cloud CSI Driver Operator.
Prerequisites
- You created a project to host your cluster.
Procedure
- Create a service account in the project that you use to host your OpenShift Container Platform cluster. See Creating a service account in the Google Cloud documentation.
Grant the service account the appropriate permissions. You can either grant the individual permissions that follow or assign the
Ownerrole to it. See Granting roles to a service account for specific resources.NoteWhile making the service account an owner of the project is the easiest way to gain the required permissions, it means that service account has complete control over the project. You must determine if the risk that comes from offering that power is acceptable.
You can create the service account key in JSON format, or attach the service account to a Google Cloud virtual machine. See Creating service account keys and Creating and enabling service accounts for instances in the Google Cloud documentation.
NoteIf you use a virtual machine with an attached service account to create your cluster, you must set
credentialsMode: Manualin theinstall-config.yamlfile before installation.
2.5.1. Required Google Cloud roles
When you attach the Owner role to the service account that you create, you grant that service account all permissions, including those that are required to install OpenShift Container Platform. If your organization’s security policies require a more restrictive set of permissions, you can create a service account with the following permissions. If you deploy your cluster into an existing virtual private cloud (VPC), the service account does not require certain networking permissions, which are noted in the following lists:
Required roles for the installation program
- Compute Admin
- Role Administrator
- Security Admin
- Service Account Admin
- Service Account Key Admin
- Service Account User
- Storage Admin
Required roles for creating network resources during installation
- DNS Administrator
Required roles for using the Cloud Credential Operator in passthrough mode
- Compute Load Balancer Admin
- Tag User
The following roles are applied to the service accounts that the control plane and compute machines use:
| Account | Roles |
|---|---|
| Control Plane |
|
|
| |
|
| |
|
| |
|
| |
| Compute |
|
|
| |
|
|
2.5.2. Required Google Cloud permissions for installer-provisioned infrastructure
When you attach the Owner role to the service account that you create, you grant that service account all permissions, including those that are required to install OpenShift Container Platform. If your organization’s security policies require a more restrictive set of permissions, you can create custom roles with the necessary permissions.
The following permissions are required for the installer-provisioned infrastructure for creating and deleting the OpenShift Container Platform cluster.
Example 2.1. Required permissions for creating network resources
-
compute.addresses.create -
compute.addresses.createInternal -
compute.addresses.delete -
compute.addresses.get -
compute.addresses.list -
compute.addresses.use -
compute.addresses.useInternal compute.firewalls.create- This permission is not required if you install into an existing VPC and manage your own firewall rules. See the Managing your own firewall rules section.
compute.firewalls.delete- This permission is not required if you install into an existing VPC and manage your own firewall rules. See the Managing your own firewall rules section.
-
compute.firewalls.get -
compute.firewalls.list -
compute.forwardingRules.create -
compute.forwardingRules.get -
compute.forwardingRules.list -
compute.forwardingRules.setLabels -
compute.globalAddresses.create -
compute.globalAddresses.get -
compute.globalAddresses.use -
compute.globalForwardingRules.create -
compute.globalForwardingRules.get -
compute.globalForwardingRules.setLabels -
compute.networks.create -
compute.networks.get -
compute.networks.list -
compute.networks.updatePolicy -
compute.networks.use -
compute.routers.create -
compute.routers.get -
compute.routers.list -
compute.routers.update -
compute.routes.list -
compute.subnetworks.create -
compute.subnetworks.get -
compute.subnetworks.list -
compute.subnetworks.use -
compute.subnetworks.useExternalIp
Example 2.2. Required permissions for creating load balancer resources
-
compute.backendServices.create -
compute.backendServices.get -
compute.backendServices.list -
compute.backendServices.update -
compute.backendServices.use -
compute.regionBackendServices.create -
compute.regionBackendServices.get -
compute.regionBackendServices.list -
compute.regionBackendServices.update -
compute.regionBackendServices.use -
compute.targetPools.addInstance -
compute.targetPools.create -
compute.targetPools.get -
compute.targetPools.list -
compute.targetPools.removeInstance -
compute.targetPools.use -
compute.targetTcpProxies.create -
compute.targetTcpProxies.get -
compute.targetTcpProxies.use
Example 2.3. Required permissions for creating DNS resources
-
dns.changes.create -
dns.changes.get -
dns.managedZones.create -
dns.managedZones.get -
dns.managedZones.list -
dns.networks.bindPrivateDNSZone -
dns.resourceRecordSets.create -
dns.resourceRecordSets.list
Example 2.4. Required permissions for creating Service Account resources
-
iam.serviceAccountKeys.create -
iam.serviceAccountKeys.delete -
iam.serviceAccountKeys.get -
iam.serviceAccountKeys.list iam.serviceAccounts.actAs-
This permission can be limited to act as the control plane and compute service accounts. Alternatively, you may grant the service account that the installation program uses the
iam.serviceAccountUserrole on the control plane and compute service accounts.
-
This permission can be limited to act as the control plane and compute service accounts. Alternatively, you may grant the service account that the installation program uses the
-
iam.serviceAccounts.create -
iam.serviceAccounts.delete -
iam.serviceAccounts.get -
iam.serviceAccounts.list -
resourcemanager.projects.get -
resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy-
This permission is not required if you use
credentialsMode: Manualand supply your own service accounts for compute and control plane nodes.
-
This permission is not required if you use
Example 2.5. Required permissions for creating compute resources
-
compute.disks.create -
compute.disks.get -
compute.disks.list -
compute.disks.setLabels -
compute.instanceGroups.create -
compute.instanceGroups.delete -
compute.instanceGroups.get -
compute.instanceGroups.list -
compute.instanceGroups.update -
compute.instanceGroups.use -
compute.instances.create -
compute.instances.delete -
compute.instances.get -
compute.instances.list -
compute.instances.setLabels -
compute.instances.setMetadata -
compute.instances.setServiceAccount -
compute.instances.setTags -
compute.instances.use -
compute.machineTypes.get -
compute.machineTypes.list
Example 2.6. Required for creating storage resources
-
storage.buckets.create -
storage.buckets.delete -
storage.buckets.get -
storage.buckets.list -
storage.objects.create -
storage.objects.delete -
storage.objects.get -
storage.objects.list
Example 2.7. Required permissions for creating health check resources
-
compute.healthChecks.create -
compute.healthChecks.get -
compute.healthChecks.list -
compute.healthChecks.useReadOnly -
compute.httpHealthChecks.create -
compute.httpHealthChecks.get -
compute.httpHealthChecks.list -
compute.httpHealthChecks.useReadOnly -
compute.regionHealthChecks.create -
compute.regionHealthChecks.get -
compute.regionHealthChecks.useReadOnly
Example 2.8. Required permissions to get Google Cloud zone and region related information
-
compute.globalOperations.get -
compute.regionOperations.get -
compute.regions.get -
compute.regions.list -
compute.zoneOperations.get -
compute.zones.get -
compute.zones.list
Example 2.9. Required permissions for checking services and quotas
-
monitoring.timeSeries.list -
serviceusage.quotas.get -
serviceusage.services.list
Example 2.10. Required IAM permissions for installation
-
iam.roles.create -
iam.roles.get -
iam.roles.update
Example 2.11. Required permissions when authenticating without a service account key
-
iam.serviceAccounts.signBlob
Example 2.12. Required permissions when providing Key Management Service (KMS) key rings
-
cloudkms.keyRings.list
Example 2.13. Optional Images permissions for installation
-
compute.images.list
Example 2.14. Optional permission for running gather bootstrap
-
compute.instances.getSerialPortOutput
Example 2.15. Required permissions for deleting network resources
-
compute.addresses.delete -
compute.addresses.deleteInternal -
compute.addresses.list -
compute.addresses.setLabels -
compute.firewalls.delete -
compute.firewalls.list -
compute.forwardingRules.delete -
compute.forwardingRules.list -
compute.globalAddresses.delete -
compute.globalAddresses.list -
compute.globalForwardingRules.delete -
compute.globalForwardingRules.list -
compute.networks.delete -
compute.networks.list -
compute.networks.updatePolicy -
compute.routers.delete -
compute.routers.list -
compute.routes.list -
compute.subnetworks.delete -
compute.subnetworks.list
Example 2.16. Required permissions for deleting load balancer resources
-
compute.backendServices.delete -
compute.backendServices.list -
compute.regionBackendServices.delete -
compute.regionBackendServices.list -
compute.targetPools.delete -
compute.targetPools.list -
compute.targetTcpProxies.delete -
compute.targetTcpProxies.list
Example 2.17. Required permissions for deleting DNS resources
-
dns.changes.create -
dns.managedZones.delete -
dns.managedZones.get -
dns.managedZones.list -
dns.resourceRecordSets.delete -
dns.resourceRecordSets.list
Example 2.18. Required permissions for deleting Service Account resources
-
iam.serviceAccounts.delete -
iam.serviceAccounts.get -
iam.serviceAccounts.list -
resourcemanager.projects.getIamPolicy
Example 2.19. Required permissions for deleting compute resources
-
compute.disks.delete -
compute.disks.list -
compute.instanceGroups.delete -
compute.instanceGroups.list -
compute.instances.delete -
compute.instances.list -
compute.instances.stop -
compute.machineTypes.list
Example 2.20. Required for deleting storage resources
-
storage.buckets.delete -
storage.buckets.getIamPolicy -
storage.buckets.list -
storage.objects.delete -
storage.objects.list
Example 2.21. Required permissions for deleting health check resources
-
compute.healthChecks.delete -
compute.healthChecks.list -
compute.httpHealthChecks.delete -
compute.httpHealthChecks.list -
compute.regionHealthChecks.delete -
compute.regionHealthChecks.list
Example 2.22. Required Images permissions for deletion
-
compute.images.list
2.5.3. Required Google Cloud permissions for shared VPC installations
When you are installing a cluster to a shared VPC, you must configure the service account for both the host project and the service project.
You can use granular permissions for a Cloud Credential Operator that operates in either Manual or Mint credentials mode. For more information about the minimum permissions required for a standard installation that is configured with either of these credentials modes, see "Required Google Cloud permissions for installer-provisioned infrastructure".
You cannot use granular permissions in Passthrough credentials mode. For more information about the minimum roles required, see "Required Google Cloud roles".
If you are not installing to a shared Virtual Private Cloud (VPC), you can skip the procedure.
When installing a cluster on shared Virtual Private Cloud (VPC) infrastructure and you want to manually create credentials, grant the compute.subnetworks.use permission on the host project to the credentials that the Machine API Operator uses.
Ensure that the host project applies one of the following configurations to the service account, noting that the permissions for creating and deleting firewalls are not required if you manage your own firewall rules:
Example 2.23. Required permissions for creating firewalls in the host project
-
projects/<host-project>/roles/dns.networks.bindPrivateDNSZone -
roles/compute.networkAdmin -
roles/compute.securityAdmin
Example 2.24. Required permissions for deleting firewalls in the host project
-
compute.firewalls.delete -
compute.networks.updatePolicy
Example 2.25. Required minimal permissions
-
projects/<host-project>/roles/dns.networks.bindPrivateDNSZone -
roles/compute.networkUser
If you do not supply a service account for control plane nodes in the install-config.yaml file, grant the following permissions to the service account in the host project. If you do not supply a service account for compute nodes in the install-config.yaml file, grant the following permissions to the service account in the host project for cluster destruction. If you do supply service accounts for control plane and compute nodes, you do not need to grant the following permissions.
-
resourcemanager.projects.getIamPolicy -
resourcemanager.projects.setIamPolicy
The following permissions are required when you select a separate project for the location of the DNS zone or zones. These permissions are also required when the DNS zone or zones are located in a third project.
Example 2.26. Required minimal permissions for provisioning DNS resources in a separate project
-
dns.changes.create -
dns.changes.get -
dns.managedZones.create -
dns.managedZones.delete -
dns.managedZones.get -
dns.managedZones.list -
dns.managedZones.update -
dns.resourceRecordSets.create -
dns.resourceRecordSets.delete -
dns.resourceRecordSets.list
2.5.4. Required Google Cloud permissions for user-provided service accounts
When you are installing a cluster, the compute and control plane nodes require their own service accounts. By default, the installation program creates a service account for the control plane and compute nodes. The service account that the installation program uses requires the roles and permissions that are listed in the Creating a service account in Google Cloud section, as well as the resourcemanager.projects.getIamPolicy and resourcemanager.projects.setIamPolicy permissions. These permissions should be applied to the service account in the host project. If this approach does not meet the security requirements of your organization, you can provide a service account email address for the control plane or compute nodes in the install-config.yaml file. For more information, see the Installation configuration parameters for Google Cloud page. If you provide a service account for control plane nodes during an installation into a shared VPC, you must grant that service account the roles/compute.networkUser role in the host project. If you want the installation program to automatically create firewall rules when you supply the control plane service account, you must grant that service account the roles/compute.networkAdmin and roles/compute.securityAdmin roles in the host project. If you only supply the roles/compute.networkUser role, you must create the firewall rules manually.
The following roles are required for user-provided service accounts for control plane and compute nodes respectively.
Example 2.27. Required roles for control plane nodes
-
roles/compute.instanceAdmin -
roles/compute.networkAdmin -
roles/compute.securityAdmin -
roles/storage.admin
Example 2.28. Required roles for compute nodes
-
roles/compute.viewer -
roles/storage.admin -
roles/artifactregistry.reader
2.6. Managing your own firewall rules
You can manage your own firewall rules when installing a cluster on Google Cloud into an existing VPC by enabling the firewallRulesManagement parameter in the install-config.yaml file. You can limit the permissions that you grant to the installation program by managing your own firewall rules.
If you manage your own firewall rules, you must continue to manage them through the lifetime of the cluster. If you create a new service, create a new firewall rule that permits traffic on the service port, from the desired source addresses to the compute nodes. An example rule is described in the table below.
If you want to manage your own firewall rules, you must create the following rules before installation:
| Rule Name | Protocol:Port | Source | Destination |
|---|---|---|---|
| bootstrap-in-ssh |
|
|
|
| api |
|
|
|
| health-checks |
|
|
|
| etcd |
|
|
|
| control-plane |
|
|
|
| internal-network |
icmp, |
|
|
| internal-cluster |
|
|
|
| ingress-k8s-fw |
|
|
|
| ingress-k8s-http-hc |
|
|
|
|
|
|
|
|
where:
<allowed_external_cidr>-
Specifies a network CIDR of the machines that you want to grant access to your cluster. For a public cluster, this would typically be
0.0.0.0/0. For a private cluster, access might be restricted to the cluster machine network. <control_plane_node_tags>-
Specifies the network tags that apply to the control plane machines in your cluster. These tags must be specified in the
install-config.yamlfile you use to deploy the cluster. <compute_node_tags>-
Specifies the network tags that apply to the compute machines in your cluster. These tags must be specified in the
install-config.yamlfile you use to deploy the cluster. <internal_network_cidr>- Specifies the network CIDR of the machine network that contains all the machines in your cluster.
<sample_rule_name>- Specifies the name of a custom rule added after installation, for example if you create a new service in your cluster. You can add multiple custom rules as needed.
<service_port>-
Specifies the port or port range of the service you created, and the network protocol, such as TCP or UDP. If you create a service using
oc expose, you can find the service port and protocol by running the commandoc get service <service_name> -o jsonpath='{.spec.ports[0].port}', where<service_name>is the name of the service you created.
After installation, you can reduce the port range of the ingress-k8s-http-hc and internal-cluster rules from tcp:30000-32767 to the individual port that the ingress load balancer service uses, which is not known before installation. You can determine the service port by running the following command after installation:
oc get svc router-default -n openshift-ingress -o jsonpath='{.spec.ports[*].nodePort}'
$ oc get svc router-default -n openshift-ingress -o jsonpath='{.spec.ports[*].nodePort}'2.7. Supported Google Cloud regions
You can deploy an OpenShift Container Platform cluster to the following Google Cloud regions:
-
africa-south1(Johannesburg, South Africa) -
asia-east1(Changhua County, Taiwan) -
asia-east2(Hong Kong) -
asia-northeast1(Tokyo, Japan) -
asia-northeast2(Osaka, Japan) -
asia-northeast3(Seoul, South Korea) -
asia-south1(Mumbai, India) -
asia-south2(Delhi, India) -
asia-southeast1(Jurong West, Singapore) -
asia-southeast2(Jakarta, Indonesia) -
australia-southeast1(Sydney, Australia) -
australia-southeast2(Melbourne, Australia) -
europe-central2(Warsaw, Poland) -
europe-north1(Hamina, Finland) -
europe-southwest1(Madrid, Spain) -
europe-west1(St. Ghislain, Belgium) -
europe-west2(London, England, UK) -
europe-west3(Frankfurt, Germany) -
europe-west4(Eemshaven, Netherlands) -
europe-west6(Zürich, Switzerland) -
europe-west8(Milan, Italy) -
europe-west9(Paris, France) -
europe-west12(Turin, Italy) -
me-central1(Doha, Qatar, Middle East) -
me-central2(Dammam, Saudi Arabia, Middle East) -
me-west1(Tel Aviv, Israel) -
northamerica-northeast1(Montréal, Québec, Canada) -
northamerica-northeast2(Toronto, Ontario, Canada) -
southamerica-east1(São Paulo, Brazil) -
southamerica-west1(Santiago, Chile) -
us-central1(Council Bluffs, Iowa, USA) -
us-east1(Moncks Corner, South Carolina, USA) -
us-east4(Ashburn, Northern Virginia, USA) -
us-east5(Columbus, Ohio) -
us-south1(Dallas, Texas) -
us-west1(The Dalles, Oregon, USA) -
us-west2(Los Angeles, California, USA) -
us-west3(Salt Lake City, Utah, USA) -
us-west4(Las Vegas, Nevada, USA)
To determine which machine type instances are available by region and zone, see the Google documentation.
2.8. Next steps
- Install an OpenShift Container Platform cluster on Google Cloud. You can install a customized cluster or quickly install a cluster with default options.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}