5.7. 为 IBM Cloud VPC 手动创建 IAM

安装集群需要 Cloud Credential Operator(CCO)以手动模式运行。虽然安装程序为手动模式配置 CCO，但您必须为云供应商指定身份和访问管理 secret。

您可以使用 Cloud Credential Operator (CCO) 实用程序 (ccoctl) 创建所需的 IBM Cloud VPC 资源。

先决条件

您已配置了 ccoctl 二进制文件。
您有一个现有的 install-config.yaml 文件。

流程

编辑 install-config.yaml 配置文件，使其包含将 credentialsMode 参数设置为 Manual。

install-config.yaml 配置文件示例

apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual 
compute:
- architecture: amd64
  hyperthreading: Enabled

apiVersion: v1
baseDomain: cluster1.example.com
credentialsMode: Manual


compute:
- architecture: amd64
  hyperthreading: Enabled

Copy to Clipboard

Toggle word wrap

1: 添加这一行将 credentialsMode 参数设置为 Manual。

要生成清单，请在包含安装程序的目录中运行以下命令：

openshift-install create manifests --dir <installation_directory>

$ openshift-install create manifests --dir <installation_directory>

Copy to Clipboard

Toggle word wrap

从包含安装程序的目录中，获取构建 openshift-install 二进制文件的 OpenShift Container Platform 发行镜像：
```
RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
```
```
$ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}')
```
Copy to Clipboard Toggle word wrap

从 OpenShift Container Platform 发行镜像中提取 CredentialsRequest 对象：

oc adm release extract --cloud=ibmcloud --credentials-requests $RELEASE_IMAGE \
    --to=<path_to_credential_requests_directory>

$ oc adm release extract --cloud=ibmcloud --credentials-requests $RELEASE_IMAGE \
    --to=<path_to_credential_requests_directory>

Copy to Clipboard

Toggle word wrap

此命令为每个 CredentialsRequest 对象创建一个 YAML 文件。

CredentialsRequest 对象示例

  apiVersion: cloudcredential.openshift.io/v1
  kind: CredentialsRequest
  metadata:
    labels:
      controller-tools.k8s.io: "1.0"
    name: openshift-image-registry-ibmcos
    namespace: openshift-cloud-credential-operator
  spec:
    secretRef:
      name: installer-cloud-credentials
      namespace: openshift-image-registry
    providerSpec:
      apiVersion: cloudcredential.openshift.io/v1
      kind: IBMCloudProviderSpec
      policies:
      - attributes:
        - name: serviceName
          value: cloud-object-storage
        roles:
        - crn:v1:bluemix:public:iam::::role:Viewer
        - crn:v1:bluemix:public:iam::::role:Operator
        - crn:v1:bluemix:public:iam::::role:Editor
        - crn:v1:bluemix:public:iam::::serviceRole:Reader
        - crn:v1:bluemix:public:iam::::serviceRole:Writer
      - attributes:
        - name: resourceType
          value: resource-group
        roles:
        - crn:v1:bluemix:public:iam::::role:Viewer

  apiVersion: cloudcredential.openshift.io/v1
  kind: CredentialsRequest
  metadata:
    labels:
      controller-tools.k8s.io: "1.0"
    name: openshift-image-registry-ibmcos
    namespace: openshift-cloud-credential-operator
  spec:
    secretRef:
      name: installer-cloud-credentials
      namespace: openshift-image-registry
    providerSpec:
      apiVersion: cloudcredential.openshift.io/v1
      kind: IBMCloudProviderSpec
      policies:
      - attributes:
        - name: serviceName
          value: cloud-object-storage
        roles:
        - crn:v1:bluemix:public:iam::::role:Viewer
        - crn:v1:bluemix:public:iam::::role:Operator
        - crn:v1:bluemix:public:iam::::role:Editor
        - crn:v1:bluemix:public:iam::::serviceRole:Reader
        - crn:v1:bluemix:public:iam::::serviceRole:Writer
      - attributes:
        - name: resourceType
          value: resource-group
        roles:
        - crn:v1:bluemix:public:iam::::role:Viewer

Copy to Clipboard

Toggle word wrap

如果您的集群使用集群功能禁用一个或多个可选组件，请删除任何禁用组件的 CredentialsRequest 自定义资源。

IBM Cloud VPC 上的 OpenShift Container Platform 4.12 的 credrequests 目录的内容示例

0000_26_cloud-controller-manager-operator_15_credentialsrequest-ibm.yaml 
0000_30_machine-api-operator_00_credentials-request.yaml 
0000_50_cluster-image-registry-operator_01-registry-credentials-request-ibmcos.yaml 
0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml 
0000_50_cluster-storage-operator_03_credentials_request_ibm.yaml

0000_26_cloud-controller-manager-operator_15_credentialsrequest-ibm.yaml


0000_30_machine-api-operator_00_credentials-request.yaml


0000_50_cluster-image-registry-operator_01-registry-credentials-request-ibmcos.yaml


0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml


0000_50_cluster-storage-operator_03_credentials_request_ibm.yaml

Copy to Clipboard

Toggle word wrap

1: 需要 Cloud Controller Manager Operator CR。
2: Machine API Operator CR 是必需的。
3: Image Registry Operator CR 是必需的。
4: Ingress Operator CR 是必需的。
5: Storage Operator CR 是一个可选组件，可能会在集群中禁用。

为每个凭证请求创建服务 ID，分配定义的策略，在 IBM Cloud VPC 中创建 API 密钥并生成 secret：

ccoctl ibmcloud create-service-id \
    --credentials-requests-dir <path_to_credential_requests_directory> \
    --name <cluster_name> \
    --output-dir <installation_directory> \
    --resource-group-name <resource_group_name>

$ ccoctl ibmcloud create-service-id \
    --credentials-requests-dir <path_to_credential_requests_directory> \


    --name <cluster_name> \


    --output-dir <installation_directory> \
    --resource-group-name <resource_group_name>

Copy to Clipboard

Toggle word wrap

1: 存储了凭据请求的目录。
2: OpenShift Container Platform 集群的名称。
3: 可选：用于限制访问策略的资源组名称。

注意

如果您的集群使用 TechPreviewNoUpgrade 功能集启用的技术预览功能，则必须包含 --enable-tech-preview 参数。

如果提供了不正确的资源组名称，安装会在 bootstrap 阶段失败。要查找正确的资源组名称，请运行以下命令：

grep resourceGroupName <installation_directory>/manifests/cluster-infrastructure-02-config.yml

$ grep resourceGroupName <installation_directory>/manifests/cluster-infrastructure-02-config.yml

Copy to Clipboard

Toggle word wrap

验证

确保在集群的 manifests 目录中生成了适当的 secret。

返回顶部

5.7. 为 IBM Cloud VPC 手动创建 IAM

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links