Este conteúdo não está disponível no idioma selecionado.
Machine management
Adding and maintaining cluster machines
Abstract
Chapter 1. Overview of machine management
You can use machine management to flexibly work with underlying infrastructure such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), Red Hat OpenStack Platform (RHOSP), and VMware vSphere to manage the OpenShift Container Platform cluster. You can control the cluster and perform auto-scaling, such as scaling up and down the cluster based on specific workload policies.
It is important to have a cluster that adapts to changing workloads. The OpenShift Container Platform cluster can horizontally scale up and down when the load increases or decreases.
			Machine management is implemented as a custom resource definition (CRD). A CRD object defines a new unique object Kind in the cluster and enables the Kubernetes API server to handle the object’s entire lifecycle.
		
The Machine API Operator provisions the following resources:
- 
					MachineSet
- 
					Machine
- 
					ClusterAutoscaler
- 
					MachineAutoscaler
- 
					MachineHealthCheck
1.1. Machine API overview
The Machine API is a combination of primary resources that are based on the upstream Cluster API project and custom OpenShift Container Platform resources.
For OpenShift Container Platform 4.20 clusters, the Machine API performs all node host provisioning management actions after the cluster installation finishes. Because of this system, OpenShift Container Platform 4.20 offers an elastic, dynamic provisioning method on top of public or private cloud infrastructure.
The two primary resources are:
- Machines
- 
							A fundamental unit that describes the host for a node. A machine has a providerSpecspecification, which describes the types of compute nodes that are offered for different cloud platforms. For example, a machine type for a compute node might define a specific machine type and required metadata.
- Machine sets
- MachineSetresources are groups of compute machines. Compute machine sets are to compute machines as replica sets are to pods. If you need more compute machines or must scale them down, you change the- replicasfield on the- MachineSetresource to meet your compute need.Warning- Control plane machines cannot be managed by compute machine sets. - Control plane machine sets provide management capabilities for supported control plane machines that are similar to what compute machine sets provide for compute machines. - For more information, see “Managing control plane machines". 
The following custom resources add more capabilities to your cluster:
- Machine autoscaler
- The - MachineAutoscalerresource automatically scales compute machines in a cloud. You can set the minimum and maximum scaling boundaries for nodes in a specified compute machine set, and the machine autoscaler maintains that range of nodes.- The - MachineAutoscalerobject takes effect after a- ClusterAutoscalerobject exists. Both- ClusterAutoscalerand- MachineAutoscalerresources are made available by the- ClusterAutoscalerOperatorobject.
- Cluster autoscaler
- This resource is based on the upstream cluster autoscaler project. In the OpenShift Container Platform implementation, it is integrated with the Machine API by extending the compute machine set API. You can use the cluster autoscaler to manage your cluster in the following ways: - Set cluster-wide scaling limits for resources such as cores, nodes, memory, and GPU
- Set the priority so that the cluster prioritizes pods and new nodes are not brought online for less important pods
- Set the scaling policy so that you can scale up nodes but not scale them down
 
- Machine health check
- 
							The MachineHealthCheckresource detects when a machine is unhealthy, deletes it, and, on supported platforms, makes a new machine.
In OpenShift Container Platform version 3.11, you could not roll out a multi-zone architecture easily because the cluster did not manage machine provisioning. Beginning with OpenShift Container Platform version 4.1, this process is easier. Each compute machine set is scoped to a single zone, so the installation program sends out compute machine sets across availability zones on your behalf. And then because your compute is dynamic, and in the face of a zone failure, you always have a zone for when you must rebalance your machines. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability. The autoscaler provides best-effort balancing over the life of a cluster.
1.2. Managing compute machines
As a cluster administrator, you can perform the following actions:
- Create a compute machine set for the following cloud providers: 
- Create a machine set for a bare metal deployment: Creating a compute machine set on bare metal
- Manually scale a compute machine set by adding or removing a machine from the compute machine set.
- 
						Modify a compute machine set through the MachineSetYAML configuration file.
- Delete a machine.
- Create infrastructure compute machine sets.
- Configure and deploy a machine health check to automatically fix damaged machines in a machine pool.
1.3. Managing control plane machines
As a cluster administrator, you can perform the following actions:
- Update your control plane configuration with a control plane machine set for the following cloud providers: 
- Configure and deploy a machine health check to automatically recover unhealthy control plane machines.
1.4. Applying autoscaling to an OpenShift Container Platform cluster
You can automatically scale your OpenShift Container Platform cluster to ensure flexibility for changing workloads. To autoscale your cluster, you must first deploy a cluster autoscaler, and then deploy a machine autoscaler for each compute machine set.
- The cluster autoscaler increases and decreases the size of the cluster based on deployment needs.
- The machine autoscaler adjusts the number of machines in the compute machine sets that you deploy in your OpenShift Container Platform cluster.
1.5. Adding compute machines on user-provisioned infrastructure
User-provisioned infrastructure is an environment where you can deploy infrastructure such as compute, network, and storage resources that host the OpenShift Container Platform. You can add compute machines to a cluster on user-provisioned infrastructure during or after the installation process.
Chapter 2. Managing compute machines with the Machine API
2.1. Creating a compute machine set on AWS
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Amazon Web Services (AWS). For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.1.1. Sample YAML for a compute machine set custom resource on AWS
					The sample YAML defines a compute machine set that runs in the us-east-1a Amazon Web Services (AWS) Local Zone and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the infrastructure ID, role node label, and zone.
- 3
- Specify the role node label to add.
- 4
- Specify a valid Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for your AWS zone for your OpenShift Container Platform nodes. If you want to use an AWS Marketplace image, you must complete the OpenShift Container Platform subscription from the AWS Marketplace to obtain an AMI ID for your region.oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 5
- Specify the zone name, for example,us-east-1a.
- 6
- Specify the region, for example,us-east-1.
- 7
- Specify the infrastructure ID and zone.
- 8
- Optional: Specify custom tag data for your cluster. For example, you might add an admin contact email address by specifying aname:valuepair ofEmail:admin-email@example.com.NoteCustom tags can also be specified during installation in the install-config.ymlfile. If theinstall-config.ymlfile and the machine set include a tag with the samenamedata, the value for the tag from the machine set takes priority over the value for the tag in theinstall-config.ymlfile.
2.1.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If you need compute machine sets in other availability zones, repeat this process to create more compute machine sets.
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.1.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.1.4. Assigning machines to placement groups for Elastic Fabric Adapter instances by using machine sets
You can configure a machine set to deploy machines on Elastic Fabric Adapter (EFA) instances within an existing AWS placement group.
EFA instances do not require placement groups, and you can use placement groups for purposes other than configuring an EFA. This example uses both to demonstrate a configuration that can improve network performance for machines within the specified placement group.
Prerequisites
- You created a placement group in the AWS console. Note- Ensure that the rules and limitations for the type of placement group that you create are compatible with your intended use case. 
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify an instance type that supports EFAs.
- 2
- Specify theEFAnetwork interface type.
- 3
- Specify the zone, for example,us-east-1a.
- 4
- Specify the region, for example,us-east-1.
- 5
- Specify the name of the existing AWS placement group to deploy machines in.
- 6
- Optional: Specify the partition number of the existing AWS placement group to deploy machines in.
 
Verification
- In the AWS console, find a machine that the machine set created and verify the following in the machine properties: - 
									The placement group field has the value that you specified for the placementGroupNameparameter in the machine set.
- 
									The partition number field has the value that you specified for the placementGroupPartitionparameter in the machine set.
- The interface type field indicates that it uses an EFA.
 
- 
									The placement group field has the value that you specified for the 
2.1.5. Machine set options for the Amazon EC2 Instance Metadata Service
You can use machine sets to create machines that use a specific version of the Amazon EC2 Instance Metadata Service (IMDS). Machine sets can create machines that allow the use of both IMDSv1 and IMDSv2 or machines that require the use of IMDSv2.
To use IMDSv2 on AWS clusters that were created with OpenShift Container Platform version 4.6 or earlier, you must update your boot image. For more information, see "Updated boot images".
To deploy new compute machines with your preferred IMDS configuration, create a compute machine set YAML file with the appropriate values. You can also edit an existing machine set to create new machines with your preferred IMDS configuration when the machine set is scaled up.
Before configuring a machine set to create machines that require IMDSv2, ensure that any workloads that interact with the AWS metadata service support IMDSv2.
2.1.5.1. Configuring IMDS by using machine sets
						You can specify whether to require the use of IMDSv2 by adding or editing the value of metadataServiceOptions.authentication in the machine set YAML file for your machines.
					
Prerequisites
- To use IMDSv2, your AWS cluster must have been created with OpenShift Container Platform version 4.7 or later.
Procedure
- Add or edit the following lines under the - providerSpecfield:- providerSpec: value: metadataServiceOptions: authentication: Required- providerSpec: value: metadataServiceOptions: authentication: Required- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- To require IMDSv2, set the parameter value toRequired. To allow the use of both IMDSv1 and IMDSv2, set the parameter value toOptional. If no value is specified, both IMDSv1 and IMDSv2 are allowed.
 
2.1.6. Machine sets that deploy machines as Dedicated Instances
You can create a machine set running on AWS that deploys machines as Dedicated Instances. Dedicated Instances run in a virtual private cloud (VPC) on hardware that is dedicated to a single customer. These Amazon EC2 instances are physically isolated at the host hardware level. The isolation of Dedicated Instances occurs even if the instances belong to different AWS accounts that are linked to a single payer account. However, other instances that are not dedicated can share hardware with Dedicated Instances if they belong to the same AWS account.
Instances with either public or dedicated tenancy are supported by the Machine API. Instances with public tenancy run on shared hardware. Public tenancy is the default tenancy. Instances with dedicated tenancy run on single-tenant hardware.
2.1.6.1. Creating Dedicated Instances by using machine sets
						You can run a machine that is backed by a Dedicated Instance by using Machine API integration. Set the tenancy field in your machine set YAML file to launch a Dedicated Instance on AWS.
					
Procedure
- Specify a dedicated tenancy under the - providerSpecfield:- providerSpec: placement: tenancy: dedicated- providerSpec: placement: tenancy: dedicated- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.1.7. Machine sets that deploy machines as Spot Instances
You can save on costs by creating a compute machine set running on AWS that deploys machines as non-guaranteed Spot Instances. Spot Instances utilize unused AWS EC2 capacity and are less expensive than On-Demand Instances. You can use Spot Instances for workloads that can tolerate interruptions, such as batch or stateless, horizontally scalable workloads.
AWS EC2 can terminate a Spot Instance at any time. AWS gives a two-minute warning to the user when an interruption occurs. OpenShift Container Platform begins to remove the workloads from the affected instances when AWS issues the termination warning.
Interruptions can occur when using Spot Instances for the following reasons:
- The instance price exceeds your maximum price
- The demand for Spot Instances increases
- The supply of Spot Instances decreases
					When AWS terminates an instance, a termination handler running on the Spot Instance node deletes the machine resource. To satisfy the compute machine set replicas quantity, the compute machine set creates a machine that requests a Spot Instance.
				
2.1.7.1. Creating Spot Instances by using compute machine sets
						You can launch a Spot Instance on AWS by adding spotMarketOptions to your compute machine set YAML file.
					
Procedure
- Add the following line under the - providerSpecfield:- providerSpec: value: spotMarketOptions: {}- providerSpec: value: spotMarketOptions: {}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can optionally set the - spotMarketOptions.maxPricefield to limit the cost of the Spot Instance. For example you can set- maxPrice: '2.50'.- If the - maxPriceis set, this value is used as the hourly maximum spot price. If it is not set, the maximum price defaults to charge up to the On-Demand Instance price.Note- It is strongly recommended to use the default On-Demand price as the - maxPricevalue and to not set the maximum price for Spot Instances.
2.1.8. Configuring Capacity Reservations by using machine sets
OpenShift Container Platform version 4.20 and later supports Capacity Reservations on Amazon Web Services clusters, including On-Demand Capacity Reservations and Capacity Blocks for ML.
You can configure a machine set to deploy machines on any available resources that match the parameters of a capacity request that you define. These parameters specify the instance type, region, and number of instances that you want to reserve. If your Capacity Reservation can accommodate the capacity request, the deployment succeeds.
For more information, including limitations and suggested use cases for this AWS offering, see On-Demand Capacity Reservations and Capacity Blocks for ML in the AWS documentation.
Prerequisites
- 
							You have access to the cluster with cluster-adminprivileges.
- 
							You installed the OpenShift CLI (oc).
- You purchased an On-Demand Capacity Reservation or Capacity Block for ML. For more information, see On-Demand Capacity Reservations and Capacity Blocks for ML in the AWS documentation.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the ID of the Capacity Block for ML or On-Demand Capacity Reservation that you want the machine set to deploy machines on.
- 2
- Specify the market type to use. The following values are valid:- CapacityBlock
- Use this market type with Capacity Blocks for ML.
- OnDemand
- Use this market type with On-Demand Capacity Reservations.
- Spot
- Use this market type with Spot Instances. This option is not compatible with Capacity Reservations.
 
 
Verification
- To verify machine deployment, list the machines that the machine set created by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_set_name>is the name of the compute machine set.- In the output, verify that the characteristics of the listed machines match the parameters of your Capacity Reservation. 
2.1.9. Adding a GPU node to an existing OpenShift Container Platform cluster
You can copy and modify a default compute machine set configuration to create a GPU-enabled machine set and machines for the AWS EC2 cloud provider.
For more information about the supported instance types, see the following NVIDIA documentation:
Procedure
- View the existing nodes, machines, and machine sets by running the following command. Note that each node is an instance of a machine definition with a specific AWS region and OpenShift Container Platform role. - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines and machine sets that exist in the - openshift-machine-apinamespace by running the following command. Each compute machine set is associated with a different availability zone within the AWS region. The installer automatically load balances compute machines across availability zones.- oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE preserve-dsoc12r4-ktjfc-worker-us-east-2a 1 1 1 1 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b 2 2 2 2 3d11h - NAME DESIRED CURRENT READY AVAILABLE AGE preserve-dsoc12r4-ktjfc-worker-us-east-2a 1 1 1 1 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b 2 2 2 2 3d11h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines that exist in the - openshift-machine-apinamespace by running the following command. At this time, there is only one compute machine per machine set, though a compute machine set could be scaled to add a node in a particular region and zone.- oc get machines -n openshift-machine-api | grep worker - $ oc get machines -n openshift-machine-api | grep worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - preserve-dsoc12r4-ktjfc-worker-us-east-2a-dts8r Running m5.xlarge us-east-2 us-east-2a 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b-dkv7w Running m5.xlarge us-east-2 us-east-2b 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b-k58cw Running m5.xlarge us-east-2 us-east-2b 3d11h - preserve-dsoc12r4-ktjfc-worker-us-east-2a-dts8r Running m5.xlarge us-east-2 us-east-2a 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b-dkv7w Running m5.xlarge us-east-2 us-east-2b 3d11h preserve-dsoc12r4-ktjfc-worker-us-east-2b-k58cw Running m5.xlarge us-east-2 us-east-2b 3d11h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Make a copy of one of the existing compute - MachineSetdefinitions and output the result to a JSON file by running the following command. This will be the basis for the GPU-enabled compute machine set definition.- oc get machineset preserve-dsoc12r4-ktjfc-worker-us-east-2a -n openshift-machine-api -o json > <output_file.json> - $ oc get machineset preserve-dsoc12r4-ktjfc-worker-us-east-2a -n openshift-machine-api -o json > <output_file.json>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file and make the following changes to the new - MachineSetdefinition:- 
									Replace workerwithgpu. This will be the name of the new machine set.
- Change the instance type of the new - MachineSetdefinition to- g4dn, which includes an NVIDIA Tesla T4 GPU. To learn more about AWS- g4dninstance types, see Accelerated Computing.- jq .spec.template.spec.providerSpec.value.instanceType preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json - $ jq .spec.template.spec.providerSpec.value.instanceType preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json "g4dn.xlarge"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - <output_file.json>file is saved as- preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json.
 
- 
									Replace 
- Update the following fields in - preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json:- 
									.metadata.nameto a name containinggpu.
- 
									.spec.selector.matchLabels["machine.openshift.io/cluster-api-machineset"]to match the new.metadata.name.
- 
									.spec.template.metadata.labels["machine.openshift.io/cluster-api-machineset"]to match the new.metadata.name.
- 
									.spec.template.spec.providerSpec.value.instanceTypetog4dn.xlarge.
 
- 
									
- To verify your changes, perform a - diffof the original compute definition and the new GPU-enabled node definition by running the following command:- oc -n openshift-machine-api get preserve-dsoc12r4-ktjfc-worker-us-east-2a -o json | diff preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json - - $ oc -n openshift-machine-api get preserve-dsoc12r4-ktjfc-worker-us-east-2a -o json | diff preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json -- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the GPU-enabled compute machine set from the definition by running the following command: - oc create -f preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json - $ oc create -f preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a.json- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - machineset.machine.openshift.io/preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a created - machineset.machine.openshift.io/preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a created- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the machine set you created by running the following command: - oc -n openshift-machine-api get machinesets | grep gpu - $ oc -n openshift-machine-api get machinesets | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The MachineSet replica count is set to - 1so a new- Machineobject is created automatically.- Example output - preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a 1 1 1 1 4m21s - preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a 1 1 1 1 4m21s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the - Machineobject that the machine set created by running the following command:- oc -n openshift-machine-api get machines | grep gpu - $ oc -n openshift-machine-api get machines | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a running g4dn.xlarge us-east-2 us-east-2a 4m36s - preserve-dsoc12r4-ktjfc-worker-gpu-us-east-2a running g4dn.xlarge us-east-2 us-east-2a 4m36s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Note that there is no need to specify a namespace for the node. The node definition is cluster scoped.
2.1.10. Deploying the Node Feature Discovery Operator
After the GPU-enabled node is created, you need to discover the GPU-enabled node so it can be scheduled. To do this, install the Node Feature Discovery (NFD) Operator. The NFD Operator identifies hardware device features in nodes. It solves the general problem of identifying and cataloging hardware resources in the infrastructure nodes so they can be made available to OpenShift Container Platform.
Procedure
- Install the Node Feature Discovery Operator from the software catalog in the OpenShift Container Platform console.
- 
							After installing the NFD Operator, select Node Feature Discovery from the installed Operators list and select Create instance. This installs the nfd-masterandnfd-workerpods, onenfd-workerpod for each compute node, in theopenshift-nfdnamespace.
- Verify that the Operator is installed and running by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Browse to the installed Oerator in the console and select Create Node Feature Discovery.
- 
							Select Create to build a NFD custom resource. This creates NFD pods in the openshift-nfdnamespace that poll the OpenShift Container Platform nodes for hardware resources and catalogue them.
Verification
- After a successful build, verify that a NFD pod is running on each nodes by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The NFD Operator uses vendor PCI IDs to identify hardware in a node. NVIDIA uses the PCI ID - 10de.
- View the NVIDIA GPU discovered by the NFD Operator by running the following command: - oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci' - $ oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 10deappears in the node feature list for the GPU-enabled node. This mean the NFD Operator correctly identified the node from the GPU-enabled MachineSet.
2.2. Creating a compute machine set on Azure
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Microsoft Azure. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.2.1. Sample YAML for a compute machine set custom resource on Azure
					This sample YAML defines a compute machine set that runs in the 1 Microsoft Azure zone in a region and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the subnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the vnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the node label to add.
- 3
- Specify the infrastructure ID, node label, and region.
- 4
- Specify the image details for your compute machine set. If you want to use an Azure Marketplace image, see "Using the Azure Marketplace offering".
- 5
- Specify an image that is compatible with your instance type. The Hyper-V generation V2 images created by the installation program have a-gen2suffix, while V1 images have the same name without the suffix.
- 6
- Specify the region to place machines on.
- 7
- Optional: Specify custom tags in your machine set. Provide the tag name in<custom_tag_name>field and the corresponding tag value in<custom_tag_value>field.
- 8
- Specify the zone within your region to place machines on. Ensure that your region supports the zone that you specify.ImportantIf your region supports availability zones, you must specify the zone. Specifying the zone avoids volume node affinity failure when a pod requires a persistent volume attachment. To do this, you can create a compute machine set for each zone in the same region. 
2.2.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.2.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.2.4. Using the Azure Marketplace offering
You can create a machine set running on Azure that deploys machines that use the Azure Marketplace offering. To use this offering, you must first obtain the Azure Marketplace image. When obtaining your image, consider the following:
- 
							While the images are the same, the Azure Marketplace publisher is different depending on your region. If you are located in North America, specify redhatas the publisher. If you are located in EMEA, specifyredhat-limitedas the publisher.
- 
							The offer includes a rh-ocp-workerSKU and arh-ocp-worker-gen1SKU. Therh-ocp-workerSKU represents a Hyper-V generation version 2 VM image. The default instance types used in OpenShift Container Platform are version 2 compatible. If you plan to use an instance type that is only version 1 compatible, use the image associated with therh-ocp-worker-gen1SKU. Therh-ocp-worker-gen1SKU represents a Hyper-V version 1 VM image.
Installing images with the Azure marketplace is not supported on clusters with 64-bit ARM instances.
You should only modify the RHCOS image for compute machines to use an Azure Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your Azure bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the Azure Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- 
							You have installed the Azure CLI client (az).
- Your Azure account is entitled for the offer and you have logged into this account with the Azure CLI client.
Procedure
- Display all of the available OpenShift Container Platform images by running one of the following commands: - North America: - az vm image list --all --offer rh-ocp-worker --publisher redhat -o table - $ az vm image list --all --offer rh-ocp-worker --publisher redhat -o table- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker RedHat rh-ocp-worker RedHat:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker RedHat rh-ocp-worker-gen1 RedHat:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419 - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker RedHat rh-ocp-worker RedHat:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker RedHat rh-ocp-worker-gen1 RedHat:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image list --all --offer rh-ocp-worker --publisher redhat-limited -o table - $ az vm image list --all --offer rh-ocp-worker --publisher redhat-limited -o table- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker redhat-limited rh-ocp-worker redhat-limited:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker redhat-limited rh-ocp-worker-gen1 redhat-limited:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419 - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker redhat-limited rh-ocp-worker redhat-limited:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker redhat-limited rh-ocp-worker-gen1 redhat-limited:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 Note- Use the latest image that is available for compute and control plane nodes. If required, your VMs are automatically upgraded as part of the installation process. 
- Inspect the image for your offer by running one of the following commands: - North America: - az vm image show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Review the terms of the offer by running one of the following commands: - North America: - az vm image terms show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image terms show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Accept the terms of the offering by running one of the following commands: - North America: - az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
							Record the image details of your offer, specifically the values for publisher,offer,sku, andversion.
- Add the following parameters to the - providerSpecsection of your machine set YAML file using the image details for your offer:- Sample - providerSpecimage values for Azure Marketplace machines- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2.5. Enabling Azure boot diagnostics
You can enable boot diagnostics on Azure machines that your machine set creates.
Prerequisites
- Have an existing Microsoft Azure cluster.
Procedure
- Add the - diagnosticsconfiguration that is applicable to your storage type to the- providerSpecfield in your machine set YAML file:- For an Azure Managed storage account: - providerSpec: diagnostics: boot: storageAccountType: AzureManaged- providerSpec: diagnostics: boot: storageAccountType: AzureManaged- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies an Azure Managed storage account.
 
- For an Azure Unmanaged storage account: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Only the Azure Blob Storage data service is supported. 
 
Verification
- On the Microsoft Azure portal, review the Boot diagnostics page for a machine deployed by the machine set, and verify that you can see the serial logs for the machine.
2.2.6. Machine sets that deploy machines as Spot VMs
You can save on costs by creating a compute machine set running on Azure that deploys machines as non-guaranteed Spot VMs. Spot VMs utilize unused Azure capacity and are less expensive than standard VMs. You can use Spot VMs for workloads that can tolerate interruptions, such as batch or stateless, horizontally scalable workloads.
Azure can terminate a Spot VM at any time. Azure gives a 30-second warning to the user when an interruption occurs. OpenShift Container Platform begins to remove the workloads from the affected instances when Azure issues the termination warning.
Interruptions can occur when using Spot VMs for the following reasons:
- The instance price exceeds your maximum price
- The supply of Spot VMs decreases
- Azure needs capacity back
					When Azure terminates an instance, a termination handler running on the Spot VM node deletes the machine resource. To satisfy the compute machine set replicas quantity, the compute machine set creates a machine that requests a Spot VM.
				
2.2.6.1. Creating Spot VMs by using compute machine sets
						You can launch a Spot VM on Azure by adding spotVMOptions to your compute machine set YAML file.
					
Procedure
- Add the following line under the - providerSpecfield:- providerSpec: value: spotVMOptions: {}- providerSpec: value: spotVMOptions: {}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can optionally set the - spotVMOptions.maxPricefield to limit the cost of the Spot VM. For example you can set- maxPrice: '0.98765'. If the- maxPriceis set, this value is used as the hourly maximum spot price. If it is not set, the maximum price defaults to- -1and charges up to the standard VM price.- Azure caps Spot VM prices at the standard price. Azure will not evict an instance due to pricing if the instance is set with the default - maxPrice. However, an instance can still be evicted due to capacity restrictions.
							It is strongly recommended to use the default standard VM price as the maxPrice value and to not set the maximum price for Spot VMs.
						
2.2.7. Machine sets that deploy machines on Ephemeral OS disks
You can create a compute machine set running on Azure that deploys machines on Ephemeral OS disks. Ephemeral OS disks use local VM capacity rather than remote Azure Storage. This configuration therefore incurs no additional cost and provides lower latency for reading, writing, and reimaging.
2.2.7.1. Creating machines on Ephemeral OS disks by using compute machine sets
You can launch machines on Ephemeral OS disks on Azure by editing your compute machine set YAML file.
Prerequisites
- Have an existing Microsoft Azure cluster.
Procedure
- Edit the custom resource (CR) by running the following command: - oc edit machineset <machine-set-name> - $ oc edit machineset <machine-set-name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine-set-name>is the compute machine set that you want to provision machines on Ephemeral OS disks.
- Add the following to the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- The implementation of Ephemeral OS disk support in OpenShift Container Platform only supports the - CacheDiskplacement type. Do not change the- placementconfiguration setting.
- Create a compute machine set using the updated configuration: - oc create -f <machine-set-config>.yaml - $ oc create -f <machine-set-config>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- 
								On the Microsoft Azure portal, review the Overview page for a machine deployed by the compute machine set, and verify that the Ephemeral OS diskfield is set toOS cache placement.
2.2.8. Machine sets that deploy machines with ultra disks as data disks
You can create a machine set running on Azure that deploys machines with ultra disks. Ultra disks are high-performance storage that are intended for use with the most demanding data workloads.
You can also create a persistent volume claim (PVC) that dynamically binds to a storage class backed by Azure ultra disks and mounts them to pods.
Data disks do not support the ability to specify disk throughput or disk IOPS. You can configure these properties by using PVCs.
2.2.8.1. Creating machines with ultra disks by using machine sets
You can deploy machines with ultra disks on Azure by editing your machine set YAML file.
Prerequisites
- Have an existing Microsoft Azure cluster.
Procedure
- Create a custom secret in the - openshift-machine-apinamespace using the- workerdata secret by running the following command:- oc -n openshift-machine-api \ get secret <role>-user-data \ --template='{{index .data.userData | base64decode}}' | jq > userData.txt- $ oc -n openshift-machine-api \ get secret <role>-user-data \- 1 - --template='{{index .data.userData | base64decode}}' | jq > userData.txt- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- In a text editor, open the - userData.txtfile and locate the final- }character in the file.- 
										On the immediately preceding line, add a ,.
- Create a new line after the - ,and add the following configuration details:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The configuration details for the disk that you want to attach to a node as an ultra disk.
- 2
- Specify thelunvalue that is defined in thedataDisksstanza of the machine set you are using. For example, if the machine set containslun: 0, specifylun0. You can initialize multiple data disks by specifying multiple"disks"entries in this configuration file. If you specify multiple"disks"entries, ensure that thelunvalue for each matches the value in the machine set.
- 3
- The configuration details for a new partition on the disk.
- 4
- Specify a label for the partition. You might find it helpful to use hierarchical names, such aslun0p1for the first partition oflun0.
- 5
- Specify the total size in MiB of the partition.
- 6
- Specify the filesystem to use when formatting a partition. Use the partition label to specify the partition.
- 7
- Specify asystemdunit to mount the partition at boot. Use the partition label to specify the partition. You can create multiple partitions by specifying multiple"partitions"entries in this configuration file. If you specify multiple"partitions"entries, you must specify asystemdunit for each.
- 8
- ForWhere, specify the value ofstorage.filesystems.path. ForWhat, specify the value ofstorage.filesystems.device.
 
 
- 
										On the immediately preceding line, add a 
- Extract the disabling template value to a file called - disableTemplating.txtby running the following command:- oc -n openshift-machine-api get secret <role>-user-data \ --template='{{index .data.disableTemplating | base64decode}}' | jq > disableTemplating.txt- $ oc -n openshift-machine-api get secret <role>-user-data \- 1 - --template='{{index .data.disableTemplating | base64decode}}' | jq > disableTemplating.txt- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<role>withworker.
 
- Combine the - userData.txtfile and- disableTemplating.txtfile to create a data secret file by running the following command:- oc -n openshift-machine-api create secret generic <role>-user-data-x5 \ --from-file=userData=userData.txt \ --from-file=disableTemplating=disableTemplating.txt - $ oc -n openshift-machine-api create secret generic <role>-user-data-x5 \- 1 - --from-file=userData=userData.txt \ --from-file=disableTemplating=disableTemplating.txt- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<role>-user-data-x5, specify the name of the secret. Replace<role>withworker.
 
- Copy an existing Azure - MachineSetcustom resource (CR) and edit it by running the following command:- oc edit machineset <machine_set_name> - $ oc edit machineset <machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_set_name>is the machine set that you want to provision machines with ultra disks.
- Add the following lines in the positions indicated: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a machine set using the updated configuration by running the following command: - oc create -f <machine_set_name>.yaml - $ oc create -f <machine_set_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Validate that the machines are created by running the following command: - oc get machines - $ oc get machines- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The machines should be in the - Runningstate.
- For a machine that is running and has a node attached, validate the partition by running the following command: - oc debug node/<node_name> -- chroot /host lsblk - $ oc debug node/<node_name> -- chroot /host lsblk- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this command, - oc debug node/<node_name>starts a debugging shell on the node- <node_name>and passes a command with- --. The passed command- chroot /hostprovides access to the underlying host OS binaries, and- lsblkshows the block devices that are attached to the host OS machine.
Next steps
- To use an ultra disk from within a pod, create a workload that uses the mount point. Create a YAML file similar to the following example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2.8.2. Troubleshooting resources for machine sets that enable ultra disks
Use the information in this section to understand and recover from issues you might encounter.
2.2.8.2.1. Incorrect ultra disk configuration
							If an incorrect configuration of the ultraSSDCapability parameter is specified in the machine set, the machine provisioning fails.
						
							For example, if the ultraSSDCapability parameter is set to Disabled, but an ultra disk is specified in the dataDisks parameter, the following error message appears:
						
StorageAccountType UltraSSD_LRS can be used only when additionalCapabilities.ultraSSDEnabled is set.
StorageAccountType UltraSSD_LRS can be used only when additionalCapabilities.ultraSSDEnabled is set.- To resolve this issue, verify that your machine set configuration is correct.
2.2.8.2.2. Unsupported disk parameters
If a region, availability zone, or instance size that is not compatible with ultra disks is specified in the machine set, the machine provisioning fails. Check the logs for the following error message:
failed to create vm <machine_name>: failure sending request for machine <machine_name>: cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Storage Account type 'UltraSSD_LRS' is not supported <more_information_about_why>."
failed to create vm <machine_name>: failure sending request for machine <machine_name>: cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Storage Account type 'UltraSSD_LRS' is not supported <more_information_about_why>."- To resolve this issue, verify that you are using this feature in a supported environment and that your machine set configuration is correct.
2.2.8.2.3. Unable to delete disks
If the deletion of ultra disks as data disks is not working as expected, the machines are deleted and the data disks are orphaned. You must delete the orphaned disks manually if desired.
2.2.9. Enabling customer-managed encryption keys for a machine set
You can supply an encryption key to Azure to encrypt data on managed disks at rest. You can enable server-side encryption with customer-managed keys by using the Machine API.
An Azure Key Vault, a disk encryption set, and an encryption key are required to use a customer-managed key. The disk encryption set must be in a resource group where the Cloud Credential Operator (CCO) has granted permissions. If not, an additional reader role is required to be granted on the disk encryption set.
Prerequisites
Procedure
- Configure the disk encryption set under the - providerSpecfield in your machine set YAML file. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.2.10. Configuring trusted launch for Azure virtual machines by using machine sets
OpenShift Container Platform 4.20 supports trusted launch for Azure virtual machines (VMs). By editing the machine set YAML file, you can configure the trusted launch options that a machine set uses for machines that it deploys. For example, you can configure these machines to use UEFI security features such as Secure Boot or a dedicated virtual Trusted Platform Module (vTPM) instance.
Some feature combinations result in an invalid configuration.
| Secure Boot[1] | vTPM[2] | Valid configuration | 
|---|---|---|
| Enabled | Enabled | Yes | 
| Enabled | Disabled | Yes | 
| Enabled | Omitted | Yes | 
| Disabled | Enabled | Yes | 
| Omitted | Enabled | Yes | 
| Disabled | Disabled | No | 
| Omitted | Disabled | No | 
| Omitted | Omitted | No | 
- 
								Using the secureBootfield.
- 
								Using the virtualizedTrustedPlatformModulefield.
For more information about related features and functionality, see the Microsoft Azure documentation about Trusted launch for Azure virtual machines.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield to provide a valid configuration:- Sample valid configuration with UEFI Secure Boot and vTPM enabled - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- On the Azure portal, review the details for a machine deployed by the machine set and verify that the trusted launch options match the values that you configured.
2.2.11. Configuring Azure confidential virtual machines by using machine sets
OpenShift Container Platform 4.20 supports Azure confidential virtual machines (VMs).
Confidential VMs are currently not supported on 64-bit ARM architectures.
By editing the machine set YAML file, you can configure the confidential VM options that a machine set uses for machines that it deploys. For example, you can configure these machines to use UEFI security features such as Secure Boot or a dedicated virtual Trusted Platform Module (vTPM) instance.
For more information about related features and functionality, see the Microsoft Azure documentation about Confidential virtual machines.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies security profile settings for the managed disk when using a confidential VM.
- 2
- Enables encryption of the Azure VM Guest State (VMGS) blob. This setting requires the use of vTPM.
- 3
- Specifies security profile settings for the confidential VM.
- 4
- Enables the use of confidential VMs. This value is required for all valid configurations.
- 5
- Specifies which UEFI security features to use. This section is required for all valid configurations.
- 6
- Disables UEFI Secure Boot.
- 7
- Enables the use of a vTPM.
- 8
- Specifies an instance type that supports confidential VMs.
 
Verification
- On the Azure portal, review the details for a machine deployed by the machine set and verify that the confidential VM options match the values that you configured.
2.2.12. Accelerated Networking for Microsoft Azure VMs
Accelerated Networking uses single root I/O virtualization (SR-IOV) to provide Microsoft Azure VMs with a more direct path to the switch. This enhances network performance. This feature can be enabled during or after installation.
2.2.12.1. Limitations
Consider the following limitations when deciding whether to use Accelerated Networking:
- Accelerated Networking is only supported on clusters where the Machine API is operational.
- Although the minimum requirement for an Azure worker node is two vCPUs, Accelerated Networking requires an Azure VM size that includes at least four vCPUs. To satisfy this requirement, you can change the value of - vmSizein your machine set. For information about Azure VM sizes, see Microsoft Azure documentation.
- When this feature is enabled on an existing Azure cluster, only newly provisioned nodes are affected. Currently running nodes are not reconciled. To enable the feature on all nodes, you must replace each existing machine. This can be done for each machine individually, or by scaling the replicas down to zero, and then scaling back up to your desired number of replicas.
2.2.13. Configuring Capacity Reservation by using machine sets
OpenShift Container Platform version 4.20 and later supports on-demand Capacity Reservation with Capacity Reservation groups on Microsoft Azure clusters.
You can configure a machine set to deploy machines on any available resources that match the parameters of a capacity request that you define. These parameters specify the VM size, region, and number of instances that you want to reserve. If your Azure subscription quota can accommodate the capacity request, the deployment succeeds.
For more information, including limitations and suggested use cases for this Azure offering, see On-demand Capacity Reservation in the Microsoft Azure documentation.
You cannot change an existing Capacity Reservation configuration for a machine set. To use a different Capacity Reservation group, you must replace the machine set and the machines that the previous machine set deployed.
Prerequisites
- 
							You have access to the cluster with cluster-adminprivileges.
- 
							You installed the OpenShift CLI (oc).
- You created a Capacity Reservation group. For more information, see Create a Capacity Reservation in the Microsoft Azure documentation.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the ID of the Capacity Reservation group that you want the machine set to deploy machines on.
 
Verification
- To verify machine deployment, list the machines that the machine set created by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_set_name>is the name of the compute machine set.- In the output, verify that the characteristics of the listed machines match the parameters of your Capacity Reservation. 
2.2.14. Adding a GPU node to an existing OpenShift Container Platform cluster
You can copy and modify a default compute machine set configuration to create a GPU-enabled machine set and machines for the Azure cloud provider.
The following table lists the validated instance types:
| vmSize | NVIDIA GPU accelerator | Maximum number of GPUs | Architecture | 
|---|---|---|---|
| 
									 | V100 | 4 | x86 | 
| 
									 | T4 | 1 | x86 | 
| 
									 | A100 | 8 | x86 | 
By default, Azure subscriptions do not have a quota for the Azure instance types with GPU. Customers have to request a quota increase for the Azure instance families listed above.
Procedure
- View the machines and machine sets that exist in the - openshift-machine-apinamespace by running the following command. Each compute machine set is associated with a different availability zone within the Azure region. The installer automatically load balances compute machines across availability zones.- oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-worker-centralus1 1 1 1 1 6h9m myclustername-worker-centralus2 1 1 1 1 6h9m myclustername-worker-centralus3 1 1 1 1 6h9m - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-worker-centralus1 1 1 1 1 6h9m myclustername-worker-centralus2 1 1 1 1 6h9m myclustername-worker-centralus3 1 1 1 1 6h9m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Make a copy of one of the existing compute - MachineSetdefinitions and output the result to a YAML file by running the following command. This will be the basis for the GPU-enabled compute machine set definition.- oc get machineset -n openshift-machine-api myclustername-worker-centralus1 -o yaml > machineset-azure.yaml - $ oc get machineset -n openshift-machine-api myclustername-worker-centralus1 -o yaml > machineset-azure.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the content of the machineset: - cat machineset-azure.yaml - $ cat machineset-azure.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - machineset-azure.yamlfile- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Make a copy of the - machineset-azure.yamlfile by running the following command:- cp machineset-azure.yaml machineset-azure-gpu.yaml - $ cp machineset-azure.yaml machineset-azure-gpu.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Update the following fields in - machineset-azure-gpu.yaml:- 
									Change .metadata.nameto a name containinggpu.
- 
									Change .spec.selector.matchLabels["machine.openshift.io/cluster-api-machineset"]to match the new .metadata.name.
- 
									Change .spec.template.metadata.labels["machine.openshift.io/cluster-api-machineset"]to match the new.metadata.name.
- Change - .spec.template.spec.providerSpec.value.vmSizeto- Standard_NC4as_T4_v3.- Example - machineset-azure-gpu.yamlfile- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									Change 
- To verify your changes, perform a - diffof the original compute definition and the new GPU-enabled node definition by running the following command:- diff machineset-azure.yaml machineset-azure-gpu.yaml - $ diff machineset-azure.yaml machineset-azure-gpu.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the GPU-enabled compute machine set from the definition file by running the following command: - oc create -f machineset-azure-gpu.yaml - $ oc create -f machineset-azure-gpu.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - machineset.machine.openshift.io/myclustername-nc4ast4-gpu-worker-centralus1 created - machineset.machine.openshift.io/myclustername-nc4ast4-gpu-worker-centralus1 created- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines and machine sets that exist in the - openshift-machine-apinamespace by running the following command. Each compute machine set is associated with a different availability zone within the Azure region. The installer automatically load balances compute machines across availability zones.- oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE clustername-n6n4r-nc4ast4-gpu-worker-centralus1 1 1 1 1 122m clustername-n6n4r-worker-centralus1 1 1 1 1 8h clustername-n6n4r-worker-centralus2 1 1 1 1 8h clustername-n6n4r-worker-centralus3 1 1 1 1 8h - NAME DESIRED CURRENT READY AVAILABLE AGE clustername-n6n4r-nc4ast4-gpu-worker-centralus1 1 1 1 1 122m clustername-n6n4r-worker-centralus1 1 1 1 1 8h clustername-n6n4r-worker-centralus2 1 1 1 1 8h clustername-n6n4r-worker-centralus3 1 1 1 1 8h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines that exist in the - openshift-machine-apinamespace by running the following command. You can only configure one compute machine per set, although you can scale a compute machine set to add a node in a particular region and zone.- oc get machines -n openshift-machine-api - $ oc get machines -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the existing nodes, machines, and machine sets by running the following command. Note that each node is an instance of a machine definition with a specific Azure region and OpenShift Container Platform role. - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the list of compute machine sets: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-worker-centralus1 1 1 1 1 8h myclustername-worker-centralus2 1 1 1 1 8h myclustername-worker-centralus3 1 1 1 1 8h - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-worker-centralus1 1 1 1 1 8h myclustername-worker-centralus2 1 1 1 1 8h myclustername-worker-centralus3 1 1 1 1 8h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the GPU-enabled compute machine set from the definition file by running the following command: - oc create -f machineset-azure-gpu.yaml - $ oc create -f machineset-azure-gpu.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the list of compute machine sets: - oc get machineset -n openshift-machine-api - oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-nc4ast4-gpu-worker-centralus1 1 1 1 1 121m myclustername-worker-centralus1 1 1 1 1 8h myclustername-worker-centralus2 1 1 1 1 8h myclustername-worker-centralus3 1 1 1 1 8h - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-nc4ast4-gpu-worker-centralus1 1 1 1 1 121m myclustername-worker-centralus1 1 1 1 1 8h myclustername-worker-centralus2 1 1 1 1 8h myclustername-worker-centralus3 1 1 1 1 8h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the machine set you created by running the following command: - oc get machineset -n openshift-machine-api | grep gpu - $ oc get machineset -n openshift-machine-api | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The MachineSet replica count is set to - 1so a new- Machineobject is created automatically.- Example output - myclustername-nc4ast4-gpu-worker-centralus1 1 1 1 1 121m - myclustername-nc4ast4-gpu-worker-centralus1 1 1 1 1 121m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the - Machineobject that the machine set created by running the following command:- oc -n openshift-machine-api get machines | grep gpu - $ oc -n openshift-machine-api get machines | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - myclustername-nc4ast4-gpu-worker-centralus1-w9bqn Running Standard_NC4as_T4_v3 centralus 1 21m - myclustername-nc4ast4-gpu-worker-centralus1-w9bqn Running Standard_NC4as_T4_v3 centralus 1 21m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
There is no need to specify a namespace for the node. The node definition is cluster scoped.
2.2.15. Deploying the Node Feature Discovery Operator
After the GPU-enabled node is created, you need to discover the GPU-enabled node so it can be scheduled. To do this, install the Node Feature Discovery (NFD) Operator. The NFD Operator identifies hardware device features in nodes. It solves the general problem of identifying and cataloging hardware resources in the infrastructure nodes so they can be made available to OpenShift Container Platform.
Procedure
- Install the Node Feature Discovery Operator from the software catalog in the OpenShift Container Platform console.
- 
							After installing the NFD Operator, select Node Feature Discovery from the installed Operators list and select Create instance. This installs the nfd-masterandnfd-workerpods, onenfd-workerpod for each compute node, in theopenshift-nfdnamespace.
- Verify that the Operator is installed and running by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Browse to the installed Oerator in the console and select Create Node Feature Discovery.
- 
							Select Create to build a NFD custom resource. This creates NFD pods in the openshift-nfdnamespace that poll the OpenShift Container Platform nodes for hardware resources and catalogue them.
Verification
- After a successful build, verify that a NFD pod is running on each nodes by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The NFD Operator uses vendor PCI IDs to identify hardware in a node. NVIDIA uses the PCI ID - 10de.
- View the NVIDIA GPU discovered by the NFD Operator by running the following command: - oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci' - $ oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 10deappears in the node feature list for the GPU-enabled node. This mean the NFD Operator correctly identified the node from the GPU-enabled MachineSet.
2.2.15.1. Enabling Accelerated Networking on an existing Microsoft Azure cluster
						You can enable Accelerated Networking on Azure by adding acceleratedNetworking to your machine set YAML file.
					
Prerequisites
- Have an existing Microsoft Azure cluster where the Machine API is operational.
Procedure
- Add the following to the - providerSpecfield:- providerSpec: value: acceleratedNetworking: true vmSize: <azure-vm-size>- providerSpec: value: acceleratedNetworking: true- 1 - vmSize: <azure-vm-size>- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This line enables Accelerated Networking.
- 2
- Specify an Azure VM size that includes at least four vCPUs. For information about VM sizes, see Microsoft Azure documentation.
 
Next steps
- To enable the feature on currently running nodes, you must replace each existing machine. This can be done for each machine individually, or by scaling the replicas down to zero, and then scaling back up to your desired number of replicas.
Verification
- 
								On the Microsoft Azure portal, review the Networking settings page for a machine provisioned by the machine set, and verify that the Accelerated networkingfield is set toEnabled.
2.3. Creating a compute machine set on Azure Stack Hub
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Microsoft Azure Stack Hub. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.3.1. Sample YAML for a compute machine set custom resource on Azure Stack Hub
					This sample YAML defines a compute machine set that runs in the 1 Microsoft Azure zone in a region and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1 5 7 13 15 16 17 20
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the subnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the vnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 11 18 19
- Specify the node label to add.
- 4 6 10
- Specify the infrastructure ID, node label, and region.
- 14
- Specify the region to place machines on.
- 21
- Specify the zone within your region to place machines on. Be sure that your region supports the zone that you specify.
- 12
- Specify the availability set for the cluster.
2.3.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
- Create an availability set in which to deploy Azure Stack Hub compute machines.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <availabilitySet>,- <clusterID>, and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.3.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.3.4. Enabling Azure boot diagnostics
You can enable boot diagnostics on Azure machines that your machine set creates.
Prerequisites
- Have an existing Microsoft Azure Stack Hub cluster.
Procedure
- Add the - diagnosticsconfiguration that is applicable to your storage type to the- providerSpecfield in your machine set YAML file:- For an Azure Managed storage account: - providerSpec: diagnostics: boot: storageAccountType: AzureManaged- providerSpec: diagnostics: boot: storageAccountType: AzureManaged- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies an Azure Managed storage account.
 
- For an Azure Unmanaged storage account: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Only the Azure Blob Storage data service is supported. 
 
Verification
- On the Microsoft Azure portal, review the Boot diagnostics page for a machine deployed by the machine set, and verify that you can see the serial logs for the machine.
2.3.5. Enabling customer-managed encryption keys for a machine set
You can supply an encryption key to Azure to encrypt data on managed disks at rest. You can enable server-side encryption with customer-managed keys by using the Machine API.
An Azure Key Vault, a disk encryption set, and an encryption key are required to use a customer-managed key. The disk encryption set must be in a resource group where the Cloud Credential Operator (CCO) has granted permissions. If not, an additional reader role is required to be granted on the disk encryption set.
Prerequisites
Procedure
- Configure the disk encryption set under the - providerSpecfield in your machine set YAML file. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.4. Creating a compute machine set on GCP
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Google Cloud Platform (GCP). For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.4.1. Sample YAML for a compute machine set custom resource on GCP
					This sample YAML defines a compute machine set that runs in Google Cloud Platform (GCP) and creates nodes that are labeled with node-role.kubernetes.io/<role>: "", where <role> is the node label to add.
				
2.4.1.1. Values obtained by using the OpenShift CLI
In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI.
- Infrastructure ID
- The - <infrastructure_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Image path
- The - <path_to_image>string is the path to the image that was used to create the disk. If you have the OpenShift CLI installed, you can obtain the path to the image by running the following command:- oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.disks[0].image}{"\n"}' \ get machineset/<infrastructure_id>-worker-a- $ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.disks[0].image}{"\n"}' \ get machineset/<infrastructure_id>-worker-a- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Sample GCP MachineSet values
- 1
- For<infrastructure_id>, specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster.
- 2
- For<node>, specify the node label to add.
- 3
- Specify the path to the image that is used in current compute machine sets.To use a GCP Marketplace image, specify the offer to use: - 
										OpenShift Container Platform: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-ocp-413-x86-64-202305021736
- 
										OpenShift Platform Plus: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-opp-413-x86-64-202305021736
- 
										OpenShift Kubernetes Engine: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-oke-413-x86-64-202305021736
 
- 
										OpenShift Container Platform: 
- 4
- Optional: Specify custom metadata in the form of akey:valuepair. For example use cases, see the GCP documentation for setting custom metadata.
- 5
- For<project_name>, specify the name of the GCP project that you use for your cluster.
- 6
- Specifies a single service account. Multiple service accounts are not supported.
2.4.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.4.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.4.4. Configuring persistent disk types by using machine sets
You can configure the type of persistent disk that a machine set deploys machines on by editing the machine set YAML file.
For more information about persistent disk types, compatibility, regional availability, and limitations, see the GCP Compute Engine documentation about persistent disks.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following line under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the persistent disk type. Valid values arepd-ssd,pd-standard, andpd-balanced. The default value ispd-standard.
 
Verification
- 
							Using the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Typefield matches the configured disk type.
2.4.5. Configuring Confidential VM by using machine sets
By editing the machine set YAML file, you can configure the Confidential VM options that a machine set uses for machines that it deploys.
For more information about Confidential VM features, functions, and compatibility, see the GCP Compute Engine documentation about Confidential VM.
Confidential VMs are currently not supported on 64-bit ARM architectures. If you use Confidential VM, you must ensure that you select a supported region. For details on supported regions and configurations, see the GCP Compute Engine documentation about supported zones.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify whether Confidential VM is enabled. The following values are valid:- Enabled
- Enables Confidential VM with a default selection of Confidential VM technology. The default selection is AMD Secure Encrypted Virtualization (AMD SEV). Important- The - Enabledvalue selects Confidential Computing with AMD Secure Encrypted Virtualization (AMD SEV), which is deprecated.
- Disabled
- Disables Confidential VM.
- AMDEncryptedVirtualizationNestedPaging
- Enables Confidential VM using AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP). AMD SEV-SNP supports n2d machines.
- AMDEncryptedVirtualization
- Enables Confidential VM using AMD SEV. AMD SEV supports c2d, n2d, and c3d machines. Important- The use of Confidential Computing with AMD Secure Encrypted Virtualization (AMD SEV) has been deprecated and will be removed in a future release. 
- IntelTrustedDomainExtensions
- Enables Confidential VM using Intel Trusted Domain Extensions (Intel TDX). Intel TDX supports n2d machines.
 
- 2
- Specify the behavior of the VM during a host maintenance event, such as a hardware or software update. For a machine that uses Confidential VM, this value must be set toTerminate, which stops the VM. Confidential VM does not support live VM migration.
- 3
- Specify a machine type that supports the Confidential VM option that you specified in theconfidentialComputefield.
 
Verification
- On the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Confidential VM options match the values that you configured.
2.4.6. Machine sets that deploy machines as preemptible VM instances
You can save on costs by creating a compute machine set running on GCP that deploys machines as non-guaranteed preemptible VM instances. Preemptible VM instances utilize excess Compute Engine capacity and are less expensive than normal instances. You can use preemptible VM instances for workloads that can tolerate interruptions, such as batch or stateless, horizontally scalable workloads.
					GCP Compute Engine can terminate a preemptible VM instance at any time. Compute Engine sends a preemption notice to the user indicating that an interruption will occur in 30 seconds. OpenShift Container Platform begins to remove the workloads from the affected instances when Compute Engine issues the preemption notice. An ACPI G3 Mechanical Off signal is sent to the operating system after 30 seconds if the instance is not stopped. The preemptible VM instance is then transitioned to a TERMINATED state by Compute Engine.
				
Interruptions can occur when using preemptible VM instances for the following reasons:
- There is a system or maintenance event
- The supply of preemptible VM instances decreases
- The instance reaches the end of the allotted 24-hour period for preemptible VM instances
					When GCP terminates an instance, a termination handler running on the preemptible VM instance node deletes the machine resource. To satisfy the compute machine set replicas quantity, the compute machine set creates a machine that requests a preemptible VM instance.
				
2.4.6.1. Creating preemptible VM instances by using compute machine sets
						You can launch a preemptible VM instance on GCP by adding preemptible to your compute machine set YAML file.
					
Procedure
- Add the following line under the - providerSpecfield:- providerSpec: value: preemptible: true- providerSpec: value: preemptible: true- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - If - preemptibleis set to- true, the machine is labeled as an- interruptible-instanceafter the instance is launched.
2.4.7. Configuring Shielded VM options by using machine sets
By editing the machine set YAML file, you can configure the Shielded VM options that a machine set uses for machines that it deploys.
For more information about Shielded VM features and functionality, see the GCP Compute Engine documentation about Shielded VM.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- In this section, specify any Shielded VM options that you want.
- 2
- Specify whether integrity monitoring is enabled. Valid values areDisabledorEnabled.NoteWhen integrity monitoring is enabled, you must not disable virtual trusted platform module (vTPM). 
- 3
- Specify whether UEFI Secure Boot is enabled. Valid values areDisabledorEnabled.
- 4
- Specify whether vTPM is enabled. Valid values areDisabledorEnabled.
 
Verification
- Using the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Shielded VM options match the values that you configured.
2.4.8. Enabling customer-managed encryption keys for a machine set
Google Cloud Platform (GCP) Compute Engine allows users to supply an encryption key to encrypt data on disks at rest. The key is used to encrypt the data encryption key, not to encrypt the customer’s data. By default, Compute Engine encrypts this data by using Compute Engine keys.
You can enable encryption with a customer-managed key in clusters that use the Machine API. You must first create a KMS key and assign the correct permissions to a service account. The KMS key name, key ring name, and location are required to allow a service account to use your key.
						If you do not want to use a dedicated service account for the KMS encryption, the Compute Engine default service account is used instead. You must grant the default service account permission to access the keys if you do not use a dedicated service account. The Compute Engine default service account name follows the service-<project_number>@compute-system.iam.gserviceaccount.com pattern.
					
Procedure
- To allow a specific service account to use your KMS key and to grant the service account the correct IAM role, run the following command with your KMS key name, key ring name, and location: - gcloud kms keys add-iam-policy-binding <key_name> \ --keyring <key_ring_name> \ --location <key_ring_location> \ --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter - $ gcloud kms keys add-iam-policy-binding <key_name> \ --keyring <key_ring_name> \ --location <key_ring_location> \ --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the encryption key under the - providerSpecfield in your machine set YAML file. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name of the customer-managed encryption key that is used for the disk encryption.
- 2
- The name of the KMS key ring that the KMS key belongs to.
- 3
- The GCP location in which the KMS key ring exists.
- 4
- Optional: The ID of the project in which the KMS key ring exists. If a project ID is not set, the machine setprojectIDin which the machine set was created is used.
- 5
- Optional: The service account that is used for the encryption request for the given KMS key. If a service account is not set, the Compute Engine default service account is used.
 - When a new machine is created by using the updated - providerSpecobject configuration, the disk encryption key is encrypted with the KMS key.
2.4.9. Enabling GPU support for a compute machine set
Google Cloud Platform (GCP) Compute Engine enables users to add GPUs to VM instances. Workloads that benefit from access to GPU resources can perform better on compute machines with this feature enabled. OpenShift Container Platform on GCP supports NVIDIA GPU models in the A2 and N1 machine series.
| Model name | GPU type | Machine types [1] | 
|---|---|---|
| NVIDIA A100 | 
									 | 
 | 
| NVIDIA K80 | 
									 | 
 | 
| NVIDIA P100 | 
									 | |
| NVIDIA P4 | 
									 | |
| NVIDIA T4 | 
									 | |
| NVIDIA V100 | 
									 | 
- For more information about machine types, including specifications, compatibility, regional availability, and limitations, see the GCP Compute Engine documentation about N1 machine series, A2 machine series, and GPU regions and zones availability.
You can define which supported GPU to use for an instance by using the Machine API.
You can configure machines in the N1 machine series to deploy with one of the supported GPU types. Machines in the A2 machine series come with associated GPUs, and cannot use guest accelerators.
GPUs for graphics workloads are not supported.
Procedure
- In a text editor, open the YAML file for an existing compute machine set or create a new one.
- Specify a GPU configuration under the - providerSpecfield in your compute machine set YAML file. See the following examples of valid configurations:- Example configuration for the A2 machine series - providerSpec: value: machineType: a2-highgpu-1g onHostMaintenance: Terminate restartPolicy: Always- providerSpec: value: machineType: a2-highgpu-1g- 1 - onHostMaintenance: Terminate- 2 - restartPolicy: Always- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example configuration for the N1 machine series - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the number of GPUs to attach to the machine.
- 2
- Specify the type of GPUs to attach to the machine. Ensure that the machine type and GPU type are compatible.
- 3
- Specify the machine type. Ensure that the machine type and GPU type are compatible.
- 4
- When using GPU support, you must setonHostMaintenancetoTerminate.
- 5
- Specify the restart policy for machines deployed by the compute machine set. Allowed values areAlwaysorNever.
 
2.4.10. Adding a GPU node to an existing OpenShift Container Platform cluster
You can copy and modify a default compute machine set configuration to create a GPU-enabled machine set and machines for the GCP cloud provider.
The following table lists the validated instance types:
| Instance type | NVIDIA GPU accelerator | Maximum number of GPUs | Architecture | 
|---|---|---|---|
| 
									 | A100 | 1 | x86 | 
| 
									 | T4 | 1 | x86 | 
Procedure
- 
							Make a copy of an existing MachineSet.
- 
							In the new copy, change the machine set nameinmetadata.nameand in both instances ofmachine.openshift.io/cluster-api-machineset.
- Change the instance type to add the following two lines to the newly copied - MachineSet:- machineType: a2-highgpu-1g onHostMaintenance: Terminate - machineType: a2-highgpu-1g onHostMaintenance: Terminate- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example - a2-highgpu-1g.jsonfile- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the existing nodes, machines, and machine sets by running the following command. Note that each node is an instance of a machine definition with a specific GCP region and OpenShift Container Platform role. - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines and machine sets that exist in the - openshift-machine-apinamespace by running the following command. Each compute machine set is associated with a different availability zone within the GCP region. The installer automatically load balances compute machines across availability zones.- oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-2pt9p-worker-a 1 1 1 1 8h myclustername-2pt9p-worker-b 1 1 1 1 8h myclustername-2pt9p-worker-c 1 1 8h myclustername-2pt9p-worker-f 0 0 8h - NAME DESIRED CURRENT READY AVAILABLE AGE myclustername-2pt9p-worker-a 1 1 1 1 8h myclustername-2pt9p-worker-b 1 1 1 1 8h myclustername-2pt9p-worker-c 1 1 8h myclustername-2pt9p-worker-f 0 0 8h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the machines that exist in the - openshift-machine-apinamespace by running the following command. You can only configure one compute machine per set, although you can scale a compute machine set to add a node in a particular region and zone.- oc get machines -n openshift-machine-api | grep worker - $ oc get machines -n openshift-machine-api | grep worker- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - myclustername-2pt9p-worker-a-mxtnz Running n2-standard-4 us-central1 us-central1-a 8h myclustername-2pt9p-worker-b-9pzzn Running n2-standard-4 us-central1 us-central1-b 8h myclustername-2pt9p-worker-c-6pbg6 Running n2-standard-4 us-central1 us-central1-c 8h - myclustername-2pt9p-worker-a-mxtnz Running n2-standard-4 us-central1 us-central1-a 8h myclustername-2pt9p-worker-b-9pzzn Running n2-standard-4 us-central1 us-central1-b 8h myclustername-2pt9p-worker-c-6pbg6 Running n2-standard-4 us-central1 us-central1-c 8h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Make a copy of one of the existing compute - MachineSetdefinitions and output the result to a JSON file by running the following command. This will be the basis for the GPU-enabled compute machine set definition.- oc get machineset myclustername-2pt9p-worker-a -n openshift-machine-api -o json > <output_file.json> - $ oc get machineset myclustername-2pt9p-worker-a -n openshift-machine-api -o json > <output_file.json>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the JSON file to make the following changes to the new - MachineSetdefinition:- 
									Rename the machine set nameby inserting the substringgpuinmetadata.nameand in both instances ofmachine.openshift.io/cluster-api-machineset.
- Change the - machineTypeof the new- MachineSetdefinition to- a2-highgpu-1g, which includes an NVIDIA A100 GPU.- jq .spec.template.spec.providerSpec.value.machineType ocp_4.20_machineset-a2-highgpu-1g.json "a2-highgpu-1g" - jq .spec.template.spec.providerSpec.value.machineType ocp_4.20_machineset-a2-highgpu-1g.json "a2-highgpu-1g"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - <output_file.json>file is saved as- ocp_4.20_machineset-a2-highgpu-1g.json.
 
- 
									Rename the machine set 
- Update the following fields in - ocp_4.20_machineset-a2-highgpu-1g.json:- 
									Change .metadata.nameto a name containinggpu.
- 
									Change .spec.selector.matchLabels["machine.openshift.io/cluster-api-machineset"]to match the new.metadata.name.
- 
									Change .spec.template.metadata.labels["machine.openshift.io/cluster-api-machineset"]to match the new.metadata.name.
- 
									Change .spec.template.spec.providerSpec.value.MachineTypetoa2-highgpu-1g.
- Add the following line under - machineType: `"onHostMaintenance": "Terminate". For example:- "machineType": "a2-highgpu-1g", "onHostMaintenance": "Terminate", - "machineType": "a2-highgpu-1g", "onHostMaintenance": "Terminate",- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									Change 
- To verify your changes, perform a - diffof the original compute definition and the new GPU-enabled node definition by running the following command:- oc get machineset/myclustername-2pt9p-worker-a -n openshift-machine-api -o json | diff ocp_4.20_machineset-a2-highgpu-1g.json - - $ oc get machineset/myclustername-2pt9p-worker-a -n openshift-machine-api -o json | diff ocp_4.20_machineset-a2-highgpu-1g.json -- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the GPU-enabled compute machine set from the definition file by running the following command: - oc create -f ocp_4.20_machineset-a2-highgpu-1g.json - $ oc create -f ocp_4.20_machineset-a2-highgpu-1g.json- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - machineset.machine.openshift.io/myclustername-2pt9p-worker-gpu-a created - machineset.machine.openshift.io/myclustername-2pt9p-worker-gpu-a created- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the machine set you created by running the following command: - oc -n openshift-machine-api get machinesets | grep gpu - $ oc -n openshift-machine-api get machinesets | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The MachineSet replica count is set to - 1so a new- Machineobject is created automatically.- Example output - myclustername-2pt9p-worker-gpu-a 1 1 1 1 5h24m - myclustername-2pt9p-worker-gpu-a 1 1 1 1 5h24m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the - Machineobject that the machine set created by running the following command:- oc -n openshift-machine-api get machines | grep gpu - $ oc -n openshift-machine-api get machines | grep gpu- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - myclustername-2pt9p-worker-gpu-a-wxcr6 Running a2-highgpu-1g us-central1 us-central1-a 5h25m - myclustername-2pt9p-worker-gpu-a-wxcr6 Running a2-highgpu-1g us-central1 us-central1-a 5h25m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Note that there is no need to specify a namespace for the node. The node definition is cluster scoped.
2.4.11. Deploying the Node Feature Discovery Operator
After the GPU-enabled node is created, you need to discover the GPU-enabled node so it can be scheduled. To do this, install the Node Feature Discovery (NFD) Operator. The NFD Operator identifies hardware device features in nodes. It solves the general problem of identifying and cataloging hardware resources in the infrastructure nodes so they can be made available to OpenShift Container Platform.
Procedure
- Install the Node Feature Discovery Operator from the software catalog in the OpenShift Container Platform console.
- 
							After installing the NFD Operator, select Node Feature Discovery from the installed Operators list and select Create instance. This installs the nfd-masterandnfd-workerpods, onenfd-workerpod for each compute node, in theopenshift-nfdnamespace.
- Verify that the Operator is installed and running by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 1d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Browse to the installed Oerator in the console and select Create Node Feature Discovery.
- 
							Select Create to build a NFD custom resource. This creates NFD pods in the openshift-nfdnamespace that poll the OpenShift Container Platform nodes for hardware resources and catalogue them.
Verification
- After a successful build, verify that a NFD pod is running on each nodes by running the following command: - oc get pods -n openshift-nfd - $ oc get pods -n openshift-nfd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d - NAME READY STATUS RESTARTS AGE nfd-controller-manager-8646fcbb65-x5qgk 2/2 Running 7 (8h ago) 12d nfd-master-769656c4cb-w9vrv 1/1 Running 0 12d nfd-worker-qjxb2 1/1 Running 3 (3d14h ago) 12d nfd-worker-xtz9b 1/1 Running 5 (3d14h ago) 12d- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The NFD Operator uses vendor PCI IDs to identify hardware in a node. NVIDIA uses the PCI ID - 10de.
- View the NVIDIA GPU discovered by the NFD Operator by running the following command: - oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci' - $ oc describe node ip-10-0-132-138.us-east-2.compute.internal | egrep 'Roles|pci'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 10deappears in the node feature list for the GPU-enabled node. This mean the NFD Operator correctly identified the node from the GPU-enabled MachineSet.
2.5. Creating a compute machine set on IBM Cloud
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on IBM Cloud®. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.5.1. Sample YAML for a compute machine set custom resource on IBM Cloud
					This sample YAML defines a compute machine set that runs in a specified IBM Cloud® zone in a region and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1 5 7
- The infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 16
- The node label to add.
- 4 6 10
- The infrastructure ID, node label, and region.
- 11
- The custom Red Hat Enterprise Linux CoreOS (RHCOS) image that was used for cluster installation.
- 12
- The infrastructure ID and zone within your region to place machines on. Be sure that your region supports the zone that you specify.
- 13
- Specify the IBM Cloud® instance profile.
- 14
- Specify the region to place machines on.
- 15
- The resource group that machine resources are placed in. This is either an existing resource group specified at installation time, or an installer-created resource group named based on the infrastructure ID.
- 17
- The VPC name.
- 18
- Specify the zone within your region to place machines on. Be sure that your region supports the zone that you specify.
2.5.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.5.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.6. Creating a compute machine set on IBM Power Virtual Server
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on IBM Power® Virtual Server. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.6.1. Sample YAML for a compute machine set custom resource on IBM Power Virtual Server
					This sample YAML file defines a compute machine set that runs in a specified IBM Power® Virtual Server zone in a region and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1 5 7
- The infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9
- The node label to add.
- 4 6 10
- The infrastructure ID, node label, and region.
- 11
- The custom Red Hat Enterprise Linux CoreOS (RHCOS) image that was used for cluster installation.
- 12
- The infrastructure ID within your region to place machines on.
2.6.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.6.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.7. Creating a compute machine set on Nutanix
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Nutanix. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.7.1. Sample YAML for a compute machine set custom resource on Nutanix
					This sample YAML defines a Nutanix compute machine set that creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
2.7.1.1. Values obtained by using the OpenShift CLI
						In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI (oc).
					
- Infrastructure ID
- The - <infrastructure_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 1
- For<infrastructure_id>, specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster.
- 2
- Specify the node label to add.
- 3
- Specify the infrastructure ID, node label, and zone.
- 4
- Annotations for the cluster autoscaler.
- 5
- Specifies the boot type that the compute machines use. For more information about boot types, see Understanding UEFI, Secure Boot, and TPM in the Virtualized Environment. Valid values areLegacy,SecureBoot, orUEFI. The default isLegacy.NoteYou must use the Legacyboot type in OpenShift Container Platform 4.20.
- 6
- Specify one or more Nutanix Prism categories to apply to compute machines. This stanza requireskeyandvalueparameters for a category key-value pair that exists in Prism Central. For more information about categories, see Category management.
- 7
- Specify a Nutanix Prism Element cluster configuration. In this example, the cluster type isuuid, so there is auuidstanza.
- 8
- Specify the image to use. Use an image from an existing default compute machine set for the cluster.
- 9
- Specify the amount of memory for the cluster in Gi.
- 10
- Specify the Nutanix project that you use for your cluster. In this example, the project type isname, so there is anamestanza.
- 11
- Specify one or more UUID for the Prism Element subnet object. The CIDR IP address prefix for one of the specified subnets must contain the virtual IP addresses that the OpenShift Container Platform cluster uses. A maximum of 32 subnets for each Prism Element failure domain in the cluster is supported. All subnet UUID values must be unique.
- 12
- Specify the size of the system disk in Gi.
- 13
- Specify the name of the secret in the user data YAML file that is in theopenshift-machine-apinamespace. Use the value that installation program populates in the default compute machine set.
- 14
- Specify the number of vCPU sockets.
- 15
- Specify the number of vCPUs per socket.
2.7.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.7.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.7.4. Failure domains for Nutanix clusters
To add or update the failure domain configuration on a Nutanix cluster, you must make coordinated changes to several resources. The following actions are required:
- Modify the cluster infrastructure custom resource (CR).
- Modify the cluster control plane machine set CR.
- Modify or replace the compute machine set CRs.
For more information, see "Adding failure domains to an existing Nutanix cluster" in the Post-installation configuration content.
2.8. Creating a compute machine set on OpenStack
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on Red Hat OpenStack Platform (RHOSP). For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.8.1. Sample YAML for a compute machine set custom resource on RHOSP
					This sample YAML defines a compute machine set that runs on Red Hat OpenStack Platform (RHOSP) and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1 5 7 13 15 16 17 18
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 19
- Specify the node label to add.
- 4 6 10
- Specify the infrastructure ID and node label.
- 11
- To set a server group policy for the MachineSet, enter the value that is returned from creating a server group. For most deployments,anti-affinityorsoft-anti-affinitypolicies are recommended.
- 12
- Required for deployments to multiple networks. To specify multiple networks, add another entry in the networks array. Also, you must include the network that is used as theprimarySubnetvalue.
- 14
- Specify the RHOSP subnet that you want the endpoints of nodes to be published on. Usually, this is the same subnet that is used as the value ofmachinesSubnetin theinstall-config.yamlfile.
2.8.2. Sample YAML for a compute machine set custom resource that uses SR-IOV on RHOSP
If you configured your cluster for single-root I/O virtualization (SR-IOV), you can create compute machine sets that use that technology.
					This sample YAML defines a compute machine set that uses SR-IOV networks. The nodes that it creates are labeled with node-role.openshift.io/<node_role>: ""
				
					In this sample, infrastructure_id is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and node_role is the node label to add.
				
					The sample assumes two SR-IOV networks that are named "radio" and "uplink". The networks are used in port definitions in the spec.template.spec.providerSpec.value.ports list.
				
Only parameters that are specific to SR-IOV deployments are described in this sample. To review a more general sample, see "Sample YAML for a compute machine set custom resource on RHOSP".
An example compute machine set that uses SR-IOV networks
- 1 5
- Enter a network UUID for each port.
- 2 6
- Enter a subnet UUID for each port.
- 3 7
- The value of thevnicTypeparameter must bedirectfor each port.
- 4 8
- The value of theportSecurityparameter must befalsefor each port.You cannot set security groups and allowed address pairs for ports when port security is disabled. Setting security groups on the instance applies the groups to all ports that are attached to it. 
- 9
- The value of theconfigDriveparameter must betrue.
After you deploy compute machines that are SR-IOV-capable, you must label them as such. For example, from a command line, enter:
oc label node <NODE_NAME> feature.node.kubernetes.io/network-sriov.capable="true"
$ oc label node <NODE_NAME> feature.node.kubernetes.io/network-sriov.capable="true"
						Trunking is enabled for ports that are created by entries in the networks and subnets lists. The names of ports that are created from these lists follow the pattern <machine_name>-<nameSuffix>. The nameSuffix field is required in port definitions.
					
You can enable trunking for each port.
						Optionally, you can add tags to ports as part of their tags lists.
					
2.8.3. Sample YAML for SR-IOV deployments where port security is disabled
					To create single-root I/O virtualization (SR-IOV) ports on a network that has port security disabled, define a compute machine set that includes the ports as items in the spec.template.spec.providerSpec.value.ports list. This difference from the standard SR-IOV compute machine set is due to the automatic security group and allowed address pair configuration that occurs for ports that are created by using the network and subnet interfaces.
				
Ports that you define for machines subnets require:
- Allowed address pairs for the API and ingress virtual IP ports
- The compute security group
- Attachment to the machines network and subnet
Only parameters that are specific to SR-IOV deployments where port security is disabled are described in this sample. To review a more general sample, see Sample YAML for a compute machine set custom resource that uses SR-IOV on RHOSP".
An example compute machine set that uses SR-IOV networks and has port security disabled
						Trunking is enabled for ports that are created by entries in the networks and subnets lists. The names of ports that are created from these lists follow the pattern <machine_name>-<nameSuffix>. The nameSuffix field is required in port definitions.
					
You can enable trunking for each port.
						Optionally, you can add tags to ports as part of their tags lists.
					
2.8.4. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.8.5. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.9. Creating a compute machine set on vSphere
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on VMware vSphere. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.9.1. Sample YAML for a compute machine set custom resource on vSphere
					This sample YAML defines a compute machine set that runs on VMware vSphere and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI (oc) installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the infrastructure ID and node label.
- 3
- Specify the node label to add.
- 4
- Specify one or more data disk definitions. For more information, see "Configuring data disks by using machine sets".
- 5
- Specify the vSphere VM network to deploy the compute machine set to. This VM network must be where other compute machines reside in the cluster.
- 6
- Specify the vSphere VM template to use, such asuser-5ddjd-rhcos.
- 7
- Specify the vCenter datacenter to deploy the compute machine set on.
- 8
- Specify the vCenter datastore to deploy the compute machine set on.
- 9
- Specify the path to the vSphere VM folder in vCenter, such as/dc1/vm/user-inst-5ddjd.
- 10
- Specify the vSphere resource pool for your VMs.
- 11
- Specify the vCenter server IP or fully qualified domain name.
2.9.2. Minimum required vCenter privileges for compute machine set management
To manage compute machine sets in an OpenShift Container Platform cluster on vCenter, you must use an account with privileges to read, create, and delete the required resources. Using an account that has global administrative privileges is the simplest way to access all of the necessary permissions.
If you cannot use an account with global administrative privileges, you must create roles to grant the minimum required privileges. The following table lists the minimum vCenter roles and privileges that are required to create, scale, and delete compute machine sets and to delete machines in your OpenShift Container Platform cluster.
Example 2.1. Minimum vCenter roles and privileges required for compute machine set management
| vSphere object for role | When required | Required privileges | 
|---|---|---|
| vSphere vCenter | Always | 
										 | 
| vSphere vCenter Cluster | Always | 
										 | 
| vSphere datastore | Always | 
										 | 
| vSphere Port Group | Always | 
										 | 
| Virtual Machine Folder | Always | 
										 | 
| vSphere vCenter data center | If the installation program creates the virtual machine folder. | 
										 | 
| 
										1 The  | ||
The following table details the permissions and propagation settings that are required for compute machine set management.
Example 2.2. Required permissions and propagation settings
| vSphere object | Folder type | Propagate to children | Permissions required | 
|---|---|---|---|
| vSphere vCenter | Always | Not required | Listed required privileges | 
| vSphere vCenter data center | Existing folder | Not required | 
										 | 
| Installation program creates the folder | Required | Listed required privileges | |
| vSphere vCenter Cluster | Always | Required | Listed required privileges | 
| vSphere vCenter datastore | Always | Not required | Listed required privileges | 
| vSphere Switch | Always | Not required | 
										 | 
| vSphere Port Group | Always | Not required | Listed required privileges | 
| vSphere vCenter Virtual Machine Folder | Existing folder | Required | Listed required privileges | 
For more information about creating an account with only the required privileges, see vSphere Permissions and User Management Tasks in the vSphere documentation.
2.9.3. Requirements for clusters with user-provisioned infrastructure to use compute machine sets
To use compute machine sets on clusters that have user-provisioned infrastructure, you must ensure that you cluster configuration supports using the Machine API.
2.9.3.1. Obtaining the infrastructure ID
To create compute machine sets, you must be able to supply the infrastructure ID for your cluster.
Procedure
- To obtain the infrastructure ID for your cluster, run the following command: - oc get infrastructure cluster -o jsonpath='{.status.infrastructureName}'- $ oc get infrastructure cluster -o jsonpath='{.status.infrastructureName}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.9.3.2. Satisfying vSphere credentials requirements
						To use compute machine sets, the Machine API must be able to interact with vCenter. Credentials that authorize the Machine API components to interact with vCenter must exist in a secret in the openshift-machine-api namespace.
					
Procedure
- To determine whether the required credentials exist, run the following command: - oc get secret \ -n openshift-machine-api vsphere-cloud-credentials \ -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'- $ oc get secret \ -n openshift-machine-api vsphere-cloud-credentials \ -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - <vcenter-server>.password=<openshift-user-password> <vcenter-server>.username=<openshift-user> - <vcenter-server>.password=<openshift-user-password> <vcenter-server>.username=<openshift-user>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <vcenter-server>is the IP address or fully qualified domain name (FQDN) of the vCenter server and- <openshift-user>and- <openshift-user-password>are the OpenShift Container Platform administrator credentials to use.
- If the secret does not exist, create it by running the following command: - oc create secret generic vsphere-cloud-credentials \ -n openshift-machine-api \ --from-literal=<vcenter-server>.username=<openshift-user> --from-literal=<vcenter-server>.password=<openshift-user-password> - $ oc create secret generic vsphere-cloud-credentials \ -n openshift-machine-api \ --from-literal=<vcenter-server>.username=<openshift-user> --from-literal=<vcenter-server>.password=<openshift-user-password>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.9.3.3. Satisfying Ignition configuration requirements
						Provisioning virtual machines (VMs) requires a valid Ignition configuration. The Ignition configuration contains the machine-config-server address and a system trust bundle for obtaining further Ignition configurations from the Machine Config Operator.
					
						By default, this configuration is stored in the worker-user-data secret in the machine-api-operator namespace. Compute machine sets reference the secret during the machine creation process.
					
Procedure
- To determine whether the required secret exists, run the following command: - oc get secret \ -n openshift-machine-api worker-user-data \ -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'- $ oc get secret \ -n openshift-machine-api worker-user-data \ -o go-template='{{range $k,$v := .data}}{{printf "%s: " $k}}{{if not $v}}{{$v}}{{else}}{{$v | base64decode}}{{end}}{{"\n"}}{{end}}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The full output is omitted here, but should have this format.
 
- If the secret does not exist, create it by running the following command: - oc create secret generic worker-user-data \ -n openshift-machine-api \ --from-file=<installation_directory>/worker.ign - $ oc create secret generic worker-user-data \ -n openshift-machine-api \ --from-file=<installation_directory>/worker.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <installation_directory>is the directory that was used to store your installation assets during cluster installation.
2.9.4. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
						Clusters that are installed with user-provisioned infrastructure have a different networking stack than clusters with infrastructure that is provisioned by the installation program. As a result of this difference, automatic load balancer management is unsupported on clusters that have user-provisioned infrastructure. For these clusters, a compute machine set can only create worker and infra type machines.
					
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
- Have the necessary permissions to deploy VMs in your vCenter instance and have the required access to the datastore specified.
- If your cluster uses user-provisioned infrastructure, you have satisfied the specific Machine API requirements for that configuration.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
- If you are creating a compute machine set for a cluster that has user-provisioned infrastructure, note the following important values: - Example vSphere - providerSpecvalues- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name of the secret in theopenshift-machine-apinamespace that contains the required vCenter credentials.
- 2
- The collection of data disk definitions. For more information, see "Configuring data disks by using machine sets".
- 3
- The name of the RHCOS VM template for your cluster that was created during installation.
- 4
- The name of the secret in theopenshift-machine-apinamespace that contains the required Ignition configuration credentials.
- 5
- The IP address or fully qualified domain name (FQDN) of the vCenter server.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.9.5. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
2.9.6. Adding tags to machines by using machine sets
OpenShift Container Platform adds a cluster-specific tag to each virtual machine (VM) that it creates. The installation program uses these tags to select the VMs to delete when uninstalling a cluster.
In addition to the cluster-specific tags assigned to VMs, you can configure a machine set to add up to 10 additional vSphere tags to the VMs it provisions.
Prerequisites
- 
							You have access to an OpenShift Container Platform cluster installed on vSphere using an account with cluster-adminpermissions.
- You have access to the VMware vCenter console associated with your cluster.
- You have created a tag in the vCenter console.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- Use the vCenter console to find the tag ID for any tag that you want to add to your machines: - Log in to the vCenter console.
- From the Home menu, click Tags & Custom Attributes.
- Select a tag that you want to add to your machines.
- Use the browser URL for the tag that you select to identify the tag ID. - Example tag URL - https://vcenter.example.com/ui/app/tags/tag/urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL/permissions - https://vcenter.example.com/ui/app/tags/tag/urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL/permissions- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example tag ID - urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL - urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
2.9.7. Configuring multiple network interface controllers by using machine sets
OpenShift Container Platform clusters on VMware vSphere support connecting up to 10 network interface controllers (NICs) to a node. By configuring multiple NICs, you can provide dedicated network links in the node virtual machines (VMs) for uses such as storage or databases.
You can use machine sets to manage this configuration.
- If you want to use multiple NICs in a vSphere cluster that was not configured to do so during installation, you can use machine sets to implement this configuration.
- If your cluster was set up during installation to use multiple NICs, machine sets that you create can use your existing failure domain configuration.
- If your failure domain configuration changes, you can use machine sets to make updates that reflect those changes.
Prerequisites
- 
							You have administrator access to OpenShift CLI (oc) for an OpenShift Container Platform cluster on vSphere.
Procedure
- For a cluster that already uses multiple NICs, obtain the following values from the - Infrastructureresource by running the following command:- oc get infrastructure cluster -o=jsonpath={.spec.platformSpec.vsphere.failureDomains}- $ oc get infrastructure cluster -o=jsonpath={.spec.platformSpec.vsphere.failureDomains}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Expand - Table 2.3. Required network interface controller values - Infrastructureresource value- Placeholder value for sample machine set - Description - failureDomain.topology.networks[0]- <vm_network_name_1>- The name of the first NIC to use. - failureDomain.topology.networks[1]- <vm_network_name_2>- The name of the second NIC to use. - failureDomain.topology.networks[<n-1>]- <vm_network_name_n>- The name of the nth NIC to use. Collect the name of each NIC in the - Infrastructureresource.- failureDomain.topology.template- <vm_template_name>- The vSphere VM template to use. - failureDomain.topology.datacenter- <vcenter_data_center_name>- The vCenter data center to deploy the machine set on. - failureDomain.topology.datastore- <vcenter_datastore_name>- The vCenter datastore to deploy the machine set on. - failureDomain.topology.folder- <vcenter_vm_folder_path>- The path to the vSphere VM folder in vCenter, such as - /dc1/vm/user-inst-5ddjd.- failureDomain.topology.computeCluster+- /Resources- <vsphere_resource_pool>- The vSphere resource pool for your VMs. - failureDomain.server- <vcenter_server_ip>- The vCenter server IP or fully qualified domain name (FQDN). 
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Use a machine set configuration formatted like the following example. - 
									For a cluster that currently uses multiple NICs, use the values from the Infrastructureresource to populate the values in the machine set custom resource.
- For a cluster that is not using multiple NICs, populate the values you want to use in the machine set custom resource.
 - Sample machine set - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a list of up to 10 NICs to use.
- 2
- Specify the vSphere VM template to use, such asuser-5ddjd-rhcos.
- 3
- Specify the vCenter data center to deploy the machine set on.
- 4
- Specify the vCenter datastore to deploy the machine set on.
- 5
- Specify the path to the vSphere VM folder in vCenter, such as/dc1/vm/user-inst-5ddjd.
- 6
- Specify the vSphere resource pool for your VMs.
- 7
- Specify the vCenter server IP or fully qualified domain name (FQDN).
 
- 
									For a cluster that currently uses multiple NICs, use the values from the 
2.9.8. Configuring data disks by using machine sets
OpenShift Container Platform clusters on VMware vSphere support adding up to 29 disks to the virtual machine (VM) controller.
Configuring vSphere data disks is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
By configuring data disks, you can attach disks to VMs and use them to store data for etcd, container images, and other uses. Separating data can help avoid filling the primary disk so that important activities such as upgrades have the resources that they require.
Adding data disks attaches them to the VM and mounts them to the location that RHCOS designates.
Prerequisites
- 
							You have administrator access to OpenShift CLI (oc) for an OpenShift Container Platform cluster on vSphere.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a collection of 1-29 data disk definitions. This sample configuration shows the formatting to include two data disk definitions.
- 2
- Specify the name of the data disk. The name must meet the following requirements:- Start and end with an alphanumeric character
- 
											Consist only of alphanumeric characters, hyphens (-), and underscores (_)
- Have a maximum length of 80 characters
 
- 3
- Specify the data disk provisioning method. This value defaults to the vSphere default storage policy if not set. Valid values areThin,Thick, andEagerlyZeroed.
- 4
- Specify the size of the data disk in GiB. The maximum size is 16384 GiB.
 
2.10. Creating a compute machine set on bare metal
You can create a different compute machine set to serve a specific purpose in your OpenShift Container Platform cluster on bare metal. For example, you might create infrastructure machine sets and related machines so that you can move supporting workloads to the new machines.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'2.10.1. Sample YAML for a compute machine set custom resource on bare metal
					This sample YAML defines a compute machine set that runs on bare metal and creates nodes that are labeled with node-role.kubernetes.io/<role>: "".
				
					In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <role> is the node label to add.
				
- 1 3 5
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI (oc) installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 4 8
- Specify the infrastructure ID and node label.
- 6 7 9
- Specify the node label to add.
- 10
- Edit thechecksumURL to use the API VIP address.
- 11
- Edit theurlURL to use the API VIP address.
2.10.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
2.10.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
Chapter 3. Manually scaling a compute machine set
You can add or remove an instance of a machine in a compute machine set.
If you need to modify aspects of a compute machine set outside of scaling, see Modifying a compute machine set.
3.1. Prerequisites
- 
						If you enabled the cluster-wide proxy and scale up compute machines not included in networking.machineNetwork[].cidrfrom the installation configuration, you must add the compute machines to the Proxy object’snoProxyfield to prevent connection issues.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
					Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
				
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'3.2. Scaling a compute machine set manually
To add or remove an instance of a machine in a compute machine set, you can manually scale the compute machine set.
This guidance is relevant to fully automated, installer-provisioned infrastructure installations. Customized, user-provisioned infrastructure installations do not have compute machine sets.
Prerequisites
- 
						Install an OpenShift Container Platform cluster and the occommand line.
- 
						Log in to ocas a user withcluster-adminpermission.
Procedure
- View the compute machine sets that are in the cluster by running the following command: - oc get machinesets.machine.openshift.io -n openshift-machine-api - $ oc get machinesets.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The compute machine sets are listed in the form of - <clusterid>-worker-<aws-region-az>.
- View the compute machines that are in the cluster by running the following command: - oc get machines.machine.openshift.io -n openshift-machine-api - $ oc get machines.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Set the annotation on the compute machine that you want to delete by running the following command: - oc annotate machines.machine.openshift.io/<machine_name> -n openshift-machine-api machine.openshift.io/delete-machine="true" - $ oc annotate machines.machine.openshift.io/<machine_name> -n openshift-machine-api machine.openshift.io/delete-machine="true"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Scale the compute machine set by running one of the following commands: - oc scale --replicas=2 machinesets.machine.openshift.io <machineset> -n openshift-machine-api - $ oc scale --replicas=2 machinesets.machine.openshift.io <machineset> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Or: - oc edit machinesets.machine.openshift.io <machineset> -n openshift-machine-api - $ oc edit machinesets.machine.openshift.io <machineset> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Tip- You can alternatively apply the following YAML to scale the compute machine set: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You can scale the compute machine set up or down. It takes several minutes for the new machines to be available. Important- By default, the machine controller tries to drain the node that is backed by the machine until it succeeds. In some situations, such as with a misconfigured pod disruption budget, the drain operation might not be able to succeed. If the drain operation fails, the machine controller cannot proceed removing the machine. - You can skip draining the node by annotating - machine.openshift.io/exclude-node-drainingin a specific machine.
Verification
- Verify the deletion of the intended machine by running the following command: - oc get machines.machine.openshift.io - $ oc get machines.machine.openshift.io- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
3.3. The compute machine set deletion policy
				Random, Newest, and Oldest are the three supported deletion options. The default is Random, meaning that random machines are chosen and deleted when scaling compute machine sets down. The deletion policy can be set according to the use case by modifying the particular compute machine set:
			
spec: deletePolicy: <delete_policy> replicas: <desired_replica_count>
spec:
  deletePolicy: <delete_policy>
  replicas: <desired_replica_count>
				Specific machines can also be prioritized for deletion by adding the annotation machine.openshift.io/delete-machine=true to the machine of interest, regardless of the deletion policy.
			
					By default, the OpenShift Container Platform router pods are deployed on workers. Because the router is required to access some cluster resources, including the web console, do not scale the worker compute machine set to 0 unless you first relocate the router pods.
				
Custom compute machine sets can be used for use cases requiring that services run on specific nodes and that those services are ignored by the controller when the worker compute machine sets are scaling down. This prevents service disruption.
Chapter 4. Modifying a compute machine set
You can modify a compute machine set, such as adding labels, changing the instance type, or changing block storage.
If you need to scale a compute machine set without making other changes, see Manually scaling a compute machine set.
4.1. Modifying a compute machine set by using the CLI
You can modify the configuration of a compute machine set, and then propagate the changes to the machines in your cluster by using the CLI.
				By updating the compute machine set configuration, you can enable features or change the properties of the machines it creates. When you modify a compute machine set, your changes only apply to compute machines that are created after you save the updated MachineSet custom resource (CR). The changes do not affect existing machines.
			
					Changes made in the underlying cloud provider are not reflected in the Machine or MachineSet CRs. To adjust instance configuration in cluster-managed infrastructure, use the cluster-side resources.
				
You can replace the existing machines with new ones that reflect the updated configuration by scaling the compute machine set to create twice the number of replicas and then scaling it down to the original number of replicas.
If you need to scale a compute machine set without making other changes, you do not need to delete the machines.
					By default, the OpenShift Container Platform router pods are deployed on compute machines. Because the router is required to access some cluster resources, including the web console, do not scale the compute machine set to 0 unless you first relocate the router pods.
				
The output examples in this procedure use the values for an AWS cluster.
Prerequisites
- Your OpenShift Container Platform cluster uses the Machine API.
- 
						You are logged in to the cluster as an administrator by using the OpenShift CLI (oc).
Procedure
- List the compute machine sets in your cluster by running the following command: - oc get machinesets.machine.openshift.io -n openshift-machine-api - $ oc get machinesets.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME DESIRED CURRENT READY AVAILABLE AGE <compute_machine_set_name_1> 1 1 1 1 55m <compute_machine_set_name_2> 1 1 1 1 55m - NAME DESIRED CURRENT READY AVAILABLE AGE <compute_machine_set_name_1> 1 1 1 1 55m <compute_machine_set_name_2> 1 1 1 1 55m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit a compute machine set by running the following command: - oc edit machinesets.machine.openshift.io <machine_set_name> \ -n openshift-machine-api - $ oc edit machinesets.machine.openshift.io <machine_set_name> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Note the value of the - spec.replicasfield, because you need it when scaling the machine set to apply the changes.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The examples in this procedure show a compute machine set that has areplicasvalue of2.
 
- Update the compute machine set CR with the configuration options that you want and save your changes.
- List the machines that are managed by the updated compute machine set by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for an AWS cluster - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Running m6i.xlarge us-west-1 us-west-1a 4h - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Running m6i.xlarge us-west-1 us-west-1a 4h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For each machine that is managed by the updated compute machine set, set the - deleteannotation by running the following command:- oc annotate machine.machine.openshift.io/<machine_name_original_1> \ -n openshift-machine-api \ machine.openshift.io/delete-machine="true" - $ oc annotate machine.machine.openshift.io/<machine_name_original_1> \ -n openshift-machine-api \ machine.openshift.io/delete-machine="true"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To create replacement machines with the new configuration, scale the compute machine set to twice the number of replicas by running the following command: - oc scale --replicas=4 \ machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api - $ oc scale --replicas=4 \- 1 - machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The original example value of2is doubled to4.
 
- List the machines that are managed by the updated compute machine set by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for an AWS cluster - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_updated_1> Provisioned m6i.xlarge us-west-1 us-west-1a 55s <machine_name_updated_2> Provisioning m6i.xlarge us-west-1 us-west-1a 55s - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Running m6i.xlarge us-west-1 us-west-1a 4h <machine_name_updated_1> Provisioned m6i.xlarge us-west-1 us-west-1a 55s <machine_name_updated_2> Provisioning m6i.xlarge us-west-1 us-west-1a 55s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new machines are in the - Runningphase, you can scale the compute machine set to the original number of replicas.
- To remove the machines that were created with the old configuration, scale the compute machine set to the original number of replicas by running the following command: - oc scale --replicas=2 \ machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api - $ oc scale --replicas=2 \- 1 - machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The original example value of2.
 
Verification
- To verify that a machine created by the updated machine set has the correct configuration, examine the relevant fields in the CR for one of the new machines by running the following command: - oc describe machine.machine.openshift.io <machine_name_updated_1> \ -n openshift-machine-api - $ oc describe machine.machine.openshift.io <machine_name_updated_1> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To verify that the compute machines without the updated configuration are deleted, list the machines that are managed by the updated compute machine set by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output while deletion is in progress for an AWS cluster - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Deleting m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Deleting m6i.xlarge us-west-1 us-west-1a 4h <machine_name_updated_1> Running m6i.xlarge us-west-1 us-west-1a 5m41s <machine_name_updated_2> Running m6i.xlarge us-west-1 us-west-1a 5m41s - NAME PHASE TYPE REGION ZONE AGE <machine_name_original_1> Deleting m6i.xlarge us-west-1 us-west-1a 4h <machine_name_original_2> Deleting m6i.xlarge us-west-1 us-west-1a 4h <machine_name_updated_1> Running m6i.xlarge us-west-1 us-west-1a 5m41s <machine_name_updated_2> Running m6i.xlarge us-west-1 us-west-1a 5m41s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output when deletion is complete for an AWS cluster - NAME PHASE TYPE REGION ZONE AGE <machine_name_updated_1> Running m6i.xlarge us-west-1 us-west-1a 6m30s <machine_name_updated_2> Running m6i.xlarge us-west-1 us-west-1a 6m30s - NAME PHASE TYPE REGION ZONE AGE <machine_name_updated_1> Running m6i.xlarge us-west-1 us-west-1a 6m30s <machine_name_updated_2> Running m6i.xlarge us-west-1 us-west-1a 6m30s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - end::MAPI[] 
Chapter 5. Machine phases and lifecycle
Machines move through a lifecycle that has several defined phases. Understanding the machine lifecycle and its phases can help you verify whether a procedure is complete or troubleshoot undesired behavior. In OpenShift Container Platform, the machine lifecycle is consistent across all supported cloud providers.
5.1. Machine phases
As a machine moves through its lifecycle, it passes through different phases. Each phase is a basic representation of the state of the machine.
- Provisioning
- There is a request to provision a new machine. The machine does not yet exist and does not have an instance, a provider ID, or an address.
- Provisioned
- 
							The machine exists and has a provider ID or an address. The cloud provider has created an instance for the machine. The machine has not yet become a node and the status.nodeRefsection of the machine object is not yet populated.
- Running
- 
							The machine exists and has a provider ID or address. Ignition has run successfully and the cluster machine approver has approved a certificate signing request (CSR). The machine has become a node and the status.nodeRefsection of the machine object contains node details.
- Deleting
- 
							There is a request to delete the machine. The machine object has a DeletionTimestampfield that indicates the time of the deletion request.
- Failed
- There is an unrecoverable problem with the machine. This can happen, for example, if the cloud provider deletes the instance for the machine.
5.2. The machine lifecycle
The lifecycle begins with the request to provision a machine and continues until the machine no longer exists.
The machine lifecycle proceeds in the following order. Interruptions due to errors or lifecycle hooks are not included in this overview.
- There is a request to provision a new machine for one of the following reasons: - A cluster administrator scales a machine set such that it requires additional machines.
- An autoscaling policy scales machine set such that it requires additional machines.
- A machine that is managed by a machine set fails or is deleted and the machine set creates a replacement to maintain the required number of machines.
 
- 
						The machine enters the Provisioningphase.
- The infrastructure provider creates an instance for the machine.
- 
						The machine has a provider ID or address and enters the Provisionedphase.
- The Ignition configuration file is processed.
- The kubelet issues a certificate signing request (CSR).
- The cluster machine approver approves the CSR.
- 
						The machine becomes a node and enters the Runningphase.
- An existing machine is slated for deletion for one of the following reasons: - 
								A user with cluster-adminpermissions uses theoc delete machinecommand.
- 
								The machine gets a machine.openshift.io/delete-machineannotation.
- The machine set that manages the machine marks it for deletion to reduce the replica count as part of reconciliation.
- The cluster autoscaler identifies a node that is unnecessary to meet the deployment needs of the cluster.
- A machine health check is configured to replace an unhealthy machine.
 
- 
								A user with 
- 
						The machine enters the Deletingphase, in which it is marked for deletion but is still present in the API.
- The machine controller removes the instance from the infrastructure provider.
- 
						The machine controller deletes the Nodeobject.
5.3. Determining the phase of a machine
				You can find the phase of a machine by using the OpenShift CLI (oc) or by using the web console. You can use this information to verify whether a procedure is complete or to troubleshoot undesired behavior.
			
5.3.1. Determining the phase of a machine by using the CLI
					You can find the phase of a machine by using the OpenShift CLI (oc).
				
Prerequisites
- 
							You have access to an OpenShift Container Platform cluster using an account with cluster-adminpermissions.
- 
							You have installed the ocCLI.
Procedure
- List the machines on the cluster by running the following command: - oc get machine -n openshift-machine-api - $ oc get machine -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The - PHASEcolumn of the output contains the phase of each machine.
5.3.2. Determining the phase of a machine by using the web console
You can find the phase of a machine by using the OpenShift Container Platform web console.
Prerequisites
- 
							You have access to an OpenShift Container Platform cluster using an account with cluster-adminpermissions.
Procedure
- 
							Log in to the web console as a user with the cluster-adminrole.
- Navigate to Compute → Machines.
- On the Machines page, select the name of the machine that you want to find the phase of.
- On the Machine details page, select the YAML tab.
- In the YAML block, find the value of the - status.phasefield.- Example YAML snippet - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- In this example, the phase isRunning.
 
Chapter 6. Deleting a machine
You can delete a specific machine.
6.1. Deleting a specific machine
You can delete a specific machine.
Do not delete a control plane machine unless your cluster uses a control plane machine set.
Prerequisites
- Install an OpenShift Container Platform cluster.
- 
						Install the OpenShift CLI (oc).
- 
						Log in to ocas a user withcluster-adminpermission.
Procedure
- View the machines that are in the cluster by running the following command: - oc get machine -n openshift-machine-api - $ oc get machine -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The command output contains a list of machines in the - <clusterid>-<role>-<cloud_region>format.
- Identify the machine that you want to delete.
- Delete the machine by running the following command: - oc delete machine <machine> -n openshift-machine-api - $ oc delete machine <machine> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- By default, the machine controller tries to drain the node that is backed by the machine until it succeeds. In some situations, such as with a misconfigured pod disruption budget, the drain operation might not be able to succeed. If the drain operation fails, the machine controller cannot proceed removing the machine. - You can skip draining the node by annotating - machine.openshift.io/exclude-node-drainingin a specific machine.- If the machine that you delete belongs to a machine set, a new machine is immediately created to satisfy the specified number of replicas. 
6.2. Lifecycle hooks for the machine deletion phase
				Machine lifecycle hooks are points in the reconciliation lifecycle of a machine where the normal lifecycle process can be interrupted. In the machine Deleting phase, these interruptions provide the opportunity for components to modify the machine deletion process.
			
6.2.1. Terminology and definitions
To understand the behavior of lifecycle hooks for the machine deletion phase, you must understand the following concepts:
- Reconciliation
- Reconciliation is the process by which a controller attempts to make the real state of the cluster and the objects that it comprises match the requirements in an object specification.
- Machine controller
- The machine controller manages the reconciliation lifecycle for a machine. For machines on cloud platforms, the machine controller is the combination of an OpenShift Container Platform controller and a platform-specific actuator from the cloud provider. - In the context of machine deletion, the machine controller performs the following actions: - Drain the node that is backed by the machine.
- Delete the machine instance from the cloud provider.
- 
										Delete the Nodeobject.
 
- Lifecycle hook
- A lifecycle hook is a defined point in the reconciliation lifecycle of an object where the normal lifecycle process can be interrupted. Components can use a lifecycle hook to inject changes into the process to accomplish a desired outcome. - There are two lifecycle hooks in the machine - Deletingphase:- 
										preDrainlifecycle hooks must be resolved before the node that is backed by the machine can be drained.
- 
										preTerminatelifecycle hooks must be resolved before the instance can be removed from the infrastructure provider.
 
- 
										
- Hook-implementing controller
- A hook-implementing controller is a controller, other than the machine controller, that can interact with a lifecycle hook. A hook-implementing controller can do one or more of the following actions: - Add a lifecycle hook.
- Respond to a lifecycle hook.
- Remove a lifecycle hook.
 - Each lifecycle hook has a single hook-implementing controller, but a hook-implementing controller can manage one or more hooks. 
6.2.2. Machine deletion processing order
					In OpenShift Container Platform 4.20, there are two lifecycle hooks for the machine deletion phase: preDrain and preTerminate. When all hooks for a given lifecycle point are removed, reconciliation continues as normal.
				
Figure 6.1. Machine deletion flow
					The machine Deleting phase proceeds in the following order:
				
- An existing machine is slated for deletion for one of the following reasons: - 
									A user with cluster-adminpermissions uses theoc delete machinecommand.
- 
									The machine gets a machine.openshift.io/delete-machineannotation.
- The machine set that manages the machine marks it for deletion to reduce the replica count as part of reconciliation.
- The cluster autoscaler identifies a node that is unnecessary to meet the deployment needs of the cluster.
- A machine health check is configured to replace an unhealthy machine.
 
- 
									A user with 
- 
							The machine enters the Deletingphase, in which it is marked for deletion but is still present in the API.
- If a - preDrainlifecycle hook exists, the hook-implementing controller that manages it does a specified action.- Until all - preDrainlifecycle hooks are satisfied, the machine status condition- Drainableis set to- False.
- 
							There are no unresolved preDrainlifecycle hooks and the machine status conditionDrainableis set toTrue.
- The machine controller attempts to drain the node that is backed by the machine. - 
									If draining fails, Drainedis set toFalseand the machine controller attempts to drain the node again.
- 
									If draining succeeds, Drainedis set toTrue.
 
- 
									If draining fails, 
- 
							The machine status condition Drainedis set toTrue.
- If a - preTerminatelifecycle hook exists, the hook-implementing controller that manages it does a specified action.- Until all - preTerminatelifecycle hooks are satisfied, the machine status condition- Terminableis set to- False.
- 
							There are no unresolved preTerminatelifecycle hooks and the machine status conditionTerminableis set toTrue.
- The machine controller removes the instance from the infrastructure provider.
- 
							The machine controller deletes the Nodeobject.
6.2.3. Deletion lifecycle hook configuration
The following YAML snippets demonstrate the format and placement of deletion lifecycle hook configurations within a machine set:
YAML snippet demonstrating a preDrain lifecycle hook
YAML snippet demonstrating a preTerminate lifecycle hook
6.2.3.1. Example lifecycle hook configuration
The following example demonstrates the implementation of multiple fictional lifecycle hooks that interrupt the machine deletion process:
Example configuration for lifecycle hooks
6.2.4. Machine deletion lifecycle hook examples for Operator developers
Operators can use lifecycle hooks for the machine deletion phase to modify the machine deletion process. The following examples demonstrate possible ways that an Operator can use this functionality.
6.2.4.1. Example use cases for preDrain lifecycle hooks
- Proactively replacing machines
- 
									An Operator can use a preDrainlifecycle hook to ensure that a replacement machine is successfully created and joined to the cluster before removing the instance of a deleted machine. This can mitigate the impact of disruptions during machine replacement or of replacement instances that do not initialize promptly.
- Implementing custom draining logic
- An Operator can use a - preDrainlifecycle hook to replace the machine controller draining logic with a different draining controller. By replacing the draining logic, the Operator would have more flexibility and control over the lifecycle of the workloads on each node.- For example, the machine controller drain libraries do not support ordering, but a custom drain provider could provide this functionality. By using a custom drain provider, an Operator could prioritize moving mission-critical applications before draining the node to ensure that service interruptions are minimized in cases where cluster capacity is limited. 
6.2.4.2. Example use cases for preTerminate lifecycle hooks
- Verifying storage detachment
- 
									An Operator can use a preTerminatelifecycle hook to ensure that storage that is attached to a machine is detached before the machine is removed from the infrastructure provider.
- Improving log reliability
- After a node is drained, the log exporter daemon requires some time to synchronize logs to the centralized logging system. - A logging Operator can use a - preTerminatelifecycle hook to add a delay between when the node drains and when the machine is removed from the infrastructure provider. This delay would provide time for the Operator to ensure that the main workloads are removed and no longer adding to the log backlog. When no new data is being added to the log backlog, the log exporter can catch up on the synchronization process, thus ensuring that all application logs are captured.
6.2.5. Quorum protection with machine lifecycle hooks
For OpenShift Container Platform clusters that use the Machine API Operator, the etcd Operator uses lifecycle hooks for the machine deletion phase to implement a quorum protection mechanism.
					By using a preDrain lifecycle hook, the etcd Operator can control when the pods on a control plane machine are drained and removed. To protect etcd quorum, the etcd Operator prevents the removal of an etcd member until it migrates that member onto a new node within the cluster.
				
This mechanism allows the etcd Operator precise control over the members of the etcd quorum and allows the Machine API Operator to safely create and remove control plane machines without specific operational knowledge of the etcd cluster.
6.2.5.1. Control plane deletion with quorum protection processing order
When a control plane machine is replaced on a cluster that uses a control plane machine set, the cluster temporarily has four control plane machines. When the fourth control plane node joins the cluster, the etcd Operator starts a new etcd member on the replacement node. When the etcd Operator observes that the old control plane machine is marked for deletion, it stops the etcd member on the old node and promotes the replacement etcd member to join the quorum of the cluster.
						The control plane machine Deleting phase proceeds in the following order:
					
- A control plane machine is slated for deletion.
- 
								The control plane machine enters the Deletingphase.
- To satisfy the - preDrainlifecycle hook, the etcd Operator takes the following actions:- 
										The etcd Operator waits until a fourth control plane machine is added to the cluster as an etcd member. This new etcd member has a state of Runningbut notreadyuntil it receives the full database update from the etcd leader.
- When the new etcd member receives the full database update, the etcd Operator promotes the new etcd member to a voting member and removes the old etcd member from the cluster.
 - After this transition is complete, it is safe for the old etcd pod and its data to be removed, so the - preDrainlifecycle hook is removed.
- 
										The etcd Operator waits until a fourth control plane machine is added to the cluster as an etcd member. This new etcd member has a state of 
- 
								The control plane machine status condition Drainableis set toTrue.
- The machine controller attempts to drain the node that is backed by the control plane machine. - 
										If draining fails, Drainedis set toFalseand the machine controller attempts to drain the node again.
- 
										If draining succeeds, Drainedis set toTrue.
 
- 
										If draining fails, 
- 
								The control plane machine status condition Drainedis set toTrue.
- 
								If no other Operators have added a preTerminatelifecycle hook, the control plane machine status conditionTerminableis set toTrue.
- The machine controller removes the instance from the infrastructure provider.
- 
								The machine controller deletes the Nodeobject.
YAML snippet demonstrating the etcd quorum protection preDrain lifecycle hook
Chapter 7. Applying autoscaling to an OpenShift Container Platform cluster
Applying autoscaling to an OpenShift Container Platform cluster involves deploying a cluster autoscaler and then deploying machine autoscalers for each machine type in your cluster.
You can configure the cluster autoscaler only in clusters where the Machine API Operator is operational.
7.1. About the cluster autoscaler
The cluster autoscaler adjusts the size of an OpenShift Container Platform cluster to meet its current deployment needs. It uses declarative, Kubernetes-style arguments to provide infrastructure management that does not rely on objects of a specific cloud provider. The cluster autoscaler has a cluster scope, and is not associated with a particular namespace.
The cluster autoscaler increases the size of the cluster when there are pods that fail to schedule on any of the current worker nodes due to insufficient resources or when another node is necessary to meet deployment needs. The cluster autoscaler does not increase the cluster resources beyond the limits that you specify.
The cluster autoscaler computes the total memory, CPU, and GPU on all nodes the cluster, even though it does not manage the control plane nodes. These values are not single-machine oriented. They are an aggregation of all the resources in the entire cluster. For example, if you set the maximum memory resource limit, the cluster autoscaler includes all the nodes in the cluster when calculating the current memory usage. That calculation is then used to determine if the cluster autoscaler has the capacity to add more worker resources.
					Ensure that the maxNodesTotal value in the ClusterAutoscaler resource definition that you create is large enough to account for the total possible number of machines in your cluster. This value must encompass the number of control plane machines and the possible number of compute machines that you might scale to.
				
7.1.1. Automatic node removal
Every 10 seconds, the cluster autoscaler checks which nodes are unnecessary in the cluster and removes them. The cluster autoscaler considers a node for removal if the following conditions apply:
- 
							The node utilization is less than the node utilization level threshold for the cluster. The node utilization level is the sum of the requested resources divided by the allocated resources for the node. If you do not specify a value in the ClusterAutoscalercustom resource, the cluster autoscaler uses a default value of0.5, which corresponds to 50% utilization.
- The cluster autoscaler can move all pods running on the node to the other nodes. The Kubernetes scheduler is responsible for scheduling pods on the nodes.
- The cluster autoscaler does not have scale down disabled annotation.
If the following types of pods are present on a node, the cluster autoscaler will not remove the node:
- Pods with restrictive pod disruption budgets (PDBs).
- Kube-system pods that do not run on the node by default.
- Kube-system pods that do not have a PDB or have a PDB that is too restrictive.
- Pods that are not backed by a controller object such as a deployment, replica set, or stateful set.
- Pods with local storage.
- Pods that cannot be moved elsewhere because of a lack of resources, incompatible node selectors or affinity, matching anti-affinity, and so on.
- 
							Unless they also have a "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"annotation, pods that have a"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"annotation.
For example, you set the maximum CPU limit to 64 cores and configure the cluster autoscaler to only create machines that have 8 cores each. If your cluster starts with 30 cores, the cluster autoscaler can add up to 4 more nodes with 32 cores, for a total of 62.
7.1.2. Limitations
If you configure the cluster autoscaler, additional usage restrictions apply:
- Do not modify the nodes that are in autoscaled node groups directly. All nodes within the same node group have the same capacity and labels and run the same system pods.
- Specify requests for your pods.
- If you have to prevent pods from being deleted too quickly, configure appropriate PDBs.
- Confirm that your cloud provider quota is large enough to support the maximum node pools that you configure.
- Do not run additional node group autoscalers, especially the ones offered by your cloud provider.
The cluster autoscaler only adds nodes in autoscaled node groups if doing so would result in a schedulable pod. If the available node types cannot meet the requirements for a pod request, or if the node groups that could meet these requirements are at their maximum size, the cluster autoscaler cannot scale up.
7.1.3. Interaction with other scheduling features
The horizontal pod autoscaler (HPA) and the cluster autoscaler modify cluster resources in different ways. The HPA changes the deployment’s or replica set’s number of replicas based on the current CPU load. If the load increases, the HPA creates new replicas, regardless of the amount of resources available to the cluster. If there are not enough resources, the cluster autoscaler adds resources so that the HPA-created pods can run. If the load decreases, the HPA stops some replicas. If this action causes some nodes to be underutilized or completely empty, the cluster autoscaler deletes the unnecessary nodes.
The cluster autoscaler takes pod priorities into account. The Pod Priority and Preemption feature enables scheduling pods based on priorities if the cluster does not have enough resources, but the cluster autoscaler ensures that the cluster has resources to run all pods. To honor the intention of both features, the cluster autoscaler includes a priority cutoff function. You can use this cutoff to schedule "best-effort" pods, which do not cause the cluster autoscaler to increase resources but instead run only when spare resources are available.
Pods with priority lower than the cutoff value do not cause the cluster to scale up or prevent the cluster from scaling down. No new nodes are added to run the pods, and nodes running these pods might be deleted to free resources.
7.1.4. Configuring the cluster autoscaler
First, deploy the cluster autoscaler to manage automatic resource scaling in your OpenShift Container Platform cluster.
Because the cluster autoscaler is scoped to the entire cluster, you can make only one cluster autoscaler for the cluster.
7.1.4.1. Cluster autoscaler resource definition
						This ClusterAutoscaler resource definition shows the parameters and sample values for the cluster autoscaler.
					
When you change the configuration of an existing cluster autoscaler, it restarts.
- 1
- Specify the priority that a pod must exceed to cause the cluster autoscaler to deploy additional nodes. Enter a 32-bit integer value. ThepodPriorityThresholdvalue is compared to the value of thePriorityClassthat you assign to each pod.
- 2
- Specify the maximum number of nodes to deploy. This value is the total number of machines that are deployed in your cluster, not just the ones that the autoscaler controls. Ensure that this value is large enough to account for all of your control plane and compute machines and the total number of replicas that you specify in yourMachineAutoscalerresources.
- 3
- Specify the minimum number of cores to deploy in the cluster.
- 4
- Specify the maximum number of cores to deploy in the cluster.
- 5
- Specify the minimum amount of memory, in GiB, in the cluster.
- 6
- Specify the maximum amount of memory, in GiB, in the cluster.
- 7
- Optional: To configure the cluster autoscaler to deploy GPU-enabled nodes, specify atypevalue. This value must match the value of thespec.template.spec.metadata.labels[cluster-api/accelerator]label in the machine set that manages the GPU-enabled nodes of that type. For example, this value might benvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs. For more information, see "Labeling GPU machine sets for the cluster autoscaler".
- 8
- Specify the minimum number of GPUs of the specified type to deploy in the cluster.
- 9
- Specify the maximum number of GPUs of the specified type to deploy in the cluster.
- 10
- Specify the logging verbosity level between0and10. The following log level thresholds are provided for guidance:- 
										1: (Default) Basic information about changes.
- 
										4: Debug-level verbosity for troubleshooting typical issues.
- 
										9: Extensive, protocol-level debugging information.
 If you do not specify a value, the default value of 1is used.
- 
										
- 11
- In this section, you can specify the period to wait for each action by using any valid ParseDuration interval, includingns,us,ms,s,m, andh.
- 12
- Specify whether the cluster autoscaler can remove unnecessary nodes.
- 13
- Optional: Specify the period to wait before deleting a node after a node has recently been added. If you do not specify a value, the default value of10mis used.
- 14
- Optional: Specify the period to wait before deleting a node after a node has recently been deleted. If you do not specify a value, the default value of0sis used.
- 15
- Optional: Specify the period to wait before deleting a node after a scale down failure occurred. If you do not specify a value, the default value of3mis used.
- 16
- Optional: Specify a period of time before an unnecessary node is eligible for deletion. If you do not specify a value, the default value of10mis used.
- 17
- Optional: Specify the node utilization level. Nodes below this utilization level are eligible for deletion.The node utilization level is the sum of the requested resources divided by the allocated resources for the node, and must be a value greater than "0"but less than"1". If you do not specify a value, the cluster autoscaler uses a default value of"0.5", which corresponds to 50% utilization. You must express this value as a string.
- 18
- In this section, you can specify the period to wait before recognizing newly pending pods by using any valid ParseDuration interval, includingns,us,ms,s,m, andh.
- 19
- Optional: Specify the period to ignore a new unschedulable pod before adding a new node. If you do not specify a value, the default value of0sis used.
- 20
- Optional: Specify any expanders that you want the cluster autoscaler to use. The following values are valid:- 
										LeastWaste: Selects the machine set that minimizes the idle CPU after scaling. If multiple machine sets would yield the same amount of idle CPU, the selection minimizes unused memory.
- 
										Priority: Selects the machine set with the highest user-assigned priority. To use this expander, you must create a config map that defines the priority of your machine sets. For more information, see "Configuring a priority expander for the cluster autoscaler."
- 
										Random: (Default) Selects the machine set randomly.
 If you do not specify a value, the default value of Randomis used.You can specify multiple expanders by using the [LeastWaste, Priority]format. The cluster autoscaler applies each expander according to the specified order.In the [LeastWaste, Priority]example, the cluster autoscaler first evaluates according to theLeastWastecriteria. If more than one machine set satisfies theLeastWastecriteria equally well, the cluster autoscaler then evaluates according to thePrioritycriteria. If more than one machine set satisfies all of the specified expanders equally well, the cluster autoscaler selects one to use at random.
- 
										
							When performing a scaling operation, the cluster autoscaler remains within the ranges set in the ClusterAutoscaler resource definition, such as the minimum and maximum number of cores to deploy or the amount of memory in the cluster. However, the cluster autoscaler does not correct the current values in your cluster to be within those ranges.
						
The minimum and maximum CPUs, memory, and GPU values are determined by calculating those resources on all nodes in the cluster, even if the cluster autoscaler does not manage the nodes. For example, the control plane nodes are considered in the total memory in the cluster, even though the cluster autoscaler does not manage the control plane nodes.
7.1.4.2. Configuring a priority expander for the cluster autoscaler
When the cluster autoscaler uses the priority expander, it scales up by using the machine set with the highest user-assigned priority. To use this expander, you must create a config map that defines the priority of your machine sets.
For each specified priority level, you must create regular expressions to identify machine sets that you want to use when prioritizing a machine set for selection. The regular expressions must match the name of any compute machine set that you want the cluster autoscaler to consider for selection.
Prerequisites
- You have deployed an OpenShift Container Platform cluster that uses the Machine API.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- List the compute machine sets on your cluster by running the following command: - oc get machinesets.machine.openshift.io - $ oc get machinesets.machine.openshift.io- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Using regular expressions, construct one or more patterns that match the name of any compute machine set that you want to set a priority level for. - For example, use the regular expression pattern - *fast*to match any compute machine set that includes the string- fastin its name.
- Create a - cluster-autoscaler-priority-expander.ymlYAML file that defines a config map similar to the following:- Example priority expander config map - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- You must name config mapcluster-autoscaler-priority-expander.
- 2
- You must create the config map in the same namespace as cluster autoscaler pod, which is theopenshift-machine-apinamespace.
- 3
- Define the priority of your machine sets.The prioritiesvalues must be positive integers. The cluster autoscaler uses higher-value priorities before lower-value priorities.For each priority level, specify the regular expressions that correspond to the machine sets you want to use. 
 
- Create the config map by running the following command: - oc create configmap cluster-autoscaler-priority-expander \ --from-file=<location_of_config_map_file>/cluster-autoscaler-priority-expander.yml - $ oc create configmap cluster-autoscaler-priority-expander \ --from-file=<location_of_config_map_file>/cluster-autoscaler-priority-expander.yml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Review the config map by running the following command: - oc get configmaps cluster-autoscaler-priority-expander -o yaml - $ oc get configmaps cluster-autoscaler-priority-expander -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- 
								To use the priority expander, ensure that the ClusterAutoscalerresource definition is configured to use theexpanders: ["Priority"]parameter.
7.1.4.3. Labeling GPU machine sets for the cluster autoscaler
You can use a machine set label to indicate which machines the cluster autoscaler can use to deploy GPU-enabled nodes.
Prerequisites
- Your cluster uses a cluster autoscaler.
Procedure
- On the machine set that you want to create machines for the cluster autoscaler to use to deploy GPU-enabled nodes, add a - cluster-api/acceleratorlabel:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a label of your choice that consists of alphanumeric characters,-,_, or.and starts and ends with an alphanumeric character. For example, you might usenvidia-t4to represent Nvidia T4 GPUs, ornvidia-a10gfor A10G GPUs.NoteYou must specify the value of this label for the spec.resourceLimits.gpus.typeparameter in yourClusterAutoscalerCR. For more information, see "Cluster autoscaler resource definition".
 
7.1.5. Deploying a cluster autoscaler
					To deploy a cluster autoscaler, you create an instance of the ClusterAutoscaler resource.
				
Procedure
- 
							Create a YAML file for a ClusterAutoscalerresource that contains the custom resource definition.
- Create the custom resource in the cluster by running the following command: - oc create -f <filename>.yaml - $ oc create -f <filename>.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <filename>is the name of the custom resource file.
 
Next steps
- After you configure the cluster autoscaler, you must configure at least one machine autoscaler.
7.2. About the machine autoscaler
				The machine autoscaler adjusts the number of Machines in the compute machine sets that you deploy in an OpenShift Container Platform cluster. You can scale both the default worker compute machine set and any other compute machine sets that you create. The machine autoscaler makes more Machines when the cluster runs out of resources to support more deployments. Any changes to the values in MachineAutoscaler resources, such as the minimum or maximum number of instances, are immediately applied to the compute machine set they target.
			
You must deploy a machine autoscaler for the cluster autoscaler to scale your machines. The cluster autoscaler uses the annotations on compute machine sets that the machine autoscaler sets to determine the resources that it can scale. If you define a cluster autoscaler without also defining machine autoscalers, the cluster autoscaler will never scale your cluster.
7.2.1. Configuring machine autoscalers
					After you deploy the cluster autoscaler, deploy MachineAutoscaler resources that reference the compute machine sets that are used to scale the cluster.
				
						You must deploy at least one MachineAutoscaler resource after you deploy the ClusterAutoscaler resource.
					
You must configure separate resources for each compute machine set. Remember that compute machine sets are different in each region, so consider whether you want to enable machine scaling in multiple regions. The compute machine set that you scale must have at least one machine in it.
7.2.1.1. Machine autoscaler resource definition
						This MachineAutoscaler resource definition shows the parameters and sample values for the machine autoscaler.
					
- 1
- Specify the machine autoscaler name. To make it easier to identify which compute machine set this machine autoscaler scales, specify or include the name of the compute machine set to scale. The compute machine set name takes the following form:<clusterid>-<machineset>-<region>.
- 2
- Specify the minimum number machines of the specified type that must remain in the specified zone after the cluster autoscaler initiates cluster scaling. If running in AWS, GCP, Azure, RHOSP, or vSphere, this value can be set to0. For other providers, do not set this value to0.You can save on costs by setting this value to 0for use cases such as running expensive or limited-usage hardware that is used for specialized workloads, or by scaling a compute machine set with extra large machines. The cluster autoscaler scales the compute machine set down to zero if the machines are not in use.ImportantDo not set the spec.minReplicasvalue to0for the three compute machine sets that are created during the OpenShift Container Platform installation process for an installer provisioned infrastructure.
- 3
- Specify the maximum number machines of the specified type that the cluster autoscaler can deploy in the specified zone after it initiates cluster scaling. Ensure that themaxNodesTotalvalue in theClusterAutoscalerresource definition is large enough to allow the machine autoscaler to deploy this number of machines.
- 4
- In this section, provide values that describe the existing compute machine set to scale.
- 5
- Thekindparameter value is alwaysMachineSet.
- 6
- Thenamevalue must match the name of an existing compute machine set, as shown in themetadata.nameparameter value.
7.2.2. Deploying a machine autoscaler
					To deploy a machine autoscaler, you create an instance of the MachineAutoscaler resource.
				
Procedure
- 
							Create a YAML file for a MachineAutoscalerresource that contains the custom resource definition.
- Create the custom resource in the cluster by running the following command: - oc create -f <filename>.yaml - $ oc create -f <filename>.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <filename>is the name of the custom resource file.
 
7.3. Disabling autoscaling
You can disable an individual machine autoscaler in your cluster or disable autoscaling on the cluster entirely.
7.3.1. Disabling a machine autoscaler
					To disable a machine autoscaler, you delete the corresponding MachineAutoscaler custom resource (CR).
				
Disabling a machine autoscaler does not disable the cluster autoscaler. To disable the cluster autoscaler, follow the instructions in "Disabling the cluster autoscaler".
Procedure
- List the - MachineAutoscalerCRs for the cluster by running the following command:- oc get MachineAutoscaler -n openshift-machine-api - $ oc get MachineAutoscaler -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME REF KIND REF NAME MIN MAX AGE compute-us-east-1a MachineSet compute-us-east-1a 1 12 39m compute-us-west-1a MachineSet compute-us-west-1a 2 4 37m - NAME REF KIND REF NAME MIN MAX AGE compute-us-east-1a MachineSet compute-us-east-1a 1 12 39m compute-us-west-1a MachineSet compute-us-west-1a 2 4 37m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Create a YAML file backup of the - MachineAutoscalerCR by running the following command:- oc get MachineAutoscaler/<machine_autoscaler_name> \ -n openshift-machine-api \ -o yaml> <machine_autoscaler_name_backup>.yaml - $ oc get MachineAutoscaler/<machine_autoscaler_name> \- 1 - -n openshift-machine-api \ -o yaml> <machine_autoscaler_name_backup>.yaml- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the - MachineAutoscalerCR by running the following command:- oc delete MachineAutoscaler/<machine_autoscaler_name> -n openshift-machine-api - $ oc delete MachineAutoscaler/<machine_autoscaler_name> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - machineautoscaler.autoscaling.openshift.io "compute-us-east-1a" deleted - machineautoscaler.autoscaling.openshift.io "compute-us-east-1a" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that the machine autoscaler is disabled, run the following command: - oc get MachineAutoscaler -n openshift-machine-api - $ oc get MachineAutoscaler -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The disabled machine autoscaler does not appear in the list of machine autoscalers. 
Next steps
- 
							If you need to re-enable the machine autoscaler, use the <machine_autoscaler_name_backup>.yamlbackup file and follow the instructions in "Deploying a machine autoscaler".
7.3.2. Disabling the cluster autoscaler
					To disable the cluster autoscaler, you delete the corresponding ClusterAutoscaler resource.
				
Disabling the cluster autoscaler disables autoscaling on the cluster, even if the cluster has existing machine autoscalers.
Procedure
- List the - ClusterAutoscalerresource for the cluster by running the following command:- oc get ClusterAutoscaler - $ oc get ClusterAutoscaler- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE default 42m - NAME AGE default 42m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Create a YAML file backup of the - ClusterAutoscalerCR by running the following command:- oc get ClusterAutoscaler/default \ -o yaml> <cluster_autoscaler_backup_name>.yaml - $ oc get ClusterAutoscaler/default \- 1 - -o yaml> <cluster_autoscaler_backup_name>.yaml- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete the - ClusterAutoscalerCR by running the following command:- oc delete ClusterAutoscaler/default - $ oc delete ClusterAutoscaler/default- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - clusterautoscaler.autoscaling.openshift.io "default" deleted - clusterautoscaler.autoscaling.openshift.io "default" deleted- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- To verify that the cluster autoscaler is disabled, run the following command: - oc get ClusterAutoscaler - $ oc get ClusterAutoscaler- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Expected output - No resources found - No resources found- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Next steps
- 
							Disabling the cluster autoscaler by deleting the ClusterAutoscalerCR prevents the cluster from autoscaling but does not delete any existing machine autoscalers on the cluster. To clean up unneeded machine autoscalers, see "Disabling a machine autoscaler".
- 
							If you need to re-enable the cluster autoscaler, use the <cluster_autoscaler_name_backup>.yamlbackup file and follow the instructions in "Deploying a cluster autoscaler".
Chapter 8. Creating infrastructure machine sets
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
				Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
			
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'You can use infrastructure machine sets to create machines that host only infrastructure components, such as the default router, the integrated container image registry, and the components for cluster metrics and monitoring. These infrastructure machines are not counted toward the total number of subscriptions that are required to run the environment.
In a production deployment, it is recommended that you deploy at least three machine sets to hold infrastructure components. Red Hat OpenShift Service Mesh deploys Elasticsearch, which requires three instances to be installed on different nodes. Each of these nodes can be deployed to different availability zones for high availability. This configuration requires three different machine sets, one for each availability zone. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability.
8.1. OpenShift Container Platform infrastructure components
Each self-managed Red Hat OpenShift subscription includes entitlements for OpenShift Container Platform and other OpenShift-related components. These entitlements are included for running OpenShift Container Platform control plane and infrastructure workloads and do not need to be accounted for during sizing.
To qualify as an infrastructure node and use the included entitlement, only components that are supporting the cluster, and not part of an end-user application, can run on those instances. Examples include the following components:
- Kubernetes and OpenShift Container Platform control plane services
- The default router
- The integrated container image registry
- The HAProxy-based Ingress Controller
- The cluster metrics collection, or monitoring service, including components for monitoring user-defined projects
- Cluster aggregated logging
- Red Hat Quay
- Red Hat OpenShift Data Foundation
- Red Hat Advanced Cluster Management for Kubernetes
- Red Hat Advanced Cluster Security for Kubernetes
- Red Hat OpenShift GitOps
- Red Hat OpenShift Pipelines
- Red Hat OpenShift Service Mesh
Any node that runs any other container, pod, or component is a worker node that your subscription must cover.
For information about infrastructure nodes and which components can run on infrastructure nodes, see the "Red Hat OpenShift control plane and infrastructure nodes" section in the OpenShift sizing and subscription guide for enterprise Kubernetes document.
To create an infrastructure node, you can use a machine set, label the node, or use a machine config pool.
8.2. Creating infrastructure machine sets for production environments
In a production deployment, it is recommended that you deploy at least three compute machine sets to hold infrastructure components. Red Hat OpenShift Service Mesh deploys Elasticsearch, which requires three instances to be installed on different nodes. Each of these nodes can be deployed to different availability zones for high availability. A configuration like this requires three different compute machine sets, one for each availability zone. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability.
8.2.1. Creating infrastructure machine sets for different clouds
Use the sample compute machine set for your cloud.
8.2.1.1. Sample YAML for a compute machine set custom resource on AWS
						The sample YAML defines a compute machine set that runs in the us-east-1a Amazon Web Services (AWS) Local Zone and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <infra> is the node label to add.
					
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the infrastructure ID,infrarole node label, and zone.
- 3
- Specify theinfrarole node label.
- 4
- Specify a valid Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Image (AMI) for your AWS zone for your OpenShift Container Platform nodes. If you want to use an AWS Marketplace image, you must complete the OpenShift Container Platform subscription from the AWS Marketplace to obtain an AMI ID for your region.oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \ get machineset/<infrastructure_id>-<role>-<zone>Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 5
- Specify the zone name, for example,us-east-1a.
- 6
- Specify the region, for example,us-east-1.
- 7
- Specify the infrastructure ID and zone.
- 8
- Optional: Specify custom tag data for your cluster. For example, you might add an admin contact email address by specifying aname:valuepair ofEmail:admin-email@example.com.NoteCustom tags can also be specified during installation in the install-config.ymlfile. If theinstall-config.ymlfile and the machine set include a tag with the samenamedata, the value for the tag from the machine set takes priority over the value for the tag in theinstall-config.ymlfile.
- 9
- Specify a taint to prevent user workloads from being scheduled oninfranodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
						Machine sets running on AWS support non-guaranteed Spot Instances. You can save on costs by using Spot Instances at a lower price compared to On-Demand Instances on AWS. Configure Spot Instances by adding spotMarketOptions to the MachineSet YAML file.
					
8.2.1.2. Sample YAML for a compute machine set custom resource on Azure
						This sample YAML defines a compute machine set that runs in the 1 Microsoft Azure zone in a region and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and infra is the node label to add.
					
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the subnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the vnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify theinfranode label.
- 3
- Specify the infrastructure ID,infranode label, and region.
- 4
- Specify the image details for your compute machine set. If you want to use an Azure Marketplace image, see "Using the Azure Marketplace offering".
- 5
- Specify an image that is compatible with your instance type. The Hyper-V generation V2 images created by the installation program have a-gen2suffix, while V1 images have the same name without the suffix.
- 6
- Specify the region to place machines on.
- 7
- Optional: Specify custom tags in your machine set. Provide the tag name in<custom_tag_name>field and the corresponding tag value in<custom_tag_value>field.
- 8
- Specify the zone within your region to place machines on. Ensure that your region supports the zone that you specify.ImportantIf your region supports availability zones, you must specify the zone. Specifying the zone avoids volume node affinity failure when a pod requires a persistent volume attachment. To do this, you can create a compute machine set for each zone in the same region. 
- 9
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
						Machine sets running on Azure support non-guaranteed Spot VMs. You can save on costs by using Spot VMs at a lower price compared to standard VMs on Azure. You can configure Spot VMs by adding spotVMOptions to the MachineSet YAML file.
					
8.2.1.3. Sample YAML for a compute machine set custom resource on Azure Stack Hub
						This sample YAML defines a compute machine set that runs in the 1 Microsoft Azure zone in a region and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <infra> is the node label to add.
					
- 1 5 7 14 16 17 18 21
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the subnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.subnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow You can obtain the vnet by running the following command: oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1$ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.vnet}{"\n"}' \ get machineset/<infrastructure_id>-worker-centralus1Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 11 19 20
- Specify the<infra>node label.
- 4 6 10
- Specify the infrastructure ID,<infra>node label, and region.
- 12
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
- 15
- Specify the region to place machines on.
- 13
- Specify the availability set for the cluster.
- 22
- Specify the zone within your region to place machines on. Be sure that your region supports the zone that you specify.
Machine sets running on Azure Stack Hub do not support non-guaranteed Spot VMs.
8.2.1.4. Sample YAML for a compute machine set custom resource on IBM Cloud
						This sample YAML defines a compute machine set that runs in a specified IBM Cloud® zone in a region and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <infra> is the node label to add.
					
- 1 5 7
- The infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 16
- The<infra>node label.
- 4 6 10
- The infrastructure ID,<infra>node label, and region.
- 11
- The custom Red Hat Enterprise Linux CoreOS (RHCOS) image that was used for cluster installation.
- 12
- The infrastructure ID and zone within your region to place machines on. Be sure that your region supports the zone that you specify.
- 13
- Specify the IBM Cloud® instance profile.
- 14
- Specify the region to place machines on.
- 15
- The resource group that machine resources are placed in. This is either an existing resource group specified at installation time, or an installer-created resource group named based on the infrastructure ID.
- 17
- The VPC name.
- 18
- Specify the zone within your region to place machines on. Be sure that your region supports the zone that you specify.
- 19
- The taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
8.2.1.5. Sample YAML for a compute machine set custom resource on GCP
						This sample YAML defines a compute machine set that runs in Google Cloud Platform (GCP) and creates nodes that are labeled with node-role.kubernetes.io/infra: "", where infra is the node label to add.
					
8.2.1.5.1. Values obtained by using the OpenShift CLI
In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI.
- Infrastructure ID
- The - <infrastructure_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Image path
- The - <path_to_image>string is the path to the image that was used to create the disk. If you have the OpenShift CLI installed, you can obtain the path to the image by running the following command:- oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.disks[0].image}{"\n"}' \ get machineset/<infrastructure_id>-worker-a- $ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.spec.providerSpec.value.disks[0].image}{"\n"}' \ get machineset/<infrastructure_id>-worker-a- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Sample GCP MachineSet values
- 1
- For<infrastructure_id>, specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster.
- 2
- For<infra>, specify the<infra>node label.
- 3
- Specify the path to the image that is used in current compute machine sets.To use a GCP Marketplace image, specify the offer to use: - 
											OpenShift Container Platform: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-ocp-413-x86-64-202305021736
- 
											OpenShift Platform Plus: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-opp-413-x86-64-202305021736
- 
											OpenShift Kubernetes Engine: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-oke-413-x86-64-202305021736
 
- 
											OpenShift Container Platform: 
- 4
- Optional: Specify custom metadata in the form of akey:valuepair. For example use cases, see the GCP documentation for setting custom metadata.
- 5
- For<project_name>, specify the name of the GCP project that you use for your cluster.
- 6
- Specifies a single service account. Multiple service accounts are not supported.
- 7
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
							Machine sets running on GCP support non-guaranteed preemptible VM instances. You can save on costs by using preemptible VM instances at a lower price compared to normal instances on GCP. You can configure preemptible VM instances by adding preemptible to the MachineSet YAML file.
						
8.2.1.6. Sample YAML for a compute machine set custom resource on Nutanix
						This sample YAML defines a Nutanix compute machine set that creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <infra> is the node label to add.
					
8.2.1.6.1. Values obtained by using the OpenShift CLI
							In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI (oc).
						
- Infrastructure ID
- The - <infrastructure_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 1
- For<infrastructure_id>, specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster.
- 2
- Specify the<infra>node label.
- 3
- Specify the infrastructure ID,<infra>node label, and zone.
- 4
- Annotations for the cluster autoscaler.
- 5
- Specifies the boot type that the compute machines use. For more information about boot types, see Understanding UEFI, Secure Boot, and TPM in the Virtualized Environment. Valid values areLegacy,SecureBoot, orUEFI. The default isLegacy.NoteYou must use the Legacyboot type in OpenShift Container Platform 4.20.
- 6
- Specify one or more Nutanix Prism categories to apply to compute machines. This stanza requireskeyandvalueparameters for a category key-value pair that exists in Prism Central. For more information about categories, see Category management.
- 7
- Specify a Nutanix Prism Element cluster configuration. In this example, the cluster type isuuid, so there is auuidstanza.
- 8
- Specify the image to use. Use an image from an existing default compute machine set for the cluster.
- 9
- Specify the amount of memory for the cluster in Gi.
- 10
- Specify the Nutanix project that you use for your cluster. In this example, the project type isname, so there is anamestanza.
- 11
- Specify one or more UUID for the Prism Element subnet object. The CIDR IP address prefix for one of the specified subnets must contain the virtual IP addresses that the OpenShift Container Platform cluster uses. A maximum of 32 subnets for each Prism Element failure domain in the cluster is supported. All subnet UUID values must be unique.
- 12
- Specify the size of the system disk in Gi.
- 13
- Specify the name of the secret in the user data YAML file that is in theopenshift-machine-apinamespace. Use the value that installation program populates in the default compute machine set.
- 14
- Specify the number of vCPU sockets.
- 15
- Specify the number of vCPUs per socket.
- 16
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
8.2.1.7. Sample YAML for a compute machine set custom resource on RHOSP
						This sample YAML defines a compute machine set that runs on Red Hat OpenStack Platform (RHOSP) and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and <infra> is the node label to add.
					
- 1 5 7 14 16 17 18 19
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2 3 8 9 20
- Specify the<infra>node label.
- 4 6 10
- Specify the infrastructure ID and<infra>node label.
- 11
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
- 12
- To set a server group policy for the MachineSet, enter the value that is returned from creating a server group. For most deployments,anti-affinityorsoft-anti-affinitypolicies are recommended.
- 13
- Required for deployments to multiple networks. If deploying to multiple networks, this list must include the network that is used as theprimarySubnetvalue.
- 15
- Specify the RHOSP subnet that you want the endpoints of nodes to be published on. Usually, this is the same subnet that is used as the value ofmachinesSubnetin theinstall-config.yamlfile.
8.2.1.8. Sample YAML for a compute machine set custom resource on vSphere
						This sample YAML defines a compute machine set that runs on VMware vSphere and creates nodes that are labeled with node-role.kubernetes.io/infra: "".
					
						In this sample, <infrastructure_id> is the infrastructure ID label that is based on the cluster ID that you set when you provisioned the cluster, and infra is the node label to add.
					
- 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI (oc) installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the infrastructure ID andinfranode label.
- 3
- Specify theinfranode label.
- 4
- Specify one or more data disk definitions. For more information, see "Configuring data disks by using machine sets".
- 5
- Specify the vSphere VM network to deploy the compute machine set to. This VM network must be where other compute machines reside in the cluster.
- 6
- Specify the vSphere VM template to use, such asuser-5ddjd-rhcos.
- 7
- Specify the vCenter datacenter to deploy the compute machine set on.
- 8
- Specify the vCenter datastore to deploy the compute machine set on.
- 9
- Specify the path to the vSphere VM folder in vCenter, such as/dc1/vm/user-inst-5ddjd.
- 10
- Specify the vSphere resource pool for your VMs.
- 11
- Specify the vCenter server IP or fully qualified domain name.
- 12
- Specify a taint to prevent user workloads from being scheduled on infra nodes.NoteAfter adding the NoScheduletaint on the infrastructure node, existing DNS pods running on that node are marked asmisscheduled. You must either delete or add toleration onmisscheduledDNS pods.
8.2.2. Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- Deploy an OpenShift Container Platform cluster.
- 
							Install the OpenShift CLI (oc).
- 
							Log in to ocas a user withcluster-adminpermission.
Procedure
- Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named - <file_name>.yaml.- Ensure that you set the - <clusterID>and- <role>parameter values.
- Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster. - To list the compute machine sets in your cluster, run the following command: - oc get machinesets -n openshift-machine-api - $ oc get machinesets -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To view values of a specific compute machine set custom resource (CR), run the following command: - oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml - $ oc get machineset <machineset_name> \ -n openshift-machine-api -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The cluster infrastructure ID.
- 2
- A default node label.NoteFor clusters that have user-provisioned infrastructure, a compute machine set can only create workerandinfratype machines.
- 3
- The values in the<providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
 
 
- Create a - MachineSetCR by running the following command:- oc create -f <file_name>.yaml - $ oc create -f <file_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- View the list of compute machine sets by running the following command: - oc get machineset -n openshift-machine-api - $ oc get machineset -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - DESIREDand- CURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
8.2.3. Creating an infrastructure node
See Creating infrastructure machine sets for installer-provisioned infrastructure environments or for any cluster where the control plane nodes are managed by the machine API.
Requirements of the cluster dictate that infrastructure (infra) nodes, be provisioned. The installation program provisions only control plane and worker nodes. Worker nodes can be designated as infrastructure nodes through labeling. You can then use taints and tolerations to move appropriate workloads to the infrastructure nodes. For more information, see "Moving resources to infrastructure machine sets".
You can optionally create a default cluster-wide node selector. The default node selector is applied to pods created in all namespaces and creates an intersection with any existing node selectors on a pod, which additionally constrains the pod’s selector.
If the default node selector key conflicts with the key of a pod’s label, then the default node selector is not applied.
						However, do not set a default node selector that might cause a pod to become unschedulable. For example, setting the default node selector to a specific node role, such as node-role.kubernetes.io/infra="", when a pod’s label is set to a different node role, such as node-role.kubernetes.io/master="", can cause the pod to become unschedulable. For this reason, use caution when setting the default node selector to specific node roles.
					
You can alternatively use a project node selector to avoid cluster-wide node selector key conflicts.
Procedure
- Add a label to the worker nodes that you want to act as infrastructure nodes: - oc label node <node-name> node-role.kubernetes.io/infra="" - $ oc label node <node-name> node-role.kubernetes.io/infra=""- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check to see if applicable nodes now have the - infrarole:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Optional: Create a default cluster-wide node selector: - Edit the - Schedulerobject:- oc edit scheduler cluster - $ oc edit scheduler cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the - defaultNodeSelectorfield with the appropriate node selector:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This example node selector deploys pods on infrastructure nodes by default.
 
- Save the file to apply the changes.
 
You can now move infrastructure resources to the new infrastructure nodes. Also, remove any workloads that you do not want, or that do not belong, on the new infrastructure node. See the list of workloads supported for use on infrastructure nodes in "OpenShift Container Platform infrastructure components".
8.2.4. Creating a machine config pool for infrastructure machines
If you need infrastructure machines to have dedicated configurations, you must create an infra pool.
Creating a custom machine configuration pool overrides default worker pool configurations if they refer to the same file or unit.
Procedure
- Add a label to the node you want to assign as the infra node with a specific label: - oc label node <node_name> <label> - $ oc label node <node_name> <label>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - oc label node ci-ln-n8mqwr2-f76d1-xscn2-worker-c-6fmtx node-role.kubernetes.io/infra= - $ oc label node ci-ln-n8mqwr2-f76d1-xscn2-worker-c-6fmtx node-role.kubernetes.io/infra=- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create a machine config pool that contains both the worker role and your custom role as machine config selector: - cat infra.mcp.yaml - $ cat infra.mcp.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Custom machine config pools inherit machine configs from the worker pool. Custom pools use any machine config targeted for the worker pool, but add the ability to also deploy changes that are targeted at only the custom pool. Because a custom pool inherits resources from the worker pool, any change to the worker pool also affects the custom pool. 
- After you have the YAML file, you can create the machine config pool: - oc create -f infra.mcp.yaml - $ oc create -f infra.mcp.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check the machine configs to ensure that the infrastructure configuration rendered successfully: - oc get machineconfig - $ oc get machineconfig- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - You should see a new machine config, with the - rendered-infra-*prefix.
- Optional: To deploy changes to a custom pool, create a machine config that uses the custom pool name as the label, such as - infra. Note that this is not required and only shown for instructional purposes. In this manner, you can apply any custom configurations specific to only your infra nodes.Note- After you create the new machine config pool, the MCO generates a new rendered config for that pool, and associated nodes of that pool reboot to apply the new configuration. - Create a machine config: - cat infra.mc.yaml - $ cat infra.mc.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Add the label you added to the node as anodeSelector.
 
- Apply the machine config to the infra-labeled nodes: - oc create -f infra.mc.yaml - $ oc create -f infra.mc.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Confirm that your new machine config pool is available: - oc get mcp - $ oc get mcp- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE infra rendered-infra-60e35c2e99f42d976e084fa94da4d0fc True False False 1 1 1 0 4m20s master rendered-master-9360fdb895d4c131c7c4bebbae099c90 True False False 3 3 3 0 91m worker rendered-worker-60e35c2e99f42d976e084fa94da4d0fc True False False 2 2 2 0 91m - NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGE infra rendered-infra-60e35c2e99f42d976e084fa94da4d0fc True False False 1 1 1 0 4m20s master rendered-master-9360fdb895d4c131c7c4bebbae099c90 True False False 3 3 3 0 91m worker rendered-worker-60e35c2e99f42d976e084fa94da4d0fc True False False 2 2 2 0 91m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, a worker node was changed to an infra node. 
8.3. Assigning machine set resources to infrastructure nodes
				After creating an infrastructure machine set, the worker and infra roles are applied to new infra nodes. Nodes with the infra role applied are not counted toward the total number of subscriptions that are required to run the environment, even when the worker role is also applied.
			
However, with an infra node being assigned as a worker, there is a chance user workloads could get inadvertently assigned to an infra node. To avoid this, you can apply a taint to the infra node and tolerations for the pods you want to control.
8.3.1. Binding infrastructure node workloads using taints and tolerations
					If you have an infrastructure node that has the infra and worker roles assigned, you must configure the node so that user workloads are not assigned to it.
				
						It is recommended that you preserve the dual infra,worker label that is created for infrastructure nodes and use taints and tolerations to manage nodes that user workloads are scheduled on. If you remove the worker label from the node, you must create a custom pool to manage it. A node with a label other than master or worker is not recognized by the MCO without a custom pool. Maintaining the worker label allows the node to be managed by the default worker machine config pool, if no custom pools that select the custom label exists. The infra label communicates to the cluster that it does not count toward the total number of subscriptions.
					
Prerequisites
- 
							Configure additional MachineSetobjects in your OpenShift Container Platform cluster.
Procedure
- Add a taint to the infrastructure node to prevent scheduling user workloads on it: - Determine if the node has the taint: - oc describe nodes <node_name> - $ oc describe nodes <node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Sample output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This example shows that the node has a taint. You can proceed with adding a toleration to your pod in the next step. 
- If you have not configured a taint to prevent scheduling user workloads on it: - oc adm taint nodes <node_name> <key>=<value>:<effect> - $ oc adm taint nodes <node_name> <key>=<value>:<effect>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For example: - oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoSchedule - $ oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoSchedule- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Tip- You can alternatively edit the pod specification to add the taint: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - These examples place a taint on - node1that has the- node-role.kubernetes.io/infrakey and the- NoScheduletaint effect. Nodes with the- NoScheduleeffect schedule only pods that tolerate the taint, but allow existing pods to remain scheduled on the node.- If you added a - NoScheduletaint to the infrastructure node, any pods that are controlled by a daemon set on that node are marked as- misscheduled. You must either delete the pods or add a toleration to the pods as shown in the Red Hat Knowledgebase solution add toleration on- misscheduledDNS pods. Note that you cannot add a toleration to a daemon set object that is managed by an operator.Note- If a descheduler is used, pods violating node taints could be evicted from the cluster. 
 
- Add tolerations to the pods that you want to schedule on the infrastructure node, such as the router, registry, and monitoring workloads. Referencing the previous examples, add the following tolerations to the - Podobject specification:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - This toleration matches the taint created by the - oc adm taintcommand. A pod with this toleration can be scheduled onto the infrastructure node.Note- Moving pods for an Operator installed via OLM to an infrastructure node is not always possible. The capability to move Operator pods depends on the configuration of each Operator. 
- Schedule the pod to the infrastructure node by using a scheduler. See the documentation for "Controlling pod placement using the scheduler" for details.
- Remove any workloads that you do not want, or that do not belong, on the new infrastructure node. See the list of workloads supported for use on infrastructure nodes in "OpenShift Container Platform infrastructure components".
8.4. Moving resources to infrastructure machine sets
Some of the infrastructure resources are deployed in your cluster by default. You can move them to the infrastructure machine sets that you created by adding the infrastructure node selector, as shown:
- 1
- Add anodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorin the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrasructure node, also add a matching toleration.
Applying a specific node selector to all infrastructure components causes OpenShift Container Platform to schedule those workloads on nodes with that label.
8.4.1. Moving the router
You can deploy the router pod to a different compute machine set. By default, the pod is deployed to a worker node.
Prerequisites
- Configure additional compute machine sets in your OpenShift Container Platform cluster.
Procedure
- View the - IngressControllercustom resource for the router Operator:- oc get ingresscontroller default -n openshift-ingress-operator -o yaml - $ oc get ingresscontroller default -n openshift-ingress-operator -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The command output resembles the following text: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the - ingresscontrollerresource and change the- nodeSelectorto use the- infralabel:- oc edit ingresscontroller default -n openshift-ingress-operator - $ oc edit ingresscontroller default -n openshift-ingress-operator- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Add anodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorparameter in the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrastructure node, also add a matching toleration.
 
- Confirm that the router pod is running on the - infranode.- View the list of router pods and note the node name of the running pod: - oc get pod -n openshift-ingress -o wide - $ oc get pod -n openshift-ingress -o wide- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES router-default-86798b4b5d-bdlvd 1/1 Running 0 28s 10.130.2.4 ip-10-0-217-226.ec2.internal <none> <none> router-default-955d875f4-255g8 0/1 Terminating 0 19h 10.129.2.4 ip-10-0-148-172.ec2.internal <none> <none> - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES router-default-86798b4b5d-bdlvd 1/1 Running 0 28s 10.130.2.4 ip-10-0-217-226.ec2.internal <none> <none> router-default-955d875f4-255g8 0/1 Terminating 0 19h 10.129.2.4 ip-10-0-148-172.ec2.internal <none> <none>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, the running pod is on the - ip-10-0-217-226.ec2.internalnode.
- View the node status of the running pod: - oc get node <node_name> - $ oc get node <node_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the<node_name>that you obtained from the pod list.
 - Example output - NAME STATUS ROLES AGE VERSION ip-10-0-217-226.ec2.internal Ready infra,worker 17h v1.33.4 - NAME STATUS ROLES AGE VERSION ip-10-0-217-226.ec2.internal Ready infra,worker 17h v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Because the role list includes - infra, the pod is running on the correct node.
 
8.4.2. Moving the default registry
You configure the registry Operator to deploy its pods to different nodes.
Prerequisites
- Configure additional compute machine sets in your OpenShift Container Platform cluster.
Procedure
- View the - config/instanceobject:- oc get configs.imageregistry.operator.openshift.io/cluster -o yaml - $ oc get configs.imageregistry.operator.openshift.io/cluster -o yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the - config/instanceobject:- oc edit configs.imageregistry.operator.openshift.io/cluster - $ oc edit configs.imageregistry.operator.openshift.io/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Add anodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorparameter in the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrasructure node, also add a matching toleration.
 
- Verify the registry pod has been moved to the infrastructure node. - Run the following command to identify the node where the registry pod is located: - oc get pods -o wide -n openshift-image-registry - $ oc get pods -o wide -n openshift-image-registry- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm the node has the label you specified: - oc describe node <node_name> - $ oc describe node <node_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Review the command output and confirm that - node-role.kubernetes.io/infrais in the- LABELSlist.
 
8.4.3. Moving the monitoring solution
The monitoring stack includes multiple components, including Prometheus, Thanos Querier, and Alertmanager. The Cluster Monitoring Operator manages this stack. To redeploy the monitoring stack to infrastructure nodes, you can create and apply a custom config map.
Prerequisites
- 
							You have access to the cluster as a user with the cluster-admincluster role.
- 
							You have created the cluster-monitoring-configConfigMapobject.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- Edit the - cluster-monitoring-configconfig map and change the- nodeSelectorto use the- infralabel:- oc edit configmap cluster-monitoring-config -n openshift-monitoring - $ oc edit configmap cluster-monitoring-config -n openshift-monitoring- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Add anodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorparameter in the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrastructure node, also add a matching toleration.
 
- Watch the monitoring pods move to the new machines: - watch 'oc get pod -n openshift-monitoring -o wide' - $ watch 'oc get pod -n openshift-monitoring -o wide'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If a component has not moved to the - infranode, delete the pod with this component:- oc delete pod -n openshift-monitoring <pod> - $ oc delete pod -n openshift-monitoring <pod>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The component from the deleted pod is re-created on the - infranode.
8.4.4. Moving the Vertical Pod Autoscaler Operator components
					The Vertical Pod Autoscaler Operator (VPA) consists of three components: the recommender, updater, and admission controller. The Operator and each component has its own pod in the VPA namespace on the control plane nodes. You can move the VPA Operator and component pods to infrastructure nodes by adding a node selector to the VPA subscription and the VerticalPodAutoscalerController CR.
				
The following example shows the default deployment of the VPA pods to the control plane nodes.
Example output
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z 1/1 Running 0 7m59s 10.128.2.24 c416-tfsbj-master-1 <none> <none> vpa-admission-plugin-default-6cb78d6f8b-rpcrj 1/1 Running 0 5m37s 10.129.2.22 c416-tfsbj-master-1 <none> <none> vpa-recommender-default-66846bd94c-dsmpp 1/1 Running 0 5m37s 10.129.2.20 c416-tfsbj-master-0 <none> <none> vpa-updater-default-db8b58df-2nkvf 1/1 Running 0 5m37s 10.129.2.21 c416-tfsbj-master-1 <none> <none>
NAME                                                READY   STATUS    RESTARTS   AGE     IP            NODE                  NOMINATED NODE   READINESS GATES
vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z   1/1     Running   0          7m59s   10.128.2.24   c416-tfsbj-master-1   <none>           <none>
vpa-admission-plugin-default-6cb78d6f8b-rpcrj       1/1     Running   0          5m37s   10.129.2.22   c416-tfsbj-master-1   <none>           <none>
vpa-recommender-default-66846bd94c-dsmpp            1/1     Running   0          5m37s   10.129.2.20   c416-tfsbj-master-0   <none>           <none>
vpa-updater-default-db8b58df-2nkvf                  1/1     Running   0          5m37s   10.129.2.21   c416-tfsbj-master-1   <none>           <none>Procedure
- Move the VPA Operator pod by adding a node selector to the - Subscriptioncustom resource (CR) for the VPA Operator:- Edit the CR: - oc edit Subscription vertical-pod-autoscaler -n openshift-vertical-pod-autoscaler - $ oc edit Subscription vertical-pod-autoscaler -n openshift-vertical-pod-autoscaler- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add a node selector to match the node role label on the infra node: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies the node role of an infra node.
 Note- If the infra node uses taints, you need to add a toleration to the - SubscriptionCR.- For example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies a toleration for a taint on the infra node.
 
 
- Move each VPA component by adding node selectors to the - VerticalPodAutoscalercustom resource (CR):- Edit the CR: - oc edit VerticalPodAutoscalerController default -n openshift-vertical-pod-autoscaler - $ oc edit VerticalPodAutoscalerController default -n openshift-vertical-pod-autoscaler- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add node selectors to match the node role label on the infra node: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If a target node uses taints, you need to add a toleration to the - VerticalPodAutoscalerControllerCR.- For example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
Verification
- You can verify the pods have moved by using the following command: - oc get pods -n openshift-vertical-pod-autoscaler -o wide - $ oc get pods -n openshift-vertical-pod-autoscaler -o wide- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The pods are no longer deployed to the control plane nodes. In the following example output, the node is now an infra node, not a control plane node. - Example output - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z 1/1 Running 0 7m59s 10.128.2.24 c416-tfsbj-infra-eastus3-2bndt <none> <none> vpa-admission-plugin-default-6cb78d6f8b-rpcrj 1/1 Running 0 5m37s 10.129.2.22 c416-tfsbj-infra-eastus1-lrgj8 <none> <none> vpa-recommender-default-66846bd94c-dsmpp 1/1 Running 0 5m37s 10.129.2.20 c416-tfsbj-infra-eastus1-lrgj8 <none> <none> vpa-updater-default-db8b58df-2nkvf 1/1 Running 0 5m37s 10.129.2.21 c416-tfsbj-infra-eastus1-lrgj8 <none> <none> - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES vertical-pod-autoscaler-operator-6c75fcc9cd-5pb6z 1/1 Running 0 7m59s 10.128.2.24 c416-tfsbj-infra-eastus3-2bndt <none> <none> vpa-admission-plugin-default-6cb78d6f8b-rpcrj 1/1 Running 0 5m37s 10.129.2.22 c416-tfsbj-infra-eastus1-lrgj8 <none> <none> vpa-recommender-default-66846bd94c-dsmpp 1/1 Running 0 5m37s 10.129.2.20 c416-tfsbj-infra-eastus1-lrgj8 <none> <none> vpa-updater-default-db8b58df-2nkvf 1/1 Running 0 5m37s 10.129.2.21 c416-tfsbj-infra-eastus1-lrgj8 <none> <none>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
8.4.5. Moving the Cluster Resource Override Operator pods
					By default, the Cluster Resource Override Operator installation process creates an Operator pod and two Cluster Resource Override pods on nodes in the clusterresourceoverride-operator namespace. You can move these pods to other nodes, such as infrastructure nodes, as needed.
				
The following examples shows the Cluster Resource Override pods are deployed to control plane nodes and the Cluster Resource Override Operator pod is deployed to a worker node.
Example Cluster Resource Override pods
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES clusterresourceoverride-786b8c898c-9wrdq 1/1 Running 0 23s 10.128.2.32 ip-10-0-14-183.us-west-2.compute.internal <none> <none> clusterresourceoverride-786b8c898c-vn2lf 1/1 Running 0 26s 10.130.2.10 ip-10-0-20-140.us-west-2.compute.internal <none> <none> clusterresourceoverride-operator-6b8b8b656b-lvr62 1/1 Running 0 56m 10.131.0.33 ip-10-0-2-39.us-west-2.compute.internal <none> <none>
NAME                                                READY   STATUS    RESTARTS   AGE   IP            NODE                                        NOMINATED NODE   READINESS GATES
clusterresourceoverride-786b8c898c-9wrdq            1/1     Running   0          23s   10.128.2.32   ip-10-0-14-183.us-west-2.compute.internal   <none>           <none>
clusterresourceoverride-786b8c898c-vn2lf            1/1     Running   0          26s   10.130.2.10   ip-10-0-20-140.us-west-2.compute.internal   <none>           <none>
clusterresourceoverride-operator-6b8b8b656b-lvr62   1/1     Running   0          56m   10.131.0.33   ip-10-0-2-39.us-west-2.compute.internal     <none>           <none>Example node list
Procedure
- Move the Cluster Resource Override Operator pod by adding a node selector to the - Subscriptioncustom resource (CR) for the Cluster Resource Override Operator.- Edit the CR: - oc edit -n clusterresourceoverride-operator subscriptions.operators.coreos.com clusterresourceoverride - $ oc edit -n clusterresourceoverride-operator subscriptions.operators.coreos.com clusterresourceoverride- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add a node selector to match the node role label on the node where you want to install the Cluster Resource Override Operator pod: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the role of the node where you want to deploy the Cluster Resource Override Operator pod.
 Note- If the infra node uses taints, you need to add a toleration to the - SubscriptionCR.- For example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies a toleration for a taint on the infra node.
 
 
- Move the Cluster Resource Override pods by adding a node selector to the - ClusterResourceOverridecustom resource (CR):- Edit the CR: - oc edit ClusterResourceOverride cluster -n clusterresourceoverride-operator - $ oc edit ClusterResourceOverride cluster -n clusterresourceoverride-operator- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add a node selector to match the node role label on the infra node: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- If the infra node uses taints, you need to add a toleration to the - ClusterResourceOverrideCR.- For example: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies a toleration for a taint on the infra node.
 
 
Verification
- You can verify that the pods have moved by using the following command: - oc get pods -n clusterresourceoverride-operator -o wide - $ oc get pods -n clusterresourceoverride-operator -o wide- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The Cluster Resource Override pods are now deployed to the infra nodes. - Example output - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES clusterresourceoverride-786b8c898c-9wrdq 1/1 Running 0 23s 10.127.2.25 ip-10-0-23-244.us-west-2.compute.internal <none> <none> clusterresourceoverride-786b8c898c-vn2lf 1/1 Running 0 26s 10.128.0.80 ip-10-0-24-233.us-west-2.compute.internal <none> <none> clusterresourceoverride-operator-6b8b8b656b-lvr62 1/1 Running 0 56m 10.129.0.71 ip-10-0-67-453.us-west-2.compute.internal <none> <none> - NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES clusterresourceoverride-786b8c898c-9wrdq 1/1 Running 0 23s 10.127.2.25 ip-10-0-23-244.us-west-2.compute.internal <none> <none> clusterresourceoverride-786b8c898c-vn2lf 1/1 Running 0 26s 10.128.0.80 ip-10-0-24-233.us-west-2.compute.internal <none> <none> clusterresourceoverride-operator-6b8b8b656b-lvr62 1/1 Running 0 56m 10.129.0.71 ip-10-0-67-453.us-west-2.compute.internal <none> <none>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Chapter 9. Managing user-provisioned infrastructure manually
9.1. Adding compute machines to clusters with user-provisioned infrastructure manually
You can add compute machines to a cluster on user-provisioned infrastructure either as part of the installation process or after installation. The postinstallation process requires some of the same configuration files and parameters that were used during installation.
9.1.1. Adding compute machines to Amazon Web Services
To add more compute machines to your OpenShift Container Platform cluster on Amazon Web Services (AWS), see Adding compute machines to AWS by using CloudFormation templates.
9.1.2. Adding compute machines to Microsoft Azure
To add more compute machines to your OpenShift Container Platform cluster on Microsoft Azure, see Creating additional worker machines in Azure.
9.1.3. Adding compute machines to Azure Stack Hub
To add more compute machines to your OpenShift Container Platform cluster on Azure Stack Hub, see Creating additional worker machines in Azure Stack Hub.
9.1.4. Adding compute machines to Google Cloud Platform
To add more compute machines to your OpenShift Container Platform cluster on Google Cloud Platform (GCP), see Creating additional worker machines in GCP.
9.1.5. Adding compute machines to vSphere
You can use compute machine sets to automate the creation of additional compute machines for your OpenShift Container Platform cluster on vSphere.
To manually add more compute machines to your cluster, see Adding compute machines to vSphere manually.
9.1.6. Adding compute machines to bare metal
To add more compute machines to your OpenShift Container Platform cluster on bare metal, see Adding compute machines to bare metal.
9.2. Adding compute machines to AWS by using CloudFormation templates
You can add more compute machines to your OpenShift Container Platform cluster on Amazon Web Services (AWS) that you created by using the sample CloudFormation templates.
9.2.1. Prerequisites
- You installed your cluster on AWS by using the provided AWS CloudFormation templates.
- You have the JSON file and CloudFormation template that you used to create the compute machines during cluster installation. If you do not have these files, you must recreate them by following the instructions in the installation procedure.
9.2.2. Adding more compute machines to your AWS cluster by using CloudFormation templates
You can add more compute machines to your OpenShift Container Platform cluster on Amazon Web Services (AWS) that you created by using the sample CloudFormation templates.
The CloudFormation template creates a stack that represents one compute machine. You must create a stack for each compute machine.
If you do not use the provided CloudFormation template to create your compute nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.
Prerequisites
- You installed an OpenShift Container Platform cluster by using CloudFormation templates and have access to the JSON file and CloudFormation template that you used to create the compute machines during cluster installation.
- You installed the AWS CLI.
Procedure
- Create another compute stack. - Launch the template: - aws cloudformation create-stack --stack-name <name> \ --template-body file://<template>.yaml \ --parameters file://<parameters>.json- $ aws cloudformation create-stack --stack-name <name> \- 1 - --template-body file://<template>.yaml \- 2 - --parameters file://<parameters>.json- 3 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <name>is the name for the CloudFormation stack, such as- cluster-workers. You must provide the name of this stack if you remove the cluster.
- 2
- <template>is the relative path to and name of the CloudFormation template YAML file that you saved.
- 3
- <parameters>is the relative path to and name of the CloudFormation parameters JSON file.
 
- Confirm that the template components exist: - aws cloudformation describe-stacks --stack-name <name> - $ aws cloudformation describe-stacks --stack-name <name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Continue to create compute stacks until you have created enough compute machines for your cluster.
9.2.3. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4 - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output lists all of the machines that you created. Note- The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. 
- Review the pending CSRs and ensure that you see the client requests with the - Pendingor- Approvedstatus for each machine that you added to the cluster:- oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ... - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, two machines are joining the cluster. You might see more approved CSRs in the list. 
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in - Pendingstatus, approve the CSRs for your cluster machines:Note- Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the - machine-approverif the Kubelet requests a new certificate with identical parameters.Note- For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the - oc exec,- oc rsh, and- oc logscommands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the- node-bootstrapperservice account in the- system:nodeor- system:admingroups, and confirm the identity of the node.- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Some Operators might not become available until some CSRs are approved. 
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster: - oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ... - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the remaining CSRs are not approved, and are in the - Pendingstatus, approve the CSRs for your cluster machines:- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- After all client and server CSRs have been approved, the machines have the - Readystatus. Verify this by running the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- It can take a few minutes after approval of the server CSRs for the machines to transition to the - Readystatus.
Additional information
9.3. Adding compute machines to vSphere manually
You can add more compute machines to your OpenShift Container Platform cluster on VMware vSphere manually.
You can also use compute machine sets to automate the creation of additional VMware vSphere compute machines for your cluster.
9.3.1. Prerequisites
- You installed a cluster on vSphere.
- You have installation media and Red Hat Enterprise Linux CoreOS (RHCOS) images that you used to create your cluster. If you do not have these files, you must obtain them by following the instructions in the installation procedure.
If you do not have access to the Red Hat Enterprise Linux CoreOS (RHCOS) images that were used to create your cluster, you can add more compute machines to your OpenShift Container Platform cluster with newer versions of Red Hat Enterprise Linux CoreOS (RHCOS) images. For instructions, see Adding new nodes to UPI cluster fails after upgrading to OpenShift 4.6+.
9.3.2. Adding more compute machines to a cluster in vSphere
You can add more compute machines to a user-provisioned OpenShift Container Platform cluster on VMware vSphere.
After your vSphere template deploys in your OpenShift Container Platform cluster, you can deploy a virtual machine (VM) for a machine in that cluster.
Prerequisites
- Obtain the base64-encoded Ignition file for your compute machines.
- You have access to the vSphere template that you created for your cluster.
Procedure
- Right-click the template’s name and click Clone → Clone to Virtual Machine.
- On the Select a name and folder tab, specify a name for the VM. You might include the machine type in the name, such as - compute-1.Note- Ensure that all virtual machine names across a vSphere installation are unique. 
- On the Select a name and folder tab, select the name of the folder that you created for the cluster.
- On the Select a compute resource tab, select the name of a host in your data center.
- On the Select storage tab, select storage for your configuration and disk files.
- On the Select clone options tab, select Customize this virtual machine’s hardware.
- On the Customize hardware tab, click Advanced Parameters. - Add the following configuration parameter names and values by specifying data in the Attribute and Values fields. Ensure that you select the Add button for each parameter that you create. - 
											guestinfo.ignition.config.data: Paste the contents of the base64-encoded compute Ignition config file for this machine type.
- 
											guestinfo.ignition.config.data.encoding: Specifybase64.
- 
											disk.EnableUUID: SpecifyTRUE.
 
- 
											
 
- In the Virtual Hardware panel of the Customize hardware tab, modify the specified values as required. Ensure that the amount of RAM, CPU, and disk storage meets the minimum requirements for the machine type. If many networks exist, select Add New Device > Network Adapter, and then enter your network information in the fields provided by the New Network menu item.
- Complete the remaining configuration steps. On clicking the Finish button, you have completed the cloning operation.
- From the Virtual Machines tab, right-click on your VM and then select Power → Power On.
Next steps
- Continue to create more compute machines for your cluster.
9.3.3. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4 - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output lists all of the machines that you created. Note- The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. 
- Review the pending CSRs and ensure that you see the client requests with the - Pendingor- Approvedstatus for each machine that you added to the cluster:- oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ... - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, two machines are joining the cluster. You might see more approved CSRs in the list. 
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in - Pendingstatus, approve the CSRs for your cluster machines:Note- Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the - machine-approverif the Kubelet requests a new certificate with identical parameters.Note- For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the - oc exec,- oc rsh, and- oc logscommands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the- node-bootstrapperservice account in the- system:nodeor- system:admingroups, and confirm the identity of the node.- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Some Operators might not become available until some CSRs are approved. 
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster: - oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ... - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the remaining CSRs are not approved, and are in the - Pendingstatus, approve the CSRs for your cluster machines:- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- After all client and server CSRs have been approved, the machines have the - Readystatus. Verify this by running the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- It can take a few minutes after approval of the server CSRs for the machines to transition to the - Readystatus.
Additional information
9.4. Adding compute machines to bare metal
You can add more compute machines to your OpenShift Container Platform cluster on bare metal or platform agnostic cluster.
9.4.1. Prerequisites
- You installed a cluster on bare metal.
- You installed a cluster on any platform.
- You have installation media and Red Hat Enterprise Linux CoreOS (RHCOS) images that you used to create your cluster. If you do not have these files, you must obtain them by following the instructions in the installation procedure.
- If a DHCP server is available for your user-provisioned infrastructure, you have added the details for the additional compute machines to your DHCP server configuration. This includes a persistent IP address, DNS server information, and a hostname for each machine.
- You have updated your DNS configuration to include the record name and IP address of each compute machine that you are adding. You have validated that DNS lookup and reverse DNS lookup resolve correctly.
If you do not have access to the Red Hat Enterprise Linux CoreOS (RHCOS) images that were used to create your cluster, you can add more compute machines to your OpenShift Container Platform cluster with newer versions of Red Hat Enterprise Linux CoreOS (RHCOS) images. For instructions, see Adding new nodes to UPI cluster fails after upgrading to OpenShift 4.6+.
9.4.2. Creating Red Hat Enterprise Linux CoreOS (RHCOS) machines
Before you add more compute machines to a cluster that you installed on bare metal infrastructure, you must create RHCOS machines for it to use. You can either use an ISO image or network PXE booting to create the machines.
You must use the same ISO image that you used to install a cluster to deploy all new nodes in a cluster. It is recommended to use the same Ignition config file. The nodes automatically upgrade themselves on the first boot before running the workloads. You can add the nodes before or after the upgrade.
9.4.2.1. Creating RHCOS machines using an ISO image
You can create more Red Hat Enterprise Linux CoreOS (RHCOS) compute machines for your bare metal cluster by using an ISO image to create the machines.
Prerequisites
- Obtain the URL of the Ignition config file for the compute machines for your cluster. You uploaded this file to your HTTP server during installation.
- 
								You must have the OpenShift CLI (oc) installed.
Procedure
- Extract the Ignition config file from the cluster by running the following command: - oc extract -n openshift-machine-api secret/worker-user-data-managed --keys=userData --to=- > worker.ign - $ oc extract -n openshift-machine-api secret/worker-user-data-managed --keys=userData --to=- > worker.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								Upload the worker.ignIgnition config file you exported from your cluster to your HTTP server. Note the URLs of these files.
- You can validate that the ignition files are available on the URLs. The following example gets the Ignition config files for the compute node: - curl -k http://<HTTP_server>/worker.ign - $ curl -k http://<HTTP_server>/worker.ign- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- You can access the ISO image for booting your new machine by running to following command: - RHCOS_VHD_ORIGIN_URL=$(oc -n openshift-machine-config-operator get configmap/coreos-bootimages -o jsonpath='{.data.stream}' | jq -r '.architectures.<architecture>.artifacts.metal.formats.iso.disk.location')- RHCOS_VHD_ORIGIN_URL=$(oc -n openshift-machine-config-operator get configmap/coreos-bootimages -o jsonpath='{.data.stream}' | jq -r '.architectures.<architecture>.artifacts.metal.formats.iso.disk.location')- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Use the ISO file to install RHCOS on more compute machines. Use the same method that you used when you created machines before you installed the cluster: - Burn the ISO image to a disk and boot it directly.
- Use ISO redirection with a LOM interface.
 
- Boot the RHCOS ISO image without specifying any options, or interrupting the live boot sequence. Wait for the installer to boot into a shell prompt in the RHCOS live environment. Note- You can interrupt the RHCOS installation boot process to add kernel arguments. However, for this ISO procedure you must use the - coreos-installercommand as outlined in the following steps, instead of adding kernel arguments.
- Run the - coreos-installercommand and specify the options that meet your installation requirements. At a minimum, you must specify the URL that points to the Ignition config file for the node type, and the device that you are installing to:- sudo coreos-installer install --ignition-url=http://<HTTP_server>/<node_type>.ign <device> --ignition-hash=sha512-<digest> - $ sudo coreos-installer install --ignition-url=http://<HTTP_server>/<node_type>.ign <device> --ignition-hash=sha512-<digest>- 1 - 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- You must run thecoreos-installercommand by usingsudo, because thecoreuser does not have the required root privileges to perform the installation.
- 2
- The--ignition-hashoption is required when the Ignition config file is obtained through an HTTP URL to validate the authenticity of the Ignition config file on the cluster node.<digest>is the Ignition config file SHA512 digest obtained in a preceding step.
 Note- If you want to provide your Ignition config files through an HTTPS server that uses TLS, you can add the internal certificate authority (CA) to the system trust store before running - coreos-installer.- The following example initializes a bootstrap node installation to the - /dev/sdadevice. The Ignition config file for the bootstrap node is obtained from an HTTP web server with the IP address 192.168.1.2:- sudo coreos-installer install --ignition-url=http://192.168.1.2:80/installation_directory/bootstrap.ign /dev/sda --ignition-hash=sha512-a5a2d43879223273c9b60af66b44202a1d1248fc01cf156c46d4a79f552b6bad47bc8cc78ddf0116e80c59d2ea9e32ba53bc807afbca581aa059311def2c3e3b - $ sudo coreos-installer install --ignition-url=http://192.168.1.2:80/installation_directory/bootstrap.ign /dev/sda --ignition-hash=sha512-a5a2d43879223273c9b60af66b44202a1d1248fc01cf156c46d4a79f552b6bad47bc8cc78ddf0116e80c59d2ea9e32ba53bc807afbca581aa059311def2c3e3b- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Monitor the progress of the RHCOS installation on the console of the machine. Important- Ensure that the installation is successful on each node before commencing with the OpenShift Container Platform installation. Observing the installation process can also help to determine the cause of RHCOS installation issues that might arise. 
- Continue to create more compute machines for your cluster.
9.4.2.2. Creating RHCOS machines by PXE or iPXE booting
You can create more Red Hat Enterprise Linux CoreOS (RHCOS) compute machines for your bare metal cluster by using PXE or iPXE booting.
Prerequisites
- Obtain the URL of the Ignition config file for the compute machines for your cluster. You uploaded this file to your HTTP server during installation.
- 
								Obtain the URLs of the RHCOS ISO image, compressed metal BIOS, kernel, andinitramfsfiles that you uploaded to your HTTP server during cluster installation.
- You have access to the PXE booting infrastructure that you used to create the machines for your OpenShift Container Platform cluster during installation. The machines must boot from their local disks after RHCOS is installed on them.
- 
								If you use UEFI, you have access to the grub.conffile that you modified during OpenShift Container Platform installation.
Procedure
- Confirm that your PXE or iPXE installation for the RHCOS images is correct. - For PXE: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the location of the livekernelfile that you uploaded to your HTTP server.
- 2
- Specify locations of the RHCOS files that you uploaded to your HTTP server. Theinitrdparameter value is the location of the liveinitramfsfile, thecoreos.inst.ignition_urlparameter value is the location of the worker Ignition config file, and thecoreos.live.rootfs_urlparameter value is the location of the liverootfsfile. Thecoreos.inst.ignition_urlandcoreos.live.rootfs_urlparameters only support HTTP and HTTPS.
 Note- This configuration does not enable serial console access on machines with a graphical console. To configure a different console, add one or more - console=arguments to the- APPENDline. For example, add- console=tty0 console=ttyS0to set the first PC serial port as the primary console and the graphical console as a secondary console. For more information, see How does one set up a serial terminal and/or console in Red Hat Enterprise Linux?.
- For iPXE ( - x86_64+- aarch64):- kernel http://<HTTP_server>/rhcos-<version>-live-kernel-<architecture> initrd=main coreos.live.rootfs_url=http://<HTTP_server>/rhcos-<version>-live-rootfs.<architecture>.img coreos.inst.install_dev=/dev/sda coreos.inst.ignition_url=http://<HTTP_server>/worker.ign initrd --name main http://<HTTP_server>/rhcos-<version>-live-initramfs.<architecture>.img boot - kernel http://<HTTP_server>/rhcos-<version>-live-kernel-<architecture> initrd=main coreos.live.rootfs_url=http://<HTTP_server>/rhcos-<version>-live-rootfs.<architecture>.img coreos.inst.install_dev=/dev/sda coreos.inst.ignition_url=http://<HTTP_server>/worker.ign- 1 - 2 - initrd --name main http://<HTTP_server>/rhcos-<version>-live-initramfs.<architecture>.img- 3 - boot- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the locations of the RHCOS files that you uploaded to your HTTP server. Thekernelparameter value is the location of thekernelfile, theinitrd=mainargument is needed for booting on UEFI systems, thecoreos.live.rootfs_urlparameter value is the location of therootfsfile, and thecoreos.inst.ignition_urlparameter value is the location of the worker Ignition config file.
- 2
- If you use multiple NICs, specify a single interface in theipoption. For example, to use DHCP on a NIC that is namedeno1, setip=eno1:dhcp.
- 3
- Specify the location of theinitramfsfile that you uploaded to your HTTP server.
 Note- This configuration does not enable serial console access on machines with a graphical console To configure a different console, add one or more - console=arguments to the- kernelline. For example, add- console=tty0 console=ttyS0to set the first PC serial port as the primary console and the graphical console as a secondary console. For more information, see How does one set up a serial terminal and/or console in Red Hat Enterprise Linux? and "Enabling the serial console for PXE and ISO installation" in the "Advanced RHCOS installation configuration" section.Note- To network boot the CoreOS - kernelon- aarch64architecture, you need to use a version of iPXE build with the- IMAGE_GZIPoption enabled. See- IMAGE_GZIPoption in iPXE.
- For PXE (with UEFI and GRUB as second stage) on - aarch64:- menuentry 'Install CoreOS' { linux rhcos-<version>-live-kernel-<architecture> coreos.live.rootfs_url=http://<HTTP_server>/rhcos-<version>-live-rootfs.<architecture>.img coreos.inst.install_dev=/dev/sda coreos.inst.ignition_url=http://<HTTP_server>/worker.ign initrd rhcos-<version>-live-initramfs.<architecture>.img }- menuentry 'Install CoreOS' { linux rhcos-<version>-live-kernel-<architecture> coreos.live.rootfs_url=http://<HTTP_server>/rhcos-<version>-live-rootfs.<architecture>.img coreos.inst.install_dev=/dev/sda coreos.inst.ignition_url=http://<HTTP_server>/worker.ign- 1 - 2 - initrd rhcos-<version>-live-initramfs.<architecture>.img- 3 - }- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the locations of the RHCOS files that you uploaded to your HTTP/TFTP server. Thekernelparameter value is the location of thekernelfile on your TFTP server. Thecoreos.live.rootfs_urlparameter value is the location of therootfsfile, and thecoreos.inst.ignition_urlparameter value is the location of the worker Ignition config file on your HTTP Server.
- 2
- If you use multiple NICs, specify a single interface in theipoption. For example, to use DHCP on a NIC that is namedeno1, setip=eno1:dhcp.
- 3
- Specify the location of theinitramfsfile that you uploaded to your TFTP server.
 
 
- Use the PXE or iPXE infrastructure to create the required compute machines for your cluster.
9.4.3. Approving the certificate signing requests for your machines
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
Prerequisites
- You added machines to your cluster.
Procedure
- Confirm that the cluster recognizes the machines: - oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4 - NAME STATUS ROLES AGE VERSION master-0 Ready master 63m v1.33.4 master-1 Ready master 63m v1.33.4 master-2 Ready master 64m v1.33.4- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The output lists all of the machines that you created. Note- The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. 
- Review the pending CSRs and ensure that you see the client requests with the - Pendingor- Approvedstatus for each machine that you added to the cluster:- oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ... - NAME AGE REQUESTOR CONDITION csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this example, two machines are joining the cluster. You might see more approved CSRs in the list. 
- If the CSRs were not approved, after all of the pending CSRs for the machines you added are in - Pendingstatus, approve the CSRs for your cluster machines:Note- Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the - machine-approverif the Kubelet requests a new certificate with identical parameters.Note- For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the - oc exec,- oc rsh, and- oc logscommands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the- node-bootstrapperservice account in the- system:nodeor- system:admingroups, and confirm the identity of the node.- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Some Operators might not become available until some CSRs are approved. 
 
- Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster: - oc get csr - $ oc get csr- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ... - NAME AGE REQUESTOR CONDITION csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending ...- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- If the remaining CSRs are not approved, and are in the - Pendingstatus, approve the CSRs for your cluster machines:- To approve them individually, run the following command for each valid CSR: - oc adm certificate approve <csr_name> - $ oc adm certificate approve <csr_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- <csr_name>is the name of a CSR from the list of current CSRs.
 
- To approve all pending CSRs, run the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- After all client and server CSRs have been approved, the machines have the - Readystatus. Verify this by running the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- It can take a few minutes after approval of the server CSRs for the machines to transition to the - Readystatus.
Additional information
Chapter 10. Managing control plane machines
10.1. About control plane machine sets
With control plane machine sets, you can automate management of the control plane machine resources within your OpenShift Container Platform cluster.
Control plane machine sets cannot manage compute machines, and compute machine sets cannot manage control plane machines.
Control plane machine sets provide for control plane machines similar management capabilities as compute machine sets provide for compute machines. However, these two types of machine sets are separate custom resources defined within the Machine API and have several fundamental differences in their architecture and functionality.
10.1.1. Control Plane Machine Set Operator overview
					The Control Plane Machine Set Operator uses the ControlPlaneMachineSet custom resource (CR) to automate management of the control plane machine resources within your OpenShift Container Platform cluster.
				
					When the state of the cluster control plane machine set is set to Active, the Operator ensures that the cluster has the correct number of control plane machines with the specified configuration. This allows the automated replacement of degraded control plane machines and rollout of changes to the control plane.
				
					A cluster has only one control plane machine set, and the Operator only manages objects in the openshift-machine-api namespace.
				
10.1.1.1. Control Plane Machine Set Operator limitations
The Control Plane Machine Set Operator has the following limitations:
- Only Amazon Web Services (AWS), Google Cloud Platform (GCP), IBM Power® Virtual Server, Microsoft Azure, Nutanix, VMware vSphere, and Red Hat OpenStack Platform (RHOSP) clusters are supported.
- Clusters that do not have preexisting machines that represent the control plane nodes cannot use a control plane machine set or enable the use of a control plane machine set after installation. Generally, preexisting control plane machines are only present if a cluster was installed using infrastructure provisioned by the installation program. - To determine if a cluster has the required preexisting control plane machines, run the following command as a user with administrator privileges: - oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master - $ oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output showing preexisting control plane machines - NAME PHASE TYPE REGION ZONE AGE <infrastructure_id>-master-0 Running m6i.xlarge us-west-1 us-west-1a 5h19m <infrastructure_id>-master-1 Running m6i.xlarge us-west-1 us-west-1b 5h19m <infrastructure_id>-master-2 Running m6i.xlarge us-west-1 us-west-1a 5h19m - NAME PHASE TYPE REGION ZONE AGE <infrastructure_id>-master-0 Running m6i.xlarge us-west-1 us-west-1a 5h19m <infrastructure_id>-master-1 Running m6i.xlarge us-west-1 us-west-1b 5h19m <infrastructure_id>-master-2 Running m6i.xlarge us-west-1 us-west-1a 5h19m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output missing preexisting control plane machines - No resources found in openshift-machine-api namespace. - No resources found in openshift-machine-api namespace.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								The Operator requires the Machine API Operator to be operational and is therefore not supported on clusters with manually provisioned machines. When installing a OpenShift Container Platform cluster with manually provisioned machines for a platform that creates an active generated ControlPlaneMachineSetcustom resource (CR), you must remove the Kubernetes manifest files that define the control plane machine set as instructed in the installation process.
- Only clusters with three control plane machines are supported.
- Horizontal scaling of the control plane is not supported.
- Deploying Azure control plane machines on Ephemeral OS disks increases risk for data loss and is not supported.
- Deploying control plane machines as AWS Spot Instances, GCP preemptible VMs, or Azure Spot VMs is not supported. Important- Attempting to deploy control plane machines as AWS Spot Instances, GCP preemptible VMs, or Azure Spot VMs might cause the cluster to lose etcd quorum. A cluster that loses all control plane machines simultaneously is unrecoverable. 
- Making changes to the control plane machine set during or prior to installation is not supported. You must make any changes to the control plane machine set only after installation.
10.2. Getting started with control plane machine sets
				The process for getting started with control plane machine sets depends on the state of the ControlPlaneMachineSet custom resource (CR) in your cluster.
			
- Clusters with an active generated CR
- Clusters that have a generated CR with an active state use the control plane machine set by default. No administrator action is required.
- Clusters with an inactive generated CR
- For clusters that include an inactive generated CR, you must review the CR configuration and activate the CR.
- Clusters without a generated CR
- For clusters that do not include a generated CR, you must create and activate a CR with the appropriate configuration for your cluster.
				If you are uncertain about the state of the ControlPlaneMachineSet CR in your cluster, you can verify the CR status.
			
10.2.1. Supported cloud providers
In OpenShift Container Platform 4.20, the control plane machine set is supported for Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, Nutanix, and VMware vSphere clusters.
The status of the control plane machine set after installation depends on your cloud provider and the version of OpenShift Container Platform that you installed on your cluster.
| Cloud provider | Active by default | Generated CR | Manual CR required | 
|---|---|---|---|
| Amazon Web Services (AWS) | X [1] | X | |
| Google Cloud | X [2] | X | |
| Microsoft Azure | X [2] | X | |
| Nutanix | X [3] | X | |
| Red Hat OpenStack Platform (RHOSP) | X [3] | X | |
| VMware vSphere | X [4] | X | 
- AWS clusters that are upgraded from version 4.11 or earlier require CR activation.
- Google Cloud and Azure clusters that are upgraded from version 4.12 or earlier require CR activation.
- Nutanix and RHOSP clusters that are upgraded from version 4.13 or earlier require CR activation.
- vSphere clusters that are upgraded from version 4.15 or earlier require CR activation.
10.2.2. Checking the control plane machine set custom resource state
					You can verify the existence and state of the ControlPlaneMachineSet custom resource (CR).
				
Procedure
- Determine the state of the CR by running the following command: - oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api - $ oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 
									A result of Activeindicates that theControlPlaneMachineSetCR exists and is activated. No administrator action is required.
- 
									A result of Inactiveindicates that aControlPlaneMachineSetCR exists but is not activated.
- 
									A result of NotFoundindicates that there is no existingControlPlaneMachineSetCR.
 
- 
									A result of 
Next steps
						To use the control plane machine set, you must ensure that a ControlPlaneMachineSet CR with the correct settings for your cluster exists.
					
- If your cluster has an existing CR, you must verify that the configuration in the CR is correct for your cluster.
- If your cluster does not have an existing CR, you must create one with the correct configuration for your cluster.
10.2.3. Activating the control plane machine set custom resource
					To use the control plane machine set, you must ensure that a ControlPlaneMachineSet custom resource (CR) with the correct settings for your cluster exists. On a cluster with a generated CR, you must verify that the configuration in the CR is correct for your cluster and activate it.
				
For more information about the parameters in the CR, see "Control plane machine set configuration".
Procedure
- View the configuration of the CR by running the following command: - oc --namespace openshift-machine-api edit controlplanemachineset.machine.openshift.io cluster - $ oc --namespace openshift-machine-api edit controlplanemachineset.machine.openshift.io cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Change the values of any fields that are incorrect for your cluster configuration.
- When the configuration is correct, activate the CR by setting the - .spec.statefield to- Activeand saving your changes.Important- To activate the CR, you must change the - .spec.statefield to- Activein the same- oc editsession that you use to update the CR configuration. If the CR is saved with the state left as- Inactive, the control plane machine set generator resets the CR to its original settings.
10.2.4. Creating a control plane machine set custom resource
					To use the control plane machine set, you must ensure that a ControlPlaneMachineSet custom resource (CR) with the correct settings for your cluster exists. On a cluster without a generated CR, you must create the CR manually and activate it.
				
For more information about the structure and parameters of the CR, see "Control plane machine set configuration".
Procedure
- Create a YAML file using the following template: - Control plane machine set CR YAML file template - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You must specify this value when you create aControlPlaneMachineSetCR. If you have the OpenShift CLI (oc) installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 2
- Specify the state of the Operator. When the state isInactive, the Operator is not operational. You can activate the Operator by setting the value toActive.ImportantBefore you activate the CR, you must ensure that its configuration is correct for your cluster requirements. 
- 3
- Specify the update strategy for the cluster. Valid values areOnDeleteandRollingUpdate. The default value isRollingUpdate. For more information about update strategies, see "Updating the control plane configuration".
- 4
- Specify your cloud provider platform name. Valid values areAWS,Azure,GCP,Nutanix,VSphere, andOpenStack.
- 5
- Add the<platform_failure_domains>configuration for the cluster. The format and values of this section are provider-specific. For more information, see the sample failure domain configuration for your cloud provider.
- 6
- Specify the infrastructure ID.
- 7
- Add the<platform_provider_spec>configuration for the cluster. The format and values of this section are provider-specific. For more information, see the sample provider specification for your cloud provider.
 
- Refer to the sample YAML for a control plane machine set CR and populate your file with values that are appropriate for your cluster configuration.
- Refer to the sample failure domain configuration and sample provider specification for your cloud provider and update those sections of your file with the appropriate values.
- 
							When the configuration is correct, activate the CR by setting the .spec.statefield toActiveand saving your changes.
- Create the CR from your YAML file by running the following command: - oc create -f <control_plane_machine_set>.yaml - $ oc create -f <control_plane_machine_set>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <control_plane_machine_set>is the name of the YAML file that contains the CR configuration.
10.3. Managing control plane machines with control plane machine sets
Control plane machine sets automate several essential aspects of control plane management.
10.3.1. Updating the control plane configuration
You can make changes to the configuration of the machines in the control plane by updating the specification in the control plane machine set custom resource (CR).
The Control Plane Machine Set Operator monitors the control plane machines and compares their configuration with the specification in the control plane machine set CR. When there is a discrepancy between the specification in the CR and the configuration of a control plane machine, the Operator marks that control plane machine for replacement.
For more information about the parameters in the CR, see "Control plane machine set configuration".
Prerequisites
- Your cluster has an activated and functioning Control Plane Machine Set Operator.
Procedure
- Edit your control plane machine set CR by running the following command: - oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api - $ oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Change the values of any fields that you want to update in your cluster configuration.
- Save your changes.
Next steps
- 
							For clusters that use the default RollingUpdateupdate strategy, the control plane machine set propagates changes to your control plane configuration automatically.
- 
							For clusters that are configured to use the OnDeleteupdate strategy, you must replace your control plane machines manually.
10.3.1.1. Automatic updates to the control plane configuration
						The RollingUpdate update strategy automatically propagates changes to your control plane configuration. This update strategy is the default configuration for the control plane machine set.
					
						For clusters that use the RollingUpdate update strategy, the Operator creates a replacement control plane machine with the configuration that is specified in the CR. When the replacement control plane machine is ready, the Operator deletes the control plane machine that is marked for replacement. The replacement machine then joins the control plane.
					
If multiple control plane machines are marked for replacement, the Operator protects etcd health during replacement by repeating this replacement process one machine at a time until it has replaced each machine.
10.3.1.2. Manual updates to the control plane configuration
						You can use the OnDelete update strategy to propagate changes to your control plane configuration by replacing machines manually. Manually replacing machines allows you to test changes to your configuration on a single machine before applying the changes more broadly.
					
						For clusters that are configured to use the OnDelete update strategy, the Operator creates a replacement control plane machine when you delete an existing machine. When the replacement control plane machine is ready, the etcd Operator allows the existing machine to be deleted. The replacement machine then joins the control plane.
					
If multiple control plane machines are deleted, the Operator creates all of the required replacement machines simultaneously. The Operator maintains etcd health by preventing more than one machine being removed from the control plane at once.
10.3.2. Replacing a control plane machine
To replace a control plane machine in a cluster that has a control plane machine set, you delete the machine manually. The control plane machine set replaces the deleted machine with one using the specification in the control plane machine set custom resource (CR).
Prerequisites
- If your cluster runs on Red Hat OpenStack Platform (RHOSP) and you need to evacuate a compute server, such as for an upgrade, you must disable the RHOSP compute node that the machine runs on by running the following command: - openstack compute service set <target_node_host_name> nova-compute --disable - $ openstack compute service set <target_node_host_name> nova-compute --disable- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For more information, see Preparing to migrate in the RHOSP documentation. 
Procedure
- List the control plane machines in your cluster by running the following command: - oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api - $ oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Delete a control plane machine by running the following command: - oc delete machine \ -n openshift-machine-api \ <control_plane_machine_name> - $ oc delete machine \ -n openshift-machine-api \ <control_plane_machine_name>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the name of the control plane machine to delete.
 Note- If you delete multiple control plane machines, the control plane machine set replaces them according to the configured update strategy: - 
										For clusters that use the default RollingUpdateupdate strategy, the Operator replaces one machine at a time until each machine is replaced.
- 
										For clusters that are configured to use the OnDeleteupdate strategy, the Operator creates all of the required replacement machines simultaneously.
 - Both strategies maintain etcd health during control plane machine replacement. 
10.4. Control plane machine set configuration
This example YAML snippet shows the base structure for a control plane machine set custom resource (CR).
10.4.1. Sample YAML for a control plane machine set custom resource
					The base of the ControlPlaneMachineSet CR is structured the same way for all platforms.
				
Sample ControlPlaneMachineSet CR YAML file
- 1
- Specifies the name of theControlPlaneMachineSetCR, which iscluster. Do not change this value.
- 2
- Specifies the number of control plane machines. Only clusters with three control plane machines are supported, so thereplicasvalue is3. Horizontal scaling is not supported. Do not change this value.
- 3
- Specifies the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. You must specify this value when you create aControlPlaneMachineSetCR. If you have the OpenShift CLI (oc) installed, you can obtain the infrastructure ID by running the following command:oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterCopy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 4
- Specifies the state of the Operator. When the state isInactive, the Operator is not operational. You can activate the Operator by setting the value toActive.ImportantBefore you activate the Operator, you must ensure that the ControlPlaneMachineSetCR configuration is correct for your cluster requirements. For more information about activating the Control Plane Machine Set Operator, see "Getting started with control plane machine sets".
- 5
- Specifies the update strategy for the cluster. The allowed values areOnDeleteandRollingUpdate. The default value isRollingUpdate. For more information about update strategies, see "Updating the control plane configuration".
- 6
- Specifies the cloud provider platform name. Do not change this value.
- 7
- Specifies the<platform_failure_domains>configuration for the cluster. The format and values of this section are provider-specific. For more information, see the sample failure domain configuration for your cloud provider.
- 8
- Specifies the<platform_provider_spec>configuration for the cluster. The format and values of this section are provider-specific. For more information, see the sample provider specification for your cloud provider.
10.4.2. Control plane machine set configuration options
You can configure your control plane machine set to customize your cluster to your needs.
10.4.2.1. Adding a custom prefix to control plane machine names
						You can customize the prefix of machine names that the control plane machine set creates. This can be done by editing the ControlPlaneMachineSet custom resource (CR).
					
Procedure
- Edit the - ControlPlaneMachineSetCR by running the following command:- oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api - $ oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the - .spec.machineNamePrefixfield of the- ControlPlaneMachineSetCR:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_prefix>specifies a prefix name that follows the requirements for a lowercase RFC 1123 subdomain.Important- A lowercase RFC 1123 subdomain must consist of only lowercase alphanumeric characters, hyphens ('-'), and periods ('.'). Each block, separated by periods, must start and end with an alphanumeric character. Hyphens are not allowed at the start or end of a block, and consecutive periods are not permitted. 
- Save your changes.
Next steps
- 
								If you changed only the value of the machineNamePrefixparameter, clusters that use the defaultRollingUpdateupdate strategy are not automatically updated. To propagate this change, you must replace your control plane machines manually, regardless of the update strategy for the cluster. For more information, see "Replacing a control plane machine".
10.4.3. Provider-specific configuration options
					The <platform_provider_spec> and <platform_failure_domains> sections of the control plane machine set manifests are provider specific. For provider-specific configuration options for your cluster, see the following resources:
				
- Control plane configuration options for Amazon Web Services
- Control plane configuration options for Google Cloud
- Control plane configuration options for Microsoft Azure
- Control plane configuration options for Nutanix
- Control plane configuration options for Red Hat OpenStack Platform (RHOSP)
- Control plane configuration options for VMware vSphere
10.5. Configuration options for control plane machines
10.5.1. Control plane configuration options for Amazon Web Services
You can change the configuration of your Amazon Web Services (AWS) control plane machines and enable features by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.1.1. Sample YAML for configuring Amazon Web Services clusters
The following example YAML snippets show provider specification and failure domain configurations for an AWS cluster.
10.5.1.1.1. Sample AWS provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane machine custom resource (CR) that the installation program creates. You can omit any field that is set in the failure domain section of the CR.
						
							In the following example, <cluster_id> is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:
						
oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterSample AWS providerSpec values
- 1
- Specifies the Red Hat Enterprise Linux CoreOS (RHCOS) Amazon Machine Images (AMI) ID for the cluster. The AMI must belong to the same region as the cluster. If you want to use an AWS Marketplace image, you must complete the OpenShift Container Platform subscription from the AWS Marketplace to obtain an AMI ID for your region.
- 2
- Specifies the configuration of an encrypted EBS volume.
- 3
- Specifies the secret name for the cluster. Do not change this value.
- 4
- Specifies the AWS Identity and Access Management (IAM) instance profile. Do not change this value.
- 5
- Specifies the AWS instance type for the control plane.
- 6
- Specifies the cloud provider platform type. Do not change this value.
- 7
- Specifies the internal (int) and external (ext) load balancers for the cluster.NoteYou can omit the external ( ext) load balancer parameters on private OpenShift Container Platform clusters.
- 8
- Specifies where to create the control plane instance in AWS.
- 9
- Specifies the AWS region for the cluster.
- 10
- This parameter is configured in the failure domain and is shown with an empty value here. If a value specified for this parameter differs from the value in the failure domain, the Control Plane Machine Set Operator overwrites it with the value in the failure domain.
- 11
- Specifies the AWS Dedicated Instance configuration for the control plane. For more information, see AWS documentation about Dedicated Instances. The following values are valid:- 
											default: The Dedicated Instance runs on shared hardware.
- 
											dedicated: The Dedicated Instance runs on single-tenant hardware.
- 
											host: The Dedicated Instance runs on a Dedicated Host, which is an isolated server with configurations that you can control.
 
- 
											
- 12
- Specifies the control plane machines security group.
- 13
- This parameter is configured in the failure domain and is shown with an empty value here. If a value specified for this parameter differs from the value in the failure domain, the Control Plane Machine Set Operator overwrites it with the value in the failure domain.NoteIf the failure domain configuration does not specify a value, the value in the provider specification is used. Configuring a subnet in the failure domain overwrites the subnet value in the provider specification. 
- 14
- Specifies the control plane user data secret. Do not change this value.
10.5.1.1.2. Sample AWS failure domain configuration
							The control plane machine set concept of a failure domain is analogous to existing AWS concept of an Availability Zone (AZ). The ControlPlaneMachineSet CR spreads control plane machines across multiple failure domains when possible.
						
When configuring AWS failure domains in the control plane machine set, you must specify the availability zone name and the subnet to use.
Sample AWS failure domain values
- 1
- Specifies an AWS availability zone for the first failure domain.
- 2
- Specifies a subnet configuration. In this example, the subnet type isFilters, so there is afiltersstanza.
- 3
- Specifies the subnet name for the first failure domain, using the infrastructure ID and the AWS availability zone.
- 4
- Specifies the subnet type. The allowed values are:ARN,FiltersandID. The default value isFilters.
- 5
- Specifies the subnet name for an additional failure domain, using the infrastructure ID and the AWS availability zone.
- 6
- Specifies the cluster’s infrastructure ID and the AWS availability zone for the additional failure domain.
- 7
- Specifies the cloud provider platform name. Do not change this value.
10.5.1.2. Enabling Amazon Web Services features for control plane machines
You can enable features by updating values in the control plane machine set.
10.5.1.2.1. Restricting the API server to private
After you deploy a cluster to Amazon Web Services (AWS), you can reconfigure the API server to use only the private zone.
Prerequisites
- 
									Install the OpenShift CLI (oc).
- 
									Have access to the web console as a user with adminprivileges.
Procedure
- In the web portal or console for your cloud provider, take the following actions: - Locate and delete the appropriate load balancer component: - For AWS, delete the external load balancer. The API DNS entry in the private zone already points to the internal load balancer, which uses an identical configuration, so you do not need to modify the internal load balancer.
 
- 
											Delete the api.$clustername.$yourdomainDNS entry in the public zone.
 
- Remove the external load balancers by deleting the following indicated lines in the control plane machine set custom resource: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.1.2.2. Changing the Amazon Web Services instance type by using a control plane machine set
You can change the Amazon Web Services (AWS) instance type that your control plane machines use by updating the specification in the control plane machine set custom resource (CR).
Prerequisites
- Your AWS cluster uses a control plane machine set.
Procedure
- Edit the following line under the - providerSpecfield:- providerSpec: value: ... instanceType: <compatible_aws_instance_type>- providerSpec: value: ... instanceType: <compatible_aws_instance_type>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a larger AWS instance type with the same base as the previous selection. For example, you can changem6i.xlargetom6i.2xlargeorm6i.4xlarge.
 
- Save your changes.
10.5.1.2.3. Assigning machines to placement groups for Elastic Fabric Adapter instances by using machine sets
You can configure a machine set to deploy machines on Elastic Fabric Adapter (EFA) instances within an existing AWS placement group.
EFA instances do not require placement groups, and you can use placement groups for purposes other than configuring an EFA. This example uses both to demonstrate a configuration that can improve network performance for machines within the specified placement group.
Prerequisites
- You created a placement group in the AWS console. Note- Ensure that the rules and limitations for the type of placement group that you create are compatible with your intended use case. The control plane machine set spreads the control plane machines across multiple failure domains when possible. To use placement groups for the control plane, you must use a placement group type that can span multiple Availability Zones. 
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify an instance type that supports EFAs.
- 2
- Specify theEFAnetwork interface type.
- 3
- Specify the zone, for example,us-east-1a.
- 4
- Specify the region, for example,us-east-1.
- 5
- Specify the name of the existing AWS placement group to deploy machines in.
- 6
- Optional: Specify the partition number of the existing AWS placement group to deploy machines in.
 
Verification
- In the AWS console, find a machine that the machine set created and verify the following in the machine properties: - 
											The placement group field has the value that you specified for the placementGroupNameparameter in the machine set.
- 
											The partition number field has the value that you specified for the placementGroupPartitionparameter in the machine set.
- The interface type field indicates that it uses an EFA.
 
- 
											The placement group field has the value that you specified for the 
10.5.1.2.4. Machine set options for the Amazon EC2 Instance Metadata Service
You can use machine sets to create machines that use a specific version of the Amazon EC2 Instance Metadata Service (IMDS). Machine sets can create machines that allow the use of both IMDSv1 and IMDSv2 or machines that require the use of IMDSv2.
To use IMDSv2 on AWS clusters that were created with OpenShift Container Platform version 4.6 or earlier, you must update your boot image. For more information, see "Updated boot images".
Before configuring a machine set to create machines that require IMDSv2, ensure that any workloads that interact with the AWS metadata service support IMDSv2.
10.5.1.2.4.1. Configuring IMDS by using machine sets
								You can specify whether to require the use of IMDSv2 by adding or editing the value of metadataServiceOptions.authentication in the machine set YAML file for your machines.
							
Prerequisites
- To use IMDSv2, your AWS cluster must have been created with OpenShift Container Platform version 4.7 or later.
Procedure
- Add or edit the following lines under the - providerSpecfield:- providerSpec: value: metadataServiceOptions: authentication: Required- providerSpec: value: metadataServiceOptions: authentication: Required- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- To require IMDSv2, set the parameter value toRequired. To allow the use of both IMDSv1 and IMDSv2, set the parameter value toOptional. If no value is specified, both IMDSv1 and IMDSv2 are allowed.
 
10.5.1.2.5. Machine sets that deploy machines as Dedicated Instances
You can create a machine set running on AWS that deploys machines as Dedicated Instances. Dedicated Instances run in a virtual private cloud (VPC) on hardware that is dedicated to a single customer. These Amazon EC2 instances are physically isolated at the host hardware level. The isolation of Dedicated Instances occurs even if the instances belong to different AWS accounts that are linked to a single payer account. However, other instances that are not dedicated can share hardware with Dedicated Instances if they belong to the same AWS account.
Instances with either public or dedicated tenancy are supported by the Machine API. Instances with public tenancy run on shared hardware. Public tenancy is the default tenancy. Instances with dedicated tenancy run on single-tenant hardware.
10.5.1.2.5.1. Creating Dedicated Instances by using machine sets
								You can run a machine that is backed by a Dedicated Instance by using Machine API integration. Set the tenancy field in your machine set YAML file to launch a Dedicated Instance on AWS.
							
Procedure
- Specify a dedicated tenancy under the - providerSpecfield:- providerSpec: placement: tenancy: dedicated- providerSpec: placement: tenancy: dedicated- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.1.2.6. Configuring Capacity Reservations by using machine sets
OpenShift Container Platform version 4.20 and later supports Capacity Reservations on Amazon Web Services clusters, including On-Demand Capacity Reservations and Capacity Blocks for ML.
You can configure a machine set to deploy machines on any available resources that match the parameters of a capacity request that you define. These parameters specify the instance type, region, and number of instances that you want to reserve. If your Capacity Reservation can accommodate the capacity request, the deployment succeeds.
For more information, including limitations and suggested use cases for this AWS offering, see On-Demand Capacity Reservations and Capacity Blocks for ML in the AWS documentation.
Prerequisites
- 
									You have access to the cluster with cluster-adminprivileges.
- 
									You installed the OpenShift CLI (oc).
- You purchased an On-Demand Capacity Reservation or Capacity Block for ML. For more information, see On-Demand Capacity Reservations and Capacity Blocks for ML in the AWS documentation.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the ID of the Capacity Block for ML or On-Demand Capacity Reservation that you want the machine set to deploy machines on.
- 2
- Specify the market type to use. The following values are valid:- CapacityBlock
- Use this market type with Capacity Blocks for ML.
- OnDemand
- Use this market type with On-Demand Capacity Reservations.
 
 
Verification
- To verify machine deployment, list the machines that the machine set created by running the following command: - oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master - $ oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the output, verify that the characteristics of the listed machines match the parameters of your Capacity Reservation. 
10.5.2. Control plane configuration options for Microsoft Azure
You can change the configuration of your Microsoft Azure control plane machines and enable features by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.2.1. Sample YAML for configuring Microsoft Azure clusters
The following example YAML snippets show provider specification and failure domain configurations for an Azure cluster.
10.5.2.1.1. Sample Azure provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane Machine CR that is created by the installation program. You can omit any field that is set in the failure domain section of the CR.
						
							In the following example, <cluster_id> is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:
						
oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster
$ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure clusterSample Azure providerSpec values
- 1
- Specifies the secret name for the cluster. Do not change this value.
- 2
- Specifies the image details for your control plane machine set.
- 3
- Specifies an image that is compatible with your instance type. The Hyper-V generation V2 images created by the installation program have a-gen2suffix, while V1 images have the same name without the suffix.
- 4
- Specifies the internal load balancer for the control plane. This field might not be preconfigured but is required in both theControlPlaneMachineSetand control planeMachineCRs.
- 5
- Specifies the cloud provider platform type. Do not change this value.
- 6
- Specifies the region to place control plane machines on.
- 7
- Specifies the disk configuration for the control plane.
- 8
- Specifies the public load balancer for the control plane.NoteYou can omit the publicLoadBalancerparameter on private OpenShift Container Platform clusters that have user-defined outbound routing.
- 9
- Specifies the subnet for the control plane.
- 10
- Specifies the control plane user data secret. Do not change this value.
- 11
- Specifies the zone configuration for clusters that use a single zone for all failure domains.NoteIf the cluster is configured to use a different zone for each failure domain, this parameter is configured in the failure domain. If you specify this value in the provider specification when using different zones for each failure domain, the Control Plane Machine Set Operator ignores it. 
10.5.2.1.2. Sample Azure failure domain configuration
							The control plane machine set concept of a failure domain is analogous to existing Azure concept of an Azure availability zone. The ControlPlaneMachineSet CR spreads control plane machines across multiple failure domains when possible.
						
When configuring Azure failure domains in the control plane machine set, you must specify the availability zone name. An Azure cluster uses a single subnet that spans multiple zones.
Sample Azure failure domain values
- 1
- Each instance ofzonespecifies an Azure availability zone for a failure domain.NoteIf the cluster is configured to use a single zone for all failure domains, the zoneparameter is configured in the provider specification instead of in the failure domain configuration.
- 2
- Specifies the cloud provider platform name. Do not change this value.
10.5.2.2. Enabling Microsoft Azure features for control plane machines
You can enable features by updating values in the control plane machine set.
10.5.2.2.1. Restricting the API server to private
After you deploy a cluster to Amazon Web Services (AWS), you can reconfigure the API server to use only the private zone.
Prerequisites
- 
									Install the OpenShift CLI (oc).
- 
									Have access to the web console as a user with adminprivileges.
Procedure
- In the web portal or console for your cloud provider, take the following actions: - Locate and delete the appropriate load balancer component:
- 
											Delete the api.$clustername.$yourdomainDNS entry in the public zone.
 
- Remove the external load balancers by deleting the following indicated lines in the control plane machine set custom resource: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.2.2.2. Using the Azure Marketplace offering
You can create a machine set running on Azure that deploys machines that use the Azure Marketplace offering. To use this offering, you must first obtain the Azure Marketplace image. When obtaining your image, consider the following:
- 
									While the images are the same, the Azure Marketplace publisher is different depending on your region. If you are located in North America, specify redhatas the publisher. If you are located in EMEA, specifyredhat-limitedas the publisher.
- 
									The offer includes a rh-ocp-workerSKU and arh-ocp-worker-gen1SKU. Therh-ocp-workerSKU represents a Hyper-V generation version 2 VM image. The default instance types used in OpenShift Container Platform are version 2 compatible. If you plan to use an instance type that is only version 1 compatible, use the image associated with therh-ocp-worker-gen1SKU. Therh-ocp-worker-gen1SKU represents a Hyper-V version 1 VM image.
Installing images with the Azure marketplace is not supported on clusters with 64-bit ARM instances.
You should only modify the RHCOS image for compute machines to use an Azure Marketplace image. Control plane machines and infrastructure nodes do not require an OpenShift Container Platform subscription and use the public RHCOS default image by default, which does not incur subscription costs on your Azure bill. Therefore, you should not modify the cluster default boot image or the control plane boot images. Applying the Azure Marketplace image to them will incur additional licensing costs that cannot be recovered.
Prerequisites
- 
									You have installed the Azure CLI client (az).
- Your Azure account is entitled for the offer and you have logged into this account with the Azure CLI client.
Procedure
- Display all of the available OpenShift Container Platform images by running one of the following commands: - North America: - az vm image list --all --offer rh-ocp-worker --publisher redhat -o table - $ az vm image list --all --offer rh-ocp-worker --publisher redhat -o table- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker RedHat rh-ocp-worker RedHat:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker RedHat rh-ocp-worker-gen1 RedHat:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419 - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker RedHat rh-ocp-worker RedHat:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker RedHat rh-ocp-worker-gen1 RedHat:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image list --all --offer rh-ocp-worker --publisher redhat-limited -o table - $ az vm image list --all --offer rh-ocp-worker --publisher redhat-limited -o table- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker redhat-limited rh-ocp-worker redhat-limited:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker redhat-limited rh-ocp-worker-gen1 redhat-limited:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419 - Offer Publisher Sku Urn Version ------------- -------------- ------------------ -------------------------------------------------------------- ----------------- rh-ocp-worker redhat-limited rh-ocp-worker redhat-limited:rh-ocp-worker:rh-ocp-worker:4.17.2024100419 4.17.2024100419 rh-ocp-worker redhat-limited rh-ocp-worker-gen1 redhat-limited:rh-ocp-worker:rh-ocp-worker-gen1:4.17.2024100419 4.17.2024100419- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 Note- Use the latest image that is available for compute and control plane nodes. If required, your VMs are automatically upgraded as part of the installation process. 
- Inspect the image for your offer by running one of the following commands: - North America: - az vm image show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Review the terms of the offer by running one of the following commands: - North America: - az vm image terms show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image terms show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Accept the terms of the offering by running one of the following commands: - North America: - az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- EMEA: - az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version> - $ az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- 
									Record the image details of your offer, specifically the values for publisher,offer,sku, andversion.
- Add the following parameters to the - providerSpecsection of your machine set YAML file using the image details for your offer:- Sample - providerSpecimage values for Azure Marketplace machines- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.2.2.3. Enabling Azure boot diagnostics
You can enable boot diagnostics on Azure machines that your machine set creates.
Prerequisites
- Have an existing Microsoft Azure cluster.
Procedure
- Add the - diagnosticsconfiguration that is applicable to your storage type to the- providerSpecfield in your machine set YAML file:- For an Azure Managed storage account: - providerSpec: diagnostics: boot: storageAccountType: AzureManaged- providerSpec: diagnostics: boot: storageAccountType: AzureManaged- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies an Azure Managed storage account.
 
- For an Azure Unmanaged storage account: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- Only the Azure Blob Storage data service is supported. 
 
Verification
- On the Microsoft Azure portal, review the Boot diagnostics page for a machine deployed by the machine set, and verify that you can see the serial logs for the machine.
10.5.2.2.4. Machine sets that deploy machines with ultra disks as data disks
You can create a machine set running on Azure that deploys machines with ultra disks. Ultra disks are high-performance storage that are intended for use with the most demanding data workloads.
10.5.2.2.4.1. Creating machines with ultra disks by using machine sets
You can deploy machines with ultra disks on Azure by editing your machine set YAML file.
Prerequisites
- Have an existing Microsoft Azure cluster.
Procedure
- Create a custom secret in the - openshift-machine-apinamespace using the- masterdata secret by running the following command:- oc -n openshift-machine-api \ get secret <role>-user-data \ --template='{{index .data.userData | base64decode}}' | jq > userData.txt- $ oc -n openshift-machine-api \ get secret <role>-user-data \- 1 - --template='{{index .data.userData | base64decode}}' | jq > userData.txt- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- In a text editor, open the - userData.txtfile and locate the final- }character in the file.- 
												On the immediately preceding line, add a ,.
- Create a new line after the - ,and add the following configuration details:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The configuration details for the disk that you want to attach to a node as an ultra disk.
- 2
- Specify thelunvalue that is defined in thedataDisksstanza of the machine set you are using. For example, if the machine set containslun: 0, specifylun0. You can initialize multiple data disks by specifying multiple"disks"entries in this configuration file. If you specify multiple"disks"entries, ensure that thelunvalue for each matches the value in the machine set.
- 3
- The configuration details for a new partition on the disk.
- 4
- Specify a label for the partition. You might find it helpful to use hierarchical names, such aslun0p1for the first partition oflun0.
- 5
- Specify the total size in MiB of the partition.
- 6
- Specify the filesystem to use when formatting a partition. Use the partition label to specify the partition.
- 7
- Specify asystemdunit to mount the partition at boot. Use the partition label to specify the partition. You can create multiple partitions by specifying multiple"partitions"entries in this configuration file. If you specify multiple"partitions"entries, you must specify asystemdunit for each.
- 8
- ForWhere, specify the value ofstorage.filesystems.path. ForWhat, specify the value ofstorage.filesystems.device.
 
 
- 
												On the immediately preceding line, add a 
- Extract the disabling template value to a file called - disableTemplating.txtby running the following command:- oc -n openshift-machine-api get secret <role>-user-data \ --template='{{index .data.disableTemplating | base64decode}}' | jq > disableTemplating.txt- $ oc -n openshift-machine-api get secret <role>-user-data \- 1 - --template='{{index .data.disableTemplating | base64decode}}' | jq > disableTemplating.txt- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<role>withmaster.
 
- Combine the - userData.txtfile and- disableTemplating.txtfile to create a data secret file by running the following command:- oc -n openshift-machine-api create secret generic <role>-user-data-x5 \ --from-file=userData=userData.txt \ --from-file=disableTemplating=disableTemplating.txt - $ oc -n openshift-machine-api create secret generic <role>-user-data-x5 \- 1 - --from-file=userData=userData.txt \ --from-file=disableTemplating=disableTemplating.txt- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- For<role>-user-data-x5, specify the name of the secret. Replace<role>withmaster.
 
- Edit your control plane machine set CR by running the following command: - oc --namespace openshift-machine-api edit controlplanemachineset.machine.openshift.io cluster - $ oc --namespace openshift-machine-api edit controlplanemachineset.machine.openshift.io cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Add the following lines in the positions indicated: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save your changes. - 
												For clusters that use the default RollingUpdateupdate strategy, the Operator automatically propagates the changes to your control plane configuration.
- 
												For clusters that are configured to use the OnDeleteupdate strategy, you must replace your control plane machines manually.
 
- 
												For clusters that use the default 
Verification
- Validate that the machines are created by running the following command: - oc get machines - $ oc get machines- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - The machines should be in the - Runningstate.
- For a machine that is running and has a node attached, validate the partition by running the following command: - oc debug node/<node_name> -- chroot /host lsblk - $ oc debug node/<node_name> -- chroot /host lsblk- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In this command, - oc debug node/<node_name>starts a debugging shell on the node- <node_name>and passes a command with- --. The passed command- chroot /hostprovides access to the underlying host OS binaries, and- lsblkshows the block devices that are attached to the host OS machine.
Next steps
- To use an ultra disk on the control plane, reconfigure your workload to use the control plane’s ultra disk mount point.
10.5.2.2.4.2. Troubleshooting resources for machine sets that enable ultra disks
Use the information in this section to understand and recover from issues you might encounter.
10.5.2.2.4.2.1. Incorrect ultra disk configuration
									If an incorrect configuration of the ultraSSDCapability parameter is specified in the machine set, the machine provisioning fails.
								
									For example, if the ultraSSDCapability parameter is set to Disabled, but an ultra disk is specified in the dataDisks parameter, the following error message appears:
								
StorageAccountType UltraSSD_LRS can be used only when additionalCapabilities.ultraSSDEnabled is set.
StorageAccountType UltraSSD_LRS can be used only when additionalCapabilities.ultraSSDEnabled is set.- To resolve this issue, verify that your machine set configuration is correct.
10.5.2.2.4.2.2. Unsupported disk parameters
If a region, availability zone, or instance size that is not compatible with ultra disks is specified in the machine set, the machine provisioning fails. Check the logs for the following error message:
failed to create vm <machine_name>: failure sending request for machine <machine_name>: cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Storage Account type 'UltraSSD_LRS' is not supported <more_information_about_why>."
failed to create vm <machine_name>: failure sending request for machine <machine_name>: cannot create vm: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="BadRequest" Message="Storage Account type 'UltraSSD_LRS' is not supported <more_information_about_why>."- To resolve this issue, verify that you are using this feature in a supported environment and that your machine set configuration is correct.
10.5.2.2.4.2.3. Unable to delete disks
If the deletion of ultra disks as data disks is not working as expected, the machines are deleted and the data disks are orphaned. You must delete the orphaned disks manually if desired.
10.5.2.2.5. Enabling customer-managed encryption keys for a machine set
You can supply an encryption key to Azure to encrypt data on managed disks at rest. You can enable server-side encryption with customer-managed keys by using the Machine API.
An Azure Key Vault, a disk encryption set, and an encryption key are required to use a customer-managed key. The disk encryption set must be in a resource group where the Cloud Credential Operator (CCO) has granted permissions. If not, an additional reader role is required to be granted on the disk encryption set.
Prerequisites
Procedure
- Configure the disk encryption set under the - providerSpecfield in your machine set YAML file. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.2.2.6. Configuring trusted launch for Azure virtual machines by using machine sets
OpenShift Container Platform 4.20 supports trusted launch for Azure virtual machines (VMs). By editing the machine set YAML file, you can configure the trusted launch options that a machine set uses for machines that it deploys. For example, you can configure these machines to use UEFI security features such as Secure Boot or a dedicated virtual Trusted Platform Module (vTPM) instance.
Some feature combinations result in an invalid configuration.
| Secure Boot[1] | vTPM[2] | Valid configuration | 
|---|---|---|
| Enabled | Enabled | Yes | 
| Enabled | Disabled | Yes | 
| Enabled | Omitted | Yes | 
| Disabled | Enabled | Yes | 
| Omitted | Enabled | Yes | 
| Disabled | Disabled | No | 
| Omitted | Disabled | No | 
| Omitted | Omitted | No | 
- 
										Using the secureBootfield.
- 
										Using the virtualizedTrustedPlatformModulefield.
For more information about related features and functionality, see the Microsoft Azure documentation about Trusted launch for Azure virtual machines.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield to provide a valid configuration:- Sample valid configuration with UEFI Secure Boot and vTPM enabled - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- On the Azure portal, review the details for a machine deployed by the machine set and verify that the trusted launch options match the values that you configured.
10.5.2.2.7. Configuring Azure confidential virtual machines by using machine sets
OpenShift Container Platform 4.20 supports Azure confidential virtual machines (VMs).
Confidential VMs are currently not supported on 64-bit ARM architectures.
By editing the machine set YAML file, you can configure the confidential VM options that a machine set uses for machines that it deploys. For example, you can configure these machines to use UEFI security features such as Secure Boot or a dedicated virtual Trusted Platform Module (vTPM) instance.
Not all instance types support confidential VMs. Do not change the instance type for a control plane machine set that is configured to use confidential VMs to a type that is incompatible. Using an incompatible instance type can cause your cluster to become unstable.
For more information about related features and functionality, see the Microsoft Azure documentation about Confidential virtual machines.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specifies security profile settings for the managed disk when using a confidential VM.
- 2
- Enables encryption of the Azure VM Guest State (VMGS) blob. This setting requires the use of vTPM.
- 3
- Specifies security profile settings for the confidential VM.
- 4
- Enables the use of confidential VMs. This value is required for all valid configurations.
- 5
- Specifies which UEFI security features to use. This section is required for all valid configurations.
- 6
- Disables UEFI Secure Boot.
- 7
- Enables the use of a vTPM.
- 8
- Specifies an instance type that supports confidential VMs.
 
Verification
- On the Azure portal, review the details for a machine deployed by the machine set and verify that the confidential VM options match the values that you configured.
10.5.2.2.8. Configuring Capacity Reservation by using machine sets
OpenShift Container Platform version 4.20 and later supports on-demand Capacity Reservation with Capacity Reservation groups on Microsoft Azure clusters.
You can configure a machine set to deploy machines on any available resources that match the parameters of a capacity request that you define. These parameters specify the VM size, region, and number of instances that you want to reserve. If your Azure subscription quota can accommodate the capacity request, the deployment succeeds.
For more information, including limitations and suggested use cases for this Azure offering, see On-demand Capacity Reservation in the Microsoft Azure documentation.
You cannot change an existing Capacity Reservation configuration for a machine set. To use a different Capacity Reservation group, you must replace the machine set and the machines that the previous machine set deployed.
Prerequisites
- 
									You have access to the cluster with cluster-adminprivileges.
- 
									You installed the OpenShift CLI (oc).
- You created a Capacity Reservation group. For more information, see Create a Capacity Reservation in the Microsoft Azure documentation.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Sample configuration - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the ID of the Capacity Reservation group that you want the machine set to deploy machines on.
 
Verification
- To verify machine deployment, list the machines that the machine set created by running the following command: - oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master - $ oc get machine \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machine-role=master- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - In the output, verify that the characteristics of the listed machines match the parameters of your Capacity Reservation. 
10.5.2.2.9. Accelerated Networking for Microsoft Azure VMs
Accelerated Networking uses single root I/O virtualization (SR-IOV) to provide Microsoft Azure VMs with a more direct path to the switch. This enhances network performance. This feature can be enabled after installation.
10.5.2.2.9.1. Limitations
Consider the following limitations when deciding whether to use Accelerated Networking:
- Accelerated Networking is only supported on clusters where the Machine API is operational.
- Accelerated Networking requires an Azure VM size that includes at least four vCPUs. To satisfy this requirement, you can change the value of - vmSizein your machine set. For information about Azure VM sizes, see Microsoft Azure documentation.
10.5.2.2.9.2. Enabling Accelerated Networking on an existing Microsoft Azure cluster
								You can enable Accelerated Networking on Azure by adding acceleratedNetworking to your machine set YAML file.
							
Prerequisites
- Have an existing Microsoft Azure cluster where the Machine API is operational.
Procedure
- Add the following to the - providerSpecfield:- providerSpec: value: acceleratedNetworking: true vmSize: <azure-vm-size>- providerSpec: value: acceleratedNetworking: true- 1 - vmSize: <azure-vm-size>- 2 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This line enables Accelerated Networking.
- 2
- Specify an Azure VM size that includes at least four vCPUs. For information about VM sizes, see Microsoft Azure documentation.
 
Verification
- 
										On the Microsoft Azure portal, review the Networking settings page for a machine provisioned by the machine set, and verify that the Accelerated networkingfield is set toEnabled.
10.5.3. Control plane configuration options for Google Cloud Platform
You can change the configuration of your Google Cloud control plane machines and enable features by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.3.1. Sample YAML for configuring Google Cloud clusters
The following example YAML snippets show provider specification and failure domain configurations for a Google Cloud cluster.
10.5.3.1.1. Sample GCP provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane machine custom resource (CR) that the installation program creates. You can omit any field that is set in the failure domain section of the CR.
						
10.5.3.1.1.1. Values obtained by using the OpenShift CLI
In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI.
- Infrastructure ID
- The - <cluster_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Image path
- The - <path_to_image>string is the path to the image that was used to create the disk. If you have the OpenShift CLI installed, you can obtain the path to the image by running the following command:- oc -n openshift-machine-api \ -o jsonpath='{.spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.disks[0].image}{"\n"}' \ get ControlPlaneMachineSet/cluster- $ oc -n openshift-machine-api \ -o jsonpath='{.spec.template.machines_v1beta1_machine_openshift_io.spec.providerSpec.value.disks[0].image}{"\n"}' \ get ControlPlaneMachineSet/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Sample GCP providerSpec values
- 1
- Specifies the secret name for the cluster. Do not change this value.
- 2
- Specifies the path to the image that was used to create the disk.To use a GCP Marketplace image, specify the offer to use: - 
												OpenShift Container Platform: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-ocp-413-x86-64-202305021736
- 
												OpenShift Platform Plus: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-opp-413-x86-64-202305021736
- 
												OpenShift Kubernetes Engine: https://www.googleapis.com/compute/v1/projects/redhat-marketplace-public/global/images/redhat-coreos-oke-413-x86-64-202305021736
 
- 
												OpenShift Container Platform: 
- 3
- Specifies the cloud provider platform type. Do not change this value.
- 4
- Specifies the name of the GCP project that you use for your cluster.
- 5
- Specifies the GCP region for the cluster.
- 6
- Specifies a single service account. Multiple service accounts are not supported.
- 7
- Specifies the control plane user data secret. Do not change this value.
- 8
- This parameter is configured in the failure domain, and is shown with an empty value here. If a value specified for this parameter differs from the value in the failure domain, the Operator overwrites it with the value in the failure domain.
10.5.3.1.2. Sample GCP failure domain configuration
							The control plane machine set concept of a failure domain is analogous to the existing GCP concept of a zone. The ControlPlaneMachineSet CR spreads control plane machines across multiple failure domains when possible.
						
When configuring GCP failure domains in the control plane machine set, you must specify the zone name to use.
Sample GCP failure domain values
10.5.3.2. Enabling Google Cloud features for control plane machines
You can enable features by updating values in the control plane machine set.
10.5.3.2.1. Configuring persistent disk types by using machine sets
You can configure the type of persistent disk that a machine set deploys machines on by editing the machine set YAML file.
For more information about persistent disk types, compatibility, regional availability, and limitations, see the GCP Compute Engine documentation about persistent disks.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following line under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Control plane nodes must use thepd-ssddisk type.
 
Verification
- 
									Using the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Typefield matches the configured disk type.
10.5.3.2.2. Configuring Confidential VM by using machine sets
By editing the machine set YAML file, you can configure the Confidential VM options that a machine set uses for machines that it deploys.
For more information about Confidential VM features, functions, and compatibility, see the GCP Compute Engine documentation about Confidential VM.
Confidential VMs are currently not supported on 64-bit ARM architectures. If you use Confidential VM, you must ensure that you select a supported region. For details on supported regions and configurations, see the GCP Compute Engine documentation about supported zones.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify whether Confidential VM is enabled. The following values are valid:- Enabled
- Enables Confidential VM with a default selection of Confidential VM technology. The default selection is AMD Secure Encrypted Virtualization (AMD SEV). Important- The - Enabledvalue selects Confidential Computing with AMD Secure Encrypted Virtualization (AMD SEV), which is deprecated.
- Disabled
- Disables Confidential VM.
- AMDEncryptedVirtualizationNestedPaging
- Enables Confidential VM using AMD Secure Encrypted Virtualization Secure Nested Paging (AMD SEV-SNP). AMD SEV-SNP supports n2d machines.
- AMDEncryptedVirtualization
- Enables Confidential VM using AMD SEV. AMD SEV supports c2d, n2d, and c3d machines. Important- The use of Confidential Computing with AMD Secure Encrypted Virtualization (AMD SEV) has been deprecated and will be removed in a future release. 
- IntelTrustedDomainExtensions
- Enables Confidential VM using Intel Trusted Domain Extensions (Intel TDX). Intel TDX supports n2d machines.
 
- 2
- Specify the behavior of the VM during a host maintenance event, such as a hardware or software update. For a machine that uses Confidential VM, this value must be set toTerminate, which stops the VM. Confidential VM does not support live VM migration.
- 3
- Specify a machine type that supports the Confidential VM option that you specified in theconfidentialComputefield.
 
Verification
- On the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Confidential VM options match the values that you configured.
10.5.3.2.3. Configuring Shielded VM options by using machine sets
By editing the machine set YAML file, you can configure the Shielded VM options that a machine set uses for machines that it deploys.
For more information about Shielded VM features and functionality, see the GCP Compute Engine documentation about Shielded VM.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following section under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- In this section, specify any Shielded VM options that you want.
- 2
- Specify whether integrity monitoring is enabled. Valid values areDisabledorEnabled.NoteWhen integrity monitoring is enabled, you must not disable virtual trusted platform module (vTPM). 
- 3
- Specify whether UEFI Secure Boot is enabled. Valid values areDisabledorEnabled.
- 4
- Specify whether vTPM is enabled. Valid values areDisabledorEnabled.
 
Verification
- Using the Google Cloud console, review the details for a machine deployed by the machine set and verify that the Shielded VM options match the values that you configured.
10.5.3.2.4. Enabling customer-managed encryption keys for a machine set
Google Cloud Platform (GCP) Compute Engine allows users to supply an encryption key to encrypt data on disks at rest. The key is used to encrypt the data encryption key, not to encrypt the customer’s data. By default, Compute Engine encrypts this data by using Compute Engine keys.
You can enable encryption with a customer-managed key in clusters that use the Machine API. You must first create a KMS key and assign the correct permissions to a service account. The KMS key name, key ring name, and location are required to allow a service account to use your key.
								If you do not want to use a dedicated service account for the KMS encryption, the Compute Engine default service account is used instead. You must grant the default service account permission to access the keys if you do not use a dedicated service account. The Compute Engine default service account name follows the service-<project_number>@compute-system.iam.gserviceaccount.com pattern.
							
Procedure
- To allow a specific service account to use your KMS key and to grant the service account the correct IAM role, run the following command with your KMS key name, key ring name, and location: - gcloud kms keys add-iam-policy-binding <key_name> \ --keyring <key_ring_name> \ --location <key_ring_location> \ --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter - $ gcloud kms keys add-iam-policy-binding <key_name> \ --keyring <key_ring_name> \ --location <key_ring_location> \ --member "serviceAccount:service-<project_number>@compute-system.iam.gserviceaccount.com” \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the encryption key under the - providerSpecfield in your machine set YAML file. For example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The name of the customer-managed encryption key that is used for the disk encryption.
- 2
- The name of the KMS key ring that the KMS key belongs to.
- 3
- The GCP location in which the KMS key ring exists.
- 4
- Optional: The ID of the project in which the KMS key ring exists. If a project ID is not set, the machine setprojectIDin which the machine set was created is used.
- 5
- Optional: The service account that is used for the encryption request for the given KMS key. If a service account is not set, the Compute Engine default service account is used.
 - When a new machine is created by using the updated - providerSpecobject configuration, the disk encryption key is encrypted with the KMS key.
10.5.4. Control plane configuration options for Nutanix
You can change the configuration of your Nutanix control plane machines by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.4.1. Sample YAML for configuring Nutanix clusters
The following example YAML snippet shows a provider specification configuration for a Nutanix cluster.
10.5.4.1.1. Sample Nutanix provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane machine custom resource (CR) that the installation program creates.
						
10.5.4.1.1.1. Values obtained by using the OpenShift CLI
In the following example, you can obtain some of the values for your cluster by using the OpenShift CLI.
- Infrastructure ID
- The - <cluster_id>string is the infrastructure ID that is based on the cluster ID that you set when you provisioned the cluster. If you have the OpenShift CLI installed, you can obtain the infrastructure ID by running the following command:- oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- $ oc get -o jsonpath='{.status.infrastructureName}{"\n"}' infrastructure cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Sample Nutanix providerSpec values
- 1
- Specifies the boot type that the control plane machines use. For more information about boot types, see Understanding UEFI, Secure Boot, and TPM in the Virtualized Environment. Valid values areLegacy,SecureBoot, orUEFI. The default isLegacy.NoteYou must use the Legacyboot type in OpenShift Container Platform 4.20.
- 2
- Specifies one or more Nutanix Prism categories to apply to control plane machines. This stanza requireskeyandvalueparameters for a category key-value pair that exists in Prism Central. For more information about categories, see Category management.
- 3
- Specifies a Nutanix Prism Element cluster configuration. In this example, the cluster type isuuid, so there is auuidstanza.NoteClusters that use OpenShift Container Platform version 4.15 or later can use failure domain configurations. If the cluster uses a failure domain, configure this parameter in the failure domain. If you specify this value in the provider specification when using failure domains, the Control Plane Machine Set Operator ignores it. 
- 4
- Specifies the secret name for the cluster. Do not change this value.
- 5
- Specifies the image that was used to create the disk.
- 6
- Specifies the cloud provider platform type. Do not change this value.
- 7
- Specifies the memory allocated for the control plane machines.
- 8
- Specifies the Nutanix project that you use for your cluster. In this example, the project type isname, so there is anamestanza.
- 9
- Specify one or more Prism Element subnet objects. In this example, the subnet type isuuid, so there is auuidstanza. A maximum of 32 subnets for each Prism Element failure domain in the cluster is supported.ImportantThe following known issues with configuring multiple subnets for an existing Nutanix cluster by using a control plane machine set exist in OpenShift Container Platform version 4.18: - 
													Adding subnets above the existing subnet in the subnetsstanza causes a control plane node to become stuck in theDeletingstate. As a workaround, only add subnets below the existing subnet in thesubnetsstanza.
- Sometimes, after adding a subnet, the updated control plane machines appear in the Nutanix console but the OpenShift Container Platform cluster is unreachable. There is no workaround for this issue.
 These issues occur on clusters that use a control plane machine set to configure subnets regardless of whether subnets are specified in a failure domain or the provider specification. For more information, see OCPBUGS-50904. The CIDR IP address prefix for one of the specified subnets must contain the virtual IP addresses that the OpenShift Container Platform cluster uses. All subnet UUID values must be unique. NoteClusters that use OpenShift Container Platform version 4.15 or later can use failure domain configurations. If the cluster uses a failure domain, configure this parameter in the failure domain. If you specify this value in the provider specification when using failure domains, the Control Plane Machine Set Operator ignores it. 
- 
													Adding subnets above the existing subnet in the 
- 10
- Specifies the VM disk size for the control plane machines.
- 11
- Specifies the control plane user data secret. Do not change this value.
- 12
- Specifies the number of vCPU sockets allocated for the control plane machines.
- 13
- Specifies the number of vCPUs for each control plane vCPU socket.
10.5.4.1.2. Failure domains for Nutanix clusters
To add or update the failure domain configuration on a Nutanix cluster, you must make coordinated changes to several resources. The following actions are required:
- Modify the cluster infrastructure custom resource (CR).
- Modify the cluster control plane machine set CR.
- Modify or replace the compute machine set CRs.
For more information, see "Adding failure domains to an existing Nutanix cluster" in the Post-installation configuration content.
10.5.5. Control plane configuration options for Red Hat OpenStack Platform
You can change the configuration of your Red Hat OpenStack Platform (RHOSP) control plane machines and enable features by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.5.1. Sample YAML for configuring Red Hat OpenStack Platform (RHOSP) clusters
The following example YAML snippets show provider specification and failure domain configurations for an RHOSP cluster.
10.5.5.1.1. Sample RHOSP provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane machine custom resource (CR) that the installation program creates.
						
Sample OpenStack providerSpec values
10.5.5.1.2. Sample RHOSP failure domain configuration
							The control plane machine set concept of a failure domain is analogous to the existing Red Hat OpenStack Platform (RHOSP) concept of an availability zone. The ControlPlaneMachineSet CR spreads control plane machines across multiple failure domains when possible.
						
The following example demonstrates the use of multiple Nova availability zones as well as Cinder availability zones.
Sample OpenStack failure domain values
10.5.5.2. Enabling Red Hat OpenStack Platform (RHOSP) features for control plane machines
You can enable features by updating values in the control plane machine set.
10.5.5.2.1. Changing the RHOSP compute flavor by using a control plane machine set
You can change the Red Hat OpenStack Platform (RHOSP) compute service (Nova) flavor that your control plane machines use by updating the specification in the control plane machine set custom resource.
In RHOSP, flavors define the compute, memory, and storage capacity of computing instances. By increasing or decreasing the flavor size, you can scale your control plane vertically.
Prerequisites
- Your RHOSP cluster uses a control plane machine set.
Procedure
- Edit the following line under the - providerSpecfield:- providerSpec: value: # ... flavor: m1.xlarge- providerSpec: value: # ... flavor: m1.xlarge- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a RHOSP flavor type that has the same base as the existing selection. For example, you can changem6i.xlargetom6i.2xlargeorm6i.4xlarge. You can choose larger or smaller flavors depending on your vertical scaling needs.
 
- Save your changes.
After you save your changes, machines are replaced with ones that use the flavor you chose.
10.5.6. Control plane configuration options for VMware vSphere
You can change the configuration of your VMware vSphere control plane machines by updating values in the control plane machine set. When you save an update to the control plane machine set, the Control Plane Machine Set Operator updates the control plane machines according to your configured update strategy.
10.5.6.1. Sample YAML for configuring VMware vSphere clusters
The following example YAML snippets show provider specification and failure domain configurations for a vSphere cluster.
10.5.6.1.1. Sample VMware vSphere provider specification
							When you create a control plane machine set for an existing cluster, the provider specification must match the providerSpec configuration in the control plane machine custom resource (CR) that the installation program creates.
						
Sample vSphere providerSpec values
- 1
- Specifies the secret name for the cluster. Do not change this value.
- 2
- Specifies one or more data disk definitions. For more information, see "Configuring data disks by using machine sets".
- 3
- Specifies the VM disk size for the control plane machines.
- 4
- Specifies the cloud provider platform type. Do not change this value.
- 5
- Specifies the memory allocated for the control plane machines.
- 6
- Specifies the network on which the control plane is deployed.NoteIf the cluster is configured to use a failure domain, this parameter is configured in the failure domain. If you specify this value in the provider specification when using failure domains, the Control Plane Machine Set Operator ignores it. 
- 7
- Specifies the number of CPUs allocated for the control plane machines.
- 8
- Specifies the number of cores for each control plane CPU.
- 9
- Specifies the vSphere VM template to use, such asuser-5ddjd-rhcos.NoteIf the cluster is configured to use a failure domain, this parameter is configured in the failure domain. If you specify this value in the provider specification when using failure domains, the Control Plane Machine Set Operator ignores it. 
- 10
- Specifies the control plane user data secret. Do not change this value.
- 11
- Specifies the workspace details for the control plane.NoteIf the cluster is configured to use a failure domain, these parameters are configured in the failure domain. If you specify these values in the provider specification when using failure domains, the Control Plane Machine Set Operator ignores them. 
- 12
- Specifies the vCenter datacenter for the control plane.
- 13
- Specifies the vCenter datastore for the control plane.
- 14
- Specifies the path to the vSphere VM folder in vCenter, such as/dc1/vm/user-inst-5ddjd.
- 15
- Specifies the vSphere resource pool for your VMs.
- 16
- Specifies the vCenter server IP or fully qualified domain name.
10.5.6.1.2. Sample VMware vSphere failure domain configuration
							On VMware vSphere infrastructure, the cluster-wide infrastructure Custom Resource Definition (CRD), infrastructures.config.openshift.io, defines failure domains for your cluster. The providerSpec in the ControlPlaneMachineSet custom resource (CR) specifies names for failure domains that the control plane machine set uses to ensure control plane nodes are deployed to the appropriate failure domain. A failure domain is an infrastructure resource made up of a control plane machine set, a vCenter data center, vCenter datastore, and a network.
						
By using a failure domain resource, you can use a control plane machine set to deploy control plane machines on separate clusters or data centers. A control plane machine set also balances control plane machines across defined failure domains to provide fault tolerance capabilities to your infrastructure.
								If you modify the ProviderSpec configuration in the ControlPlaneMachineSet CR, the control plane machine set updates all control plane machines deployed on the primary infrastructure and each failure domain infrastructure.
							
Sample VMware vSphere failure domain values
- 1
- Specifies the vCenter location for OpenShift Container Platform cluster nodes.
- 2
- Specifies failure domains by name for the control plane machine set.ImportantEach namefield value in this section must match the corresponding value in thefailureDomains.namefield of the cluster-wide infrastructure CRD. You can find the value of thefailureDomains.namefield by running the following command:oc get infrastructure cluster -o=jsonpath={.spec.platformSpec.vsphere.failureDomains[0].name}$ oc get infrastructure cluster -o=jsonpath={.spec.platformSpec.vsphere.failureDomains[0].name}Copy to Clipboard Copied! Toggle word wrap Toggle overflow The namefield is the only supported failure domain field that you can specify in theControlPlaneMachineSetCR.
For an example of a cluster-wide infrastructure CRD that defines resources for each failure domain, see "Specifying multiple regions and zones for your cluster on vSphere."
10.5.6.2. Enabling VMware vSphere features for control plane machines
You can enable features by updating values in the control plane machine set.
10.5.6.2.1. Adding tags to machines by using machine sets
OpenShift Container Platform adds a cluster-specific tag to each virtual machine (VM) that it creates. The installation program uses these tags to select the VMs to delete when uninstalling a cluster.
In addition to the cluster-specific tags assigned to VMs, you can configure a machine set to add up to 10 additional vSphere tags to the VMs it provisions.
Prerequisites
- 
									You have access to an OpenShift Container Platform cluster installed on vSphere using an account with cluster-adminpermissions.
- You have access to the VMware vCenter console associated with your cluster.
- You have created a tag in the vCenter console.
- 
									You have installed the OpenShift CLI (oc).
Procedure
- Use the vCenter console to find the tag ID for any tag that you want to add to your machines: - Log in to the vCenter console.
- From the Home menu, click Tags & Custom Attributes.
- Select a tag that you want to add to your machines.
- Use the browser URL for the tag that you select to identify the tag ID. - Example tag URL - https://vcenter.example.com/ui/app/tags/tag/urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL/permissions - https://vcenter.example.com/ui/app/tags/tag/urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL/permissions- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example tag ID - urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL - urn:vmomi:InventoryServiceTag:208e713c-cae3-4b7f-918e-4051ca7d1f97:GLOBAL- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
10.5.6.2.2. Configuring data disks by using machine sets
OpenShift Container Platform clusters on VMware vSphere support adding up to 29 disks to the virtual machine (VM) controller.
Configuring vSphere data disks is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
By configuring data disks, you can attach disks to VMs and use them to store data for etcd, container images, and other uses. Separating data can help avoid filling the primary disk so that important activities such as upgrades have the resources that they require.
Adding data disks attaches them to the VM and mounts them to the location that RHCOS designates.
Prerequisites
- 
									You have administrator access to OpenShift CLI (oc) for an OpenShift Container Platform cluster on vSphere.
Procedure
- In a text editor, open the YAML file for an existing machine set or create a new one.
- Edit the following lines under the - providerSpecfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a collection of 1-29 data disk definitions. This sample configuration shows the formatting to include two data disk definitions.
- 2
- Specify the name of the data disk. The name must meet the following requirements:- Start and end with an alphanumeric character
- 
													Consist only of alphanumeric characters, hyphens (-), and underscores (_)
- Have a maximum length of 80 characters
 
- 3
- Specify the data disk provisioning method. This value defaults to the vSphere default storage policy if not set. Valid values areThin,Thick, andEagerlyZeroed.
- 4
- Specify the size of the data disk in GiB. The maximum size is 16384 GiB.
 
10.6. Control plane resiliency and recovery
You can use the control plane machine set to improve the resiliency of the control plane for your OpenShift Container Platform cluster.
10.6.1. High availability and fault tolerance with failure domains
When possible, the control plane machine set spreads the control plane machines across multiple failure domains. This configuration provides high availability and fault tolerance within the control plane. This strategy can help protect the control plane when issues arise within the infrastructure provider.
10.6.1.1. Failure domain platform support and configuration
The control plane machine set concept of a failure domain is analogous to existing concepts on cloud providers. Not all platforms support the use of failure domains.
| Cloud provider | Support for failure domains | Provider nomenclature | 
|---|---|---|
| Amazon Web Services (AWS) | X | |
| Google Cloud Platform (GCP) | X | |
| Microsoft Azure | X | |
| Nutanix | X | |
| Red Hat OpenStack Platform (RHOSP) | X | OpenStack Nova availability zones and OpenStack Cinder availability zones | 
| VMware vSphere | X | failure domain mapped to a vSphere Zone [1] | 
- For more information, see "Regions and zones for a VMware vCenter".
The failure domain configuration in the control plane machine set custom resource (CR) is platform-specific. For more information about failure domain parameters in the CR, see the sample failure domain configuration for your provider.
10.6.1.2. Balancing control plane machines
The control plane machine set balances control plane machines across the failure domains that are specified in the custom resource (CR).
When possible, the control plane machine set uses each failure domain equally to ensure appropriate fault tolerance. If there are fewer failure domains than control plane machines, failure domains are selected for reuse alphabetically by name. For clusters with no failure domains specified, all control plane machines are placed within a single failure domain.
Some changes to the failure domain configuration cause the control plane machine set to rebalance the control plane machines. For example, if you add failure domains to a cluster with fewer failure domains than control plane machines, the control plane machine set rebalances the machines across all available failure domains.
10.6.2. Recovery of failed control plane machines
					The Control Plane Machine Set Operator automates the recovery of control plane machines. When a control plane machine is deleted, the Operator creates a replacement with the configuration that is specified in the ControlPlaneMachineSet custom resource (CR).
				
For clusters that use control plane machine sets, you can configure a machine health check. The machine health check deletes unhealthy control plane machines so that they are replaced.
						If you configure a MachineHealthCheck resource for the control plane, set the value of maxUnhealthy to 1.
					
This configuration ensures that the machine health check takes no action when multiple control plane machines appear to be unhealthy. Multiple unhealthy control plane machines can indicate that the etcd cluster is degraded or that a scaling operation to replace a failed machine is in progress.
If the etcd cluster is degraded, manual intervention might be required. If a scaling operation is in progress, the machine health check should allow it to finish.
10.6.3. Quorum protection with machine lifecycle hooks
For OpenShift Container Platform clusters that use the Machine API Operator, the etcd Operator uses lifecycle hooks for the machine deletion phase to implement a quorum protection mechanism.
					By using a preDrain lifecycle hook, the etcd Operator can control when the pods on a control plane machine are drained and removed. To protect etcd quorum, the etcd Operator prevents the removal of an etcd member until it migrates that member onto a new node within the cluster.
				
This mechanism allows the etcd Operator precise control over the members of the etcd quorum and allows the Machine API Operator to safely create and remove control plane machines without specific operational knowledge of the etcd cluster.
10.6.3.1. Control plane deletion with quorum protection processing order
When a control plane machine is replaced on a cluster that uses a control plane machine set, the cluster temporarily has four control plane machines. When the fourth control plane node joins the cluster, the etcd Operator starts a new etcd member on the replacement node. When the etcd Operator observes that the old control plane machine is marked for deletion, it stops the etcd member on the old node and promotes the replacement etcd member to join the quorum of the cluster.
						The control plane machine Deleting phase proceeds in the following order:
					
- A control plane machine is slated for deletion.
- 
								The control plane machine enters the Deletingphase.
- To satisfy the - preDrainlifecycle hook, the etcd Operator takes the following actions:- 
										The etcd Operator waits until a fourth control plane machine is added to the cluster as an etcd member. This new etcd member has a state of Runningbut notreadyuntil it receives the full database update from the etcd leader.
- When the new etcd member receives the full database update, the etcd Operator promotes the new etcd member to a voting member and removes the old etcd member from the cluster.
 - After this transition is complete, it is safe for the old etcd pod and its data to be removed, so the - preDrainlifecycle hook is removed.
- 
										The etcd Operator waits until a fourth control plane machine is added to the cluster as an etcd member. This new etcd member has a state of 
- 
								The control plane machine status condition Drainableis set toTrue.
- The machine controller attempts to drain the node that is backed by the control plane machine. - 
										If draining fails, Drainedis set toFalseand the machine controller attempts to drain the node again.
- 
										If draining succeeds, Drainedis set toTrue.
 
- 
										If draining fails, 
- 
								The control plane machine status condition Drainedis set toTrue.
- 
								If no other Operators have added a preTerminatelifecycle hook, the control plane machine status conditionTerminableis set toTrue.
- The machine controller removes the instance from the infrastructure provider.
- 
								The machine controller deletes the Nodeobject.
YAML snippet demonstrating the etcd quorum protection preDrain lifecycle hook
10.7. Troubleshooting the control plane machine set
Use the information in this section to understand and recover from issues you might encounter.
10.7.1. Checking the control plane machine set custom resource state
					You can verify the existence and state of the ControlPlaneMachineSet custom resource (CR).
				
Procedure
- Determine the state of the CR by running the following command: - oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api - $ oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 
									A result of Activeindicates that theControlPlaneMachineSetCR exists and is activated. No administrator action is required.
- 
									A result of Inactiveindicates that aControlPlaneMachineSetCR exists but is not activated.
- 
									A result of NotFoundindicates that there is no existingControlPlaneMachineSetCR.
 
- 
									A result of 
Next steps
						To use the control plane machine set, you must ensure that a ControlPlaneMachineSet CR with the correct settings for your cluster exists.
					
- If your cluster has an existing CR, you must verify that the configuration in the CR is correct for your cluster.
- If your cluster does not have an existing CR, you must create one with the correct configuration for your cluster.
10.7.2. Adding a missing Azure internal load balancer
					The internalLoadBalancer parameter is required in both the ControlPlaneMachineSet and control plane Machine custom resources (CRs) for Azure. If this parameter is not preconfigured on your cluster, you must add it to both CRs.
				
					For more information about where this parameter is located in the Azure provider specification, see the sample Azure provider specification. The placement in the control plane Machine CR is similar.
				
Procedure
- List the control plane machines in your cluster by running the following command: - oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api - $ oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For each control plane machine, edit the CR by running the following command: - oc edit machine <control_plane_machine_name> - $ oc edit machine <control_plane_machine_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Add the internalLoadBalancerparameter with the correct details for your cluster and save your changes.
- Edit your control plane machine set CR by running the following command: - oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api - $ oc edit controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
							Add the internalLoadBalancerparameter with the correct details for your cluster and save your changes.
Next steps
- 
							For clusters that use the default RollingUpdateupdate strategy, the Operator automatically propagates the changes to your control plane configuration.
- 
							For clusters that are configured to use the OnDeleteupdate strategy, you must replace your control plane machines manually.
10.7.3. Recovering a degraded etcd Operator
Certain situations can cause the etcd Operator to become degraded.
For example, while performing remediation, the machine health check might delete a control plane machine that is hosting etcd. If the etcd member is not reachable at that time, the etcd Operator becomes degraded.
When the etcd Operator is degraded, manual intervention is required to force the Operator to remove the failed member and restore the cluster state.
Procedure
- List the control plane machines in your cluster by running the following command: - oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api \ -o wide - $ oc get machines \ -l machine.openshift.io/cluster-api-machine-role==master \ -n openshift-machine-api \ -o wide- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Any of the following conditions might indicate a failed control plane machine: - 
									The STATEvalue isstopped.
- 
									The PHASEvalue isFailed.
- 
									The PHASEvalue isDeletingfor more than ten minutes.
 Important- Before continuing, ensure that your cluster has two healthy control plane machines. Performing the actions in this procedure on more than one control plane machine risks losing etcd quorum and can cause data loss. - If you have lost the majority of your control plane hosts, leading to etcd quorum loss, then you must follow the disaster recovery procedure "Restoring to a previous cluster state" instead of this procedure. 
- 
									The 
- Edit the machine CR for the failed control plane machine by running the following command: - oc edit machine <control_plane_machine_name> - $ oc edit machine <control_plane_machine_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Remove the contents of the - lifecycleHooksparameter from the failed control plane machine and save your changes.- The etcd Operator removes the failed machine from the cluster and can then safely add new etcd members. 
10.7.4. Upgrading clusters that run on RHOSP
For clusters that run on Red Hat OpenStack Platform (RHOSP) that were created with OpenShift Container Platform 4.13 or earlier, you might have to perform post-upgrade tasks before you can use control plane machine sets.
10.7.4.1. Configuring RHOSP clusters that have machines with root volume availability zones after an upgrade
For some clusters that run on Red Hat OpenStack Platform (RHOSP) that you upgrade, you must manually update machine resources before you can use control plane machine sets if the following configurations are true:
- The upgraded cluster was created with OpenShift Container Platform 4.13 or earlier.
- The cluster infrastructure is installer-provisioned.
- Machines were distributed across multiple availability zones.
- Machines were configured to use root volumes for which block storage availability zones were not defined.
To understand why this procedure is necessary, see Solution #7024383.
Procedure
- For all control plane machines, edit the provider spec for all control plane machines that match the environment. For example, to edit the machine - master-0, enter the following command:- oc edit machine/<cluster_id>-master-0 -n openshift-machine-api - $ oc edit machine/<cluster_id>-master-0 -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <cluster_id>
- Specifies the ID of the upgraded cluster.
 
- In the provider spec, set the value of the property - rootVolume.availabilityZoneto the volume of the availability zone you want to use.- An example RHOSP provider spec - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Set the zone name as this value.
 Note- If you edited or recreated machine resources after your initial cluster deployment, you might have to adapt these steps for your configuration. - In your RHOSP cluster, find the availability zone of the root volumes for your machines and use that as the value. 
- Run the following command to retrieve information about the control plane machine set resource: - oc describe controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api - $ oc describe controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the following command to edit the resource: - oc edit controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api - $ oc edit controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								For that resource, set the value of the spec.stateproperty toActiveto activate control plane machine sets for your cluster.
Your control plane is ready to be managed by the Cluster Control Plane Machine Set Operator.
10.7.4.2. Configuring RHOSP clusters that have control plane machines with availability zones after an upgrade
For some clusters that run on Red Hat OpenStack Platform (RHOSP) that you upgrade, you must manually update machine resources before you can use control plane machine sets if the following configurations are true:
- The upgraded cluster was created with OpenShift Container Platform 4.13 or earlier.
- The cluster infrastructure is installer-provisioned.
- Control plane machines were distributed across multiple compute availability zones.
To understand why this procedure is necessary, see Solution #7013893.
Procedure
- For the - master-1and- master-2control plane machines, open the provider specs for editing. For example, to edit the first machine, enter the following command:- oc edit machine/<cluster_id>-master-1 -n openshift-machine-api - $ oc edit machine/<cluster_id>-master-1 -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <cluster_id>
- Specifies the ID of the upgraded cluster.
 
- For the - master-1and- master-2control plane machines, edit the value of the- serverGroupNameproperty in their provider specs to match that of the machine- master-0.- An example RHOSP provider spec - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- This value must match for machinesmaster-0,master-1, andmaster-3.
 Note- If you edited or recreated machine resources after your initial cluster deployment, you might have to adapt these steps for your configuration. - In your RHOSP cluster, find the server group that your control plane instances are in and use that as the value. 
- Run the following command to retrieve information about the control plane machine set resource: - oc describe controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api - $ oc describe controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the following command to edit the resource: - oc edit controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api - $ oc edit controlplanemachineset.machine.openshift.io/cluster --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- 
								For that resource, set the value of the spec.stateproperty toActiveto activate control plane machine sets for your cluster.
Your control plane is ready to be managed by the Cluster Control Plane Machine Set Operator.
10.8. Disabling the control plane machine set
				The .spec.state field in an activated ControlPlaneMachineSet custom resource (CR) cannot be changed from Active to Inactive. To disable the control plane machine set, you must delete the CR so that it is removed from the cluster.
			
When you delete the CR, the Control Plane Machine Set Operator performs cleanup operations and disables the control plane machine set. The Operator then removes the CR from the cluster and creates an inactive control plane machine set with default settings.
10.8.1. Deleting the control plane machine set
					To stop managing control plane machines with the control plane machine set on your cluster, you must delete the ControlPlaneMachineSet custom resource (CR).
				
Procedure
- Delete the control plane machine set CR by running the following command: - oc delete controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api - $ oc delete controlplanemachineset.machine.openshift.io cluster \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- 
							Check the control plane machine set custom resource state. A result of Inactiveindicates that the removal and replacement process is successful. AControlPlaneMachineSetCR exists but is not activated.
10.8.2. Checking the control plane machine set custom resource state
					You can verify the existence and state of the ControlPlaneMachineSet custom resource (CR).
				
Procedure
- Determine the state of the CR by running the following command: - oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api - $ oc get controlplanemachineset.machine.openshift.io cluster \ --namespace openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 
									A result of Activeindicates that theControlPlaneMachineSetCR exists and is activated. No administrator action is required.
- 
									A result of Inactiveindicates that aControlPlaneMachineSetCR exists but is not activated.
- 
									A result of NotFoundindicates that there is no existingControlPlaneMachineSetCR.
 
- 
									A result of 
10.8.3. Re-enabling the control plane machine set
To re-enable the control plane machine set, you must ensure that the configuration in the CR is correct for your cluster and activate it.
10.9. Manually scaling control plane machines
When installing a cluster on bare-metal infrastructure, you can manually scale up to 4 or 5 control plane nodes for your cluster. Consider this use case in situations where you need to recover your cluster from a degraded state, perform deep-level debugging, or ensure stability and security of the control planes in complex scenarios.
Red Hat supports a cluster that has 4 or 5 control plane nodes only on bare-metal infrastructure.
10.9.1. Adding a control plane node to your cluster
					When installing a cluster on bare-metal infrastructure, you can manually scale up to 4 or 5 control plane nodes for your cluster. The example in the procedure uses node-5 as the new control plane node.
				
Prerequisites
- You have installed a healthy cluster with at least three control plane nodes.
- You have created a single control plane node that you intend to add to your cluster as a postinstalltion task.
Procedure
- Retrieve pending Certificate Signing Requests (CSRs) for the new control plane node by entering the following command: - oc get csr | grep Pending - $ oc get csr | grep Pending- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Approve all pending CSRs for the control plane node by entering the following command: - oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Important- You must approve the CSRs to complete the installation. 
- Confirm that the control plane node is in the - Readystatus by entering the following command:- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- On installer-provisioned infrastructure, the etcd Operator relies on the Machine API to manage the control plane and ensure etcd quorum. The Machine API then uses - MachineCRs to represent and manage the underlying control plane nodes.
- Create the - BareMetalHostand- MachineCRs and link them to the- NodeCR of the control plane node.- Create the - BareMetalHostCR with a unique- .metadata.namevalue as demonstrated in the following example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the - BareMetalHostCR by entering the following command:- oc apply -f <filename> - $ oc apply -f <filename>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace <filename> with the name of theBareMetalHostCR.
 
- Create the - MachineCR by using the unique- .metadata.namevalue as demonstrated in the following example:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<cluster_name>with the name of the specific cluster, for example,test-day2-1-6qv96.
 
- Get the cluster name by running the following command: - oc get infrastructure cluster -o=jsonpath='{.status.infrastructureName}{"\n"}'- $ oc get infrastructure cluster -o=jsonpath='{.status.infrastructureName}{"\n"}'- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Apply the - MachineCR by entering the following command:- oc apply -f <filename> - $ oc apply -f <filename>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Replace<filename>with the name of theMachineCR.
 
- Link - BareMetalHost,- Machine, and- Nodeobjects by running the- link-machine-and-node.shscript:- Copy the following - link-machine-and-node.shscript to a local machine:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Make the script executable by entering the following command: - chmod +x link-machine-and-node.sh - $ chmod +x link-machine-and-node.sh- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Run the script by entering the following command: - bash link-machine-and-node.sh node-5 node-5 - $ bash link-machine-and-node.sh node-5 node-5- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow Note- The first - node-5instance represents the machine, and the second instance represents the node.
 
 
Verification
- Confirm members of etcd by executing into one of the pre-existing control plane nodes: - Open a remote shell session to the control plane node by entering the following command: - oc rsh -n openshift-etcd etcd-node-0 - $ oc rsh -n openshift-etcd etcd-node-0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- List etcd members: - etcdctl member list -w table - # etcdctl member list -w table- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Check the etcd Operator configuration process until completion by entering the following command. Expected output shows - Falseunder the- PROGRESSINGcolumn.- oc get clusteroperator etcd - $ oc get clusteroperator etcd- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm etcd health by running the following commands: - Open a remote shell session to the control plane node: - oc rsh -n openshift-etcd etcd-node-0 - $ oc rsh -n openshift-etcd etcd-node-0- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Check endpoint health. Expected output shows - is healthyfor the endpoint.- etcdctl endpoint health - # etcdctl endpoint health- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Verify that all nodes are ready by entering the following command. The expected output shows the - Readystatus beside each node entry.- oc get nodes - $ oc get nodes- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the cluster Operators are all available by entering the following command. Expected output lists each Operator and shows the available status as - Truebeside each listed Operator.- oc get ClusterOperators - $ oc get ClusterOperators- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Verify that the cluster version is correct by entering the following command: - oc get ClusterVersion - $ oc get ClusterVersion- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version OpenShift Container Platform.5 True False 5h57m Cluster version is OpenShift Container Platform.5 - NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version OpenShift Container Platform.5 True False 5h57m Cluster version is OpenShift Container Platform.5- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Chapter 11. Managing machines with the Cluster API
11.1. About the Cluster API
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
The Cluster API is an upstream project that is integrated into OpenShift Container Platform as a Technology Preview for Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Red Hat OpenStack Platform (RHOSP), VMware vSphere, and bare metal.
11.1.1. Cluster API overview
You can use the Cluster API to create and manage compute machine sets and compute machines in your OpenShift Container Platform cluster. This capability is in addition or an alternative to managing machines with the Machine API.
For OpenShift Container Platform 4.20 clusters, you can use the Cluster API to perform node host provisioning management actions after the cluster installation finishes. This system enables an elastic, dynamic provisioning method on top of public or private cloud infrastructure.
With the Cluster API Technology Preview, you can create compute machines and compute machine sets on OpenShift Container Platform clusters for supported providers. You can also explore the features that are enabled by this implementation that might not be available with the Machine API.
11.1.1.1. Cluster API benefits
By using the Cluster API, OpenShift Container Platform users and developers gain the following advantages:
- The option to use upstream community Cluster API infrastructure providers that might not be supported by the Machine API.
- The opportunity to collaborate with third parties who maintain machine controllers for infrastructure providers.
- The ability to use the same set of Kubernetes tools for infrastructure management in OpenShift Container Platform.
- The ability to create compute machine sets by using the Cluster API that support features that are not available with the Machine API.
11.1.1.2. Cluster API limitations
Using the Cluster API to manage machines is a Technology Preview feature and has the following limitations:
- To use this feature, you must enable the - TechPreviewNoUpgradefeature set.Important- Enabling this feature set cannot be undone and prevents minor version updates. 
- Only Amazon Web Services (AWS), Google Cloud, Microsoft Azure, Red Hat OpenStack Platform (RHOSP), VMware vSphere, and bare-metal clusters can use the Cluster API.
- You must manually create some of the primary resources that the Cluster API requires. For more information, see "Getting started with the Cluster API".
- You cannot use the Cluster API to manage control plane machines.
- Migration of existing compute machine sets created by the Machine API to Cluster API compute machine sets is not supported.
- Full feature parity with the Machine API is not available.
- For clusters that use the Cluster API, OpenShift CLI ( - oc) commands prioritize Cluster API objects over Machine API objects. This behavior impacts any- occommand that acts upon any object that is represented in both the Cluster API and the Machine API.- For more information and a workaround for this issue, see "Referencing the intended objects when using the CLI" in the troubleshooting content. 
11.1.2. Cluster API architecture
					The OpenShift Container Platform integration of the upstream Cluster API is implemented and managed by the Cluster CAPI Operator. The Cluster CAPI Operator and its operands are provisioned in the openshift-cluster-api namespace, in contrast to the Machine API, which uses the openshift-machine-api namespace.
				
11.1.2.1. The Cluster CAPI Operator
The Cluster CAPI Operator is an OpenShift Container Platform Operator that maintains the lifecycle of Cluster API resources. This Operator is responsible for all administrative tasks related to deploying the Cluster API project within an OpenShift Container Platform cluster.
If a cluster is configured correctly to allow the use of the Cluster API, the Cluster CAPI Operator installs the Cluster API components on the cluster.
For more information, see the "Cluster CAPI Operator" entry in the Cluster Operators reference content.
11.1.2.2. Cluster API primary resources
						The Cluster API consists of the following primary resources. For the Technology Preview of this feature, you must create some of these resources manually in the openshift-cluster-api namespace.
					
- Cluster
- A fundamental unit that represents a cluster that is managed by the Cluster API.
- Infrastructure cluster
- A provider-specific resource that defines properties that all of the compute machine sets in the cluster share, such as the region and subnets.
- Machine template
- A provider-specific template that defines the properties of the machines that a compute machine set creates.
- Machine set
- A group of machines. - Compute machine sets are to machines as replica sets are to pods. To add machines or scale them down, change the - replicasfield on the compute machine set custom resource to meet your compute needs.- With the Cluster API, a compute machine set references a - Clusterobject and a provider-specific machine template.
- Machine
- A fundamental unit that describes the host for a node. - The Cluster API creates machines based on the configuration in the machine template. 
11.2. Getting started with the Cluster API
The Machine API and Cluster API are distinct API groups that have similar resources. You can use these API groups to automate the management of infrastructure resources on your OpenShift Container Platform cluster.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
				When you install a standard OpenShift Container Platform cluster that has three control plane nodes, three compute nodes, and uses the default configuration options, the installation program provisions the following infrastructure resources in the openshift-machine-api namespace
			
- One control plane machine set that manages three control plane machines.
- One or more compute machine sets that manage three compute machines.
- One machine health check that manages spot instances.
				When you install a cluster that supports managing infrastructure resources with the Cluster API, the installation program provisions the following resources in the openshift-cluster-api namespace:
			
- One cluster resource.
- One provider-specific infrastructure cluster resource.
On clusters that support migrating Machine API resources to Cluster API resources, a two-way synchronization controller creates these primary resources automatically. For more information, see Migrating Machine API resources to Cluster API resources.
11.2.1. Creating the Cluster API primary resources
					For clusters that do not support migrating Machine API resources to Cluster API resources, you must manually create the following Cluster API resources in the openshift-cluster-api namespace:
				
- One or more machine templates that correspond to compute machine sets.
- One or more compute machine sets that manage three compute machines.
11.2.1.1. Creating a Cluster API machine template
						You can create a provider-specific machine template resource by creating a YAML manifest file and applying it with the OpenShift CLI (oc).
					
Prerequisites
- You have deployed an OpenShift Container Platform cluster.
- You have enabled the use of the Cluster API.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- Create a YAML file similar to the following. This procedure uses - <machine_template_resource_file>.yamlas an example file name.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the machine template kind. This value must match the value for your platform. The following values are valid:Expand Cluster infrastructure provider Value Amazon Web Services (AWS) AWSMachineTemplateGoogle Cloud GCPMachineTemplateMicrosoft Azure AzureMachineTemplateRed Hat OpenStack Platform (RHOSP) OpenStackMachineTemplateVMware vSphere VSphereMachineTemplateBare metal Metal3MachineTemplate
- 2
- Specify a name for the machine template.
- 3
- Specify the details for your environment. These parameters are provider specific. For more information, see the sample Cluster API machine template YAML for your provider.
 
- Create the machine template CR by running the following command: - oc create -f <machine_template_resource_file>.yaml - $ oc create -f <machine_template_resource_file>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Verification
- Confirm that the machine template CR is created by running the following command: - oc get <machine_template_kind> -n openshift-cluster-api - $ oc get <machine_template_kind> -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_template_kind>is the value that corresponds to your platform.- Example output - NAME AGE <template_name> 77m - NAME AGE <template_name> 77m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.2.1.2. Creating a Cluster API compute machine set
You can create compute machine sets that use the Cluster API to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
- You have deployed an OpenShift Container Platform cluster.
- You have enabled the use of the Cluster API.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
- You have created the machine template resource.
Procedure
- Create a YAML file similar to the following. This procedure uses - <machine_set_resource_file>.yamlas an example file name.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2
- Specify the name of the cluster. Obtain the value of the cluster ID by running the following command:oc get infrastructure cluster \ -o jsonpath='{.status.infrastructureName}'$ oc get infrastructure cluster \ -o jsonpath='{.status.infrastructureName}'Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
- 3
- Specify the details for your environment. These parameters are provider specific. For more information, see the sample Cluster API compute machine set YAML for your provider.
 
- Create the compute machine set CR by running the following command: - oc create -f <machine_set_resource_file>.yaml - $ oc create -f <machine_set_resource_file>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Confirm that the compute machine set CR is created by running the following command: - oc get machineset.cluster.x-k8s.io -n openshift-cluster-api - $ oc get machineset.cluster.x-k8s.io -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CLUSTER REPLICAS READY AVAILABLE AGE VERSION <machine_set_name> <cluster_name> 1 1 1 17m - NAME CLUSTER REPLICAS READY AVAILABLE AGE VERSION <machine_set_name> <cluster_name> 1 1 1 17m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new compute machine set is available, the - REPLICASand- AVAILABLEvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
Verification
- To verify that the compute machine set is creating machines according to your required configuration, review the lists of machines and nodes in the cluster by running the following commands: - View the list of Cluster API machines: - oc get machine.cluster.x-k8s.io -n openshift-cluster-api - $ oc get machine.cluster.x-k8s.io -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_set_name>-<string_id> <cluster_name> <ip_address>.<region>.compute.internal <provider_id> Running 8m23s - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_set_name>-<string_id> <cluster_name> <ip_address>.<region>.compute.internal <provider_id> Running 8m23s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- View the list of nodes: - oc get node - $ oc get node- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME STATUS ROLES AGE VERSION <ip_address_1>.<region>.compute.internal Ready worker 5h14m v1.28.5 <ip_address_2>.<region>.compute.internal Ready master 5h19m v1.28.5 <ip_address_3>.<region>.compute.internal Ready worker 7m v1.28.5 - NAME STATUS ROLES AGE VERSION <ip_address_1>.<region>.compute.internal Ready worker 5h14m v1.28.5 <ip_address_2>.<region>.compute.internal Ready master 5h19m v1.28.5 <ip_address_3>.<region>.compute.internal Ready worker 7m v1.28.5- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
11.2.2. Migrating Machine API resources to Cluster API resources
					On clusters that support migrating Machine API resources to Cluster API resources, a two-way synchronization controller creates the following Cluster API resources in the openshift-cluster-api namespace:
				
- One or more machine templates that correspond to compute machine sets.
- One or more compute machine sets that manage three compute machines.
- One or more Cluster API compute machines that correspond to each Machine API compute machine.
						The two-way synchronization controller only operates on clusters with the MachineAPIMigration feature gate in the TechPreviewNoUpgrade feature set enabled.
					
					These Cluster API resources correspond to the resources that the installation program provisions in the openshift-machine-api namespace for a cluster that uses the default configuration options. The Cluster API resources have the same names as their Machine API counterparts and appear in the output of commands, such as oc get, that list resources. The synchronization controller creates the Cluster API resources in an unprovisioned (Paused) state to prevent unintended reconciliation.
				
For supported configurations, you can migrate a Machine API resource to the equivalent Cluster API resource by changing which API it considers authoritative. When you migrate a Machine API resources to the Cluster API, you transfer management of the resource to the Cluster API.
By migrating a Machine API resource to use the Cluster API, you can verify that everything works as expected before deciding to use the Cluster API in production clusters. After migrating a Machine API resource to an equivalent Cluster API resource, you can examine the new resource to verify that the features and configuration match the original Machine API resource.
When you change the authoritative API for a compute machine set, any existing compute machines that the compute machine set manages retain their original authoritative API. As a result, a compute machine set that manages machines that use different authoritative APIs is a valid and expected occurrence in clusters that support migrating between these API types.
When you change the authoritative API for a compute machine, the instance on the underlying infrastructure that backs the machine is not recreated or reprovisioned. In-place changes, such as modifying labels, tags, taints, or annotations, are the only changes that the API group can make to the underlying instance that backs the machine.
You can only migrate some resources on supported infrastructure types.
| Infrastructure | Compute machine | Compute machine set | Machine health check | Control plane machine set | Cluster autoscaler | 
|---|---|---|---|---|---|
| AWS | Technology Preview | Technology Preview | Not Available | Not Available | Not Available | 
| All other infrastructure types | Not Available | Not Available | Not Available | Not Available | Not Available | 
11.2.2.1. Authoritative API types of compute machines
						The authoritative API of a compute machine depends on the values of the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI fields in the Machine API compute machine set that creates it.
					
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
							When the .spec.authoritativeAPI value is ClusterAPI, the Machine API machine set is not authoritative and the .spec.template.spec.authoritativeAPI value is not used. As a result, the only combination that creates a compute machine with the Machine API as authoritative is where the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI values are MachineAPI.
						
11.2.2.2. Migrating a Machine API resource to use the Cluster API
You can migrate individual Machine API objects to equivalent Cluster API objects.
Migrating a Machine API resource to use the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Prerequisites
- You have deployed an OpenShift Container Platform cluster on a supported infrastructure type.
- You have enabled the use of the Cluster API.
- 
								You have enabled the MachineAPIMigrationfeature gate in theTechPreviewNoUpgradefeature set.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- Identify the Machine API resource that you want to migrate to a Cluster API resource by running the following command: - oc get <resource_kind> -n openshift-machine-api - $ oc get <resource_kind> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <resource_kind>is one of the following values:- machine.machine.openshift.io
- The fully qualified name of the resource kind for a compute or control plane machine.
- machineset.machine.openshift.io
- The fully qualified name of the resource kind for a compute machine set.
 
- Edit the resource specification by running the following command: - oc edit <resource_kind>/<resource_name> -n openshift-machine-api - $ oc edit <resource_kind>/<resource_name> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <resource_kind>
- 
											Specifies a compute machine with machine.machine.openshift.ioor compute machine set withmachineset.machine.openshift.io.
- <resource_name>
- Specifies the name of the Machine API resource that you want to migrate to a Cluster API resource.
 
- In the resource specification, update the value of the - spec.authoritativeAPIfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The resource kind varies depending on the resource kind. For example, the resource kind for a compute machine set isMachineSetand the resource kind for a compute machine isMachine.
- 2
- The name of the resource that you want to migrate.
- 3
- Specify the authoritative API that you want this resource to use. For example, to start migrating a Machine API resource to the Cluster API, specifyClusterAPI.
- 4
- The value for the current authoritative API. This value indicates which API currently manages this resource. Do not change the value in this part of the specification.
 
Verification
- Check the status of the conversion by running the following command: - oc -n openshift-machine-api get <resource_kind>/<resource_name> -o json | jq .status.authoritativeAPI - $ oc -n openshift-machine-api get <resource_kind>/<resource_name> -o json | jq .status.authoritativeAPI- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <resource_kind>
- 
											Specifies a compute machine with machine.machine.openshift.ioor compute machine set withmachineset.machine.openshift.io.
- <resource_name>
- Specifies the name of the Machine API resource that you want to migrate to a Cluster API resource.
 - 
										While the conversion progresses, this command returns a value of Migrating. If this value persists for a long time, check the logs for thecluster-capi-operatordeployment in theopenshift-cluster-apinamespace for more information and to identify potential issues.
- 
										When the conversion is complete, this command returns a value of ClusterAPI.
 
11.2.2.3. Deploying Cluster API compute machines by using a Machine API compute machine set
You can configure a Machine API compute machine set to deploy Cluster API compute machines. With this process, you can test the Cluster API compute machine creation workflow without creating and scaling a Cluster API compute machine set.
A Machine API compute machine set with this configuration creates nonauthoritative Machine API compute machines that use the Cluster API as authoritative. The two-way synchronization controller then creates corresponding authoritative Cluster API machines that provision on the underlying infrastructure.
Deploying Cluster API compute machines by using a Machine API compute machine set is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Prerequisites
- You have deployed an OpenShift Container Platform cluster on a supported infrastructure type.
- You have enabled the use of the Cluster API.
- 
								You have enabled the MachineAPIMigrationfeature gate in theTechPreviewNoUpgradefeature set.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- List the Machine API compute machine sets in your cluster by running the following command: - oc get machineset.machine.openshift.io -n openshift-machine-api - $ oc get machineset.machine.openshift.io -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit the resource specification by running the following command: - oc edit machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api - $ oc edit machineset.machine.openshift.io <machine_set_name> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <machine_set_name>is the name of the Machine API compute machine set that you want to configure to deploy Cluster API compute machines.
- In the resource specification, update the value of the - spec.template.spec.authoritativeAPIfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The unconverted value for the Machine API compute machine set. Do not change the value in this part of the specification.
- 2
- SpecifyClusterAPIto configure the compute machine set to deploy Cluster API compute machines.
- 3
- The current value for the Machine API compute machine set. Do not change the value in this part of the specification.
 
Verification
- List the machines that are managed by the updated compute machine set by running the following command: - oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name> - $ oc get machines.machine.openshift.io \ -n openshift-machine-api \ -l machine.openshift.io/cluster-api-machineset=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To verify that a machine created by the updated machine set has the correct configuration, examine the - status.authoritativeAPIfield in the CR for one of the new machines by running the following command:- oc describe machines.machine.openshift.io <machine_name> \ -n openshift-machine-api - $ oc describe machines.machine.openshift.io <machine_name> \ -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - For a Cluster API compute machine, the value of the field is - ClusterAPI.
11.3. Managing machines with the Cluster API
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.3.1. Modifying a Cluster API machine template
					You can update the machine template resource for your cluster by modifying the YAML manifest file and applying it with the OpenShift CLI (oc).
				
Prerequisites
- You have deployed an OpenShift Container Platform cluster that uses the Cluster API.
- 
							You have access to the cluster using an account with cluster-adminpermissions.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- List the machine template resource for your cluster by running the following command: - oc get <machine_template_kind> - $ oc get <machine_template_kind>- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Specify the value that corresponds to your platform. The following values are valid:Expand Cluster infrastructure provider Value Amazon Web Services AWSMachineTemplateGoogle Cloud GCPMachineTemplateMicrosoft Azure AzureMachineTemplateRHOSP OpenStackMachineTemplateVMware vSphere VSphereMachineTemplateBare metal Metal3MachineTemplate
 - Example output - NAME AGE <template_name> 77m - NAME AGE <template_name> 77m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Write the machine template resource for your cluster to a file that you can edit by running the following command: - oc get <machine_template_kind> <template_name> -o yaml > <template_name>.yaml - $ oc get <machine_template_kind> <template_name> -o yaml > <template_name>.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <template_name>is the name of the machine template resource for your cluster.
- 
							Make a copy of the <template_name>.yamlfile with a different name. This procedure uses<modified_template_name>.yamlas an example file name.
- Use a text editor to make changes to the - <modified_template_name>.yamlfile that defines the updated machine template resource for your cluster. When editing the machine template resource, observe the following:- 
									The parameters in the specstanza are provider specific. For more information, see the sample Cluster API machine template YAML for your provider.
- You must use a value for the - metadata.nameparameter that differs from any existing values.Important- For any Cluster API compute machine sets that reference this template, you must update the - spec.template.spec.infrastructureRef.nameparameter to match the- metadata.namevalue in the new machine template resource.
 
- 
									The parameters in the 
- Apply the machine template CR by running the following command: - oc apply -f <modified_template_name>.yaml - $ oc apply -f <modified_template_name>.yaml- 1 - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- Use the edited YAML file with a new name.
 
Next steps
- 
							For any Cluster API compute machine sets that reference this template, update the spec.template.spec.infrastructureRef.nameparameter to match themetadata.namevalue in the new machine template resource. For more information, see "Modifying a compute machine set by using the CLI."
11.3.2. Modifying a compute machine set by using the CLI
You can modify the configuration of a compute machine set, and then propagate the changes to the machines in your cluster by using the CLI.
					By updating the compute machine set configuration, you can enable features or change the properties of the machines it creates. When you modify a compute machine set, your changes only apply to compute machines that are created after you save the updated MachineSet custom resource (CR). The changes do not affect existing machines.
				
						Changes made in the underlying cloud provider are not reflected in the Machine or MachineSet CRs. To adjust instance configuration in cluster-managed infrastructure, use the cluster-side resources.
					
You can replace the existing machines with new ones that reflect the updated configuration by scaling the compute machine set to create twice the number of replicas and then scaling it down to the original number of replicas.
If you need to scale a compute machine set without making other changes, you do not need to delete the machines.
						By default, the OpenShift Container Platform router pods are deployed on compute machines. Because the router is required to access some cluster resources, including the web console, do not scale the compute machine set to 0 unless you first relocate the router pods.
					
The output examples in this procedure use the values for an AWS cluster.
Prerequisites
- Your OpenShift Container Platform cluster uses the Cluster API.
- 
							You are logged in to the cluster as an administrator by using the OpenShift CLI (oc).
Procedure
- List the compute machine sets in your cluster by running the following command: - oc get machinesets.cluster.x-k8s.io -n openshift-cluster-api - $ oc get machinesets.cluster.x-k8s.io -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output - NAME CLUSTER REPLICAS READY AVAILABLE AGE VERSION <compute_machine_set_name_1> <cluster_name> 1 1 1 26m <compute_machine_set_name_2> <cluster_name> 1 1 1 26m - NAME CLUSTER REPLICAS READY AVAILABLE AGE VERSION <compute_machine_set_name_1> <cluster_name> 1 1 1 26m <compute_machine_set_name_2> <cluster_name> 1 1 1 26m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Edit a compute machine set by running the following command: - oc edit machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api - $ oc edit machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Note the value of the - spec.replicasfield, because you need it when scaling the machine set to apply the changes.- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The examples in this procedure show a compute machine set that has areplicasvalue of2.
 
- Update the compute machine set CR with the configuration options that you want and save your changes.
- List the machines that are managed by the updated compute machine set by running the following command: - oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ -l cluster.x-k8s.io/set-name=<machine_set_name> - $ oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ -l cluster.x-k8s.io/set-name=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for an AWS cluster - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- For each machine that is managed by the updated compute machine set, set the - deleteannotation by running the following command:- oc annotate machines.cluster.x-k8s.io/<machine_name_original_1> \ -n openshift-cluster-api \ cluster.x-k8s.io/delete-machine="true" - $ oc annotate machines.cluster.x-k8s.io/<machine_name_original_1> \ -n openshift-cluster-api \ cluster.x-k8s.io/delete-machine="true"- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To create replacement machines with the new configuration, scale the compute machine set to twice the number of replicas by running the following command: - oc scale --replicas=4 \ machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api - $ oc scale --replicas=4 \- 1 - machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The original example value of2is doubled to4.
 
- List the machines that are managed by the updated compute machine set by running the following command: - oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ -l cluster.x-k8s.io/set-name=<machine_set_name> - $ oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ -l cluster.x-k8s.io/set-name=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output for an AWS cluster - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Provisioned 55s <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Provisioning 55s - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 4h <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Provisioned 55s <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Provisioning 55s- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - When the new machines are in the - Runningphase, you can scale the compute machine set to the original number of replicas.
- To remove the machines that were created with the old configuration, scale the compute machine set to the original number of replicas by running the following command: - oc scale --replicas=2 \ machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api - $ oc scale --replicas=2 \- 1 - machinesets.cluster.x-k8s.io <machine_set_name> \ -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The original example value of2.
 
Verification
- To verify that a machine created by the updated machine set has the correct configuration, examine the relevant fields in the CR for one of the new machines by running the following command: - oc describe machines.cluster.x-k8s.io <machine_name_updated_1> \ -n openshift-cluster-api - $ oc describe machines.cluster.x-k8s.io <machine_name_updated_1> \ -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To verify that the compute machines without the updated configuration are deleted, list the machines that are managed by the updated compute machine set by running the following command: - oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ cluster.x-k8s.io/set-name=<machine_set_name> - $ oc get machines.cluster.x-k8s.io \ -n openshift-cluster-api \ cluster.x-k8s.io/set-name=<machine_set_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output while deletion is in progress for an AWS cluster - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_original_1> <cluster_name> <original_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_original_2> <cluster_name> <original_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - Example output when deletion is complete for an AWS cluster - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m - NAME CLUSTER NODENAME PROVIDERID PHASE AGE VERSION <machine_name_updated_1> <cluster_name> <updated_1_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m <machine_name_updated_2> <cluster_name> <updated_2_ip>.<region>.compute.internal aws:///us-east-2a/i-04e7b2cbd61fd2075 Running 18m- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.4. Configuration options for Cluster API machines
11.4.1. Cluster API configuration options for Amazon Web Services
You can change the configuration of your Amazon Web Services (AWS) Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.1.1. Sample YAML for configuring Amazon Web Services clusters
The following example YAML files show configurations for an Amazon Web Services cluster.
11.4.1.1.1. Sample YAML for a Cluster API machine template resource on Amazon Web Services
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
11.4.1.1.2. Sample YAML for a Cluster API compute machine set resource on Amazon Web Services
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the cluster resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2 3
- Specify the cluster ID as the name of the cluster.
- 4
- Specify the machine template kind. This value must match the value for your platform.
- 5
- Specify the machine template name.
11.4.1.2. Enabling Amazon Web Services features with the Cluster API
You can enable the following features by updating values in the Cluster API custom resource manifests.
11.4.1.2.1. Elastic Fabric Adapter instances and placement group options
You can deploy compute machines on Elastic Fabric Adapter (EFA) instances within an existing AWS placement group.
EFA instances do not require placement groups, and you can use placement groups for purposes other than configuring an EFA. The following example uses an EFA and placement group together to demonstrate a configuration that can improve network performance for machines within the specified placement group.
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file. Then, configure a machine set YAML file to reference the machine template when it deploys machines.
Sample EFA instance and placement group configuration
- 1
- Specifies an instance type that supports EFAs.
- 2
- Specifies theefanetwork interface type.
- 3
- Specifies the name of the existing AWS placement group to deploy machines in.
- 4
- Optional: Specifies the partition number of the existing AWS placement group where you want your machines deployed.
Ensure that the rules and limitations for the type of placement group that you create are compatible with your intended use case.
11.4.1.2.2. Amazon EC2 Instance Metadata Service configuration options
You can restrict the version of the Amazon EC2 Instance Metadata Service (IMDS) that machines on Amazon Web Services (AWS) clusters use. Machines can require the use of IMDSv2 (AWS documentation), or allow the use of IMDSv1 in addition to IMDSv2.
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file. Then, configure a machine set YAML file to reference the machine template when it deploys machines.
Before creating machines that require IMDSv2, ensure that any workloads that interact with the IMDS support IMDSv2.
Sample IMDS configuration
- 1
- Specifies the number of network hops allowed for IMDSv2 calls. If no value is specified, this parameter is set to1by default.
- 2
- Specifies whether to require the use of IMDSv2. If no value is specified, this parameter is set tooptionalby default. The following values are valid:- optional
- Allow the use of both IMDSv1 and IMDSv2.
- required
- Require IMDSv2.
 
								The Machine API does not support the httpEndpoint, httpPutResponseHopLimit, and instanceMetadataTags fields. If you migrate a Cluster API machine template that uses this feature to a Machine API compute machine set, any Machine API machines that it creates will not have these fields and the underlying instances will not use these settings. Any existing machines that the migrated machine set manages will retain these fields and the underlying instances will continue to use these settings.
							
Requiring the use of IMDSv2 might cause timeouts. For more information, including mitigation strategies, see Instance metadata access considerations (AWS documentation).
11.4.1.2.3. Dedicated Instance configuration options
You can deploy machines that are backed by Dedicated Instances on Amazon Web Services (AWS) clusters.
Dedicated Instances run in a virtual private cloud (VPC) on hardware that is dedicated to a single customer. These Amazon EC2 instances are physically isolated at the host hardware level. The isolation of Dedicated Instances occurs even if the instances belong to different AWS accounts that are linked to a single payer account. However, other instances that are not dedicated can share hardware with Dedicated Instances if they belong to the same AWS account.
OpenShift Container Platform supports instances with public or dedicated tenancy.
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file. Then, configure a machine set YAML file to reference the machine template when it deploys machines.
Sample Dedicated Instances configuration
- 1
- Specifies using instances with dedicated tenancy that run on single-tenant hardware. If you do not specify this value, instances with public tenancy that run on shared hardware are used by default.
11.4.1.2.4. Non-guaranteed Spot Instances and hourly cost limits
You can deploy machines as non-guaranteed Spot Instances on Amazon Web Services (AWS). Spot Instances use spare AWS EC2 capacity and are less expensive than On-Demand Instances. You can use Spot Instances for workloads that can tolerate interruptions, such as batch or stateless, horizontally scalable workloads.
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file. Then, configure a machine set YAML file to reference the machine template when it deploys machines.
AWS EC2 can reclaim the capacity for a Spot Instance at any time.
Sample Spot Instance configuration
- 1
- Specifies the use of Spot Instances.
- 2
- Optional: Specifies an hourly cost limit in US dollars for the Spot Instance. For example, setting the<price_per_hour>value to2.50limits the cost of the Spot Instance to USD 2.50 per hour. When this value is not set, the maximum price charges up to the On-Demand Instance price.WarningSetting a specific maxPrice: <price_per_hour>value might increase the frequency of interruptions compared to using the default On-Demand Instance price. It is strongly recommended to use the default On-Demand Instance price and to not set the maximum price for Spot Instances.
Interruptions can occur when using Spot Instances for the following reasons:
- The instance price exceeds your maximum price
- The demand for Spot Instances increases
- The supply of Spot Instances decreases
AWS gives a two-minute warning to the user when an interruption occurs. OpenShift Container Platform begins to remove the workloads from the affected instances when AWS issues the termination warning.
							When AWS terminates an instance, a termination handler running on the Spot Instance node deletes the machine resource. To satisfy the compute machine set replicas quantity, the compute machine set creates a machine that requests a Spot Instance.
						
11.4.1.2.5. Capacity Reservation configuration options
OpenShift Container Platform version 4.20 and later supports Capacity Reservations on Amazon Web Services clusters, including On-Demand Capacity Reservations and Capacity Blocks for ML.
You can deploy machines on any available resources that match the parameters of a capacity request that you define. These parameters specify the instance type, region, and number of instances that you want to reserve. If your Capacity Reservation can accommodate the capacity request, the deployment succeeds.
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file. Then, configure a machine set YAML file to reference the machine template when it deploys machines.
Sample Capacity Reservation configuration
- 1
- Specify the ID of the Capacity Block for ML or On-Demand Capacity Reservation that you want to deploy machines on.
- 2
- Specify your preferred capacity reservation behavior. The following values are valid:- CapacityReservationsOnly
- Use this option to require a matching capacity reservation. If no matching capacity reservation is available, the instance fails to launch.
- Open
- Use this option to allow using an open capacity reservation that matches the availability zone and instance type.
- None
- Use this option to prohibit using a capacity reservation. You might use this option to help keep capacity reservations available for workloads that you want to use them.
 
- 3
- Specify the market type to use. The following values are valid:- CapacityBlock
- Use this market type with Capacity Blocks for ML.
- OnDemand
- Use this market type with On-Demand Capacity Reservations.
- Spot
- Use this market type with Spot Instances. This option is not compatible with Capacity Reservations.
 
For more information, including limitations and suggested use cases for this offering, see On-Demand Capacity Reservations and Capacity Blocks for ML in the AWS documentation.
11.4.1.2.6. GPU-enabled machine options
You can deploy GPU-enabled compute machines on Amazon Web Services (AWS). The following sample configuration uses an AWS G4dn instance type, which includes an NVIDIA Tesla T4 Tensor Core GPU, as an example.
For more information about supported instance types, see the following pages in the NVIDIA documentation:
To deploy compute machines with your configuration, configure the appropriate values in a machine template YAML file and a machine set YAML file that references the machine template when it deploys machines.
Sample GPU-enabled machine template configuration
- 1
- Specifies a G4dn instance type.
Sample GPU-enabled machine set configuration
11.4.2. Cluster API configuration options for Google Cloud Platform
You can change the configuration of your Google Cloud Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.2.1. Sample YAML for configuring Google Cloud clusters
The following example YAML files show configurations for a Google Cloud cluster.
11.4.2.1.1. Sample YAML for a Cluster API machine template resource on Google Cloud
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
11.4.2.1.2. Sample YAML for a Cluster API compute machine set resource on Google Cloud
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the cluster resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2 3
- Specify the cluster ID as the name of the cluster.
- 4
- Specify the machine template kind. This value must match the value for your platform.
- 5
- Specify the machine template name.
- 6
- Specify the failure domain within the Google Cloud region.
11.4.3. Cluster API configuration options for Microsoft Azure
You can change the configuration of your Microsoft Azure Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.3.1. Sample YAML for configuring Microsoft Azure clusters
The following example YAML files show configurations for an Azure cluster.
11.4.3.1.1. Sample YAML for a Cluster API machine template resource on Microsoft Azure
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
- 1
- Specify the machine template kind. This value must match the value for your platform.
- 2
- Specify a name for the machine template.
- 3
- Specify the details for your environment. The values here are examples.
- 4
- Specify an image that is compatible with your instance type. The Hyper-V generation V2 images created by the installation program have a-gen2suffix, while V1 images have the same name without the suffix.NoteDefault OpenShift Container Platform cluster names contain hyphens ( -), which are not compatible with Azure gallery name requirements. The value of<compliant_cluster_name>in this configuration must use underscores (_) instead of hyphens to comply with these requirements. Other instances of<cluster_name>do not change.For example, a cluster name of jdoe-test-2m2nptransforms tojdoe_test_2m2np. The full string forgallery_<compliant_cluster_name>in this example isgallery_jdoe_test_2m2np, notgallery_jdoe-test-2m2np. The complete value ofspec.template.spec.image.idfor this example value is/subscriptions/<subscription_id>/resourceGroups/jdoe-test-2m2np-rg/providers/Microsoft.Compute/galleries/gallery_jdoe_test_2m2np/images/jdoe-test-2m2np-gen2/versions/latest.
11.4.3.1.2. Sample YAML for a Cluster API compute machine set resource on Microsoft Azure
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the cluster resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2
- Specify the cluster ID as the name of the cluster.
- 3
- Specify the machine template kind. This value must match the value for your platform.
- 4
- Specify the machine template name.
11.4.4. Cluster API configuration options for Red Hat OpenStack Platform
You can change the configuration of your Red Hat OpenStack Platform (RHOSP) Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.4.1. Sample YAML for configuring RHOSP clusters
The following example YAML files show configurations for a RHOSP cluster.
11.4.4.1.1. Sample YAML for a Cluster API machine template resource on RHOSP
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
- 1
- Specify the machine template kind. This value must match the value for your platform.
- 2
- Specify a name for the machine template.
- 3
- Specify the details for your environment. The values here are examples.
- 4
- Specify the RHOSP flavor to use. For more information, see Creating flavors for launching instances.
- 5
- Specify the image to use.
11.4.4.1.2. Sample YAML for a Cluster API compute machine set resource on RHOSP
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the infrastructure resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set.
- 2
- Specify the cluster ID as the name of the cluster.
- 3
- For the Cluster API Technology Preview, the Operator can use the worker user data secret from theopenshift-machine-apinamespace.
- 4
- Specify the machine template kind. This value must match the value for your platform.
- 5
- Specify the machine template name.
- 6
- Optional: Specify the name of the Nova availability zone for the machine set to create machines in. If you do not specify a value, machines are not restricted to a specific availability zone.
11.4.5. Cluster API configuration options for VMware vSphere
You can change the configuration of your VMware vSphere Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.5.1. Sample YAML for configuring VMware vSphere clusters
The following example YAML files show configurations for a VMware vSphere cluster.
11.4.5.1.1. Sample YAML for a Cluster API machine template resource on VMware vSphere
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
- 1
- Specify the machine template kind. This value must match the value for your platform.
- 2
- Specify a name for the machine template.
- 3
- Specify the details for your environment. The values here are examples.
- 4
- Specify the vSphere VM template to use, such asuser-5ddjd-rhcos.
- 5
- Specify the vCenter server IP or fully qualified domain name.
- 6
- Specify the type of VM clone to use. The following values are valid:- 
											fullClone
- 
											linkedClone
 When using the linkedClonetype, the disk size matches the clone source instead of using thediskGiBvalue. For more information, see the vSphere documentation about VM clone types.
- 
											
- 7
- Specify the vCenter data center to deploy the compute machine set on.
- 8
- Specify the vCenter datastore to deploy the compute machine set on.
- 9
- Specify the path to the vSphere VM folder in vCenter, such as/dc1/vm/user-inst-5ddjd.
- 10
- Specify the vSphere resource pool for your VMs.
- 11
- Specify the vSphere VM network to deploy the compute machine set to. This VM network must be where other compute machines reside in the cluster.
11.4.5.1.2. Sample YAML for a Cluster API compute machine set resource on VMware vSphere
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the cluster resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2 3
- Specify the cluster ID as the name of the cluster.
- 4
- Specify the machine template kind. This value must match the value for your platform.
- 5
- Specify the machine template name.
- 6
- Specify the failure domain configuration details.NoteUsing multiple regions and zones on a vSphere cluster that uses the Cluster API is not a validated configuration. 
11.4.6. Cluster API configuration options for bare metal
You can change the configuration of your bare metal Cluster API machines by updating values in the Cluster API custom resource manifests.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.4.6.1. Sample YAML for configuring bare metal clusters
The following example YAML files show configurations for a bare metal cluster.
11.4.6.1.1. Sample YAML for a Cluster API machine template resource on bare metal
The machine template resource is provider-specific and defines the basic properties of the machines that a compute machine set creates. The compute machine set references this template when creating machines.
- 1
- Specify the machine template kind. This value must match the value for your platform.
- 2
- Specify a name for the machine template.
- 3
- Specify the details for your environment. The values here are examples.
- 4
- TheuserDataparameter refers to the Ignition configuration, which the Machine API Operator generates during installation. You must apply theopenshift-cluster-apinamespace to ensure the cluster can access the secret by running the following command:oc get secret worker-user-data-managed \ -n openshift-machine-api -o yaml | \ sed 's/namespace: .*/namespace: openshift-cluster-api/' | oc apply -f - $ oc get secret worker-user-data-managed \ -n openshift-machine-api -o yaml | \ sed 's/namespace: .*/namespace: openshift-cluster-api/' | oc apply -f -Copy to Clipboard Copied! Toggle word wrap Toggle overflow 
11.4.6.1.2. Sample YAML for a Cluster API compute machine set resource on bare metal
The compute machine set resource defines additional properties of the machines that it creates. The compute machine set also references the cluster resource and machine template when creating machines.
- 1
- Specify a name for the compute machine set. The cluster ID, machine role, and region form a typical pattern for this value in the following format:<cluster_name>-<role>-<region>.
- 2
- Specify the cluster ID as the name of the cluster.
- 3
- Specify the machine template kind. This value must match the value for your platform.
- 4
- Specify the machine template name.
11.5. Troubleshooting clusters that use the Cluster API
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Use the information in this section to understand and recover from issues you might encounter. Generally, troubleshooting steps for problems with the Cluster API are similar to those steps for problems with the Machine API.
				The Cluster CAPI Operator and its operands are provisioned in the openshift-cluster-api namespace, whereas the Machine API uses the openshift-machine-api namespace. When using oc commands that reference a namespace, be sure to reference the correct one.
			
11.5.1. Referencing the intended objects when using the CLI
					For clusters that use the Cluster API, OpenShift CLI (oc) commands prioritize Cluster API objects over Machine API objects.
				
					This behavior impacts any oc command that acts upon any object that is represented in both the Cluster API and the Machine API. This explanation uses the oc delete machine command, which deletes a machine, as an example.
				
- Cause
- When you run an - occommand,- occommunicates with the Kube API server to determine which objects to act upon. The Kube API server uses the first installed custom resource definition (CRD) it encounters alphabetically when an- occommand is run.- CRDs for Cluster API objects are in the - cluster.x-k8s.iogroup, while CRDs for Machine API objects are in the- machine.openshift.iogroup. Because the letter- cprecedes the letter- malphabetically, the Kube API server matches on the Cluster API object CRD. As a result, the- occommand acts upon Cluster API objects.
- Consequence
- Due to this behavior, the following unintended outcomes can occur on a cluster that uses the Cluster API: - 
										For namespaces that contain both types of objects, commands such as oc get machinereturn only Cluster API objects.
- 
										For namespaces that contain only Machine API objects, commands such as oc get machinereturn no results.
 
- 
										For namespaces that contain both types of objects, commands such as 
- Workaround
- 
								You can ensure that occommands act on the type of objects you intend by using the corresponding fully qualified name.
Prerequisites
- 
							You have access to the cluster using an account with cluster-adminpermissions.
- 
							You have installed the OpenShift CLI (oc).
Procedure
- To delete a Machine API machine, use the fully qualified name - machine.machine.openshift.iowhen running the- oc delete machinecommand:- oc delete machine.machine.openshift.io <machine_name> - $ oc delete machine.machine.openshift.io <machine_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- To delete a Cluster API machine, use the fully qualified name - machine.cluster.x-k8s.iowhen running the- oc delete machinecommand:- oc delete machine.cluster.x-k8s.io <machine_name> - $ oc delete machine.cluster.x-k8s.io <machine_name>- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
11.5.2. Duplicated machine set and machine resources
					On clusters that support migrating Machine API resources to Cluster API resources, some resources seem to have duplicate instances in the output of OpenShift CLI (oc) commands that list resources and in the OpenShift Container Platform web console.
				
- Cause
- When you install an OpenShift Container Platform cluster that uses the default configuration options, the installation program provisions the following infrastructure resources in the - openshift-machine-apinamespace:- One control plane machine set that manages three control plane machines.
- One or more compute machine sets that manage three compute machines.
- One machine health check that manages spot instances.
- Compute machines that are created according to the compute machine set specifications.
 - On clusters that support migrating Machine API resources to Cluster API resources, a two-way synchronization controller creates the following Cluster API resources in the - openshift-cluster-apinamespace:- One cluster resource.
- One provider-specific infrastructure cluster resource.
- One or more machine templates that correspond to compute machine sets.
- One or more compute machine sets that manage three compute machines.
- Compute machines that are created according to the machine template and compute machine set specifications.
- Infrastructure machines that correspond to compute machines.
 - These Cluster API resources have the same names as their counterparts in the - openshift-machine-apinamespace.
- Consequence
- 
								Due to this behavior, instances of machine set and machine resources that seem to be duplicates appear in the output of occommands that list resources and in the OpenShift Container Platform web console.
- Workaround
- 
								Although the resources have the same names as their counterparts in the other namespace, only the resources that use the current authoritative API are active. The synchronization controller creates and maintains the corresponding resources that do not use the current authoritative API in an unprovisioned (Paused) state to prevent unintended reconciliation.
- Result
- Only one of each resource that seems to be a duplicate is active at a time. The inactive nonauthoritative resources do not impact functionality. Important- Do not delete any nonauthoritative resource that does not use the current authoritative API unless you want to delete the corresponding resource that does use the current authoritative API. - When you delete a nonauthoritative resource that does not use the current authoritative API, the synchronization controller deletes the corresponding resource that does use the current authoritative API. For more information, see "Unexpected resource deletion behavior". 
11.5.3. Unexpected resource deletion behavior
On clusters that support migrating resources between the Machine API and the Cluster API, users might experience unexpected behavior when deleting Cluster API resources on a cluster where the Machine API is authoritative.
- Cause
- For any resource that uses the authoritative API, the two-way synchronization controller creates and maintains corresponding resources that do not use the current authoritative API. - The deletion behavior for resources that do not use the current authoritative API depends on which API is authoritative. - When you delete a Cluster API resource on a cluster where the Machine API is authoritative, the synchronization controller deletes the corresponding Machine API resource.
- When you delete a Machine API resource on a cluster where the Cluster API is authoritative, the synchronization controller does not delete the corresponding Cluster API resource. This difference in behavior supports migration from using the Machine API to using the Cluster API.
 - This behavior occurs when deleting resources directly and when performing scale-down operations. 
- Consequence
- This different behavior depending on which API is authoritative has the following consequences: - For clusters on which the Cluster API is authoritative, you can remove Machine API resources with no impact to the corresponding Cluster API resources.
- For clusters on which the Machine API is authoritative, you cannot remove Cluster API resources without also deleting the corresponding Machine API resources.
 
- Workaround
- For clusters on which the Machine API is authoritative, do not delete any Cluster API resource unless you want to delete the corresponding Machine API resource.
11.5.4. Troubleshooting resource migration
When you migrate a resource to use a different authoritative API, you might encounter issues during the migration process. You might also notice unexpected behavior due to differences between the Cluster API and the Machine API.
11.5.4.1. Authoritative API types of compute machines
						The authoritative API of a compute machine depends on the values of the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI fields in the Machine API compute machine set that creates it.
					
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
							When the .spec.authoritativeAPI value is ClusterAPI, the Machine API machine set is not authoritative and the .spec.template.spec.authoritativeAPI value is not used. As a result, the only combination that creates a compute machine with the Machine API as authoritative is where the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI values are MachineAPI.
						
11.5.4.2. Unexpected machine counts after scaling
						On clusters that support migrating resources between the Machine API and the Cluster API, users might experience unexpected behavior when scaling the number of compute machines. The output of the oc get command for a compute machine set that does not use the authoritative API might contain inaccurate values in the CURRENT, READY, and AVAILABLE columns.
					
- Cause
- The values that populate the - CURRENT,- READY, and- AVAILABLEcolumns originate in the- .statusstanza of a compute machine set. The two-way synchronization controller that handles resource conversion between authoritative API types does not currently synchronize values in the- .statusstanza.- The value in the - DESIREDcolumn reflects the- .spec.replicasvalue of a compute machine set. The two-way synchronization controller synchronizes values in the- .specstanza.
- Consequence
- Users can expect to see the following behavior when scaling migrated machine sets: - Start with a compute machine set with existing machines.
- Migrate the machine set to use a different authoritative API.
- 
											Scale the now authoritative machine set up by setting a larger value in the .spec.replicasfield.
- The machine set creates machines with the current authoritative API to satisfy the number of requested replicas.
- Scale the authoritative machine set down such that one of the following conditions causes the deletion of machines that do not use the current authoritative API: - The total number of replicas requested is fewer than the number of machines that do not use the current authoritative API.
- The machine deletion policy for the machine set selects machines that do not use the current authoritative API.
 
- Check the status of the nonauthoritative compute machine set by running the - oc getcommand.- 
													The value in the DESIREDcolumn in the output reflects the.spec.replicasvalue.
- 
													The values in the CURRENT,READY, andAVAILABLEcolumns reflect the original number of replicas that existed before scaling the machine set.
 
- 
													The value in the 
 
- Workaround
- 
									To verify that a scale-down operation successfully deleted the compute machines that do not use the current authoritative API, run the oc getcommand that lists the nonauthoritative compute machines.
- Result
- 
									If the scale-down operation succeeded, the count in the output of the oc getcommand for the nonauthoritative compute machines reflects the.spec.replicasvalue of the machine set.
11.5.4.3. Incomplete synchronization of labels and annotations
The label and annotation synchronization behavior differs between the Machine API and the Cluster API. In some cases, these differences cause the two-way synchronization controller to overwrite labels on a Cluster API machine during migration.
- Cause
- With the Machine API, changes to machine set labels and annotations do not propagate to existing machines and nodes. These changes only apply to machines deployed after the update. - With the Cluster API, changes to machine set labels and annotations propagate to existing machines and nodes. When the authoritative API for a machine set changes from Machine API to Cluster API, its labels propagate to the Cluster API machines that it manages. The propagation happens before the Cluster API machine is marked as authoritative. 
- Consequence
- The two-way synchronization controller overwrites any propagated labels and annotations with the earlier value, leading to an inconsistency. This outcome only occurs when removing a label or annotation. Updates and additional labels or annotations do not cause this inconsistency.
- Workaround
- There is no workaround for this issue. For more information, see OCPBUGS-54333.
11.5.4.4. Unsupported configuration options
The Machine API does not support all configuration options for the Cluster API. Some Machine API configurations cannot migrate to the Cluster API. Additional configuration options might be supported in a future release.
Attempting to use the following configurations might cause a migration to fail or result in errors.
This list might not be exhaustive.
11.5.4.4.1. General limitations
The following limitations apply to all clusters:
- 
									Machine API compute machines cannot migrate to the Cluster API unless the NodeDeletionTimeoutfield uses the Cluster API default value of10s.
- OpenShift Container Platform does not support using the following Cluster API fields in the - spec.template.specstanza of a machine set or the- specstanza of a machine:- 
											version
- 
											readinessGates
 
- 
											
- The Machine API does not support using the following Cluster API drain configuration options: - 
											nodeDrainTimeout
- 
											nodeVolumeDetachTimeout
- 
											nodeDeletionTimeout
 
- 
											
- The Cluster API does not support propagating labels or taints from machines to nodes.
11.5.4.4.2. Amazon Web Services (AWS) limitations
The following limitations apply to AWS clusters:
- Machine API compute machines cannot use AWS load balancers.
- The Machine API does not support using the following Amazon EC2 Instance Metadata Service (IMDS) configuration options: - 
											httpEndpoint
- 
											httpPutResponseHopLimit
- 
											instanceMetadataTags
 - If you migrate a Cluster API machine template that uses IMDS configuration options to a Machine API compute machine set, expect the following behaviors: - Any machines that the migrated Machine API machine set creates will not have these fields. The underlying instances will not use these settings.
- Any existing machines that the migrated machine set manages will retain these fields. The underlying instances will continue to use these settings.
 
- 
											
- OpenShift Container Platform does not support using the following AWS machine template fields: - 
											spec.ami.eksLookupType
- 
											spec.cloudInit
- 
											spec.ignition.proxy
- 
											spec.ignition.tls
- 
											spec.imageLookupBaseOS
- 
											spec.imageLookupFormat
- 
											spec.imageLookupOrg
- 
											spec.networkInterfaces
- 
											spec.privateDNSName
- 
											spec.securityGroupOverrides
- 
											spec.uncompressedUserData
 
- 
											
- The Cluster API does not support orphaning a nonroot EBS volume when its underlying AWS EC2 instance is removed. When an instance is terminated, the Cluster API removes all dependent volumes.
- When migrating a Machine API resource to the Cluster API, the ignition version is hard-coded and might not match the user data secret that is passed through.
11.6. Disabling the Cluster API
To stop using the Cluster API to automate the management of infrastructure resources on your OpenShift Container Platform cluster, convert any Cluster API resources on your cluster to equivalent Machine API resources.
Managing machines with the Cluster API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
11.6.1. Migrating Cluster API resources to Machine API resources
On clusters that support migrating between Machine API and Cluster API resources, the two-way synchronization controller supports converting a Cluster API resource to a Machine API resource.
						The two-way synchronization controller only operates on clusters with the MachineAPIMigration feature gate in the TechPreviewNoUpgrade feature set enabled.
					
You can migrate resources that you originally migrated from the Machine API to the Cluster API, or resources that you created as Cluster API resources initially. Migrating an original Machine API resource to a Cluster API resource and then migrating it back provides an opportunity to verify that the migration process works as expected.
You can only migrate some resources on supported infrastructure types.
| Infrastructure | Compute machine | Compute machine set | Machine health check | Control plane machine set | Cluster autoscaler | 
|---|---|---|---|---|---|
| AWS | Technology Preview | Technology Preview | Not Available | Not Available | Not Available | 
| All other infrastructure types | Not Available | Not Available | Not Available | Not Available | Not Available | 
11.6.1.1. Migrating a Cluster API resource to use the Machine API
You can migrate individual Cluster API objects to equivalent Machine API objects.
Migrating a Cluster API resource to use the Machine API is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
Prerequisites
- You have deployed an OpenShift Container Platform cluster on a supported infrastructure type.
- 
								You have enabled the MachineAPIMigrationfeature gate in theTechPreviewNoUpgradefeature set.
- 
								You have access to the cluster using an account with cluster-adminpermissions.
- 
								You have installed the OpenShift CLI (oc).
Procedure
- Identify the Cluster API resource that you want to migrate to a Machine API resource by running the following command: - oc get <resource_kind> -n openshift-cluster-api - $ oc get <resource_kind> -n openshift-cluster-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where - <resource_kind>is one of the following values:- machine.cluster.x-k8s.io
- The fully qualified name of the resource kind for a compute or control plane machine.
- machineset.cluster.x-k8s.io
- The fully qualified name of the resource kind for a compute machine set.
 
- Edit the resource specification by running the following command: - oc edit <resource_kind>/<resource_name> -n openshift-machine-api - $ oc edit <resource_kind>/<resource_name> -n openshift-machine-api- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <resource_kind>
- 
											Specifies a compute machine with machine.machine.openshift.ioor compute machine set withmachineset.machine.openshift.io.
- <resource_name>
- Specifies the name of the Machine API resource that corresponds to the Cluster API resource that you want to migrate to the Machine API.
 
- In the resource specification, update the value of the - spec.authoritativeAPIfield:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- The resource kind varies depending on the resource kind. For example, the resource kind for a compute machine set isMachineSetand the resource kind for a compute machine isMachine.
- 2
- The name of the resource that you want to migrate.
- 3
- Specify the authoritative API that you want this resource to use. For example, to start migrating a Cluster API resource to the Machine API, specifyMachineAPI.
- 4
- The value for the current authoritative API. This value indicates which API currently manages this resource. Do not change the value in this part of the specification.
 
Verification
- Check the status of the conversion by running the following command: - oc -n openshift-machine-api get <resource_kind>/<resource_name> -o json | jq .status.authoritativeAPI - $ oc -n openshift-machine-api get <resource_kind>/<resource_name> -o json | jq .status.authoritativeAPI- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - where: - <resource_kind>
- 
											Specifies a compute machine with machine.machine.openshift.ioor compute machine set withmachineset.machine.openshift.io.
- <resource_name>
- Specifies the name of the Machine API resource that corresponds to the Cluster API resource that you want to migrate to the Machine API.
 - 
										While the conversion progresses, this command returns a value of Migrating. If this value persists for a long time, check the logs for thecluster-capi-operatordeployment in theopenshift-cluster-apinamespace for more information and to identify potential issues.
- 
										When the conversion is complete, this command returns a value of MachineAPI.
 Important- Do not delete any nonauthoritative resource that does not use the current authoritative API unless you want to delete the corresponding resource that does use the current authoritative API. - When you delete a nonauthoritative resource that does not use the current authoritative API, the synchronization controller deletes the corresponding resource that does use the current authoritative API. For more information, see "Unexpected resource deletion behavior" in the Troubleshooting resource migration content. 
11.6.1.2. Authoritative API types of compute machines
						The authoritative API of a compute machine depends on the values of the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI fields in the Machine API compute machine set that creates it.
					
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
| 
										 | 
										 | 
										 | 
										 | 
										 | 
							When the .spec.authoritativeAPI value is ClusterAPI, the Machine API machine set is not authoritative and the .spec.template.spec.authoritativeAPI value is not used. As a result, the only combination that creates a compute machine with the Machine API as authoritative is where the .spec.authoritativeAPI and .spec.template.spec.authoritativeAPI values are MachineAPI.
						
Chapter 12. Deploying machine health checks
You can configure and deploy a machine health check to automatically repair damaged machines in a machine pool.
You can use the advanced machine management and scaling capabilities only in clusters where the Machine API is operational. Clusters with user-provisioned infrastructure require additional validation and configuration to use the Machine API.
				Clusters with the infrastructure platform type none cannot use the Machine API. This limitation applies even if the compute machines that are attached to the cluster are installed on a platform that supports the feature. This parameter cannot be changed after installation.
			
To view the platform type for your cluster, run the following command:
oc get infrastructure cluster -o jsonpath='{.status.platform}'
$ oc get infrastructure cluster -o jsonpath='{.status.platform}'12.1. About machine health checks
You can only apply a machine health check to machines that are managed by compute machine sets or control plane machine sets.
				To monitor machine health, create a resource to define the configuration for a controller. Set a condition to check, such as staying in the NotReady status for five minutes or displaying a permanent condition in the node-problem-detector, and a label for the set of machines to monitor.
			
				The controller that observes a MachineHealthCheck resource checks for the defined condition. If a machine fails the health check, the machine is automatically deleted and one is created to take its place. When a machine is deleted, you see a machine deleted event.
			
				To limit disruptive impact of the machine deletion, the controller drains and deletes only one node at a time. If there are more unhealthy machines than the maxUnhealthy threshold allows for in the targeted pool of machines, remediation stops and therefore enables manual intervention.
			
Consider the timeouts carefully, accounting for workloads and requirements.
- Long timeouts can result in long periods of downtime for the workload on the unhealthy machine.
- 
							Too short timeouts can result in a remediation loop. For example, the timeout for checking the NotReadystatus must be long enough to allow the machine to complete the startup process.
To stop the check, remove the resource.
12.1.1. Limitations when deploying machine health checks
There are limitations to consider before deploying a machine health check:
- Only machines owned by a machine set are remediated by a machine health check.
- If the node for a machine is removed from the cluster, a machine health check considers the machine to be unhealthy and remediates it immediately.
- 
							If the corresponding node for a machine does not join the cluster after the nodeStartupTimeout, the machine is remediated.
- 
							A machine is remediated immediately if the Machineresource phase isFailed.
12.2. Sample MachineHealthCheck resource
				The MachineHealthCheck resource for all cloud-based installation types, and other than bare metal, resembles the following YAML file:
			
- 1
- Specify the name of the machine health check to deploy.
- 2 3
- Specify a label for the machine pool that you want to check.
- 4
- Specify the machine set to track in<cluster_name>-<label>-<zone>format. For example,prod-node-us-east-1a.
- 5 6
- Specify the timeout duration for a node condition. If a condition is met for the duration of the timeout, the machine will be remediated. Long timeouts can result in long periods of downtime for a workload on an unhealthy machine.
- 7
- Specify the amount of machines allowed to be concurrently remediated in the targeted pool. This can be set as a percentage or an integer. If the number of unhealthy machines exceeds the limit set bymaxUnhealthy, remediation is not performed.
- 8
- Specify the timeout duration that a machine health check must wait for a node to join the cluster before a machine is determined to be unhealthy.
					The matchLabels are examples only; you must map your machine groups based on your specific needs.
				
12.2.1. Short-circuiting machine health check remediation
					Short-circuiting ensures that machine health checks remediate machines only when the cluster is healthy. Short-circuiting is configured through the maxUnhealthy field in the MachineHealthCheck resource.
				
					If the user defines a value for the maxUnhealthy field, before remediating any machines, the MachineHealthCheck compares the value of maxUnhealthy with the number of machines within its target pool that it has determined to be unhealthy. Remediation is not performed if the number of unhealthy machines exceeds the maxUnhealthy limit.
				
						If maxUnhealthy is not set, the value defaults to 100% and the machines are remediated regardless of the state of the cluster.
					
					The appropriate maxUnhealthy value depends on the scale of the cluster you deploy and how many machines the MachineHealthCheck covers. For example, you can use the maxUnhealthy value to cover multiple compute machine sets across multiple availability zones so that if you lose an entire zone, your maxUnhealthy setting prevents further remediation within the cluster. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability.
				
						If you configure a MachineHealthCheck resource for the control plane, set the value of maxUnhealthy to 1.
					
This configuration ensures that the machine health check takes no action when multiple control plane machines appear to be unhealthy. Multiple unhealthy control plane machines can indicate that the etcd cluster is degraded or that a scaling operation to replace a failed machine is in progress.
If the etcd cluster is degraded, manual intervention might be required. If a scaling operation is in progress, the machine health check should allow it to finish.
					The maxUnhealthy field can be set as either an integer or percentage. There are different remediation implementations depending on the maxUnhealthy value.
				
12.2.1.1. Setting maxUnhealthy by using an absolute value
						If maxUnhealthy is set to 2:
					
- Remediation will be performed if 2 or fewer nodes are unhealthy
- Remediation will not be performed if 3 or more nodes are unhealthy
These values are independent of how many machines are being checked by the machine health check.
12.2.1.2. Setting maxUnhealthy by using percentages
						If maxUnhealthy is set to 40% and there are 25 machines being checked:
					
- Remediation will be performed if 10 or fewer nodes are unhealthy
- Remediation will not be performed if 11 or more nodes are unhealthy
						If maxUnhealthy is set to 40% and there are 6 machines being checked:
					
- Remediation will be performed if 2 or fewer nodes are unhealthy
- Remediation will not be performed if 3 or more nodes are unhealthy
							The allowed number of machines is rounded down when the percentage of maxUnhealthy machines that are checked is not a whole number.
						
12.3. Creating a machine health check resource
				You can create a MachineHealthCheck resource for machine sets in your cluster.
			
You can only apply a machine health check to machines that are managed by compute machine sets or control plane machine sets.
Prerequisites
- 
						Install the occommand-line interface.
Procedure
- 
						Create a healthcheck.ymlfile that contains the definition of your machine health check.
- Apply the - healthcheck.ymlfile to your cluster:- oc apply -f healthcheck.yml - $ oc apply -f healthcheck.yml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
You can configure and deploy a machine health check to detect and repair unhealthy bare metal nodes.
12.4. About power-based remediation of bare metal
In a bare metal cluster, remediation of nodes is critical to ensuring the overall health of the cluster. Physically remediating a cluster can be challenging and any delay in putting the machine into a safe or an operational state increases the time the cluster remains in a degraded state, and the risk that subsequent failures might bring the cluster offline. Power-based remediation helps counter such challenges.
Instead of reprovisioning the nodes, power-based remediation uses a power controller to power off an inoperable node. This type of remediation is also called power fencing.
				OpenShift Container Platform uses the MachineHealthCheck controller to detect faulty bare metal nodes. Power-based remediation is fast and reboots faulty nodes instead of removing them from the cluster.
			
Power-based remediation provides the following capabilities:
- Allows the recovery of control plane nodes
- Reduces the risk of data loss in hyperconverged environments
- Reduces the downtime associated with recovering physical machines
12.4.1. MachineHealthChecks on bare metal
Machine deletion on bare metal cluster triggers reprovisioning of a bare metal host. Usually bare metal reprovisioning is a lengthy process, during which the cluster is missing compute resources and applications might be interrupted.
There are two ways to change the default remediation process from machine deletion to host power-cycle:
- 
							Annotate the MachineHealthCheckresource with themachine.openshift.io/remediation-strategy: external-baremetalannotation.
- 
							Create a Metal3RemediationTemplateresource, and refer to it in thespec.remediationTemplateof theMachineHealthCheck.
After using one of these methods, unhealthy machines are power-cycled by using Baseboard Management Controller (BMC) credentials.
12.4.2. Understanding the annotation-based remediation process
The remediation process operates as follows:
- The MachineHealthCheck (MHC) controller detects that a node is unhealthy.
- The MHC notifies the bare metal machine controller which requests to power-off the unhealthy node.
- After the power is off, the node is deleted, which allows the cluster to reschedule the affected workload on other nodes.
- The bare metal machine controller requests to power on the node.
- After the node is up, the node re-registers itself with the cluster, resulting in the creation of a new node.
- After the node is recreated, the bare metal machine controller restores the annotations and labels that existed on the unhealthy node before its deletion.
If the power operations did not complete, the bare metal machine controller triggers the reprovisioning of the unhealthy node unless this is a control plane node or a node that was provisioned externally.
12.4.3. Understanding the metal3-based remediation process
The remediation process operates as follows:
- The MachineHealthCheck (MHC) controller detects that a node is unhealthy.
- The MHC creates a metal3 remediation custom resource for the metal3 remediation controller, which requests to power-off the unhealthy node.
- After the power is off, the node is deleted, which allows the cluster to reschedule the affected workload on other nodes.
- The metal3 remediation controller requests to power on the node.
- After the node is up, the node re-registers itself with the cluster, resulting in the creation of a new node.
- After the node is recreated, the metal3 remediation controller restores the annotations and labels that existed on the unhealthy node before its deletion.
If the power operations did not complete, the metal3 remediation controller triggers the reprovisioning of the unhealthy node unless this is a control plane node or a node that was provisioned externally.
12.4.4. Creating a MachineHealthCheck resource for bare metal
Prerequisites
- The OpenShift Container Platform is installed using installer-provisioned infrastructure (IPI).
- Access to BMC credentials (or BMC access to each node).
- Network access to the BMC interface of the unhealthy node.
Procedure
- 
							Create a healthcheck.yamlfile that contains the definition of your machine health check.
- Apply the - healthcheck.yamlfile to your cluster using the following command:- oc apply -f healthcheck.yaml - $ oc apply -f healthcheck.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
Sample MachineHealthCheck resource for bare metal, annotation-based remediation
- 1
- Specify the name of the machine health check to deploy.
- 2
- For bare metal clusters, you must include themachine.openshift.io/remediation-strategy: external-baremetalannotation in theannotationssection to enable power-cycle remediation. With this remediation strategy, unhealthy hosts are rebooted instead of removed from the cluster.
- 3 4
- Specify a label for the machine pool that you want to check.
- 5
- Specify the compute machine set to track in<cluster_name>-<label>-<zone>format. For example,prod-node-us-east-1a.
- 6 7
- Specify the timeout duration for the node condition. If the condition is met for the duration of the timeout, the machine will be remediated. Long timeouts can result in long periods of downtime for a workload on an unhealthy machine.
- 8
- Specify the amount of machines allowed to be concurrently remediated in the targeted pool. This can be set as a percentage or an integer. If the number of unhealthy machines exceeds the limit set bymaxUnhealthy, remediation is not performed.
- 9
- Specify the timeout duration that a machine health check must wait for a node to join the cluster before a machine is determined to be unhealthy.
						The matchLabels are examples only; you must map your machine groups based on your specific needs.
					
Sample MachineHealthCheck resource for bare metal, metal3-based remediation
Sample Metal3RemediationTemplate resource for bare metal, metal3-based remediation
						The matchLabels are examples only; you must map your machine groups based on your specific needs. The annotations section does not apply to metal3-based remediation. Annotation-based remediation and metal3-based remediation are mutually exclusive.
					
12.4.5. Troubleshooting issues with power-based remediation
To troubleshoot an issue with power-based remediation, verify the following:
- You have access to the BMC.
- BMC is connected to the control plane node that is responsible for running the remediation task.
        Legal Notice
        
          
            
          
        
      
 
Copyright © 2025 Red Hat
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
