6.2. 외부 인증 공급자를 사용하는 HCP 클러스터를 사용하여 ROSA 생성

절차

• OIDC_ID,SUBNET_IDS, OPERATOR_ROLES_PREFIX 변수를 사용하여 환경을 준비한 경우 클러스터를 생성할 때 해당 변수를 계속 사용할 수 있습니다. 예를 들어 다음 명령을 실행합니다.

  $ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS \
     --oidc-config-id=$OIDC_ID --cluster-name=<cluster_name> \
     --operator-roles-prefix=$OPERATOR_ROLES_PREFIX \
     --external-auth-providers-enabled

  Copy to Clipboard Toggle word wrap

• 환경 변수를 설정하지 않은 경우 다음 명령을 실행합니다.

  $ rosa create cluster --cluster-name=<cluster_name> --sts --mode=auto \
      --hosted-cp --operator-roles-prefix <operator-role-prefix> \
      --oidc-config-id <ID-of-OIDC-configuration> \
      --external-auth-providers-enabled \
      --subnet-ids=<public-subnet-id>,<private-subnet-id>

  Copy to Clipboard Toggle word wrap

검증

• 다음 명령을 실행하여 클러스터 세부 정보에 외부 인증이 활성화되어 있는지 확인합니다.

  $ rosa describe cluster --cluster=<cluster_name>

  Copy to Clipboard Toggle word wrap

  Name:                       rosa-ext-test
  Display Name:               rosa-ext-test
  ID:                         <cluster_id>
  External ID:                <cluster_ext_id>
  Control Plane:              ROSA Service Hosted
  OpenShift Version:          4.18.0
  Channel Group:              stable
  DNS:                        <dns>
  AWS Account:                <AWS_id>
  AWS Billing Account:        <AWS_id>
  API URL:                    <ocm_api>
  Console URL:
  Region:                     us-east-1
  Availability:
   - Control Plane:           MultiAZ
   - Data Plane:              SingleAZ
  
  Nodes:
   - Compute (desired):       2
   - Compute (current):       0
  Network:
   - Type:                    OVNKubernetes
   - Service CIDR:            <service_cidr>
   - Machine CIDR:            <machine_cidr>
   - Pod CIDR:                <pod_cidr>
   - Host Prefix:             /23
   - Subnets:                 <subnet_ids>
  EC2 Metadata Http Tokens:   optional
  Role (STS) ARN:             arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Installer-Role
  Support Role ARN:           arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Support-Role
  Instance IAM Roles:
   - Worker:                  arn:aws:iam::<AWS_id>:role/<account_roles_prefix>-HCP-ROSA-Worker-Role
  Operator IAM Roles:
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cloud-network-config-controller-clo
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-capa-controller-manager
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-control-plane-operator
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kms-provider
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-kube-system-kube-controller-manager
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-image-registry-installer-cloud-cred
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-ingress-operator-cloud-credentials
   - arn:aws:iam::<AWS_id>:role/<operator_roles_prefix>-openshift-cluster-csi-drivers-ebs-cloud-crede
  Managed Policies:           Yes
  State:                      ready
  Private:                    No
  Created:                    Mar 29 2024 14:25:52 UTC
  User Workload Monitoring:   Enabled
  Details Page:               https://<url>
  OIDC Endpoint URL:          https://<endpoint> (Managed)
  Audit Log Forwarding:       Disabled
  External Authentication:    Enabled 

  1

  Copy to Clipboard Toggle word wrap

  1

  외부 인증 플래그가 활성화되어 있으며 이제 외부 인증 공급자를 생성할 수 있습니다.