Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates

In OKD version 4.9, you can install a cluster on Amazon Web Services (AWS) that uses infrastructure that you provide.

One way to create this infrastructure is to use the provided CloudFormation templates. You can modify the templates to customize your infrastructure or use the information that they contain to create AWS objects according to your company’s policies.

The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OKD. Several CloudFormation templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods; the templates are just an example.

Prerequisites

Required AWS infrastructure components

To install OKD on user-provisioned infrastructure in Amazon Web Services (AWS), you must manually create both the machines and their supporting infrastructure.

For more information about the integration testing for different platforms, see the OpenShift Container Platform 4.x Tested Integrations page.

By using the provided CloudFormation templates, you can create stacks of AWS resources that represent the following components:

  • An AWS Virtual Private Cloud (VPC)

  • Networking and load balancing components

  • Security groups and roles

  • An OKD bootstrap node

  • OKD control plane nodes

  • An OKD compute node

Alternatively, you can manually create the components or you can reuse existing infrastructure that meets the cluster requirements. Review the CloudFormation templates for more details about how the components interrelate.

Other infrastructure components

  • A VPC

  • DNS entries

  • Load balancers (classic or network) and listeners

  • A public and a private Route 53 zone

  • Security groups

  • IAM roles

  • S3 buckets

If you are working in a disconnected environment or use a proxy, you cannot reach the public IP addresses for EC2 and ELB endpoints. To reach these endpoints, you must create a VPC endpoint and attach it to the subnet that the clusters are using. Create the following endpoints:

  • ec2.<region>.amazonaws.com

  • elasticloadbalancing.<region>.amazonaws.com

  • s3.<region>.amazonaws.com

Required VPC components

You must provide a suitable VPC and subnets that allow communication to your machines.

ComponentAWS typeDescription

VPC

  • AWS::EC2::VPC

  • AWS::EC2::VPCEndpoint

You must provide a public VPC for the cluster to use. The VPC uses an endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3.

Public subnets

  • AWS::EC2::Subnet

  • AWS::EC2::SubnetNetworkAclAssociation

Your VPC must have public subnets for between 1 and 3 availability zones and associate them with appropriate Ingress rules.

Internet gateway

  • AWS::EC2::InternetGateway

  • AWS::EC2::VPCGatewayAttachment

  • AWS::EC2::RouteTable

  • AWS::EC2::Route

  • AWS::EC2::SubnetRouteTableAssociation

  • AWS::EC2::NatGateway

  • AWS::EC2::EIP

You must have a public internet gateway, with public routes, attached to the VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios.

Network access control

  • AWS::EC2::NetworkAcl

  • AWS::EC2::NetworkAclEntry

You must allow the VPC to access the following ports:

Port

Reason

80

Inbound HTTP traffic

443

Inbound HTTPS traffic

22

Inbound SSH traffic

1024 - 65535

Inbound ephemeral traffic

0 - 65535

Outbound ephemeral traffic

Private subnets

  • AWS::EC2::Subnet

  • AWS::EC2::RouteTable

  • AWS::EC2::SubnetRouteTableAssociation

Your VPC can have private subnets. The provided CloudFormation templates can create private subnets for between 1 and 3 availability zones. If you use private subnets, you must provide appropriate routes and tables for them.

Required DNS and load balancing components

Your DNS and load balancer configuration needs to use a public hosted zone and can use a private hosted zone similar to the one that the installation program uses if it provisions the cluster’s infrastructure. You must create a DNS entry that resolves to your load balancer. An entry for api.<cluster_name>.<domain> must point to the external load balancer, and an entry for api-int.<cluster_name>.<domain> must point to the internal load balancer.

The cluster also requires load balancers and listeners for port 6443, which are required for the Kubernetes API and its extensions, and port 22623, which are required for the Ignition config files for new machines. The targets will be the control plane nodes. Port 6443 must be accessible to both clients external to the cluster and nodes within the cluster. Port 22623 must be accessible to nodes within the cluster.

ComponentAWS typeDescription

DNS

AWS::Route53::HostedZone

The hosted zone for your internal DNS.

etcd record sets

AWS::Route53::RecordSet

The registration records for etcd for your control plane machines.

Public load balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

The load balancer for your public subnets.

External API server record

AWS::Route53::RecordSetGroup

Alias records for the external API server.

External listener

AWS::ElasticLoadBalancingV2::Listener

A listener on port 6443 for the external load balancer.

External target group

AWS::ElasticLoadBalancingV2::TargetGroup

The target group for the external load balancer.

Private load balancer

AWS::ElasticLoadBalancingV2::LoadBalancer

The load balancer for your private subnets.

Internal API server record

AWS::Route53::RecordSetGroup

Alias records for the internal API server.

Internal listener

AWS::ElasticLoadBalancingV2::Listener

A listener on port 22623 for the internal load balancer.

Internal target group

AWS::ElasticLoadBalancingV2::TargetGroup

The target group for the internal load balancer.

Internal listener

AWS::ElasticLoadBalancingV2::Listener

A listener on port 6443 for the internal load balancer.

Internal target group

AWS::ElasticLoadBalancingV2::TargetGroup

The target group for the internal load balancer.

Security groups

The control plane and worker machines require access to the following ports:

GroupTypeIP ProtocolPort range

MasterSecurityGroup

AWS::EC2::SecurityGroup

icmp

0

tcp

22

tcp

6443

tcp

22623

WorkerSecurityGroup

AWS::EC2::SecurityGroup

icmp

0

tcp

22

BootstrapSecurityGroup

AWS::EC2::SecurityGroup

tcp

22

tcp

19531

Control plane Ingress

The control plane machines require the following Ingress groups. Each Ingress group is a AWS::EC2::SecurityGroupIngress resource.

Ingress groupDescriptionIP protocolPort range

MasterIngressEtcd

etcd

tcp

2379- 2380

MasterIngressVxlan

Vxlan packets

udp

4789

MasterIngressWorkerVxlan

Vxlan packets

udp

4789

MasterIngressInternal

Internal cluster communication and Kubernetes proxy metrics

tcp

9000 - 9999

MasterIngressWorkerInternal

Internal cluster communication

tcp

9000 - 9999

MasterIngressKube

Kubernetes kubelet, scheduler and controller manager

tcp

10250 - 10259

MasterIngressWorkerKube

Kubernetes kubelet, scheduler and controller manager

tcp

10250 - 10259

MasterIngressIngressServices

Kubernetes Ingress services

tcp

30000 - 32767

MasterIngressWorkerIngressServices

Kubernetes Ingress services

tcp

30000 - 32767

Worker Ingress

The worker machines require the following Ingress groups. Each Ingress group is a AWS::EC2::SecurityGroupIngress resource.

Ingress groupDescriptionIP protocolPort range

WorkerIngressVxlan

Vxlan packets

udp

4789

WorkerIngressWorkerVxlan

Vxlan packets

udp

4789

WorkerIngressInternal

Internal cluster communication

tcp

9000 - 9999

WorkerIngressWorkerInternal

Internal cluster communication

tcp

9000 - 9999

WorkerIngressKube

Kubernetes kubelet, scheduler, and controller manager

tcp

10250

WorkerIngressWorkerKube

Kubernetes kubelet, scheduler, and controller manager

tcp

10250

WorkerIngressIngressServices

Kubernetes Ingress services

tcp

30000 - 32767

WorkerIngressWorkerIngressServices

Kubernetes Ingress services

tcp

30000 - 32767

Roles and instance profiles

You must grant the machines permissions in AWS. The provided CloudFormation templates grant the machines Allow permissions for the following AWS::IAM::Role objects and provide a AWS::IAM::InstanceProfile for each set of roles. If you do not use the templates, you can grant the machines the following broad permissions or the following individual permissions.

RoleEffectActionResource

Master

Allow

ec2:

Allow

elasticloadbalancing:

Allow

iam:PassRole

Allow

s3:GetObject

Worker

Allow

ec2:Describe

Bootstrap

Allow

ec2:Describe

Allow

ec2:AttachVolume

Allow

ec2:DetachVolume

Cluster machines

You need AWS::EC2::Instance objects for the following machines:

  • A bootstrap machine. This machine is required during installation, but you can remove it after your cluster deploys.

  • Three control plane machines. The control plane machines are not governed by a machine set.

  • Compute machines. You must create at least two compute machines, which are also known as worker machines, during installation. These machines are not governed by a machine set.

Certificate signing requests management

Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager only approves the kubelet client CSRs. The machine-approver cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.

Supported AWS machine types

The following Amazon Web Services (AWS) instance types are supported with OKD.

Instance types for machines

Instance typeBootstrapControl planeCompute

i3.large

x

m4.large

x

m4.xlarge

x

x

m4.2xlarge

x

x

m4.4xlarge

x

x

m4.10xlarge

x

x

m4.16xlarge

x

x

m5.large

x

m5.xlarge

x

x

m5.2xlarge

x

x

m5.4xlarge

x

x

m5.8xlarge

x

x

m5.12xlarge

x

x

m5.16xlarge

x

x

m5a.large

x

m5a.xlarge

x

x

m5a.2xlarge

x

x

m5a.4xlarge

x

x

m5a.8xlarge

x

x

m5a.12xlarge

x

x

m5a.16xlarge

x

x

c4.2xlarge

x

x

c4.4xlarge

x

x

c4.8xlarge

x

x

c5.xlarge

x

c5.2xlarge

x

x

c5.4xlarge

x

x

c5.9xlarge

x

x

c5.12xlarge

x

x

c5.18xlarge

x

x

c5.24xlarge

x

x

c5a.xlarge

x

c5a.2xlarge

x

x

c5a.4xlarge

x

x

c5a.8xlarge

x

x

c5a.12xlarge

x

x

c5a.16xlarge

x

x

c5a.24xlarge

x

x

r4.large

x

r4.xlarge

x

x

r4.2xlarge

x

x

r4.4xlarge

x

x

r4.8xlarge

x

x

r4.16xlarge

x

x

r5.large

x

r5.xlarge

x

x

r5.2xlarge

x

x

r5.4xlarge

x

x

r5.8xlarge

x

x

r5.12xlarge

x

x

r5.16xlarge

x

x

r5.24xlarge

x

x

r5a.large

x

r5a.xlarge

x

x

r5a.2xlarge

x

x

r5a.4xlarge

x

x

r5a.8xlarge

x

x

r5a.12xlarge

x

x

r5a.16xlarge

x

x

r5a.24xlarge

x

x

t3.large

x

t3.xlarge

x

t3.2xlarge

x

t3a.large

x

t3a.xlarge

x

t3a.2xlarge

x

Required AWS permissions for the IAM user

When you attach the AdministratorAccess policy to the IAM user that you create in Amazon Web Services (AWS), you grant that user all of the required permissions. To deploy all components of an OKD cluster, the IAM user requires the following permissions:

Required EC2 permissions for installation

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:CopyImage

  • ec2:CreateNetworkInterface

  • ec2:AttachNetworkInterface

  • ec2:CreateSecurityGroup

  • ec2:CreateTags

  • ec2:CreateVolume

  • ec2:DeleteSecurityGroup

  • ec2:DeleteSnapshot

  • ec2:DeleteTags

  • ec2:DeregisterImage

  • ec2:DescribeAccountAttributes

  • ec2:DescribeAddresses

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeDhcpOptions

  • ec2:DescribeImages

  • ec2:DescribeInstanceAttribute

  • ec2:DescribeInstanceCreditSpecifications

  • ec2:DescribeInstances

  • ec2:DescribeInstanceTypes

  • ec2:DescribeInternetGateways

  • ec2:DescribeKeyPairs

  • ec2:DescribeNatGateways

  • ec2:DescribeNetworkAcls

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribePrefixLists

  • ec2:DescribeRegions

  • ec2:DescribeRouteTables

  • ec2:DescribeSecurityGroups

  • ec2:DescribeSubnets

  • ec2:DescribeTags

  • ec2:DescribeVolumes

  • ec2:DescribeVpcAttribute

  • ec2:DescribeVpcClassicLink

  • ec2:DescribeVpcClassicLinkDnsSupport

  • ec2:DescribeVpcEndpoints

  • ec2:DescribeVpcs

  • ec2:GetEbsDefaultKmsKeyId

  • ec2:ModifyInstanceAttribute

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:RevokeSecurityGroupEgress

  • ec2:RevokeSecurityGroupIngress

  • ec2:RunInstances

  • ec2:TerminateInstances

Required permissions for creating network resources during installation

  • ec2:AllocateAddress

  • ec2:AssociateAddress

  • ec2:AssociateDhcpOptions

  • ec2:AssociateRouteTable

  • ec2:AttachInternetGateway

  • ec2:CreateDhcpOptions

  • ec2:CreateInternetGateway

  • ec2:CreateNatGateway

  • ec2:CreateRoute

  • ec2:CreateRouteTable

  • ec2:CreateSubnet

  • ec2:CreateVpc

  • ec2:CreateVpcEndpoint

  • ec2:ModifySubnetAttribute

  • ec2:ModifyVpcAttribute

If you use an existing VPC, your account does not require these permissions for creating network resources.

Required Elastic Load Balancing permissions (ELB) for installation

  • elasticloadbalancing:AddTags

  • elasticloadbalancing:ApplySecurityGroupsToLoadBalancer

  • elasticloadbalancing:AttachLoadBalancerToSubnets

  • elasticloadbalancing:ConfigureHealthCheck

  • elasticloadbalancing:CreateLoadBalancer

  • elasticloadbalancing:CreateLoadBalancerListeners

  • elasticloadbalancing:DeleteLoadBalancer

  • elasticloadbalancing:DeregisterInstancesFromLoadBalancer

  • elasticloadbalancing:DescribeInstanceHealth

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:DescribeLoadBalancers

  • elasticloadbalancing:DescribeTags

  • elasticloadbalancing:ModifyLoadBalancerAttributes

  • elasticloadbalancing:RegisterInstancesWithLoadBalancer

  • elasticloadbalancing:SetLoadBalancerPoliciesOfListener

Required Elastic Load Balancing permissions (ELBv2) for installation

  • elasticloadbalancing:AddTags

  • elasticloadbalancing:CreateListener

  • elasticloadbalancing:CreateLoadBalancer

  • elasticloadbalancing:CreateTargetGroup

  • elasticloadbalancing:DeleteLoadBalancer

  • elasticloadbalancing:DeregisterTargets

  • elasticloadbalancing:DescribeListeners

  • elasticloadbalancing:DescribeLoadBalancerAttributes

  • elasticloadbalancing:DescribeLoadBalancers

  • elasticloadbalancing:DescribeTargetGroupAttributes

  • elasticloadbalancing:DescribeTargetHealth

  • elasticloadbalancing:ModifyLoadBalancerAttributes

  • elasticloadbalancing:ModifyTargetGroup

  • elasticloadbalancing:ModifyTargetGroupAttributes

  • elasticloadbalancing:RegisterTargets

Required IAM permissions for installation

  • iam:AddRoleToInstanceProfile

  • iam:CreateInstanceProfile

  • iam:CreateRole

  • iam:DeleteInstanceProfile

  • iam:DeleteRole

  • iam:DeleteRolePolicy

  • iam:GetInstanceProfile

  • iam:GetRole

  • iam:GetRolePolicy

  • iam:GetUser

  • iam:ListInstanceProfilesForRole

  • iam:ListRoles

  • iam:ListUsers

  • iam:PassRole

  • iam:PutRolePolicy

  • iam:RemoveRoleFromInstanceProfile

  • iam:SimulatePrincipalPolicy

  • iam:TagRole

If you have not created an elastic load balancer (ELB) in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRole permission.

Required Route 53 permissions for installation

  • route53:ChangeResourceRecordSets

  • route53:ChangeTagsForResource

  • route53:CreateHostedZone

  • route53:DeleteHostedZone

  • route53:GetChange

  • route53:GetHostedZone

  • route53:ListHostedZones

  • route53:ListHostedZonesByName

  • route53:ListResourceRecordSets

  • route53:ListTagsForResource

  • route53:UpdateHostedZoneComment

Required S3 permissions for installation

  • s3:CreateBucket

  • s3:DeleteBucket

  • s3:GetAccelerateConfiguration

  • s3:GetBucketAcl

  • s3:GetBucketCors

  • s3:GetBucketLocation

  • s3:GetBucketLogging

  • s3:GetBucketObjectLockConfiguration

  • s3:GetBucketReplication

  • s3:GetBucketRequestPayment

  • s3:GetBucketTagging

  • s3:GetBucketVersioning

  • s3:GetBucketWebsite

  • s3:GetEncryptionConfiguration

  • s3:GetLifecycleConfiguration

  • s3:GetReplicationConfiguration

  • s3:ListBucket

  • s3:PutBucketAcl

  • s3:PutBucketTagging

  • s3:PutEncryptionConfiguration

S3 permissions that cluster Operators require

  • s3:DeleteObject

  • s3:GetObject

  • s3:GetObjectAcl

  • s3:GetObjectTagging

  • s3:GetObjectVersion

  • s3:PutObject

  • s3:PutObjectAcl

  • s3:PutObjectTagging

Required permissions to delete base cluster resources

  • autoscaling:DescribeAutoScalingGroups

  • ec2:DeleteNetworkInterface

  • ec2:DeleteVolume

  • elasticloadbalancing:DeleteTargetGroup

  • elasticloadbalancing:DescribeTargetGroups

  • iam:DeleteAccessKey

  • iam:DeleteUser

  • iam:ListAttachedRolePolicies

  • iam:ListInstanceProfiles

  • iam:ListRolePolicies

  • iam:ListUserPolicies

  • s3:DeleteObject

  • s3:ListBucketVersions

  • tag:GetResources

Required permissions to delete network resources

  • ec2:DeleteDhcpOptions

  • ec2:DeleteInternetGateway

  • ec2:DeleteNatGateway

  • ec2:DeleteRoute

  • ec2:DeleteRouteTable

  • ec2:DeleteSubnet

  • ec2:DeleteVpc

  • ec2:DeleteVpcEndpoints

  • ec2:DetachInternetGateway

  • ec2:DisassociateRouteTable

  • ec2:ReleaseAddress

  • ec2:ReplaceRouteTableAssociation

If you use an existing VPC, your account does not require these permissions to delete network resources. Instead, your account only requires the tag:UntagResources permission to delete network resources.

Required permissions to delete a cluster with shared instance roles

  • iam:UntagRole

Additional IAM and S3 permissions that are required to create manifests

  • iam:DeleteAccessKey

  • iam:DeleteUser

  • iam:DeleteUserPolicy

  • iam:GetUserPolicy

  • iam:ListAccessKeys

  • iam:PutUserPolicy

  • iam:TagUser

  • iam:GetUserPolicy

  • iam:ListAccessKeys

  • s3:PutBucketPublicAccessBlock

  • s3:GetBucketPublicAccessBlock

  • s3:PutLifecycleConfiguration

  • s3:HeadBucket

  • s3:ListBucketMultipartUploads

  • s3:AbortMultipartUpload

If you are managing your cloud provider credentials with mint mode, the IAM user also requires the iam:CreateAccessKey and iam:CreateUser permissions.

Optional permissions for instance and quota checks for installation

  • ec2:DescribeInstanceTypeOfferings

  • servicequotas:ListAWSDefaultServiceQuotas

Obtaining the installation program

Before you install OKD, download the installation file on a local computer.

Prerequisites

  • You have a computer that runs Linux or macOS, with 500 MB of local disk space

Procedure

  1. Download installer from https://github.com/openshift/okd/releases

    The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both files are required to delete the cluster.

    Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OKD uninstallation procedures for your specific cloud provider.

  2. Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:

    1. $ tar -xvf openshift-install-linux.tar.gz

  3. From the Pull Secret page on the Red Hat OpenShift Cluster Manager site, download your installation pull secret. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OKD components.

    Using a pull secret from the Red Hat OpenShift Cluster Manager site is not required. You can use a pull secret for another private registry. Or, if you do not need the cluster to pull images from a private registry, you can use {"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}} as the pull secret when prompted during the installation.

    If you do not use the pull secret from the Red Hat OpenShift Cluster Manager site:

    • Red Hat Operators are not available.

    • The Telemetry and Insights operators do not send data to Red Hat.

    • Content from the Red Hat Container Catalog registry, such as image streams and Operators, are not available.

Generating a key pair for cluster node SSH access

During an OKD installation, you can provide an SSH public key to the installation program. The key is passed to the Fedora CoreOS (FCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.

After the key is passed to the nodes, you can use the key pair to SSH in to the FCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.

If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.

Do not skip this procedure in production environments, where disaster recovery and debugging is required.

You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.

On clusters running Fedora CoreOS (FCOS), the SSH keys specified in the Ignition config files are written to the /home/core/.ssh/authorized_keys.d/core file. However, the Machine Config Operator manages SSH keys in the /home/core/.ssh/authorized_keys file and configures sshd to ignore the /home/core/.ssh/authorized_keys.d/core file. As a result, newly provisioned OKD nodes are not accessible using SSH until the Machine Config Operator reconciles the machine configs with the authorized_keys file. After you can access the nodes using SSH, you can delete the /home/core/.ssh/authorized_keys.d/core file.

Procedure

  1. If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:

    1. $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)
    1Specify the path and file name, such as ~/.ssh/id_rsa, of the new SSH key. If you have an existing key pair, ensure your public key is in the your ~/.ssh directory.

    If you plan to install an OKD cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the x86_64 architecture, do not create a key that uses the ed25519 algorithm. Instead, create a key that uses the rsa or ecdsa algorithm.

  2. View the public SSH key:

    1. $ cat <path>/<file_name>.pub

    For example, run the following to view the ~/.ssh/id_rsa.pub public key:

    1. $ cat ~/.ssh/id_rsa.pub

  3. Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather command.

    On some distributions, default SSH private key identities such as ~/.ssh/id_rsa and ~/.ssh/id_dsa are managed automatically.

    1. If the ssh-agent process is not already running for your local user, start it as a background task:

      1. $ eval "$(ssh-agent -s)"

      Example output

      1. Agent pid 31874

      If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.

  4. Add your SSH private key to the ssh-agent:

    1. $ ssh-add <path>/<file_name> (1)
    1Specify the path and file name for your SSH private key, such as ~/.ssh/id_rsa

    Example output

    1. Identity added: /home/<you>/<path>/<file_name> (<computer_name>)

Next steps

  • When you install OKD, provide the SSH public key to the installation program. If you install a cluster on infrastructure that you provision, you must provide the key to the installation program.

Creating the installation files for AWS

To install OKD on Amazon Web Services (AWS) using user-provisioned infrastructure, you must generate the files that the installation program needs to deploy your cluster and modify them so that the cluster creates only the machines that it will use. You generate and customize the install-config.yaml file, Kubernetes manifests, and Ignition config files. You also have the option to first set up a separate var partition during the preparation phases of installation.

Optional: Creating a separate /var partition

It is recommended that disk partitioning for OKD be left to the installer. However, there are cases where you might want to create separate partitions in a part of the filesystem that you expect to grow.

OKD supports the addition of a single partition to attach storage to either the /var partition or a subdirectory of /var. For example:

  • /var/lib/containers: Holds container-related content that can grow as more images and containers are added to a system.

  • /var/lib/etcd: Holds data that you might want to keep separate for purposes such as performance optimization of etcd storage.

  • /var: Holds data that you might want to keep separate for purposes such as auditing.

Storing the contents of a /var directory separately makes it easier to grow storage for those areas as needed and reinstall OKD at a later date and keep that data intact. With this method, you will not have to pull all your containers again, nor will you have to copy massive log files when you update systems.

Because /var must be in place before a fresh installation of Fedora CoreOS (FCOS), the following procedure sets up the separate /var partition by creating a machine config manifest that is inserted during the openshift-install preparation phases of an OKD installation.

If you follow the steps to create a separate /var partition in this procedure, it is not necessary to create the Kubernetes manifest and Ignition config files again as described later in this section.

Procedure

  1. Create a directory to hold the OKD installation files:

    1. $ mkdir $HOME/clusterconfig

  2. Run openshift-install to create a set of files in the manifest and openshift subdirectories. Answer the system questions as you are prompted:

    1. $ openshift-install create manifests --dir $HOME/clusterconfig

    Example output

    1. ? SSH Public Key ...
    2. INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials"
    3. INFO Consuming Install Config from target directory
    4. INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift

  3. Optional: Confirm that the installation program created manifests in the clusterconfig/openshift directory:

    1. $ ls $HOME/clusterconfig/openshift/

    Example output

    1. 99_kubeadmin-password-secret.yaml
    2. 99_openshift-cluster-api_master-machines-0.yaml
    3. 99_openshift-cluster-api_master-machines-1.yaml
    4. 99_openshift-cluster-api_master-machines-2.yaml
    5. ...

  4. Create a Butane config that configures the additional partition. For example, name the file $HOME/clusterconfig/98-var-partition.bu, change the disk device name to the name of the storage device on the worker systems, and set the storage size as appropriate. This example places the /var directory on a separate partition:

    1. variant: openshift
    2. version: 4.9.0
    3. metadata:
    4.   labels:
    5.     machineconfiguration.openshift.io/role: worker
    6.   name: 98-var-partition
    7. storage:
    8.   disks:
    9.   - device: /dev/<device_name> (1)
    10.     partitions:
    11.     - label: var
    12.       start_mib: <partition_start_offset> (2)
    13.       size_mib: <partition_size> (3)
    14.   filesystems:
    15.     - device: /dev/disk/by-partlabel/var
    16.       path: /var
    17.       format: xfs
    18.       mount_options: [defaults, prjquota] (4)
    19.       with_mount_unit: true
    1The storage device name of the disk that you want to partition.
    2When adding a data partition to the boot disk, a minimum value of 25000 MiB (Mebibytes) is recommended. The root file system is automatically resized to fill all available space up to the specified offset. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of FCOS might overwrite the beginning of the data partition.
    3The size of the data partition in mebibytes.
    4The prjquota mount option must be enabled for filesystems used for container storage.

    When creating a separate /var partition, you cannot use different instance types for worker nodes, if the different instance types do not have the same device name.

  5. Create a manifest from the Butane config and save it to the clusterconfig/openshift directory. For example, run the following command:

    1. $ butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml

  6. Run openshift-install again to create Ignition configs from a set of files in the manifest and openshift subdirectories:

    1. $ openshift-install create ignition-configs --dir $HOME/clusterconfig
    2. $ ls $HOME/clusterconfig/
    3. auth  bootstrap.ign  master.ign  metadata.json  worker.ign

Now you can use the Ignition config files as input to the installation procedures to install Fedora CoreOS (FCOS) systems.

Creating the installation configuration file

Generate and customize the installation configuration file that the installation program needs to deploy your cluster.

Prerequisites

  • You obtained the OKD installation program for user-provisioned infrastructure and the pull secret for your cluster.

  • You checked that you are deploying your cluster to a region with an accompanying Fedora CoreOS (FCOS) AMI published by Red Hat. If you are deploying to a region that requires a custom AMI, such as an AWS GovCloud region, you must create the install-config.yaml file manually.

Procedure

  1. Create the install-config.yaml file.

    1. Change to the directory that contains the installation program and run the following command:

      1. $ ./openshift-install create install-config --dir <installation_directory> (1)
      1For <installation_directory>, specify the directory name to store the files that the installation program creates.

      Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OKD version.

    2. At the prompts, provide the configuration details for your cloud:

      1. Optional: Select an SSH key to use to access your cluster machines.

        For production OKD clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.

      2. Select aws as the platform to target.

      3. If you do not have an AWS profile stored on your computer, enter the AWS access key ID and secret access key for the user that you configured to run the installation program.

        The AWS access key ID and secret access key are stored in ~/.aws/credentials in the home directory of the current user on the installation host. You are prompted for the credentials by the installation program if the credentials for the exported profile are not present in the file. Any credentials that you provide to the installation program are stored in the file.

      4. Select the AWS region to deploy the cluster to.

      5. Select the base domain for the Route 53 service that you configured for your cluster.

      6. Enter a descriptive name for your cluster.

      7. Paste the pull secret that you obtained from the Pull Secret page on the Red Hat OpenShift Cluster Manager site. This field is optional.

  1. Optional: Back up the install-config.yaml file.

    The install-config.yaml file is consumed during the installation process. If you want to reuse the file, you must back it up now.

Additional resources

Configuring the cluster-wide proxy during installation

Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OKD cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.

Prerequisites

  • You have an existing install-config.yaml file.

  • You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the Proxy object’s spec.noProxy field to bypass the proxy if necessary.

    The Proxy object status.noProxy field is populated with the values of the networking.machineNetwork[].cidr, networking.clusterNetwork[].cidr, and networking.serviceNetwork[] fields from your installation configuration.

    For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the Proxy object status.noProxy field is also populated with the instance metadata endpoint (169.254.169.254).

  • If your cluster is on AWS, you added the ec2.<region>.amazonaws.com, elasticloadbalancing.<region>.amazonaws.com, and s3.<region>.amazonaws.com endpoints to your VPC endpoint. These endpoints are required to complete requests from the nodes to the AWS EC2 API. Because the proxy works on the container level, not the node level, you must route these requests to the AWS EC2 API through the AWS private network. Adding the public IP address of the EC2 API to your allowlist in your proxy server is not sufficient.

Procedure

  1. Edit your install-config.yaml file and add the proxy settings. For example:

    1. apiVersion: v1
    2. baseDomain: my.domain.com
    3. proxy:
    4.   httpProxy: http://<username>:<pswd>@<ip>:<port> (1)
    5.   httpsProxy: https://<username>:<pswd>@<ip>:<port> (2)
    6.   noProxy: example.com (3)
    7. additionalTrustBundle: | (4)
    8.     -----BEGIN CERTIFICATE-----
    9.     <MY_TRUSTED_CA_CERT>
    10.     -----END CERTIFICATE-----
    11. ...
    1A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpProxy value.
    2A proxy URL to use for creating HTTPS connections outside the cluster. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpsProxy value.
    3A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass the proxy for all destinations.
    4If provided, the installation program generates a config map that is named user-ca-bundle in the openshift-config namespace to hold the additional CA certificates. If you provide additionalTrustBundle and at least one proxy setting, the Proxy object is configured to reference the user-ca-bundle config map in the trustedCA field. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges the contents specified for the trustedCA parameter with the FCOS trust bundle. The additionalTrustBundle field is required unless the proxy’s identity certificate is signed by an authority from the FCOS trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.

    The installation program does not support the proxy readinessEndpoints field.

  2. Save the file and reference it when installing OKD.

The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.

Only the Proxy object named cluster is supported, and no additional proxies can be created.

Creating the Kubernetes manifest and Ignition config files

Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.

The installation configuration file transforms into the Kubernetes manifests. The manifests wrap into the Ignition configuration files, which are later used to configure the cluster machines.

The Ignition config files that the OKD installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.

Prerequisites

  • You obtained the OKD installation program.

  • You created the install-config.yaml installation configuration file.

Procedure

  1. Change to the directory that contains the OKD installation program and generate the Kubernetes manifests for the cluster:

    1. $ ./openshift-install create manifests --dir <installation_directory> (1)

    Example output

    1. INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials"
    2. INFO Consuming Install Config from target directory
    3. INFO Manifests created in: install_dir/manifests and install_dir/openshift
    1For <installation_directory>, specify the installation directory that contains the install-config.yaml file you created.

  2. Remove the Kubernetes manifest files that define the control plane machines:

    1. $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml

    By removing these files, you prevent the cluster from automatically generating control plane machines.

  3. Remove the Kubernetes manifest files that define the worker machines:

    1. $ rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml

    Because you create and manage the worker machines yourself, you do not need to initialize these machines.

  4. Check that the mastersSchedulable parameter in the <installation_directory>/manifests/cluster-scheduler-02-config.yml Kubernetes manifest file is set to false. This setting prevents pods from being scheduled on the control plane machines:

    1. Open the <installation_directory>/manifests/cluster-scheduler-02-config.yml file.

    2. Locate the mastersSchedulable parameter and ensure that it is set to false.

    3. Save and exit the file.

  5. Optional: If you do not want the Ingress Operator to create DNS records on your behalf, remove the privateZone and publicZone sections from the <installation_directory>/manifests/cluster-dns-02-config.yml DNS configuration file:

    1. apiVersion: config.openshift.io/v1
    2. kind: DNS
    3. metadata:
    4.   creationTimestamp: null
    5.   name: cluster
    6. spec:
    7.   baseDomain: example.openshift.com
    8.   privateZone: (1)
    9.     id: mycluster-100419-private-zone
    10.   publicZone: (1)
    11.     id: example.openshift.com
    12. status: {}
    1Remove this section completely.

    If you do so, you must add ingress DNS records manually in a later step.

  6. To create the Ignition configuration files, run the following command from the directory that contains the installation program:

    1. $ ./openshift-install create ignition-configs --dir <installation_directory> (1)
    1For <installation_directory>, specify the same installation directory.

    Ignition config files are created for the bootstrap, control plane, and compute nodes in the installation directory. The kubeadmin-password and kubeconfig files are created in the ./<installation_directory>/auth directory:

    1. .
    2. ├── auth
    3.    ├── kubeadmin-password
    4.    └── kubeconfig
    5. ├── bootstrap.ign
    6. ├── master.ign
    7. ├── metadata.json
    8. └── worker.ign

Extracting the infrastructure name

The Ignition config files contain a unique cluster identifier that you can use to uniquely identify your cluster in Amazon Web Services (AWS). The infrastructure name is also used to locate the appropriate AWS resources during an OKD installation. The provided CloudFormation templates contain references to this infrastructure name, so you must extract it.

Prerequisites

  • You obtained the OKD installation program and the pull secret for your cluster.

  • You generated the Ignition config files for your cluster.

  • You installed the jq package.

Procedure

  • To extract and view the infrastructure name from the Ignition config file metadata, run the following command:

    1. $ jq -r .infraID <installation_directory>/metadata.json (1)
    1For <installation_directory>, specify the path to the directory that you stored the installation files in.

    Example output

    1. openshift-vw9j6 (1)
    1The output of this command is your cluster name and a random string.

Creating a VPC in AWS

You must create a Virtual Private Cloud (VPC) in Amazon Web Services (AWS) for your OKD cluster to use. You can customize the VPC to meet your requirements, including VPN and route tables.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the VPC.

If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

Procedure

  1. Create a JSON file that contains the parameter values that the template requires:

    1. [
    2.   {
    3.     "ParameterKey": "VpcCidr", (1)
    4.     "ParameterValue": "10.0.0.0/16" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "AvailabilityZoneCount", (3)
    8.     "ParameterValue": "1" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "SubnetBits", (5)
    12.     "ParameterValue": "12" (6)
    13.   }
    14. ]
    1The CIDR block for the VPC.
    2Specify a CIDR block in the format x.x.x.x/16-24.
    3The number of availability zones to deploy the VPC in.
    4Specify an integer between 1 and 3.
    5The size of each subnet in each availability zone.
    6Specify an integer between 5 and 13, where 5 is /27 and 13 is /19.

  2. Copy the template from the CloudFormation template for the VPC section of this topic and save it as a YAML file on your computer. This template describes the VPC that your cluster requires.

  3. Launch the CloudFormation template to create a stack of AWS resources that represent the VPC:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml (2)
    3.      --parameters file://<parameters>.json (3)
    1<name> is the name for the CloudFormation stack, such as cluster-vpc. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-vpc/dbedae40-2fd3-11eb-820e-12a48460849f

  4. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

    After the StackStatus displays CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:

    VpcId

    The ID of your VPC.

    PublicSubnetIds

    The IDs of the new public subnets.

    PrivateSubnetIds

    The IDs of the new private subnets.

CloudFormation template for the VPC

You can use the following CloudFormation template to deploy the VPC that you need for your OKD cluster.

CloudFormation template for the VPC

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for Best Practice VPC with 1-3 AZs
  4. Parameters:
  5.   VpcCidr:
  6.     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-4]))$
  7.     ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24.
  8.     Default: 10.0.0.0/16
  9.     Description: CIDR block for VPC.
  10.     Type: String
  11.   AvailabilityZoneCount:
  12.     ConstraintDescription: "The number of availability zones. (Min: 1, Max: 3)"
  13.     MinValue: 1
  14.     MaxValue: 3
  15.     Default: 1
  16.     Description: "How many AZs to create VPC subnets for. (Min: 1, Max: 3)"
  17.     Type: Number
  18.   SubnetBits:
  19.     ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/19-27.
  20.     MinValue: 5
  21.     MaxValue: 13
  22.     Default: 12
  23.     Description: "Size of each subnet to create within the availability zones. (Min: 5 = /27, Max: 13 = /19)"
  24.     Type: Number
  26. Metadata:
  27.   AWS::CloudFormation::Interface:
  28.     ParameterGroups:
  29.     - Label:
  30.         default: "Network Configuration"
  31.       Parameters:
  32.       - VpcCidr
  33.       - SubnetBits
  34.     - Label:
  35.         default: "Availability Zones"
  36.       Parameters:
  37.       - AvailabilityZoneCount
  38.     ParameterLabels:
  39.       AvailabilityZoneCount:
  40.         default: "Availability Zone Count"
  41.       VpcCidr:
  42.         default: "VPC CIDR"
  43.       SubnetBits:
  44.         default: "Bits Per Subnet"
  46. Conditions:
  47.   DoAz3: !Equals [3, !Ref AvailabilityZoneCount]
  48.   DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3]
  50. Resources:
  51.   VPC:
  52.     Type: "AWS::EC2::VPC"
  53.     Properties:
  54.       EnableDnsSupport: "true"
  55.       EnableDnsHostnames: "true"
  56.       CidrBlock: !Ref VpcCidr
  57.   PublicSubnet:
  58.     Type: "AWS::EC2::Subnet"
  59.     Properties:
  60.       VpcId: !Ref VPC
  61.       CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  62.       AvailabilityZone: !Select
  63.       - 0
  64.       - Fn::GetAZs: !Ref "AWS::Region"
  65.   PublicSubnet2:
  66.     Type: "AWS::EC2::Subnet"
  67.     Condition: DoAz2
  68.     Properties:
  69.       VpcId: !Ref VPC
  70.       CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  71.       AvailabilityZone: !Select
  72.       - 1
  73.       - Fn::GetAZs: !Ref "AWS::Region"
  74.   PublicSubnet3:
  75.     Type: "AWS::EC2::Subnet"
  76.     Condition: DoAz3
  77.     Properties:
  78.       VpcId: !Ref VPC
  79.       CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  80.       AvailabilityZone: !Select
  81.       - 2
  82.       - Fn::GetAZs: !Ref "AWS::Region"
  83.   InternetGateway:
  84.     Type: "AWS::EC2::InternetGateway"
  85.   GatewayToInternet:
  86.     Type: "AWS::EC2::VPCGatewayAttachment"
  87.     Properties:
  88.       VpcId: !Ref VPC
  89.       InternetGatewayId: !Ref InternetGateway
  90.   PublicRouteTable:
  91.     Type: "AWS::EC2::RouteTable"
  92.     Properties:
  93.       VpcId: !Ref VPC
  94.   PublicRoute:
  95.     Type: "AWS::EC2::Route"
  96.     DependsOn: GatewayToInternet
  97.     Properties:
  98.       RouteTableId: !Ref PublicRouteTable
  99.       DestinationCidrBlock: 0.0.0.0/0
  100.       GatewayId: !Ref InternetGateway
  101.   PublicSubnetRouteTableAssociation:
  102.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  103.     Properties:
  104.       SubnetId: !Ref PublicSubnet
  105.       RouteTableId: !Ref PublicRouteTable
  106.   PublicSubnetRouteTableAssociation2:
  107.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  108.     Condition: DoAz2
  109.     Properties:
  110.       SubnetId: !Ref PublicSubnet2
  111.       RouteTableId: !Ref PublicRouteTable
  112.   PublicSubnetRouteTableAssociation3:
  113.     Condition: DoAz3
  114.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  115.     Properties:
  116.       SubnetId: !Ref PublicSubnet3
  117.       RouteTableId: !Ref PublicRouteTable
  118.   PrivateSubnet:
  119.     Type: "AWS::EC2::Subnet"
  120.     Properties:
  121.       VpcId: !Ref VPC
  122.       CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  123.       AvailabilityZone: !Select
  124.       - 0
  125.       - Fn::GetAZs: !Ref "AWS::Region"
  126.   PrivateRouteTable:
  127.     Type: "AWS::EC2::RouteTable"
  128.     Properties:
  129.       VpcId: !Ref VPC
  130.   PrivateSubnetRouteTableAssociation:
  131.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  132.     Properties:
  133.       SubnetId: !Ref PrivateSubnet
  134.       RouteTableId: !Ref PrivateRouteTable
  135.   NAT:
  136.     DependsOn:
  137.     - GatewayToInternet
  138.     Type: "AWS::EC2::NatGateway"
  139.     Properties:
  140.       AllocationId:
  141.         "Fn::GetAtt":
  142.         - EIP
  143.         - AllocationId
  144.       SubnetId: !Ref PublicSubnet
  145.   EIP:
  146.     Type: "AWS::EC2::EIP"
  147.     Properties:
  148.       Domain: vpc
  149.   Route:
  150.     Type: "AWS::EC2::Route"
  151.     Properties:
  152.       RouteTableId:
  153.         Ref: PrivateRouteTable
  154.       DestinationCidrBlock: 0.0.0.0/0
  155.       NatGatewayId:
  156.         Ref: NAT
  157.   PrivateSubnet2:
  158.     Type: "AWS::EC2::Subnet"
  159.     Condition: DoAz2
  160.     Properties:
  161.       VpcId: !Ref VPC
  162.       CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  163.       AvailabilityZone: !Select
  164.       - 1
  165.       - Fn::GetAZs: !Ref "AWS::Region"
  166.   PrivateRouteTable2:
  167.     Type: "AWS::EC2::RouteTable"
  168.     Condition: DoAz2
  169.     Properties:
  170.       VpcId: !Ref VPC
  171.   PrivateSubnetRouteTableAssociation2:
  172.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  173.     Condition: DoAz2
  174.     Properties:
  175.       SubnetId: !Ref PrivateSubnet2
  176.       RouteTableId: !Ref PrivateRouteTable2
  177.   NAT2:
  178.     DependsOn:
  179.     - GatewayToInternet
  180.     Type: "AWS::EC2::NatGateway"
  181.     Condition: DoAz2
  182.     Properties:
  183.       AllocationId:
  184.         "Fn::GetAtt":
  185.         - EIP2
  186.         - AllocationId
  187.       SubnetId: !Ref PublicSubnet2
  188.   EIP2:
  189.     Type: "AWS::EC2::EIP"
  190.     Condition: DoAz2
  191.     Properties:
  192.       Domain: vpc
  193.   Route2:
  194.     Type: "AWS::EC2::Route"
  195.     Condition: DoAz2
  196.     Properties:
  197.       RouteTableId:
  198.         Ref: PrivateRouteTable2
  199.       DestinationCidrBlock: 0.0.0.0/0
  200.       NatGatewayId:
  201.         Ref: NAT2
  202.   PrivateSubnet3:
  203.     Type: "AWS::EC2::Subnet"
  204.     Condition: DoAz3
  205.     Properties:
  206.       VpcId: !Ref VPC
  207.       CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
  208.       AvailabilityZone: !Select
  209.       - 2
  210.       - Fn::GetAZs: !Ref "AWS::Region"
  211.   PrivateRouteTable3:
  212.     Type: "AWS::EC2::RouteTable"
  213.     Condition: DoAz3
  214.     Properties:
  215.       VpcId: !Ref VPC
  216.   PrivateSubnetRouteTableAssociation3:
  217.     Type: "AWS::EC2::SubnetRouteTableAssociation"
  218.     Condition: DoAz3
  219.     Properties:
  220.       SubnetId: !Ref PrivateSubnet3
  221.       RouteTableId: !Ref PrivateRouteTable3
  222.   NAT3:
  223.     DependsOn:
  224.     - GatewayToInternet
  225.     Type: "AWS::EC2::NatGateway"
  226.     Condition: DoAz3
  227.     Properties:
  228.       AllocationId:
  229.         "Fn::GetAtt":
  230.         - EIP3
  231.         - AllocationId
  232.       SubnetId: !Ref PublicSubnet3
  233.   EIP3:
  234.     Type: "AWS::EC2::EIP"
  235.     Condition: DoAz3
  236.     Properties:
  237.       Domain: vpc
  238.   Route3:
  239.     Type: "AWS::EC2::Route"
  240.     Condition: DoAz3
  241.     Properties:
  242.       RouteTableId:
  243.         Ref: PrivateRouteTable3
  244.       DestinationCidrBlock: 0.0.0.0/0
  245.       NatGatewayId:
  246.         Ref: NAT3
  247.   S3Endpoint:
  248.     Type: AWS::EC2::VPCEndpoint
  249.     Properties:
  250.       PolicyDocument:
  251.         Version: 2012-10-17
  252.         Statement:
  253.         - Effect: Allow
  254.           Principal: '*'
  255.           Action:
  256.           - '*'
  257.           Resource:
  258.           - '*'
  259.       RouteTableIds:
  260.       - !Ref PublicRouteTable
  261.       - !Ref PrivateRouteTable
  262.       - !If [DoAz2, !Ref PrivateRouteTable2, !Ref "AWS::NoValue"]
  263.       - !If [DoAz3, !Ref PrivateRouteTable3, !Ref "AWS::NoValue"]
  264.       ServiceName: !Join
  265.       - ''
  266.       - - com.amazonaws.
  267.         - !Ref 'AWS::Region'
  268.         - .s3
  269.       VpcId: !Ref VPC
  271. Outputs:
  272.   VpcId:
  273.     Description: ID of the new VPC.
  274.     Value: !Ref VPC
  275.   PublicSubnetIds:
  276.     Description: Subnet IDs of the public subnets.
  277.     Value:
  278.       !Join [
  279.         ",",
  280.         [!Ref PublicSubnet, !If [DoAz2, !Ref PublicSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PublicSubnet3, !Ref "AWS::NoValue"]]
  281.       ]
  282.   PrivateSubnetIds:
  283.     Description: Subnet IDs of the private subnets.
  284.     Value:
  285.       !Join [
  286.         ",",
  287.         [!Ref PrivateSubnet, !If [DoAz2, !Ref PrivateSubnet2, !Ref "AWS::NoValue"], !If [DoAz3, !Ref PrivateSubnet3, !Ref "AWS::NoValue"]]
  288.       ]

Additional resources

Creating networking and load balancing components in AWS

You must configure networking and classic or network load balancing in Amazon Web Services (AWS) that your OKD cluster can use.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the networking and load balancing components that your OKD cluster requires. The template also creates a hosted zone and subnet tags.

You can run the template multiple times within a single Virtual Private Cloud (VPC).

If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

Procedure

  1. Obtain the hosted zone ID for the Route 53 base domain that you specified in the install-config.yaml file for your cluster. You can obtain details about your hosted zone by running the following command:

    1. $ aws route53 list-hosted-zones-by-name --dns-name <route53_domain> (1)
    1For the <route53_domain>, specify the Route 53 base domain that you used when you generated the install-config.yaml file for the cluster.

    Example output

    1. mycluster.example.com.    False    100
    2. HOSTEDZONES    65F8F38E-2268-B835-E15C-AB55336FCBFA    /hostedzone/Z21IXYZABCZ2A4    mycluster.example.com.    10

    In the example output, the hosted zone ID is Z21IXYZABCZ2A4.

  2. Create a JSON file that contains the parameter values that the template requires:

    1. [
    2.   {
    3.     "ParameterKey": "ClusterName", (1)
    4.     "ParameterValue": "mycluster" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "InfrastructureName", (3)
    8.     "ParameterValue": "mycluster-<random_string>" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "HostedZoneId", (5)
    12.     "ParameterValue": "<random_string>" (6)
    13.   },
    14.   {
    15.     "ParameterKey": "HostedZoneName", (7)
    16.     "ParameterValue": "example.com" (8)
    17.   },
    18.   {
    19.     "ParameterKey": "PublicSubnets", (9)
    20.     "ParameterValue": "subnet-<random_string>" (10)
    21.   },
    22.   {
    23.     "ParameterKey": "PrivateSubnets", (11)
    24.     "ParameterValue": "subnet-<random_string>" (12)
    25.   },
    26.   {
    27.     "ParameterKey": "VpcId", (13)
    28.     "ParameterValue": "vpc-<random_string>" (14)
    29.   }
    30. ]
    1A short, representative cluster name to use for hostnames, etc.
    2Specify the cluster name that you used when you generated the install-config.yaml file for the cluster.
    3The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
    4Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format <cluster-name>-<random-string>.
    5The Route 53 public zone ID to register the targets with.
    6Specify the Route 53 public zone ID, which as a format similar to Z21IXYZABCZ2A4. You can obtain this value from the AWS console.
    7The Route 53 zone to register the targets with.
    8Specify the Route 53 base domain that you used when you generated the install-config.yaml file for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
    9The public subnets that you created for your VPC.
    10Specify the PublicSubnetIds value from the output of the CloudFormation template for the VPC.
    11The private subnets that you created for your VPC.
    12Specify the PrivateSubnetIds value from the output of the CloudFormation template for the VPC.
    13The VPC that you created for the cluster.
    14Specify the VpcId value from the output of the CloudFormation template for the VPC.

  3. Copy the template from the CloudFormation template for the network and load balancers section of this topic and save it as a YAML file on your computer. This template describes the networking and load balancing objects that your cluster requires.

    If you are deploying your cluster to an AWS government or secret region, you must update the InternalApiServerRecord in the CloudFormation template to use CNAME records. Records of type ALIAS are not supported for AWS government regions.

  4. Launch the CloudFormation template to create a stack of AWS resources that provide the networking and load balancing components:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml (2)
    3.      --parameters file://<parameters>.json (3)
    4.      --capabilities CAPABILITY_NAMED_IAM (4)
    1<name> is the name for the CloudFormation stack, such as cluster-dns. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.
    4You must explicitly declare the CAPABILITY_NAMED_IAM capability because the provided template creates some AWS::IAM::Role resources.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-dns/cd3e5de0-2fd4-11eb-5cf0-12be5c33a183

  5. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

    After the StackStatus displays CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:

    PrivateHostedZoneId

    Hosted zone ID for the private DNS.

    ExternalApiLoadBalancerName

    Full name of the external API load balancer.

    InternalApiLoadBalancerName

    Full name of the internal API load balancer.

    ApiServerDnsName

    Full hostname of the API server.

    RegisterNlbIpTargetsLambda

    Lambda ARN useful to help register/deregister IP targets for these load balancers.

    ExternalApiTargetGroupArn

    ARN of external API target group.

    InternalApiTargetGroupArn

    ARN of internal API target group.

    InternalServiceTargetGroupArn

    ARN of internal service target group.

CloudFormation template for the network and load balancers

You can use the following CloudFormation template to deploy the networking objects and load balancers that you need for your OKD cluster.

CloudFormation template for the network and load balancers

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for OpenShift Cluster Network Elements (Route53 & LBs)
  4. Parameters:
  5.   ClusterName:
  6.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  7.     MaxLength: 27
  8.     MinLength: 1
  9.     ConstraintDescription: Cluster name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  10.     Description: A short, representative cluster name to use for host names and other identifying names.
  11.     Type: String
  12.   InfrastructureName:
  13.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  14.     MaxLength: 27
  15.     MinLength: 1
  16.     ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  17.     Description: A short, unique cluster ID used to tag cloud resources and identify items owned or used by the cluster.
  18.     Type: String
  19.   HostedZoneId:
  20.     Description: The Route53 public zone ID to register the targets with, such as Z21IXYZABCZ2A4.
  21.     Type: String
  22.   HostedZoneName:
  23.     Description: The Route53 zone to register the targets with, such as example.com. Omit the trailing period.
  24.     Type: String
  25.     Default: "example.com"
  26.   PublicSubnets:
  27.     Description: The internet-facing subnets.
  28.     Type: List<AWS::EC2::Subnet::Id>
  29.   PrivateSubnets:
  30.     Description: The internal subnets.
  31.     Type: List<AWS::EC2::Subnet::Id>
  32.   VpcId:
  33.     Description: The VPC-scoped resources will belong to this VPC.
  34.     Type: AWS::EC2::VPC::Id
  36. Metadata:
  37.   AWS::CloudFormation::Interface:
  38.     ParameterGroups:
  39.     - Label:
  40.         default: "Cluster Information"
  41.       Parameters:
  42.       - ClusterName
  43.       - InfrastructureName
  44.     - Label:
  45.         default: "Network Configuration"
  46.       Parameters:
  47.       - VpcId
  48.       - PublicSubnets
  49.       - PrivateSubnets
  50.     - Label:
  51.         default: "DNS"
  52.       Parameters:
  53.       - HostedZoneName
  54.       - HostedZoneId
  55.     ParameterLabels:
  56.       ClusterName:
  57.         default: "Cluster Name"
  58.       InfrastructureName:
  59.         default: "Infrastructure Name"
  60.       VpcId:
  61.         default: "VPC ID"
  62.       PublicSubnets:
  63.         default: "Public Subnets"
  64.       PrivateSubnets:
  65.         default: "Private Subnets"
  66.       HostedZoneName:
  67.         default: "Public Hosted Zone Name"
  68.       HostedZoneId:
  69.         default: "Public Hosted Zone ID"
  71. Resources:
  72.   ExtApiElb:
  73.     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  74.     Properties:
  75.       Name: !Join ["-", [!Ref InfrastructureName, "ext"]]
  76.       IpAddressType: ipv4
  77.       Subnets: !Ref PublicSubnets
  78.       Type: network
  80.   IntApiElb:
  81.     Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  82.     Properties:
  83.       Name: !Join ["-", [!Ref InfrastructureName, "int"]]
  84.       Scheme: internal
  85.       IpAddressType: ipv4
  86.       Subnets: !Ref PrivateSubnets
  87.       Type: network
  89.   IntDns:
  90.     Type: "AWS::Route53::HostedZone"
  91.     Properties:
  92.       HostedZoneConfig:
  93.         Comment: "Managed by CloudFormation"
  94.       Name: !Join [".", [!Ref ClusterName, !Ref HostedZoneName]]
  95.       HostedZoneTags:
  96.       - Key: Name
  97.         Value: !Join ["-", [!Ref InfrastructureName, "int"]]
  98.       - Key: !Join ["", ["kubernetes.io/cluster/", !Ref InfrastructureName]]
  99.         Value: "owned"
  100.       VPCs:
  101.       - VPCId: !Ref VpcId
  102.         VPCRegion: !Ref "AWS::Region"
  104.   ExternalApiServerRecord:
  105.     Type: AWS::Route53::RecordSetGroup
  106.     Properties:
  107.       Comment: Alias record for the API server
  108.       HostedZoneId: !Ref HostedZoneId
  109.       RecordSets:
  110.       - Name:
  111.           !Join [
  112.             ".",
  113.             ["api", !Ref ClusterName, !Join ["", [!Ref HostedZoneName, "."]]],
  114.           ]
  115.         Type: A
  116.         AliasTarget:
  117.           HostedZoneId: !GetAtt ExtApiElb.CanonicalHostedZoneID
  118.           DNSName: !GetAtt ExtApiElb.DNSName
  120.   InternalApiServerRecord:
  121.     Type: AWS::Route53::RecordSetGroup
  122.     Properties:
  123.       Comment: Alias record for the API server
  124.       HostedZoneId: !Ref IntDns
  125.       RecordSets:
  126.       - Name:
  127.           !Join [
  128.             ".",
  129.             ["api", !Ref ClusterName, !Join ["", [!Ref HostedZoneName, "."]]],
  130.           ]
  131.         Type: A
  132.         AliasTarget:
  133.           HostedZoneId: !GetAtt IntApiElb.CanonicalHostedZoneID
  134.           DNSName: !GetAtt IntApiElb.DNSName
  135.       - Name:
  136.           !Join [
  137.             ".",
  138.             ["api-int", !Ref ClusterName, !Join ["", [!Ref HostedZoneName, "."]]],
  139.           ]
  140.         Type: A
  141.         AliasTarget:
  142.           HostedZoneId: !GetAtt IntApiElb.CanonicalHostedZoneID
  143.           DNSName: !GetAtt IntApiElb.DNSName
  145.   ExternalApiListener:
  146.     Type: AWS::ElasticLoadBalancingV2::Listener
  147.     Properties:
  148.       DefaultActions:
  149.       - Type: forward
  150.         TargetGroupArn:
  151.           Ref: ExternalApiTargetGroup
  152.       LoadBalancerArn:
  153.         Ref: ExtApiElb
  154.       Port: 6443
  155.       Protocol: TCP
  157.   ExternalApiTargetGroup:
  158.     Type: AWS::ElasticLoadBalancingV2::TargetGroup
  159.     Properties:
  160.       HealthCheckIntervalSeconds: 10
  161.       HealthCheckPath: "/readyz"
  162.       HealthCheckPort: 6443
  163.       HealthCheckProtocol: HTTPS
  164.       HealthyThresholdCount: 2
  165.       UnhealthyThresholdCount: 2
  166.       Port: 6443
  167.       Protocol: TCP
  168.       TargetType: ip
  169.       VpcId:
  170.         Ref: VpcId
  171.       TargetGroupAttributes:
  172.       - Key: deregistration_delay.timeout_seconds
  173.         Value: 60
  175.   InternalApiListener:
  176.     Type: AWS::ElasticLoadBalancingV2::Listener
  177.     Properties:
  178.       DefaultActions:
  179.       - Type: forward
  180.         TargetGroupArn:
  181.           Ref: InternalApiTargetGroup
  182.       LoadBalancerArn:
  183.         Ref: IntApiElb
  184.       Port: 6443
  185.       Protocol: TCP
  187.   InternalApiTargetGroup:
  188.     Type: AWS::ElasticLoadBalancingV2::TargetGroup
  189.     Properties:
  190.       HealthCheckIntervalSeconds: 10
  191.       HealthCheckPath: "/readyz"
  192.       HealthCheckPort: 6443
  193.       HealthCheckProtocol: HTTPS
  194.       HealthyThresholdCount: 2
  195.       UnhealthyThresholdCount: 2
  196.       Port: 6443
  197.       Protocol: TCP
  198.       TargetType: ip
  199.       VpcId:
  200.         Ref: VpcId
  201.       TargetGroupAttributes:
  202.       - Key: deregistration_delay.timeout_seconds
  203.         Value: 60
  205.   InternalServiceInternalListener:
  206.     Type: AWS::ElasticLoadBalancingV2::Listener
  207.     Properties:
  208.       DefaultActions:
  209.       - Type: forward
  210.         TargetGroupArn:
  211.           Ref: InternalServiceTargetGroup
  212.       LoadBalancerArn:
  213.         Ref: IntApiElb
  214.       Port: 22623
  215.       Protocol: TCP
  217.   InternalServiceTargetGroup:
  218.     Type: AWS::ElasticLoadBalancingV2::TargetGroup
  219.     Properties:
  220.       HealthCheckIntervalSeconds: 10
  221.       HealthCheckPath: "/healthz"
  222.       HealthCheckPort: 22623
  223.       HealthCheckProtocol: HTTPS
  224.       HealthyThresholdCount: 2
  225.       UnhealthyThresholdCount: 2
  226.       Port: 22623
  227.       Protocol: TCP
  228.       TargetType: ip
  229.       VpcId:
  230.         Ref: VpcId
  231.       TargetGroupAttributes:
  232.       - Key: deregistration_delay.timeout_seconds
  233.         Value: 60
  235.   RegisterTargetLambdaIamRole:
  236.     Type: AWS::IAM::Role
  237.     Properties:
  238.       RoleName: !Join ["-", [!Ref InfrastructureName, "nlb", "lambda", "role"]]
  239.       AssumeRolePolicyDocument:
  240.         Version: "2012-10-17"
  241.         Statement:
  242.         - Effect: "Allow"
  243.           Principal:
  244.             Service:
  245.             - "lambda.amazonaws.com"
  246.           Action:
  247.           - "sts:AssumeRole"
  248.       Path: "/"
  249.       Policies:
  250.       - PolicyName: !Join ["-", [!Ref InfrastructureName, "master", "policy"]]
  251.         PolicyDocument:
  252.           Version: "2012-10-17"
  253.           Statement:
  254.           - Effect: "Allow"
  255.             Action:
  256.               [
  257.                 "elasticloadbalancing:RegisterTargets",
  258.                 "elasticloadbalancing:DeregisterTargets",
  259.               ]
  260.             Resource: !Ref InternalApiTargetGroup
  261.           - Effect: "Allow"
  262.             Action:
  263.               [
  264.                 "elasticloadbalancing:RegisterTargets",
  265.                 "elasticloadbalancing:DeregisterTargets",
  266.               ]
  267.             Resource: !Ref InternalServiceTargetGroup
  268.           - Effect: "Allow"
  269.             Action:
  270.               [
  271.                 "elasticloadbalancing:RegisterTargets",
  272.                 "elasticloadbalancing:DeregisterTargets",
  273.               ]
  274.             Resource: !Ref ExternalApiTargetGroup
  276.   RegisterNlbIpTargets:
  277.     Type: "AWS::Lambda::Function"
  278.     Properties:
  279.       Handler: "index.handler"
  280.       Role:
  281.         Fn::GetAtt:
  282.         - "RegisterTargetLambdaIamRole"
  283.         - "Arn"
  284.       Code:
  285.         ZipFile: |
  286.           import json
  287.           import boto3
  288.           import cfnresponse
  289.           def handler(event, context):
  290.             elb = boto3.client('elbv2')
  291.             if event['RequestType'] == 'Delete':
  292.               elb.deregister_targets(TargetGroupArn=event['ResourceProperties']['TargetArn'],Targets=[{'Id': event['ResourceProperties']['TargetIp']}])
  293.             elif event['RequestType'] == 'Create':
  294.               elb.register_targets(TargetGroupArn=event['ResourceProperties']['TargetArn'],Targets=[{'Id': event['ResourceProperties']['TargetIp']}])
  295.             responseData = {}
  296.             cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData, event['ResourceProperties']['TargetArn']+event['ResourceProperties']['TargetIp'])
  297.       Runtime: "python3.7"
  298.       Timeout: 120
  300.   RegisterSubnetTagsLambdaIamRole:
  301.     Type: AWS::IAM::Role
  302.     Properties:
  303.       RoleName: !Join ["-", [!Ref InfrastructureName, "subnet-tags-lambda-role"]]
  304.       AssumeRolePolicyDocument:
  305.         Version: "2012-10-17"
  306.         Statement:
  307.         - Effect: "Allow"
  308.           Principal:
  309.             Service:
  310.             - "lambda.amazonaws.com"
  311.           Action:
  312.           - "sts:AssumeRole"
  313.       Path: "/"
  314.       Policies:
  315.       - PolicyName: !Join ["-", [!Ref InfrastructureName, "subnet-tagging-policy"]]
  316.         PolicyDocument:
  317.           Version: "2012-10-17"
  318.           Statement:
  319.           - Effect: "Allow"
  320.             Action:
  321.               [
  322.                 "ec2:DeleteTags",
  323.                 "ec2:CreateTags"
  324.               ]
  325.             Resource: "arn:aws:ec2:*:*:subnet/*"
  326.           - Effect: "Allow"
  327.             Action:
  328.               [
  329.                 "ec2:DescribeSubnets",
  330.                 "ec2:DescribeTags"
  331.               ]
  332.             Resource: "*"
  334.   RegisterSubnetTags:
  335.     Type: "AWS::Lambda::Function"
  336.     Properties:
  337.       Handler: "index.handler"
  338.       Role:
  339.         Fn::GetAtt:
  340.         - "RegisterSubnetTagsLambdaIamRole"
  341.         - "Arn"
  342.       Code:
  343.         ZipFile: |
  344.           import json
  345.           import boto3
  346.           import cfnresponse
  347.           def handler(event, context):
  348.             ec2_client = boto3.client('ec2')
  349.             if event['RequestType'] == 'Delete':
  350.               for subnet_id in event['ResourceProperties']['Subnets']:
  351.                 ec2_client.delete_tags(Resources=[subnet_id], Tags=[{'Key': 'kubernetes.io/cluster/' + event['ResourceProperties']['InfrastructureName']}]);
  352.             elif event['RequestType'] == 'Create':
  353.               for subnet_id in event['ResourceProperties']['Subnets']:
  354.                 ec2_client.create_tags(Resources=[subnet_id], Tags=[{'Key': 'kubernetes.io/cluster/' + event['ResourceProperties']['InfrastructureName'], 'Value': 'shared'}]);
  355.             responseData = {}
  356.             cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData, event['ResourceProperties']['InfrastructureName']+event['ResourceProperties']['Subnets'][0])
  357.       Runtime: "python3.7"
  358.       Timeout: 120
  360.   RegisterPublicSubnetTags:
  361.     Type: Custom::SubnetRegister
  362.     Properties:
  363.       ServiceToken: !GetAtt RegisterSubnetTags.Arn
  364.       InfrastructureName: !Ref InfrastructureName
  365.       Subnets: !Ref PublicSubnets
  367.   RegisterPrivateSubnetTags:
  368.     Type: Custom::SubnetRegister
  369.     Properties:
  370.       ServiceToken: !GetAtt RegisterSubnetTags.Arn
  371.       InfrastructureName: !Ref InfrastructureName
  372.       Subnets: !Ref PrivateSubnets
  374. Outputs:
  375.   PrivateHostedZoneId:
  376.     Description: Hosted zone ID for the private DNS, which is required for private records.
  377.     Value: !Ref IntDns
  378.   ExternalApiLoadBalancerName:
  379.     Description: Full name of the external API load balancer.
  380.     Value: !GetAtt ExtApiElb.LoadBalancerFullName
  381.   InternalApiLoadBalancerName:
  382.     Description: Full name of the internal API load balancer.
  383.     Value: !GetAtt IntApiElb.LoadBalancerFullName
  384.   ApiServerDnsName:
  385.     Description: Full hostname of the API server, which is required for the Ignition config files.
  386.     Value: !Join [".", ["api-int", !Ref ClusterName, !Ref HostedZoneName]]
  387.   RegisterNlbIpTargetsLambda:
  388.     Description: Lambda ARN useful to help register or deregister IP targets for these load balancers.
  389.     Value: !GetAtt RegisterNlbIpTargets.Arn
  390.   ExternalApiTargetGroupArn:
  391.     Description: ARN of the external API target group.
  392.     Value: !Ref ExternalApiTargetGroup
  393.   InternalApiTargetGroupArn:
  394.     Description: ARN of the internal API target group.
  395.     Value: !Ref InternalApiTargetGroup
  396.   InternalServiceTargetGroupArn:
  397.     Description: ARN of the internal service target group.
  398.     Value: !Ref InternalServiceTargetGroup

If you are deploying your cluster to an AWS government or secret region, you must update the InternalApiServerRecord to use CNAME records. Records of type ALIAS are not supported for AWS government regions. For example:

  1. Type: CNAME
  2. TTL: 10
  3. ResourceRecords:
  4. - !GetAtt IntApiElb.DNSName

Additional resources

Creating security group and roles in AWS

You must create security groups and roles in Amazon Web Services (AWS) for your OKD cluster to use.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the security groups and roles that your OKD cluster requires.

If you do not use the provided CloudFormation template to create your AWS infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

Procedure

  1. Create a JSON file that contains the parameter values that the template requires:

    1. [
    2.   {
    3.     "ParameterKey": "InfrastructureName", (1)
    4.     "ParameterValue": "mycluster-<random_string>" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "VpcCidr", (3)
    8.     "ParameterValue": "10.0.0.0/16" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "PrivateSubnets", (5)
    12.     "ParameterValue": "subnet-<random_string>" (6)
    13.   },
    14.   {
    15.     "ParameterKey": "VpcId", (7)
    16.     "ParameterValue": "vpc-<random_string>" (8)
    17.   }
    18. ]
    1The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
    2Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format <cluster-name>-<random-string>.
    3The CIDR block for the VPC.
    4Specify the CIDR block parameter that you used for the VPC that you defined in the form x.x.x.x/16-24.
    5The private subnets that you created for your VPC.
    6Specify the PrivateSubnetIds value from the output of the CloudFormation template for the VPC.
    7The VPC that you created for the cluster.
    8Specify the VpcId value from the output of the CloudFormation template for the VPC.

  2. Copy the template from the CloudFormation template for security objects section of this topic and save it as a YAML file on your computer. This template describes the security groups and roles that your cluster requires.

  3. Launch the CloudFormation template to create a stack of AWS resources that represent the security groups and roles:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml (2)
    3.      --parameters file://<parameters>.json (3)
    4.      --capabilities CAPABILITY_NAMED_IAM (4)
    1<name> is the name for the CloudFormation stack, such as cluster-sec. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.
    4You must explicitly declare the CAPABILITY_NAMED_IAM capability because the provided template creates some AWS::IAM::Role and AWS::IAM::InstanceProfile resources.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db

  4. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

    After the StackStatus displays CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:

    MasterSecurityGroupId

    Master Security Group ID

    WorkerSecurityGroupId

    Worker Security Group ID

    MasterInstanceProfile

    Master IAM Instance Profile

    WorkerInstanceProfile

    Worker IAM Instance Profile

CloudFormation template for security objects

You can use the following CloudFormation template to deploy the security objects that you need for your OKD cluster.

CloudFormation template for security objects

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for OpenShift Cluster Security Elements (Security Groups & IAM)
  4. Parameters:
  5.   InfrastructureName:
  6.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  7.     MaxLength: 27
  8.     MinLength: 1
  9.     ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  10.     Description: A short, unique cluster ID used to tag cloud resources and identify items owned or used by the cluster.
  11.     Type: String
  12.   VpcCidr:
  13.     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(1[6-9]|2[0-4]))$
  14.     ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/16-24.
  15.     Default: 10.0.0.0/16
  16.     Description: CIDR block for VPC.
  17.     Type: String
  18.   VpcId:
  19.     Description: The VPC-scoped resources will belong to this VPC.
  20.     Type: AWS::EC2::VPC::Id
  21.   PrivateSubnets:
  22.     Description: The internal subnets.
  23.     Type: List<AWS::EC2::Subnet::Id>
  25. Metadata:
  26.   AWS::CloudFormation::Interface:
  27.     ParameterGroups:
  28.     - Label:
  29.         default: "Cluster Information"
  30.       Parameters:
  31.       - InfrastructureName
  32.     - Label:
  33.         default: "Network Configuration"
  34.       Parameters:
  35.       - VpcId
  36.       - VpcCidr
  37.       - PrivateSubnets
  38.     ParameterLabels:
  39.       InfrastructureName:
  40.         default: "Infrastructure Name"
  41.       VpcId:
  42.         default: "VPC ID"
  43.       VpcCidr:
  44.         default: "VPC CIDR"
  45.       PrivateSubnets:
  46.         default: "Private Subnets"
  48. Resources:
  49.   MasterSecurityGroup:
  50.     Type: AWS::EC2::SecurityGroup
  51.     Properties:
  52.       GroupDescription: Cluster Master Security Group
  53.       SecurityGroupIngress:
  54.       - IpProtocol: icmp
  55.         FromPort: 0
  56.         ToPort: 0
  57.         CidrIp: !Ref VpcCidr
  58.       - IpProtocol: tcp
  59.         FromPort: 22
  60.         ToPort: 22
  61.         CidrIp: !Ref VpcCidr
  62.       - IpProtocol: tcp
  63.         ToPort: 6443
  64.         FromPort: 6443
  65.         CidrIp: !Ref VpcCidr
  66.       - IpProtocol: tcp
  67.         FromPort: 22623
  68.         ToPort: 22623
  69.         CidrIp: !Ref VpcCidr
  70.       VpcId: !Ref VpcId
  72.   WorkerSecurityGroup:
  73.     Type: AWS::EC2::SecurityGroup
  74.     Properties:
  75.       GroupDescription: Cluster Worker Security Group
  76.       SecurityGroupIngress:
  77.       - IpProtocol: icmp
  78.         FromPort: 0
  79.         ToPort: 0
  80.         CidrIp: !Ref VpcCidr
  81.       - IpProtocol: tcp
  82.         FromPort: 22
  83.         ToPort: 22
  84.         CidrIp: !Ref VpcCidr
  85.       VpcId: !Ref VpcId
  87.   MasterIngressEtcd:
  88.     Type: AWS::EC2::SecurityGroupIngress
  89.     Properties:
  90.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  91.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  92.       Description: etcd
  93.       FromPort: 2379
  94.       ToPort: 2380
  95.       IpProtocol: tcp
  97.   MasterIngressVxlan:
  98.     Type: AWS::EC2::SecurityGroupIngress
  99.     Properties:
  100.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  101.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  102.       Description: Vxlan packets
  103.       FromPort: 4789
  104.       ToPort: 4789
  105.       IpProtocol: udp
  107.   MasterIngressWorkerVxlan:
  108.     Type: AWS::EC2::SecurityGroupIngress
  109.     Properties:
  110.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  111.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  112.       Description: Vxlan packets
  113.       FromPort: 4789
  114.       ToPort: 4789
  115.       IpProtocol: udp
  117.   MasterIngressGeneve:
  118.     Type: AWS::EC2::SecurityGroupIngress
  119.     Properties:
  120.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  121.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  122.       Description: Geneve packets
  123.       FromPort: 6081
  124.       ToPort: 6081
  125.       IpProtocol: udp
  127.   MasterIngressWorkerGeneve:
  128.     Type: AWS::EC2::SecurityGroupIngress
  129.     Properties:
  130.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  131.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  132.       Description: Geneve packets
  133.       FromPort: 6081
  134.       ToPort: 6081
  135.       IpProtocol: udp
  137.   MasterIngressIpsecIke:
  138.     Type: AWS::EC2::SecurityGroupIngress
  139.     Properties:
  140.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  141.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  142.       Description: IPsec IKE packets
  143.       FromPort: 500
  144.       ToPort: 500
  145.       IpProtocol: udp
  147.   MasterIngressIpsecNat:
  148.     Type: AWS::EC2::SecurityGroupIngress
  149.     Properties:
  150.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  151.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  152.       Description: IPsec NAT-T packets
  153.       FromPort: 4500
  154.       ToPort: 4500
  155.       IpProtocol: udp
  157.   MasterIngressIpsecEsp:
  158.     Type: AWS::EC2::SecurityGroupIngress
  159.     Properties:
  160.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  161.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  162.       Description: IPsec ESP packets
  163.       IpProtocol: 50
  165.   MasterIngressWorkerIpsecIke:
  166.     Type: AWS::EC2::SecurityGroupIngress
  167.     Properties:
  168.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  169.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  170.       Description: IPsec IKE packets
  171.       FromPort: 500
  172.       ToPort: 500
  173.       IpProtocol: udp
  175.   MasterIngressWorkerIpsecNat:
  176.     Type: AWS::EC2::SecurityGroupIngress
  177.     Properties:
  178.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  179.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  180.       Description: IPsec NAT-T packets
  181.       FromPort: 4500
  182.       ToPort: 4500
  183.       IpProtocol: udp
  185.   MasterIngressWorkerIpsecEsp:
  186.     Type: AWS::EC2::SecurityGroupIngress
  187.     Properties:
  188.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  189.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  190.       Description: IPsec ESP packets
  191.       IpProtocol: 50
  193.   MasterIngressInternal:
  194.     Type: AWS::EC2::SecurityGroupIngress
  195.     Properties:
  196.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  197.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  198.       Description: Internal cluster communication
  199.       FromPort: 9000
  200.       ToPort: 9999
  201.       IpProtocol: tcp
  203.   MasterIngressWorkerInternal:
  204.     Type: AWS::EC2::SecurityGroupIngress
  205.     Properties:
  206.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  207.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  208.       Description: Internal cluster communication
  209.       FromPort: 9000
  210.       ToPort: 9999
  211.       IpProtocol: tcp
  213.   MasterIngressInternalUDP:
  214.     Type: AWS::EC2::SecurityGroupIngress
  215.     Properties:
  216.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  217.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  218.       Description: Internal cluster communication
  219.       FromPort: 9000
  220.       ToPort: 9999
  221.       IpProtocol: udp
  223.   MasterIngressWorkerInternalUDP:
  224.     Type: AWS::EC2::SecurityGroupIngress
  225.     Properties:
  226.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  227.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  228.       Description: Internal cluster communication
  229.       FromPort: 9000
  230.       ToPort: 9999
  231.       IpProtocol: udp
  233.   MasterIngressKube:
  234.     Type: AWS::EC2::SecurityGroupIngress
  235.     Properties:
  236.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  237.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  238.       Description: Kubernetes kubelet, scheduler and controller manager
  239.       FromPort: 10250
  240.       ToPort: 10259
  241.       IpProtocol: tcp
  243.   MasterIngressWorkerKube:
  244.     Type: AWS::EC2::SecurityGroupIngress
  245.     Properties:
  246.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  247.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  248.       Description: Kubernetes kubelet, scheduler and controller manager
  249.       FromPort: 10250
  250.       ToPort: 10259
  251.       IpProtocol: tcp
  253.   MasterIngressIngressServices:
  254.     Type: AWS::EC2::SecurityGroupIngress
  255.     Properties:
  256.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  257.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  258.       Description: Kubernetes ingress services
  259.       FromPort: 30000
  260.       ToPort: 32767
  261.       IpProtocol: tcp
  263.   MasterIngressWorkerIngressServices:
  264.     Type: AWS::EC2::SecurityGroupIngress
  265.     Properties:
  266.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  267.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  268.       Description: Kubernetes ingress services
  269.       FromPort: 30000
  270.       ToPort: 32767
  271.       IpProtocol: tcp
  273.   MasterIngressIngressServicesUDP:
  274.     Type: AWS::EC2::SecurityGroupIngress
  275.     Properties:
  276.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  277.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  278.       Description: Kubernetes ingress services
  279.       FromPort: 30000
  280.       ToPort: 32767
  281.       IpProtocol: udp
  283.   MasterIngressWorkerIngressServicesUDP:
  284.     Type: AWS::EC2::SecurityGroupIngress
  285.     Properties:
  286.       GroupId: !GetAtt MasterSecurityGroup.GroupId
  287.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  288.       Description: Kubernetes ingress services
  289.       FromPort: 30000
  290.       ToPort: 32767
  291.       IpProtocol: udp
  293.   WorkerIngressVxlan:
  294.     Type: AWS::EC2::SecurityGroupIngress
  295.     Properties:
  296.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  297.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  298.       Description: Vxlan packets
  299.       FromPort: 4789
  300.       ToPort: 4789
  301.       IpProtocol: udp
  303.   WorkerIngressMasterVxlan:
  304.     Type: AWS::EC2::SecurityGroupIngress
  305.     Properties:
  306.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  307.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  308.       Description: Vxlan packets
  309.       FromPort: 4789
  310.       ToPort: 4789
  311.       IpProtocol: udp
  313.   WorkerIngressGeneve:
  314.     Type: AWS::EC2::SecurityGroupIngress
  315.     Properties:
  316.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  317.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  318.       Description: Geneve packets
  319.       FromPort: 6081
  320.       ToPort: 6081
  321.       IpProtocol: udp
  323.   WorkerIngressMasterGeneve:
  324.     Type: AWS::EC2::SecurityGroupIngress
  325.     Properties:
  326.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  327.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  328.       Description: Geneve packets
  329.       FromPort: 6081
  330.       ToPort: 6081
  331.       IpProtocol: udp
  333.   WorkerIngressIpsecIke:
  334.     Type: AWS::EC2::SecurityGroupIngress
  335.     Properties:
  336.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  337.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  338.       Description: IPsec IKE packets
  339.       FromPort: 500
  340.       ToPort: 500
  341.       IpProtocol: udp
  343.   WorkerIngressIpsecNat:
  344.     Type: AWS::EC2::SecurityGroupIngress
  345.     Properties:
  346.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  347.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  348.       Description: IPsec NAT-T packets
  349.       FromPort: 4500
  350.       ToPort: 4500
  351.       IpProtocol: udp
  353.   WorkerIngressIpsecEsp:
  354.     Type: AWS::EC2::SecurityGroupIngress
  355.     Properties:
  356.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  357.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  358.       Description: IPsec ESP packets
  359.       IpProtocol: 50
  361.   WorkerIngressMasterIpsecIke:
  362.     Type: AWS::EC2::SecurityGroupIngress
  363.     Properties:
  364.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  365.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  366.       Description: IPsec IKE packets
  367.       FromPort: 500
  368.       ToPort: 500
  369.       IpProtocol: udp
  371.   WorkerIngressMasterIpsecNat:
  372.     Type: AWS::EC2::SecurityGroupIngress
  373.     Properties:
  374.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  375.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  376.       Description: IPsec NAT-T packets
  377.       FromPort: 4500
  378.       ToPort: 4500
  379.       IpProtocol: udp
  381.   WorkerIngressMasterIpsecEsp:
  382.     Type: AWS::EC2::SecurityGroupIngress
  383.     Properties:
  384.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  385.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  386.       Description: IPsec ESP packets
  387.       IpProtocol: 50
  389.   WorkerIngressInternal:
  390.     Type: AWS::EC2::SecurityGroupIngress
  391.     Properties:
  392.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  393.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  394.       Description: Internal cluster communication
  395.       FromPort: 9000
  396.       ToPort: 9999
  397.       IpProtocol: tcp
  399.   WorkerIngressMasterInternal:
  400.     Type: AWS::EC2::SecurityGroupIngress
  401.     Properties:
  402.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  403.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  404.       Description: Internal cluster communication
  405.       FromPort: 9000
  406.       ToPort: 9999
  407.       IpProtocol: tcp
  409.   WorkerIngressInternalUDP:
  410.     Type: AWS::EC2::SecurityGroupIngress
  411.     Properties:
  412.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  413.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  414.       Description: Internal cluster communication
  415.       FromPort: 9000
  416.       ToPort: 9999
  417.       IpProtocol: udp
  419.   WorkerIngressMasterInternalUDP:
  420.     Type: AWS::EC2::SecurityGroupIngress
  421.     Properties:
  422.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  423.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  424.       Description: Internal cluster communication
  425.       FromPort: 9000
  426.       ToPort: 9999
  427.       IpProtocol: udp
  429.   WorkerIngressKube:
  430.     Type: AWS::EC2::SecurityGroupIngress
  431.     Properties:
  432.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  433.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  434.       Description: Kubernetes secure kubelet port
  435.       FromPort: 10250
  436.       ToPort: 10250
  437.       IpProtocol: tcp
  439.   WorkerIngressWorkerKube:
  440.     Type: AWS::EC2::SecurityGroupIngress
  441.     Properties:
  442.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  443.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  444.       Description: Internal Kubernetes communication
  445.       FromPort: 10250
  446.       ToPort: 10250
  447.       IpProtocol: tcp
  449.   WorkerIngressIngressServices:
  450.     Type: AWS::EC2::SecurityGroupIngress
  451.     Properties:
  452.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  453.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  454.       Description: Kubernetes ingress services
  455.       FromPort: 30000
  456.       ToPort: 32767
  457.       IpProtocol: tcp
  459.   WorkerIngressMasterIngressServices:
  460.     Type: AWS::EC2::SecurityGroupIngress
  461.     Properties:
  462.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  463.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  464.       Description: Kubernetes ingress services
  465.       FromPort: 30000
  466.       ToPort: 32767
  467.       IpProtocol: tcp
  469.   WorkerIngressIngressServicesUDP:
  470.     Type: AWS::EC2::SecurityGroupIngress
  471.     Properties:
  472.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  473.       SourceSecurityGroupId: !GetAtt WorkerSecurityGroup.GroupId
  474.       Description: Kubernetes ingress services
  475.       FromPort: 30000
  476.       ToPort: 32767
  477.       IpProtocol: udp
  479.   WorkerIngressMasterIngressServicesUDP:
  480.     Type: AWS::EC2::SecurityGroupIngress
  481.     Properties:
  482.       GroupId: !GetAtt WorkerSecurityGroup.GroupId
  483.       SourceSecurityGroupId: !GetAtt MasterSecurityGroup.GroupId
  484.       Description: Kubernetes ingress services
  485.       FromPort: 30000
  486.       ToPort: 32767
  487.       IpProtocol: udp
  489.   MasterIamRole:
  490.     Type: AWS::IAM::Role
  491.     Properties:
  492.       AssumeRolePolicyDocument:
  493.         Version: "2012-10-17"
  494.         Statement:
  495.         - Effect: "Allow"
  496.           Principal:
  497.             Service:
  498.             - "ec2.amazonaws.com"
  499.           Action:
  500.           - "sts:AssumeRole"
  501.       Policies:
  502.       - PolicyName: !Join ["-", [!Ref InfrastructureName, "master", "policy"]]
  503.         PolicyDocument:
  504.           Version: "2012-10-17"
  505.           Statement:
  506.           - Effect: "Allow"
  507.             Action:
  508.             - "ec2:AttachVolume"
  509.             - "ec2:AuthorizeSecurityGroupIngress"
  510.             - "ec2:CreateSecurityGroup"
  511.             - "ec2:CreateTags"
  512.             - "ec2:CreateVolume"
  513.             - "ec2:DeleteSecurityGroup"
  514.             - "ec2:DeleteVolume"
  515.             - "ec2:Describe*"
  516.             - "ec2:DetachVolume"
  517.             - "ec2:ModifyInstanceAttribute"
  518.             - "ec2:ModifyVolume"
  519.             - "ec2:RevokeSecurityGroupIngress"
  520.             - "elasticloadbalancing:AddTags"
  521.             - "elasticloadbalancing:AttachLoadBalancerToSubnets"
  522.             - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
  523.             - "elasticloadbalancing:CreateListener"
  524.             - "elasticloadbalancing:CreateLoadBalancer"
  525.             - "elasticloadbalancing:CreateLoadBalancerPolicy"
  526.             - "elasticloadbalancing:CreateLoadBalancerListeners"
  527.             - "elasticloadbalancing:CreateTargetGroup"
  528.             - "elasticloadbalancing:ConfigureHealthCheck"
  529.             - "elasticloadbalancing:DeleteListener"
  530.             - "elasticloadbalancing:DeleteLoadBalancer"
  531.             - "elasticloadbalancing:DeleteLoadBalancerListeners"
  532.             - "elasticloadbalancing:DeleteTargetGroup"
  533.             - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
  534.             - "elasticloadbalancing:DeregisterTargets"
  535.             - "elasticloadbalancing:Describe*"
  536.             - "elasticloadbalancing:DetachLoadBalancerFromSubnets"
  537.             - "elasticloadbalancing:ModifyListener"
  538.             - "elasticloadbalancing:ModifyLoadBalancerAttributes"
  539.             - "elasticloadbalancing:ModifyTargetGroup"
  540.             - "elasticloadbalancing:ModifyTargetGroupAttributes"
  541.             - "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
  542.             - "elasticloadbalancing:RegisterTargets"
  543.             - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
  544.             - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
  545.             - "kms:DescribeKey"
  546.             Resource: "*"
  548.   MasterInstanceProfile:
  549.     Type: "AWS::IAM::InstanceProfile"
  550.     Properties:
  551.       Roles:
  552.       - Ref: "MasterIamRole"
  554.   WorkerIamRole:
  555.     Type: AWS::IAM::Role
  556.     Properties:
  557.       AssumeRolePolicyDocument:
  558.         Version: "2012-10-17"
  559.         Statement:
  560.         - Effect: "Allow"
  561.           Principal:
  562.             Service:
  563.             - "ec2.amazonaws.com"
  564.           Action:
  565.           - "sts:AssumeRole"
  566.       Policies:
  567.       - PolicyName: !Join ["-", [!Ref InfrastructureName, "worker", "policy"]]
  568.         PolicyDocument:
  569.           Version: "2012-10-17"
  570.           Statement:
  571.           - Effect: "Allow"
  572.             Action:
  573.             - "ec2:DescribeInstances"
  574.             - "ec2:DescribeRegions"
  575.             Resource: "*"
  577.   WorkerInstanceProfile:
  578.     Type: "AWS::IAM::InstanceProfile"
  579.     Properties:
  580.       Roles:
  581.       - Ref: "WorkerIamRole"
  583. Outputs:
  584.   MasterSecurityGroupId:
  585.     Description: Master Security Group ID
  586.     Value: !GetAtt MasterSecurityGroup.GroupId
  588.   WorkerSecurityGroupId:
  589.     Description: Worker Security Group ID
  590.     Value: !GetAtt WorkerSecurityGroup.GroupId
  592.   MasterInstanceProfile:
  593.     Description: Master IAM Instance Profile
  594.     Value: !Ref MasterInstanceProfile
  596.   WorkerInstanceProfile:
  597.     Description: Worker IAM Instance Profile
  598.     Value: !Ref WorkerInstanceProfile

Additional resources

Accessing FCOS AMIs with stream metadata

In OKD, stream metadata provides standardized metadata about FCOS in the JSON format and injects the metadata into the cluster. Stream metadata is a stable format that supports multiple architectures and is intended to be self-documenting for maintaining automation.

You can use the coreos print-stream-json sub-command of openshift-install to access information about the boot images in the stream metadata format. This command provides a method for printing stream metadata in a scriptable, machine-readable format.

For user-provisioned installations, the openshift-install binary contains references to the version of FCOS boot images that are tested for use with OKD, such as the AWS AMI.

Procedure

To parse the stream metadata, use one of the following methods:

  • From a Go program, use the official stream-metadata-go library at https://github.com/coreos/stream-metadata-go. You can also view example code in the library.

  • From another programming language, such as Python or Ruby, use the JSON library of your preferred programming language.

  • From a command-line utility that handles JSON data, such as jq:

    • Print the current x86_64 AMI for an AWS region, such as us-west-1:

      1. $ openshift-install coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-west-1"].image'

      Example output

      1. ami-0d3e625f84626bbda

      The output of this command is the AWS AMI ID for the us-west-1 region. The AMI must belong to the same region as the cluster.

FCOS AMIs for the AWS infrastructure

Red Hat provides Fedora CoreOS (FCOS) AMIs that are valid for the various AWS regions that you can manually specify for your OKD nodes.

By importing your own AMI, you can also install to regions that do not have a published FCOS AMI.

AWS regions without a published FCOS AMI

You can deploy an OKD cluster to Amazon Web Services (AWS) regions without native support for a Fedora CoreOS (FCOS) Amazon Machine Image (AMI) or the AWS software development kit (SDK). If a published AMI is not available for an AWS region, you can upload a custom AMI prior to installing the cluster.

If you are deploying to a region not supported by the AWS SDK and you do not specify a custom AMI, the installation program copies the us-east-1 AMI to the user account automatically. Then the installation program creates the control plane machines with encrypted EBS volumes using the default or user-specified Key Management Service (KMS) key. This allows the AMI to follow the same process workflow as published FCOS AMIs.

A region without native support for an FCOS AMI is not available to select from the terminal during cluster creation because it is not published. However, you can install to this region by configuring the custom AMI in the install-config.yaml file.

Uploading a custom FCOS AMI in AWS

If you are deploying to a custom Amazon Web Services (AWS) region, you must upload a custom Fedora CoreOS (FCOS) Amazon Machine Image (AMI) that belongs to that region.

Prerequisites

Procedure

  1. Export your AWS profile as an environment variable:

    1. $ export AWS_PROFILE=<aws_profile> (1)

  2. Export the region to associate with your custom AMI as an environment variable:

    1. $ export AWS_DEFAULT_REGION=<aws_region> (1)

  3. Export the version of FCOS you uploaded to Amazon S3 as an environment variable:

    1. $ export RHCOS_VERSION=<version> (1)
    1The FCOS VMDK version, like 4.9.0.

  4. Export the Amazon S3 bucket name as an environment variable:

    1. $ export VMIMPORT_BUCKET_NAME=<s3_bucket_name>

  5. Create the containers.json file and define your FCOS VMDK file:

    1. $ cat <<EOF > containers.json
    2. {
    3.    "Description": "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64",
    4.    "Format": "vmdk",
    5.    "UserBucket": {
    6.       "S3Bucket": "${VMIMPORT_BUCKET_NAME}",
    7.       "S3Key": "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64.vmdk"
    8.    }
    9. }
    10. EOF

  6. Import the FCOS disk as an Amazon EBS snapshot:

    1. $ aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \
    2.      --description "<description>" \ (1)
    3.      --disk-container "file://<file_path>/containers.json" (2)
    1The description of your FCOS disk being imported, like rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64.
    2The file path to the JSON file describing your FCOS disk. The JSON file should contain your Amazon S3 bucket name and key.

  7. Check the status of the image import:

    1. $ watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}

    Example output

    1. {
    2.     "ImportSnapshotTasks": [
    3.         {
    4.             "Description": "rhcos-4.7.0-x86_64-aws.x86_64",
    5.             "ImportTaskId": "import-snap-fh6i8uil",
    6.             "SnapshotTaskDetail": {
    7.                 "Description": "rhcos-4.7.0-x86_64-aws.x86_64",
    8.                 "DiskImageSize": 819056640.0,
    9.                 "Format": "VMDK",
    10.                 "SnapshotId": "snap-06331325870076318",
    11.                 "Status": "completed",
    12.                 "UserBucket": {
    13.                     "S3Bucket": "external-images",
    14.                     "S3Key": "rhcos-4.7.0-x86_64-aws.x86_64.vmdk"
    15.                 }
    16.             }
    17.         }
    18.     ]
    19. }

    Copy the SnapshotId to register the image.

  8. Create a custom FCOS AMI from the FCOS snapshot:

    1. $ aws ec2 register-image \
    2.    --region ${AWS_DEFAULT_REGION} \
    3.    --architecture x86_64 \ (1)
    4.    --description "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64" \ (2)
    5.    --ena-support \
    6.    --name "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64" \ (3)
    7.    --virtualization-type hvm \
    8.    --root-device-name '/dev/xvda' \
    9.    --block-device-mappings 'DeviceName=/dev/xvda,Ebs={DeleteOnTermination=true,SnapshotId=<snapshot_ID>}' (4)
    1The FCOS VMDK architecture type, like x86_64, s390x, or ppc64le.
    2The Description from the imported snapshot.
    3The name of the FCOS AMI.
    4The SnapshotID from the imported snapshot.

To learn more about these APIs, see the AWS documentation for importing snapshots and creating EBS-backed AMIs.

Creating the bootstrap node in AWS

You must create the bootstrap node in Amazon Web Services (AWS) to use during OKD cluster initialization.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the bootstrap node that your OKD installation requires.

If you do not use the provided CloudFormation template to create your bootstrap node, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

  • You created and configured DNS, load balancers, and listeners in AWS.

  • You created the security groups and roles required for your cluster in AWS.

Procedure

  1. Provide a location to serve the bootstrap.ign Ignition config file to your cluster. This file is located in your installation directory. One way to do this is to create an S3 bucket in your cluster’s region and upload the Ignition config file to it.

    The provided CloudFormation Template assumes that the Ignition config files for your cluster are served from an S3 bucket. If you choose to serve the files from another location, you must modify the templates.

    If you are deploying to a region that has endpoints that differ from the AWS SDK, or you are providing your own custom endpoints, you must use a presigned URL for your S3 bucket instead of the s3:// schema.

    The bootstrap Ignition config file does contain secrets, like X.509 keys. The following steps provide basic security for the S3 bucket. To provide additional security, you can enable an S3 bucket policy to allow only certain users, such as the OpenShift IAM user, to access objects that the bucket contains. You can avoid S3 entirely and serve your bootstrap Ignition config file from any address that the bootstrap machine can reach.

    1. Create the bucket:

      1. $ aws s3 mb s3://<cluster-name>-infra (1)
      1<cluster-name>-infra is the bucket name. When creating the install-config.yaml file, replace <cluster-name> with the name specified for the cluster.

    2. Upload the bootstrap.ign Ignition config file to the bucket:

      1. $ aws s3 cp <installation_directory>/bootstrap.ign s3://<cluster-name>-infra/bootstrap.ign (1)
      1For <installation_directory>, specify the path to the directory that you stored the installation files in.

    3. Verify that the file uploaded:

      1. $ aws s3 ls s3://<cluster-name>-infra/

      Example output

      1. 2019-04-03 16:15:16     314878 bootstrap.ign

  2. Create a JSON file that contains the parameter values that the template requires:

    1. [
    2.   {
    3.     "ParameterKey": "InfrastructureName", (1)
    4.     "ParameterValue": "mycluster-<random_string>" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "RhcosAmi", (3)
    8.     "ParameterValue": "ami-<random_string>" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "AllowedBootstrapSshCidr", (5)
    12.     "ParameterValue": "0.0.0.0/0" (6)
    13.   },
    14.   {
    15.     "ParameterKey": "PublicSubnet", (7)
    16.     "ParameterValue": "subnet-<random_string>" (8)
    17.   },
    18.   {
    19.     "ParameterKey": "MasterSecurityGroupId", (9)
    20.     "ParameterValue": "sg-<random_string>" (10)
    21.   },
    22.   {
    23.     "ParameterKey": "VpcId", (11)
    24.     "ParameterValue": "vpc-<random_string>" (12)
    25.   },
    26.   {
    27.     "ParameterKey": "BootstrapIgnitionLocation", (13)
    28.     "ParameterValue": "s3://<bucket_name>/bootstrap.ign" (14)
    29.   },
    30.   {
    31.     "ParameterKey": "AutoRegisterELB", (15)
    32.     "ParameterValue": "yes" (16)
    33.   },
    34.   {
    35.     "ParameterKey": "RegisterNlbIpTargetsLambdaArn", (17)
    36.     "ParameterValue": "arn:aws:lambda:<region>:<account_number>:function:<dns_stack_name>-RegisterNlbIpTargets-<random_string>" (18)
    37.   },
    38.   {
    39.     "ParameterKey": "ExternalApiTargetGroupArn", (19)
    40.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Exter-<random_string>" (20)
    41.   },
    42.   {
    43.     "ParameterKey": "InternalApiTargetGroupArn", (21)
    44.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Inter-<random_string>" (22)
    45.   },
    46.   {
    47.     "ParameterKey": "InternalServiceTargetGroupArn", (23)
    48.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Inter-<random_string>" (24)
    49.   }
    50. ]
    1The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
    2Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format <cluster-name>-<random-string>.
    3Current Fedora CoreOS (FCOS) AMI to use for the bootstrap node.
    4Specify a valid AWS::EC2::Image::Id value.
    5CIDR block to allow SSH access to the bootstrap node.
    6Specify a CIDR block in the format x.x.x.x/16-24.
    7The public subnet that is associated with your VPC to launch the bootstrap node into.
    8Specify the PublicSubnetIds value from the output of the CloudFormation template for the VPC.
    9The master security group ID (for registering temporary rules)
    10Specify the MasterSecurityGroupId value from the output of the CloudFormation template for the security group and roles.
    11The VPC created resources will belong to.
    12Specify the VpcId value from the output of the CloudFormation template for the VPC.
    13Location to fetch bootstrap Ignition config file from.
    14Specify the S3 bucket and file name in the form s3://<bucket_name>/bootstrap.ign.
    15Whether or not to register a network load balancer (NLB).
    16Specify yes or no. If you specify yes, you must provide a Lambda Amazon Resource Name (ARN) value.
    17The ARN for NLB IP target registration lambda group.
    18Specify the RegisterNlbIpTargetsLambda value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    19The ARN for external API load balancer target group.
    20Specify the ExternalApiTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    21The ARN for internal API load balancer target group.
    22Specify the InternalApiTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    23The ARN for internal service load balancer target group.
    24Specify the InternalServiceTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.

  3. Copy the template from the CloudFormation template for the bootstrap machine section of this topic and save it as a YAML file on your computer. This template describes the bootstrap machine that your cluster requires.

  4. Launch the CloudFormation template to create a stack of AWS resources that represent the bootstrap node:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml (2)
    3.      --parameters file://<parameters>.json (3)
    4.      --capabilities CAPABILITY_NAMED_IAM (4)
    1<name> is the name for the CloudFormation stack, such as cluster-bootstrap. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.
    4You must explicitly declare the CAPABILITY_NAMED_IAM capability because the provided template creates some AWS::IAM::Role and AWS::IAM::InstanceProfile resources.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-bootstrap/12944486-2add-11eb-9dee-12dace8e3a83

  5. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

    After the StackStatus displays CREATE_COMPLETE, the output displays values for the following parameters. You must provide these parameter values to the other CloudFormation templates that you run to create your cluster:

    BootstrapInstanceId

    The bootstrap Instance ID.

    BootstrapPublicIp

    The bootstrap node public IP address.

    BootstrapPrivateIp

    The bootstrap node private IP address.

CloudFormation template for the bootstrap machine

You can use the following CloudFormation template to deploy the bootstrap machine that you need for your OKD cluster.

CloudFormation template for the bootstrap machine

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for OpenShift Cluster Bootstrap (EC2 Instance, Security Groups and IAM)
  4. Parameters:
  5.   InfrastructureName:
  6.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  7.     MaxLength: 27
  8.     MinLength: 1
  9.     ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  10.     Description: A short, unique cluster ID used to tag cloud resources and identify items owned or used by the cluster.
  11.     Type: String
  12.   RhcosAmi:
  13.     Description: Current Red Hat Enterprise Linux CoreOS AMI to use for bootstrap.
  14.     Type: AWS::EC2::Image::Id
  15.   AllowedBootstrapSshCidr:
  16.     AllowedPattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|1[0-9]|2[0-9]|3[0-2]))$
  17.     ConstraintDescription: CIDR block parameter must be in the form x.x.x.x/0-32.
  18.     Default: 0.0.0.0/0
  19.     Description: CIDR block to allow SSH access to the bootstrap node.
  20.     Type: String
  21.   PublicSubnet:
  22.     Description: The public subnet to launch the bootstrap node into.
  23.     Type: AWS::EC2::Subnet::Id
  24.   MasterSecurityGroupId:
  25.     Description: The master security group ID for registering temporary rules.
  26.     Type: AWS::EC2::SecurityGroup::Id
  27.   VpcId:
  28.     Description: The VPC-scoped resources will belong to this VPC.
  29.     Type: AWS::EC2::VPC::Id
  30.   BootstrapIgnitionLocation:
  31.     Default: s3://my-s3-bucket/bootstrap.ign
  32.     Description: Ignition config file location.
  33.     Type: String
  34.   AutoRegisterELB:
  35.     Default: "yes"
  36.     AllowedValues:
  37.     - "yes"
  38.     - "no"
  39.     Description: Do you want to invoke NLB registration, which requires a Lambda ARN parameter?
  40.     Type: String
  41.   RegisterNlbIpTargetsLambdaArn:
  42.     Description: ARN for NLB IP target registration lambda.
  43.     Type: String
  44.   ExternalApiTargetGroupArn:
  45.     Description: ARN for external API load balancer target group.
  46.     Type: String
  47.   InternalApiTargetGroupArn:
  48.     Description: ARN for internal API load balancer target group.
  49.     Type: String
  50.   InternalServiceTargetGroupArn:
  51.     Description: ARN for internal service load balancer target group.
  52.     Type: String
  54. Metadata:
  55.   AWS::CloudFormation::Interface:
  56.     ParameterGroups:
  57.     - Label:
  58.         default: "Cluster Information"
  59.       Parameters:
  60.       - InfrastructureName
  61.     - Label:
  62.         default: "Host Information"
  63.       Parameters:
  64.       - RhcosAmi
  65.       - BootstrapIgnitionLocation
  66.       - MasterSecurityGroupId
  67.     - Label:
  68.         default: "Network Configuration"
  69.       Parameters:
  70.       - VpcId
  71.       - AllowedBootstrapSshCidr
  72.       - PublicSubnet
  73.     - Label:
  74.         default: "Load Balancer Automation"
  75.       Parameters:
  76.       - AutoRegisterELB
  77.       - RegisterNlbIpTargetsLambdaArn
  78.       - ExternalApiTargetGroupArn
  79.       - InternalApiTargetGroupArn
  80.       - InternalServiceTargetGroupArn
  81.     ParameterLabels:
  82.       InfrastructureName:
  83.         default: "Infrastructure Name"
  84.       VpcId:
  85.         default: "VPC ID"
  86.       AllowedBootstrapSshCidr:
  87.         default: "Allowed SSH Source"
  88.       PublicSubnet:
  89.         default: "Public Subnet"
  90.       RhcosAmi:
  91.         default: "Red Hat Enterprise Linux CoreOS AMI ID"
  92.       BootstrapIgnitionLocation:
  93.         default: "Bootstrap Ignition Source"
  94.       MasterSecurityGroupId:
  95.         default: "Master Security Group ID"
  96.       AutoRegisterELB:
  97.         default: "Use Provided ELB Automation"
  99. Conditions:
  100.   DoRegistration: !Equals ["yes", !Ref AutoRegisterELB]
  102. Resources:
  103.   BootstrapIamRole:
  104.     Type: AWS::IAM::Role
  105.     Properties:
  106.       AssumeRolePolicyDocument:
  107.         Version: "2012-10-17"
  108.         Statement:
  109.         - Effect: "Allow"
  110.           Principal:
  111.             Service:
  112.             - "ec2.amazonaws.com"
  113.           Action:
  114.           - "sts:AssumeRole"
  115.       Path: "/"
  116.       Policies:
  117.       - PolicyName: !Join ["-", [!Ref InfrastructureName, "bootstrap", "policy"]]
  118.         PolicyDocument:
  119.           Version: "2012-10-17"
  120.           Statement:
  121.           - Effect: "Allow"
  122.             Action: "ec2:Describe*"
  123.             Resource: "*"
  124.           - Effect: "Allow"
  125.             Action: "ec2:AttachVolume"
  126.             Resource: "*"
  127.           - Effect: "Allow"
  128.             Action: "ec2:DetachVolume"
  129.             Resource: "*"
  130.           - Effect: "Allow"
  131.             Action: "s3:GetObject"
  132.             Resource: "*"
  134.   BootstrapInstanceProfile:
  135.     Type: "AWS::IAM::InstanceProfile"
  136.     Properties:
  137.       Path: "/"
  138.       Roles:
  139.       - Ref: "BootstrapIamRole"
  141.   BootstrapSecurityGroup:
  142.     Type: AWS::EC2::SecurityGroup
  143.     Properties:
  144.       GroupDescription: Cluster Bootstrap Security Group
  145.       SecurityGroupIngress:
  146.       - IpProtocol: tcp
  147.         FromPort: 22
  148.         ToPort: 22
  149.         CidrIp: !Ref AllowedBootstrapSshCidr
  150.       - IpProtocol: tcp
  151.         ToPort: 19531
  152.         FromPort: 19531
  153.         CidrIp: 0.0.0.0/0
  154.       VpcId: !Ref VpcId
  156.   BootstrapInstance:
  157.     Type: AWS::EC2::Instance
  158.     Properties:
  159.       ImageId: !Ref RhcosAmi
  160.       IamInstanceProfile: !Ref BootstrapInstanceProfile
  161.       InstanceType: "i3.large"
  162.       NetworkInterfaces:
  163.       - AssociatePublicIpAddress: "true"
  164.         DeviceIndex: "0"
  165.         GroupSet:
  166.         - !Ref "BootstrapSecurityGroup"
  167.         - !Ref "MasterSecurityGroupId"
  168.         SubnetId: !Ref "PublicSubnet"
  169.       UserData:
  170.         Fn::Base64: !Sub
  171.         - '{"ignition":{"config":{"replace":{"source":"${S3Loc}"}},"version":"3.1.0"}}'
  172.         - {
  173.           S3Loc: !Ref BootstrapIgnitionLocation
  174.         }
  176.   RegisterBootstrapApiTarget:
  177.     Condition: DoRegistration
  178.     Type: Custom::NLBRegister
  179.     Properties:
  180.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  181.       TargetArn: !Ref ExternalApiTargetGroupArn
  182.       TargetIp: !GetAtt BootstrapInstance.PrivateIp
  184.   RegisterBootstrapInternalApiTarget:
  185.     Condition: DoRegistration
  186.     Type: Custom::NLBRegister
  187.     Properties:
  188.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  189.       TargetArn: !Ref InternalApiTargetGroupArn
  190.       TargetIp: !GetAtt BootstrapInstance.PrivateIp
  192.   RegisterBootstrapInternalServiceTarget:
  193.     Condition: DoRegistration
  194.     Type: Custom::NLBRegister
  195.     Properties:
  196.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  197.       TargetArn: !Ref InternalServiceTargetGroupArn
  198.       TargetIp: !GetAtt BootstrapInstance.PrivateIp
  200. Outputs:
  201.   BootstrapInstanceId:
  202.     Description: Bootstrap Instance ID.
  203.     Value: !Ref BootstrapInstance
  205.   BootstrapPublicIp:
  206.     Description: The bootstrap node public IP address.
  207.     Value: !GetAtt BootstrapInstance.PublicIp
  209.   BootstrapPrivateIp:
  210.     Description: The bootstrap node private IP address.
  211.     Value: !GetAtt BootstrapInstance.PrivateIp

Additional resources

Creating the control plane machines in AWS

You must create the control plane machines in Amazon Web Services (AWS) that your cluster will use.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent the control plane nodes.

The CloudFormation template creates a stack that represents three control plane nodes.

If you do not use the provided CloudFormation template to create your control plane nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

  • You created and configured DNS, load balancers, and listeners in AWS.

  • You created the security groups and roles required for your cluster in AWS.

  • You created the bootstrap machine.

Procedure

  1. Create a JSON file that contains the parameter values that the template requires:

    1. [
    2.   {
    3.     "ParameterKey": "InfrastructureName", (1)
    4.     "ParameterValue": "mycluster-<random_string>" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "RhcosAmi", (3)
    8.     "ParameterValue": "ami-<random_string>" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "AutoRegisterDNS", (5)
    12.     "ParameterValue": "yes" (6)
    13.   },
    14.   {
    15.     "ParameterKey": "PrivateHostedZoneId", (7)
    16.     "ParameterValue": "<random_string>" (8)
    17.   },
    18.   {
    19.     "ParameterKey": "PrivateHostedZoneName", (9)
    20.     "ParameterValue": "mycluster.example.com" (10)
    21.   },
    22.   {
    23.     "ParameterKey": "Master0Subnet", (11)
    24.     "ParameterValue": "subnet-<random_string>" (12)
    25.   },
    26.   {
    27.     "ParameterKey": "Master1Subnet", (11)
    28.     "ParameterValue": "subnet-<random_string>" (12)
    29.   },
    30.   {
    31.     "ParameterKey": "Master2Subnet", (11)
    32.     "ParameterValue": "subnet-<random_string>" (12)
    33.   },
    34.   {
    35.     "ParameterKey": "MasterSecurityGroupId", (13)
    36.     "ParameterValue": "sg-<random_string>" (14)
    37.   },
    38.   {
    39.     "ParameterKey": "IgnitionLocation", (15)
    40.     "ParameterValue": "https://api-int.<cluster_name>.<domain_name>:22623/config/master" (16)
    41.   },
    42.   {
    43.     "ParameterKey": "CertificateAuthorities", (17)
    44.     "ParameterValue": "data:text/plain;charset=utf-8;base64,ABC...xYz==" (18)
    45.   },
    46.   {
    47.     "ParameterKey": "MasterInstanceProfileName", (19)
    48.     "ParameterValue": "<roles_stack>-MasterInstanceProfile-<random_string>" (20)
    49.   },
    50.   {
    51.     "ParameterKey": "MasterInstanceType", (21)
    52.     "ParameterValue": "m5.xlarge" (22)
    53.   },
    54.   {
    55.     "ParameterKey": "AutoRegisterELB", (23)
    56.     "ParameterValue": "yes" (24)
    57.   },
    58.   {
    59.     "ParameterKey": "RegisterNlbIpTargetsLambdaArn", (25)
    60.     "ParameterValue": "arn:aws:lambda:<region>:<account_number>:function:<dns_stack_name>-RegisterNlbIpTargets-<random_string>" (26)
    61.   },
    62.   {
    63.     "ParameterKey": "ExternalApiTargetGroupArn", (27)
    64.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Exter-<random_string>" (28)
    65.   },
    66.   {
    67.     "ParameterKey": "InternalApiTargetGroupArn", (29)
    68.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Inter-<random_string>" (30)
    69.   },
    70.   {
    71.     "ParameterKey": "InternalServiceTargetGroupArn", (31)
    72.     "ParameterValue": "arn:aws:elasticloadbalancing:<region>:<account_number>:targetgroup/<dns_stack_name>-Inter-<random_string>" (32)
    73.   }
    74. ]
    1The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
    2Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format <cluster-name>-<random-string>.
    3CurrentFedora CoreOS (FCOS) AMI to use for the control plane machines.
    4Specify an AWS::EC2::Image::Id value.
    5Whether or not to perform DNS etcd registration.
    6Specify yes or no. If you specify yes, you must provide hosted zone information.
    7The Route 53 private zone ID to register the etcd targets with.
    8Specify the PrivateHostedZoneId value from the output of the CloudFormation template for DNS and load balancing.
    9The Route 53 zone to register the targets with.
    10Specify <cluster_name>.<domain_name> where <domain_name> is the Route 53 base domain that you used when you generated install-config.yaml file for the cluster. Do not include the trailing period (.) that is displayed in the AWS console.
    11A subnet, preferably private, to launch the control plane machines on.
    12Specify a subnet from the PrivateSubnets value from the output of the CloudFormation template for DNS and load balancing.
    13The master security group ID to associate with control plane nodes.
    14Specify the MasterSecurityGroupId value from the output of the CloudFormation template for the security group and roles.
    15The location to fetch control plane Ignition config file from.
    16Specify the generated Ignition config file location, https://api-int.<cluster_name>.<domain_name>:22623/config/master.
    17The base64 encoded certificate authority string to use.
    18Specify the value from the master.ign file that is in the installation directory. This value is the long string with the format data:text/plain;charset=utf-8;base64,ABC…​xYz==.
    19The IAM profile to associate with control plane nodes.
    20Specify the MasterInstanceProfile parameter value from the output of the CloudFormation template for the security group and roles.
    21The type of AWS instance to use for the control plane machines.
    22Allowed values:

    • m4.xlarge

    • m4.2xlarge

    • m4.4xlarge

    • m4.10xlarge

    • m4.16xlarge

    • m5.xlarge

    • m5.2xlarge

    • m5.4xlarge

    • m5.8xlarge

    • m5.12xlarge

    • m5.16xlarge

    • m5a.xlarge

    • m5a.2xlarge

    • m5a.4xlarge

    • m5a.8xlarge

    • m5a.12xlarge

    • m5a.16xlarge

    • c4.2xlarge

    • c4.4xlarge

    • c4.8xlarge

    • c5.2xlarge

    • c5.4xlarge

    • c5.9xlarge

    • c5.12xlarge

    • c5.18xlarge

    • c5.24xlarge

    • c5a.2xlarge

    • c5a.4xlarge

    • c5a.8xlarge

    • c5a.12xlarge

    • c5a.16xlarge

    • c5a.24xlarge

    • r4.xlarge

    • r4.2xlarge

    • r4.4xlarge

    • r4.8xlarge

    • r4.16xlarge

    • r5.xlarge

    • r5.2xlarge

    • r5.4xlarge

    • r5.8xlarge

    • r5.12xlarge

    • r5.16xlarge

    • r5.24xlarge

    • r5a.xlarge

    • r5a.2xlarge

    • r5a.4xlarge

    • r5a.8xlarge

    • r5a.12xlarge

    • r5a.16xlarge

    • r5a.24xlarge

    23Whether or not to register a network load balancer (NLB).
    24Specify yes or no. If you specify yes, you must provide a Lambda Amazon Resource Name (ARN) value.
    25The ARN for NLB IP target registration lambda group.
    26Specify the RegisterNlbIpTargetsLambda value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    27The ARN for external API load balancer target group.
    28Specify the ExternalApiTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    29The ARN for internal API load balancer target group.
    30Specify the InternalApiTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.
    31The ARN for internal service load balancer target group.
    32Specify the InternalServiceTargetGroupArn value from the output of the CloudFormation template for DNS and load balancing. Use arn:aws-us-gov if deploying the cluster to an AWS GovCloud region.

  2. Copy the template from the CloudFormation template for control plane machines section of this topic and save it as a YAML file on your computer. This template describes the control plane machines that your cluster requires.

  3. If you specified an m5 instance type as the value for MasterInstanceType, add that instance type to the MasterInstanceType.AllowedValues parameter in the CloudFormation template.

  4. Launch the CloudFormation template to create a stack of AWS resources that represent the control plane nodes:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml (2)
    3.      --parameters file://<parameters>.json (3)
    1<name> is the name for the CloudFormation stack, such as cluster-control-plane. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-control-plane/21c7e2b0-2ee2-11eb-c6f6-0aa34627df4b

    The CloudFormation template creates a stack that represents three control plane nodes.

  5. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

CloudFormation template for control plane machines

You can use the following CloudFormation template to deploy the control plane machines that you need for your OKD cluster.

CloudFormation template for control plane machines

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for OpenShift Cluster Node Launch (EC2 master instances)
  4. Parameters:
  5.   InfrastructureName:
  6.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  7.     MaxLength: 27
  8.     MinLength: 1
  9.     ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  10.     Description: A short, unique cluster ID used to tag nodes for the kubelet cloud provider.
  11.     Type: String
  12.   RhcosAmi:
  13.     Description: Current Red Hat Enterprise Linux CoreOS AMI to use for bootstrap.
  14.     Type: AWS::EC2::Image::Id
  15.   AutoRegisterDNS:
  16.     Default: "yes"
  17.     AllowedValues:
  18.     - "yes"
  19.     - "no"
  20.     Description: Do you want to invoke DNS etcd registration, which requires Hosted Zone information?
  21.     Type: String
  22.   PrivateHostedZoneId:
  23.     Description: The Route53 private zone ID to register the etcd targets with, such as Z21IXYZABCZ2A4.
  24.     Type: String
  25.   PrivateHostedZoneName:
  26.     Description: The Route53 zone to register the targets with, such as cluster.example.com. Omit the trailing period.
  27.     Type: String
  28.   Master0Subnet:
  29.     Description: The subnets, recommend private, to launch the master nodes into.
  30.     Type: AWS::EC2::Subnet::Id
  31.   Master1Subnet:
  32.     Description: The subnets, recommend private, to launch the master nodes into.
  33.     Type: AWS::EC2::Subnet::Id
  34.   Master2Subnet:
  35.     Description: The subnets, recommend private, to launch the master nodes into.
  36.     Type: AWS::EC2::Subnet::Id
  37.   MasterSecurityGroupId:
  38.     Description: The master security group ID to associate with master nodes.
  39.     Type: AWS::EC2::SecurityGroup::Id
  40.   IgnitionLocation:
  41.     Default: https://api-int.$CLUSTER_NAME.$DOMAIN:22623/config/master
  42.     Description: Ignition config file location.
  43.     Type: String
  44.   CertificateAuthorities:
  45.     Default: data:text/plain;charset=utf-8;base64,ABC...xYz==
  46.     Description: Base64 encoded certificate authority string to use.
  47.     Type: String
  48.   MasterInstanceProfileName:
  49.     Description: IAM profile to associate with master nodes.
  50.     Type: String
  51.   MasterInstanceType:
  52.     Default: m5.xlarge
  53.     Type: String
  55.   AutoRegisterELB:
  56.     Default: "yes"
  57.     AllowedValues:
  58.     - "yes"
  59.     - "no"
  60.     Description: Do you want to invoke NLB registration, which requires a Lambda ARN parameter?
  61.     Type: String
  62.   RegisterNlbIpTargetsLambdaArn:
  63.     Description: ARN for NLB IP target registration lambda. Supply the value from the cluster infrastructure or select "no" for AutoRegisterELB.
  64.     Type: String
  65.   ExternalApiTargetGroupArn:
  66.     Description: ARN for external API load balancer target group. Supply the value from the cluster infrastructure or select "no" for AutoRegisterELB.
  67.     Type: String
  68.   InternalApiTargetGroupArn:
  69.     Description: ARN for internal API load balancer target group. Supply the value from the cluster infrastructure or select "no" for AutoRegisterELB.
  70.     Type: String
  71.   InternalServiceTargetGroupArn:
  72.     Description: ARN for internal service load balancer target group. Supply the value from the cluster infrastructure or select "no" for AutoRegisterELB.
  73.     Type: String
  75. Metadata:
  76.   AWS::CloudFormation::Interface:
  77.     ParameterGroups:
  78.     - Label:
  79.         default: "Cluster Information"
  80.       Parameters:
  81.       - InfrastructureName
  82.     - Label:
  83.         default: "Host Information"
  84.       Parameters:
  85.       - MasterInstanceType
  86.       - RhcosAmi
  87.       - IgnitionLocation
  88.       - CertificateAuthorities
  89.       - MasterSecurityGroupId
  90.       - MasterInstanceProfileName
  91.     - Label:
  92.         default: "Network Configuration"
  93.       Parameters:
  94.       - VpcId
  95.       - AllowedBootstrapSshCidr
  96.       - Master0Subnet
  97.       - Master1Subnet
  98.       - Master2Subnet
  99.     - Label:
  100.         default: "DNS"
  101.       Parameters:
  102.       - AutoRegisterDNS
  103.       - PrivateHostedZoneName
  104.       - PrivateHostedZoneId
  105.     - Label:
  106.         default: "Load Balancer Automation"
  107.       Parameters:
  108.       - AutoRegisterELB
  109.       - RegisterNlbIpTargetsLambdaArn
  110.       - ExternalApiTargetGroupArn
  111.       - InternalApiTargetGroupArn
  112.       - InternalServiceTargetGroupArn
  113.     ParameterLabels:
  114.       InfrastructureName:
  115.         default: "Infrastructure Name"
  116.       VpcId:
  117.         default: "VPC ID"
  118.       Master0Subnet:
  119.         default: "Master-0 Subnet"
  120.       Master1Subnet:
  121.         default: "Master-1 Subnet"
  122.       Master2Subnet:
  123.         default: "Master-2 Subnet"
  124.       MasterInstanceType:
  125.         default: "Master Instance Type"
  126.       MasterInstanceProfileName:
  127.         default: "Master Instance Profile Name"
  128.       RhcosAmi:
  129.         default: "Red Hat Enterprise Linux CoreOS AMI ID"
  130.       BootstrapIgnitionLocation:
  131.         default: "Master Ignition Source"
  132.       CertificateAuthorities:
  133.         default: "Ignition CA String"
  134.       MasterSecurityGroupId:
  135.         default: "Master Security Group ID"
  136.       AutoRegisterDNS:
  137.         default: "Use Provided DNS Automation"
  138.       AutoRegisterELB:
  139.         default: "Use Provided ELB Automation"
  140.       PrivateHostedZoneName:
  141.         default: "Private Hosted Zone Name"
  142.       PrivateHostedZoneId:
  143.         default: "Private Hosted Zone ID"
  145. Conditions:
  146.   DoRegistration: !Equals ["yes", !Ref AutoRegisterELB]
  147.   DoDns: !Equals ["yes", !Ref AutoRegisterDNS]
  149. Resources:
  150.   Master0:
  151.     Type: AWS::EC2::Instance
  152.     Properties:
  153.       ImageId: !Ref RhcosAmi
  154.       BlockDeviceMappings:
  155.       - DeviceName: /dev/xvda
  156.         Ebs:
  157.           VolumeSize: "120"
  158.           VolumeType: "gp2"
  159.       IamInstanceProfile: !Ref MasterInstanceProfileName
  160.       InstanceType: !Ref MasterInstanceType
  161.       NetworkInterfaces:
  162.       - AssociatePublicIpAddress: "false"
  163.         DeviceIndex: "0"
  164.         GroupSet:
  165.         - !Ref "MasterSecurityGroupId"
  166.         SubnetId: !Ref "Master0Subnet"
  167.       UserData:
  168.         Fn::Base64: !Sub
  169.         - '{"ignition":{"config":{"merge":[{"source":"${SOURCE}"}]},"security":{"tls":{"certificateAuthorities":[{"source":"${CA_BUNDLE}"}]}},"version":"3.1.0"}}'
  170.         - {
  171.           SOURCE: !Ref IgnitionLocation,
  172.           CA_BUNDLE: !Ref CertificateAuthorities,
  173.         }
  174.       Tags:
  175.       - Key: !Join ["", ["kubernetes.io/cluster/", !Ref InfrastructureName]]
  176.         Value: "shared"
  178.   RegisterMaster0:
  179.     Condition: DoRegistration
  180.     Type: Custom::NLBRegister
  181.     Properties:
  182.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  183.       TargetArn: !Ref ExternalApiTargetGroupArn
  184.       TargetIp: !GetAtt Master0.PrivateIp
  186.   RegisterMaster0InternalApiTarget:
  187.     Condition: DoRegistration
  188.     Type: Custom::NLBRegister
  189.     Properties:
  190.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  191.       TargetArn: !Ref InternalApiTargetGroupArn
  192.       TargetIp: !GetAtt Master0.PrivateIp
  194.   RegisterMaster0InternalServiceTarget:
  195.     Condition: DoRegistration
  196.     Type: Custom::NLBRegister
  197.     Properties:
  198.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  199.       TargetArn: !Ref InternalServiceTargetGroupArn
  200.       TargetIp: !GetAtt Master0.PrivateIp
  202.   Master1:
  203.     Type: AWS::EC2::Instance
  204.     Properties:
  205.       ImageId: !Ref RhcosAmi
  206.       BlockDeviceMappings:
  207.       - DeviceName: /dev/xvda
  208.         Ebs:
  209.           VolumeSize: "120"
  210.           VolumeType: "gp2"
  211.       IamInstanceProfile: !Ref MasterInstanceProfileName
  212.       InstanceType: !Ref MasterInstanceType
  213.       NetworkInterfaces:
  214.       - AssociatePublicIpAddress: "false"
  215.         DeviceIndex: "0"
  216.         GroupSet:
  217.         - !Ref "MasterSecurityGroupId"
  218.         SubnetId: !Ref "Master1Subnet"
  219.       UserData:
  220.         Fn::Base64: !Sub
  221.         - '{"ignition":{"config":{"merge":[{"source":"${SOURCE}"}]},"security":{"tls":{"certificateAuthorities":[{"source":"${CA_BUNDLE}"}]}},"version":"3.1.0"}}'
  222.         - {
  223.           SOURCE: !Ref IgnitionLocation,
  224.           CA_BUNDLE: !Ref CertificateAuthorities,
  225.         }
  226.       Tags:
  227.       - Key: !Join ["", ["kubernetes.io/cluster/", !Ref InfrastructureName]]
  228.         Value: "shared"
  230.   RegisterMaster1:
  231.     Condition: DoRegistration
  232.     Type: Custom::NLBRegister
  233.     Properties:
  234.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  235.       TargetArn: !Ref ExternalApiTargetGroupArn
  236.       TargetIp: !GetAtt Master1.PrivateIp
  238.   RegisterMaster1InternalApiTarget:
  239.     Condition: DoRegistration
  240.     Type: Custom::NLBRegister
  241.     Properties:
  242.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  243.       TargetArn: !Ref InternalApiTargetGroupArn
  244.       TargetIp: !GetAtt Master1.PrivateIp
  246.   RegisterMaster1InternalServiceTarget:
  247.     Condition: DoRegistration
  248.     Type: Custom::NLBRegister
  249.     Properties:
  250.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  251.       TargetArn: !Ref InternalServiceTargetGroupArn
  252.       TargetIp: !GetAtt Master1.PrivateIp
  254.   Master2:
  255.     Type: AWS::EC2::Instance
  256.     Properties:
  257.       ImageId: !Ref RhcosAmi
  258.       BlockDeviceMappings:
  259.       - DeviceName: /dev/xvda
  260.         Ebs:
  261.           VolumeSize: "120"
  262.           VolumeType: "gp2"
  263.       IamInstanceProfile: !Ref MasterInstanceProfileName
  264.       InstanceType: !Ref MasterInstanceType
  265.       NetworkInterfaces:
  266.       - AssociatePublicIpAddress: "false"
  267.         DeviceIndex: "0"
  268.         GroupSet:
  269.         - !Ref "MasterSecurityGroupId"
  270.         SubnetId: !Ref "Master2Subnet"
  271.       UserData:
  272.         Fn::Base64: !Sub
  273.         - '{"ignition":{"config":{"merge":[{"source":"${SOURCE}"}]},"security":{"tls":{"certificateAuthorities":[{"source":"${CA_BUNDLE}"}]}},"version":"3.1.0"}}'
  274.         - {
  275.           SOURCE: !Ref IgnitionLocation,
  276.           CA_BUNDLE: !Ref CertificateAuthorities,
  277.         }
  278.       Tags:
  279.       - Key: !Join ["", ["kubernetes.io/cluster/", !Ref InfrastructureName]]
  280.         Value: "shared"
  282.   RegisterMaster2:
  283.     Condition: DoRegistration
  284.     Type: Custom::NLBRegister
  285.     Properties:
  286.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  287.       TargetArn: !Ref ExternalApiTargetGroupArn
  288.       TargetIp: !GetAtt Master2.PrivateIp
  290.   RegisterMaster2InternalApiTarget:
  291.     Condition: DoRegistration
  292.     Type: Custom::NLBRegister
  293.     Properties:
  294.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  295.       TargetArn: !Ref InternalApiTargetGroupArn
  296.       TargetIp: !GetAtt Master2.PrivateIp
  298.   RegisterMaster2InternalServiceTarget:
  299.     Condition: DoRegistration
  300.     Type: Custom::NLBRegister
  301.     Properties:
  302.       ServiceToken: !Ref RegisterNlbIpTargetsLambdaArn
  303.       TargetArn: !Ref InternalServiceTargetGroupArn
  304.       TargetIp: !GetAtt Master2.PrivateIp
  306.   EtcdSrvRecords:
  307.     Condition: DoDns
  308.     Type: AWS::Route53::RecordSet
  309.     Properties:
  310.       HostedZoneId: !Ref PrivateHostedZoneId
  311.       Name: !Join [".", ["_etcd-server-ssl._tcp", !Ref PrivateHostedZoneName]]
  312.       ResourceRecords:
  313.       - !Join [
  314.         " ",
  315.         ["0 10 2380", !Join [".", ["etcd-0", !Ref PrivateHostedZoneName]]],
  316.       ]
  317.       - !Join [
  318.         " ",
  319.         ["0 10 2380", !Join [".", ["etcd-1", !Ref PrivateHostedZoneName]]],
  320.       ]
  321.       - !Join [
  322.         " ",
  323.         ["0 10 2380", !Join [".", ["etcd-2", !Ref PrivateHostedZoneName]]],
  324.       ]
  325.       TTL: 60
  326.       Type: SRV
  328.   Etcd0Record:
  329.     Condition: DoDns
  330.     Type: AWS::Route53::RecordSet
  331.     Properties:
  332.       HostedZoneId: !Ref PrivateHostedZoneId
  333.       Name: !Join [".", ["etcd-0", !Ref PrivateHostedZoneName]]
  334.       ResourceRecords:
  335.       - !GetAtt Master0.PrivateIp
  336.       TTL: 60
  337.       Type: A
  339.   Etcd1Record:
  340.     Condition: DoDns
  341.     Type: AWS::Route53::RecordSet
  342.     Properties:
  343.       HostedZoneId: !Ref PrivateHostedZoneId
  344.       Name: !Join [".", ["etcd-1", !Ref PrivateHostedZoneName]]
  345.       ResourceRecords:
  346.       - !GetAtt Master1.PrivateIp
  347.       TTL: 60
  348.       Type: A
  350.   Etcd2Record:
  351.     Condition: DoDns
  352.     Type: AWS::Route53::RecordSet
  353.     Properties:
  354.       HostedZoneId: !Ref PrivateHostedZoneId
  355.       Name: !Join [".", ["etcd-2", !Ref PrivateHostedZoneName]]
  356.       ResourceRecords:
  357.       - !GetAtt Master2.PrivateIp
  358.       TTL: 60
  359.       Type: A
  361. Outputs:
  362.   PrivateIPs:
  363.     Description: The control-plane node private IP addresses.
  364.     Value:
  365.       !Join [
  366.         ",",
  367.         [!GetAtt Master0.PrivateIp, !GetAtt Master1.PrivateIp, !GetAtt Master2.PrivateIp]
  368.       ]

Additional resources

Creating the worker nodes in AWS

You can create worker nodes in Amazon Web Services (AWS) for your cluster to use.

You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources that represent a worker node.

The CloudFormation template creates a stack that represents one worker node. You must create a stack for each worker node.

If you do not use the provided CloudFormation template to create your worker nodes, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

  • You created and configured DNS, load balancers, and listeners in AWS.

  • You created the security groups and roles required for your cluster in AWS.

  • You created the bootstrap machine.

  • You created the control plane machines.

Procedure

  1. Create a JSON file that contains the parameter values that the CloudFormation template requires:

    1. [
    2.   {
    3.     "ParameterKey": "InfrastructureName", (1)
    4.     "ParameterValue": "mycluster-<random_string>" (2)
    5.   },
    6.   {
    7.     "ParameterKey": "RhcosAmi", (3)
    8.     "ParameterValue": "ami-<random_string>" (4)
    9.   },
    10.   {
    11.     "ParameterKey": "Subnet", (5)
    12.     "ParameterValue": "subnet-<random_string>" (6)
    13.   },
    14.   {
    15.     "ParameterKey": "WorkerSecurityGroupId", (7)
    16.     "ParameterValue": "sg-<random_string>" (8)
    17.   },
    18.   {
    19.     "ParameterKey": "IgnitionLocation", (9)
    20.     "ParameterValue": "https://api-int.<cluster_name>.<domain_name>:22623/config/worker" (10)
    21.   },
    22.   {
    23.     "ParameterKey": "CertificateAuthorities", (11)
    24.     "ParameterValue": "" (12)
    25.   },
    26.   {
    27.     "ParameterKey": "WorkerInstanceProfileName", (13)
    28.     "ParameterValue": "" (14)
    29.   },
    30.   {
    31.     "ParameterKey": "WorkerInstanceType", (15)
    32.     "ParameterValue": "m4.2xlarge" (16)
    33.   }
    34. ]
    1The name for your cluster infrastructure that is encoded in your Ignition config files for the cluster.
    2Specify the infrastructure name that you extracted from the Ignition config file metadata, which has the format <cluster-name>-<random-string>.
    3Current Fedora CoreOS (FCOS) AMI to use for the worker nodes.
    4Specify an AWS::EC2::Image::Id value.
    5A subnet, preferably private, to launch the worker nodes on.
    6Specify a subnet from the PrivateSubnets value from the output of the CloudFormation template for DNS and load balancing.
    7The worker security group ID to associate with worker nodes.
    8Specify the WorkerSecurityGroupId value from the output of the CloudFormation template for the security group and roles.
    9The location to fetch bootstrap Ignition config file from.
    10Specify the generated Ignition config location, https://api-int.<cluster_name>.<domain_name>:22623/config/worker.
    11Base64 encoded certificate authority string to use.
    12Specify the value from the worker.ign file that is in the installation directory. This value is the long string with the format data:text/plain;charset=utf-8;base64,ABC…​xYz==.
    13The IAM profile to associate with worker nodes.
    14Specify the WorkerInstanceProfile parameter value from the output of the CloudFormation template for the security group and roles.
    15The type of AWS instance to use for the control plane machines.
    16Allowed values:

    • m4.large

    • m4.xlarge

    • m4.2xlarge

    • m4.4xlarge

    • m4.10xlarge

    • m4.16xlarge

    • m5.large

    • m5.xlarge

    • m5.2xlarge

    • m5.4xlarge

    • m5.8xlarge

    • m5.12xlarge

    • m5.16xlarge

    • m5a.large

    • m5a.xlarge

    • m5a.2xlarge

    • m5a.4xlarge

    • m5a.8xlarge

    • m5a.12xlarge

    • m5a.16xlarge

    • c4.large

    • c4.xlarge

    • c4.2xlarge

    • c4.4xlarge

    • c4.8xlarge

    • c5.large

    • c5.xlarge

    • c5.2xlarge

    • c5.4xlarge

    • c5.9xlarge

    • c5.12xlarge

    • c5.18xlarge

    • c5.24xlarge

    • c5a.large

    • c5a.xlarge

    • c5a.2xlarge

    • c5a.4xlarge

    • c5a.8xlarge

    • c5a.12xlarge

    • c5a.16xlarge

    • c5a.24xlarge

    • r4.large

    • r4.xlarge

    • r4.2xlarge

    • r4.4xlarge

    • r4.8xlarge

    • r4.16xlarge

    • r5.large

    • r5.xlarge

    • r5.2xlarge

    • r5.4xlarge

    • r5.8xlarge

    • r5.12xlarge

    • r5.16xlarge

    • r5.24xlarge

    • r5a.large

    • r5a.xlarge

    • r5a.2xlarge

    • r5a.4xlarge

    • r5a.8xlarge

    • r5a.12xlarge

    • r5a.16xlarge

    • r5a.24xlarge

    • t3.large

    • t3.xlarge

    • t3.2xlarge

    • t3a.large

    • t3a.xlarge

    • t3a.2xlarge

  2. Copy the template from the CloudFormation template for worker machines section of this topic and save it as a YAML file on your computer. This template describes the networking objects and load balancers that your cluster requires.

  3. If you specified an m5 instance type as the value for WorkerInstanceType, add that instance type to the WorkerInstanceType.AllowedValues parameter in the CloudFormation template.

  4. Launch the CloudFormation template to create a stack of AWS resources that represent a worker node:

    You must enter the command on a single line.

    1. $ aws cloudformation create-stack --stack-name <name> (1)
    2.      --template-body file://<template>.yaml \ (2)
    3.      --parameters file://<parameters>.json (3)
    1<name> is the name for the CloudFormation stack, such as cluster-worker-1. You need the name of this stack if you remove the cluster.
    2<template> is the relative path to and name of the CloudFormation template YAML file that you saved.
    3<parameters> is the relative path to and name of the CloudFormation parameters JSON file.

    Example output

    1. arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-worker-1/729ee301-1c2a-11eb-348f-sd9888c65b59

    The CloudFormation template creates a stack that represents one worker node.

  5. Confirm that the template components exist:

    1. $ aws cloudformation describe-stacks --stack-name <name>

  6. Continue to create worker stacks until you have created enough worker machines for your cluster. You can create additional worker stacks by referencing the same template and parameter files and specifying a different stack name.

    You must create at least two worker machines, so you must create at least two stacks that use this CloudFormation template.

CloudFormation template for worker machines

You can use the following CloudFormation template to deploy the worker machines that you need for your OKD cluster.

CloudFormation template for worker machines

  1. AWSTemplateFormatVersion: 2010-09-09
  2. Description: Template for OpenShift Cluster Node Launch (EC2 worker instance)
  4. Parameters:
  5.   InfrastructureName:
  6.     AllowedPattern: ^([a-zA-Z][a-zA-Z0-9\-]{0,26})$
  7.     MaxLength: 27
  8.     MinLength: 1
  9.     ConstraintDescription: Infrastructure name must be alphanumeric, start with a letter, and have a maximum of 27 characters.
  10.     Description: A short, unique cluster ID used to tag nodes for the kubelet cloud provider.
  11.     Type: String
  12.   RhcosAmi:
  13.     Description: Current Red Hat Enterprise Linux CoreOS AMI to use for bootstrap.
  14.     Type: AWS::EC2::Image::Id
  15.   Subnet:
  16.     Description: The subnets, recommend private, to launch the master nodes into.
  17.     Type: AWS::EC2::Subnet::Id
  18.   WorkerSecurityGroupId:
  19.     Description: The master security group ID to associate with master nodes.
  20.     Type: AWS::EC2::SecurityGroup::Id
  21.   IgnitionLocation:
  22.     Default: https://api-int.$CLUSTER_NAME.$DOMAIN:22623/config/worker
  23.     Description: Ignition config file location.
  24.     Type: String
  25.   CertificateAuthorities:
  26.     Default: data:text/plain;charset=utf-8;base64,ABC...xYz==
  27.     Description: Base64 encoded certificate authority string to use.
  28.     Type: String
  29.   WorkerInstanceProfileName:
  30.     Description: IAM profile to associate with master nodes.
  31.     Type: String
  32.   WorkerInstanceType:
  33.     Default: m5.large
  34.     Type: String
  36. Metadata:
  37.   AWS::CloudFormation::Interface:
  38.     ParameterGroups:
  39.     - Label:
  40.         default: "Cluster Information"
  41.       Parameters:
  42.       - InfrastructureName
  43.     - Label:
  44.         default: "Host Information"
  45.       Parameters:
  46.       - WorkerInstanceType
  47.       - RhcosAmi
  48.       - IgnitionLocation
  49.       - CertificateAuthorities
  50.       - WorkerSecurityGroupId
  51.       - WorkerInstanceProfileName
  52.     - Label:
  53.         default: "Network Configuration"
  54.       Parameters:
  55.       - Subnet
  56.     ParameterLabels:
  57.       Subnet:
  58.         default: "Subnet"
  59.       InfrastructureName:
  60.         default: "Infrastructure Name"
  61.       WorkerInstanceType:
  62.         default: "Worker Instance Type"
  63.       WorkerInstanceProfileName:
  64.         default: "Worker Instance Profile Name"
  65.       RhcosAmi:
  66.         default: "Red Hat Enterprise Linux CoreOS AMI ID"
  67.       IgnitionLocation:
  68.         default: "Worker Ignition Source"
  69.       CertificateAuthorities:
  70.         default: "Ignition CA String"
  71.       WorkerSecurityGroupId:
  72.         default: "Worker Security Group ID"
  74. Resources:
  75.   Worker0:
  76.     Type: AWS::EC2::Instance
  77.     Properties:
  78.       ImageId: !Ref RhcosAmi
  79.       BlockDeviceMappings:
  80.       - DeviceName: /dev/xvda
  81.         Ebs:
  82.           VolumeSize: "120"
  83.           VolumeType: "gp2"
  84.       IamInstanceProfile: !Ref WorkerInstanceProfileName
  85.       InstanceType: !Ref WorkerInstanceType
  86.       NetworkInterfaces:
  87.       - AssociatePublicIpAddress: "false"
  88.         DeviceIndex: "0"
  89.         GroupSet:
  90.         - !Ref "WorkerSecurityGroupId"
  91.         SubnetId: !Ref "Subnet"
  92.       UserData:
  93.         Fn::Base64: !Sub
  94.         - '{"ignition":{"config":{"merge":[{"source":"${SOURCE}"}]},"security":{"tls":{"certificateAuthorities":[{"source":"${CA_BUNDLE}"}]}},"version":"3.1.0"}}'
  95.         - {
  96.           SOURCE: !Ref IgnitionLocation,
  97.           CA_BUNDLE: !Ref CertificateAuthorities,
  98.         }
  99.       Tags:
  100.       - Key: !Join ["", ["kubernetes.io/cluster/", !Ref InfrastructureName]]
  101.         Value: "shared"
  103. Outputs:
  104.   PrivateIP:
  105.     Description: The compute node private IP address.
  106.     Value: !GetAtt Worker0.PrivateIp

Additional resources

Initializing the bootstrap sequence on AWS with user-provisioned infrastructure

After you create all of the required infrastructure in Amazon Web Services (AWS), you can start the bootstrap sequence that initializes the OKD control plane.

Prerequisites

  • You configured an AWS account.

  • You added your AWS keys and region to your local AWS profile by running aws configure.

  • You generated the Ignition config files for your cluster.

  • You created and configured a VPC and associated subnets in AWS.

  • You created and configured DNS, load balancers, and listeners in AWS.

  • You created the security groups and roles required for your cluster in AWS.

  • You created the bootstrap machine.

  • You created the control plane machines.

  • You created the worker nodes.

Procedure

  1. Change to the directory that contains the installation program and start the bootstrap process that initializes the OKD control plane:

    1. $ ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \ (1)
    2.     --log-level=info (2)
    1For <installation_directory>, specify the path to the directory that you stored the installation files in.
    2To view different installation details, specify warn, debug, or error instead of info.

    Example output

    1. INFO Waiting up to 20m0s for the Kubernetes API at https://api.mycluster.example.com:6443...
    2. INFO API v1.22.1 up
    3. INFO Waiting up to 30m0s for bootstrapping to complete...
    4. INFO It is now safe to remove the bootstrap resources
    5. INFO Time elapsed: 1s

    If the command exits without a FATAL warning, your OKD control plane has initialized.

    After the control plane initializes, it sets up the compute nodes and installs additional services in the form of Operators.

Additional resources

Installing the OpenShift CLI by downloading the binary

You can install the OpenShift CLI (oc) to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.

If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD 4.9. Download and install the new version of oc.

Installing the OpenShift CLI on Linux

You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

Procedure

  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.tar.gz.

  3. Unpack the archive:

    1. $ tar xvzf <file>

  4. Place the oc binary in a directory that is on your PATH.

    To check your PATH, execute the following command:

    1. $ echo $PATH

After you install the OpenShift CLI, it is available using the oc command:

  1. $ oc <command>

Installing the OpenShift CLI on Windows

You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

Procedure

  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.zip.

  3. Unzip the archive with a ZIP program.

  4. Move the oc binary to a directory that is on your PATH.

    To check your PATH, open the command prompt and execute the following command:

    1. C:\> path

After you install the OpenShift CLI, it is available using the oc command:

  1. C:\> oc <command>

Installing the OpenShift CLI on macOS

You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

Procedure

  1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

  2. Download oc.tar.gz.

  3. Unpack and unzip the archive.

  4. Move the oc binary to a directory on your PATH.

    To check your PATH, open a terminal and execute the following command:

    1. $ echo $PATH

After you install the OpenShift CLI, it is available using the oc command:

  1. $ oc <command>

Logging in to the cluster by using the CLI

You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OKD installation.

Prerequisites

  • You deployed an OKD cluster.

  • You installed the oc CLI.

Procedure

  1. Export the kubeadmin credentials:

    1. $ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)
    1For <installation_directory>, specify the path to the directory that you stored the installation files in.

  2. Verify you can run oc commands successfully using the exported configuration:

    1. $ oc whoami

    Example output

    1. system:admin

Approving the certificate signing requests for your machines

When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.

Prerequisites

  • You added machines to your cluster.

Procedure

  1. Confirm that the cluster recognizes the machines:

    1. $ oc get nodes

    Example output

    1. NAME      STATUS    ROLES   AGE  VERSION
    2. master-0  Ready     master  63m  v1.22.1
    3. master-1  Ready     master  63m  v1.22.1
    4. master-2  Ready     master  64m  v1.22.1

    The output lists all of the machines that you created.

    The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved.

  2. Review the pending CSRs and ensure that you see the client requests with the Pending or Approved status for each machine that you added to the cluster:

    1. $ oc get csr

    Example output

    1. NAME        AGE     REQUESTOR                                                                   CONDITION
    2. csr-8b2br   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    3. csr-8vnps   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
    4. ...

    In this example, two machines are joining the cluster. You might see more approved CSRs in the list.

  3. If the CSRs were not approved, after all of the pending CSRs for the machines you added are in Pending status, approve the CSRs for your cluster machines:

    Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the machine-approver if the Kubelet requests a new certificate with identical parameters.

    For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the oc exec, oc rsh, and oc logs commands cannot succeed, because a serving certificate is required when the API server connects to the kubelet. Any operation that contacts the Kubelet endpoint requires this certificate approval to be in place. The method must watch for new CSRs, confirm that the CSR was submitted by the node-bootstrapper service account in the system:node or system:admin groups, and confirm the identity of the node.

    • To approve them individually, run the following command for each valid CSR:

      1. $ oc adm certificate approve <csr_name> (1)
      1<csr_name> is the name of a CSR from the list of current CSRs.

    • To approve all pending CSRs, run the following command:

      1. $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve

      Some Operators might not become available until some CSRs are approved.

  4. Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster:

    1. $ oc get csr

    Example output

    1. NAME        AGE     REQUESTOR                                                                   CONDITION
    2. csr-bfd72   5m26s   system:node:ip-10-0-50-126.us-east-2.compute.internal                       Pending
    3. csr-c57lv   5m26s   system:node:ip-10-0-95-157.us-east-2.compute.internal                       Pending
    4. ...

  5. If the remaining CSRs are not approved, and are in the Pending status, approve the CSRs for your cluster machines:

    • To approve them individually, run the following command for each valid CSR:

      1. $ oc adm certificate approve <csr_name> (1)
      1<csr_name> is the name of a CSR from the list of current CSRs.

    • To approve all pending CSRs, run the following command:

      1. $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve

  6. After all client and server CSRs have been approved, the machines have the Ready status. Verify this by running the following command:

    1. $ oc get nodes

    Example output

    1. NAME      STATUS    ROLES   AGE  VERSION
    2. master-0  Ready     master  73m  v1.22.1
    3. master-1  Ready     master  73m  v1.22.1
    4. master-2  Ready     master  74m  v1.22.1
    5. worker-0  Ready     worker  11m  v1.22.1
    6. worker-1  Ready     worker  11m  v1.22.1

    It can take a few minutes after approval of the server CSRs for the machines to transition to the Ready status.

Additional information

Initial Operator configuration

After the control plane initializes, you must immediately configure some Operators so that they all become available.

Prerequisites

  • Your control plane has initialized.

Procedure

  1. Watch the cluster components come online:

    1. $ watch -n5 oc get clusteroperators

    Example output

    1. NAME                                       VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
    2. authentication                             4.9.0     True        False         False      19m
    3. baremetal                                  4.9.0     True        False         False      37m
    4. cloud-credential                           4.9.0     True        False         False      40m
    5. cluster-autoscaler                         4.9.0     True        False         False      37m
    6. config-operator                            4.9.0     True        False         False      38m
    7. console                                    4.9.0     True        False         False      26m
    8. csi-snapshot-controller                    4.9.0     True        False         False      37m
    9. dns                                        4.9.0     True        False         False      37m
    10. etcd                                       4.9.0     True        False         False      36m
    11. image-registry                             4.9.0     True        False         False      31m
    12. ingress                                    4.9.0     True        False         False      30m
    13. insights                                   4.9.0     True        False         False      31m
    14. kube-apiserver                             4.9.0     True        False         False      26m
    15. kube-controller-manager                    4.9.0     True        False         False      36m
    16. kube-scheduler                             4.9.0     True        False         False      36m
    17. kube-storage-version-migrator              4.9.0     True        False         False      37m
    18. machine-api                                4.9.0     True        False         False      29m
    19. machine-approver                           4.9.0     True        False         False      37m
    20. machine-config                             4.9.0     True        False         False      36m
    21. marketplace                                4.9.0     True        False         False      37m
    22. monitoring                                 4.9.0     True        False         False      29m
    23. network                                    4.9.0     True        False         False      38m
    24. node-tuning                                4.9.0     True        False         False      37m
    25. openshift-apiserver                        4.9.0     True        False         False      32m
    26. openshift-controller-manager               4.9.0     True        False         False      30m
    27. openshift-samples                          4.9.0     True        False         False      32m
    28. operator-lifecycle-manager                 4.9.0     True        False         False      37m
    29. operator-lifecycle-manager-catalog         4.9.0     True        False         False      37m
    30. operator-lifecycle-manager-packageserver   4.9.0     True        False         False      32m
    31. service-ca                                 4.9.0     True        False         False      38m
    32. storage                                    4.9.0     True        False         False      37m

  2. Configure the Operators that are not available.

Image registry storage configuration

Amazon Web Services provides default storage, which means the Image Registry Operator is available after installation. However, if the Registry Operator cannot create an S3 bucket and automatically configure storage, you must manually configure registry storage.

Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.

Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.

You can configure registry storage for user-provisioned infrastructure in AWS to deploy OKD to hidden regions. See Configuring the registry for AWS user-provisioned infrastructure for more information.

Configuring registry storage for AWS with user-provisioned infrastructure

During installation, your cloud credentials are sufficient to create an Amazon S3 bucket and the Registry Operator will automatically configure storage.

If the Registry Operator cannot create an S3 bucket and automatically configure storage, you can create an S3 bucket and configure storage with the following procedure.

Prerequisites

  • You have a cluster on AWS with user-provisioned infrastructure.

  • For Amazon S3 storage, the secret is expected to contain two keys:

    • REGISTRY_STORAGE_S3_ACCESSKEY

    • REGISTRY_STORAGE_S3_SECRETKEY

Procedure

Use the following procedure if the Registry Operator cannot create an S3 bucket and automatically configure storage.

  1. Set up a Bucket Lifecycle Policy to abort incomplete multipart uploads that are one day old.

  2. Fill in the storage configuration in configs.imageregistry.operator.openshift.io/cluster:

    1. $ oc edit configs.imageregistry.operator.openshift.io/cluster

    Example configuration

    1. storage:
    2.   s3:
    3.     bucket: <bucket-name>
    4.     region: <region-name>

To secure your registry images in AWS, block public access to the S3 bucket.

Configuring storage for the image registry in non-production clusters

You must configure storage for the Image Registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

Procedure

  • To set the image registry storage to an empty directory:

    1. $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'

    Configure this option for only non-production clusters.

    If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error:

    1. Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found

    Wait a few minutes and run the command again.

Deleting the bootstrap resources

After you complete the initial Operator configuration for the cluster, remove the bootstrap resources from Amazon Web Services (AWS).

Prerequisites

  • You completed the initial Operator configuration for your cluster.

Procedure

  1. Delete the bootstrap resources. If you used the CloudFormation template, delete its stack:

    • Delete the stack by using the AWS CLI:

      1. $ aws cloudformation delete-stack --stack-name <name> (1)
      1<name> is the name of your bootstrap stack.

    • Delete the stack by using the AWS CloudFormation console.

Creating the Ingress DNS Records

If you removed the DNS Zone configuration, manually create DNS records that point to the Ingress load balancer. You can create either a wildcard record or specific records. While the following procedure uses A records, you can use other record types that you require, such as CNAME or alias.

Prerequisites

Procedure

  1. Determine the routes to create.

    • To create a wildcard record, use *.apps.<cluster_name>.<domain_name>, where <cluster_name> is your cluster name, and <domain_name> is the Route 53 base domain for your OKD cluster.

    • To create specific records, you must create a record for each route that your cluster uses, as shown in the output of the following command:

      1. $ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes

      Example output

      1. oauth-openshift.apps.<cluster_name>.<domain_name>
      2. console-openshift-console.apps.<cluster_name>.<domain_name>
      3. downloads-openshift-console.apps.<cluster_name>.<domain_name>
      4. alertmanager-main-openshift-monitoring.apps.<cluster_name>.<domain_name>
      5. grafana-openshift-monitoring.apps.<cluster_name>.<domain_name>
      6. prometheus-k8s-openshift-monitoring.apps.<cluster_name>.<domain_name>

  2. Retrieve the Ingress Operator load balancer status and note the value of the external IP address that it uses, which is shown in the EXTERNAL-IP column:

    1. $ oc -n openshift-ingress get service router-default

    Example output

    1. NAME             TYPE           CLUSTER-IP      EXTERNAL-IP                            PORT(S)                      AGE
    2. router-default   LoadBalancer   172.30.62.215   ab3...28.us-east-2.elb.amazonaws.com   80:31499/TCP,443:30693/TCP   5m

  3. Locate the hosted zone ID for the load balancer:

    1. $ aws elb describe-load-balancers | jq -r '.LoadBalancerDescriptions[] | select(.DNSName == "<external_ip>").CanonicalHostedZoneNameID' (1)
    1For <external_ip>, specify the value of the external IP address of the Ingress Operator load balancer that you obtained.

    Example output

    1. Z3AADJGX6KTTL2

    The output of this command is the load balancer hosted zone ID.

  4. Obtain the public hosted zone ID for your cluster’s domain:

    1. $ aws route53 list-hosted-zones-by-name \
    2.             --dns-name "<domain_name>" \ (1)
    3.             --query 'HostedZones[? Config.PrivateZone != `true` && Name == `<domain_name>.`].Id' (1)
    4.             --output text
    1For <domain_name>, specify the Route 53 base domain for your OKD cluster.

    Example output

    1. /hostedzone/Z3URY6TWQ91KVV

    The public hosted zone ID for your domain is shown in the command output. In this example, it is Z3URY6TWQ91KVV.

  5. Add the alias records to your private zone:

    1. $ aws route53 change-resource-record-sets --hosted-zone-id "<private_hosted_zone_id>" --change-batch '{ (1)
    2. >   "Changes": [
    3. >     {
    4. >       "Action": "CREATE",
    5. >       "ResourceRecordSet": {
    6. >         "Name": "\\052.apps.<cluster_domain>", (2)
    7. >         "Type": "A",
    8. >         "AliasTarget":{
    9. >           "HostedZoneId": "<hosted_zone_id>", (3)
    10. >           "DNSName": "<external_ip>.", (4)
    11. >           "EvaluateTargetHealth": false
    12. >         }
    13. >       }
    14. >     }
    15. >   ]
    16. > }'
    1For <private_hosted_zone_id>, specify the value from the output of the CloudFormation template for DNS and load balancing.
    2For <cluster_domain>, specify the domain or subdomain that you use with your OKD cluster.
    3For <hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
    4For <external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.

  6. Add the records to your public zone:

    1. $ aws route53 change-resource-record-sets --hosted-zone-id "<public_hosted_zone_id>"" --change-batch '{ (1)
    2. >   "Changes": [
    3. >     {
    4. >       "Action": "CREATE",
    5. >       "ResourceRecordSet": {
    6. >         "Name": "\\052.apps.<cluster_domain>", (2)
    7. >         "Type": "A",
    8. >         "AliasTarget":{
    9. >           "HostedZoneId": "<hosted_zone_id>", (3)
    10. >           "DNSName": "<external_ip>.", (4)
    11. >           "EvaluateTargetHealth": false
    12. >         }
    13. >       }
    14. >     }
    15. >   ]
    16. > }'
    1For <public_hosted_zone_id>, specify the public hosted zone for your domain.
    2For <cluster_domain>, specify the domain or subdomain that you use with your OKD cluster.
    3For <hosted_zone_id>, specify the public hosted zone ID for the load balancer that you obtained.
    4For <external_ip>, specify the value of the external IP address of the Ingress Operator load balancer. Ensure that you include the trailing period (.) in this parameter value.

Completing an AWS installation on user-provisioned infrastructure

After you start the OKD installation on Amazon Web Service (AWS) user-provisioned infrastructure, monitor the deployment to completion.

Prerequisites

  • You removed the bootstrap node for an OKD cluster on user-provisioned AWS infrastructure.

  • You installed the oc CLI.

Procedure

  • From the directory that contains the installation program, complete the cluster installation:

    1. $ ./openshift-install --dir <installation_directory> wait-for install-complete (1)
    1For <installation_directory>, specify the path to the directory that you stored the installation files in.

    Example output

    1. INFO Waiting up to 40m0s for the cluster at https://api.mycluster.example.com:6443 to initialize...
    2. INFO Waiting up to 10m0s for the openshift-console route to be created...
    3. INFO Install complete!
    4. INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig'
    5. INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com
    6. INFO Login to the console with user: "kubeadmin", and password: "4vYBz-Fe5en-ymBEc-Wt6NL"
    7. INFO Time elapsed: 1s

    The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.

Logging in to the cluster by using the web console

The kubeadmin user exists by default after an OKD installation. You can log in to your cluster as the kubeadmin user by using the OKD web console.

Prerequisites

  • You have access to the installation host.

  • You completed a cluster installation and all cluster Operators are available.

Procedure

  1. Obtain the password for the kubeadmin user from the kubeadmin-password file on the installation host:

    1. $ cat <installation_directory>/auth/kubeadmin-password

    Alternatively, you can obtain the kubeadmin password from the <installation_directory>/.openshift_install.log log file on the installation host.

  2. List the OKD web console route:

    1. $ oc get routes -n openshift-console | grep 'console-openshift'

    Alternatively, you can obtain the OKD route from the <installation_directory>/.openshift_install.log log file on the installation host.

    Example output

    1. console     console-openshift-console.apps.<cluster_name>.<base_domain>            console     https   reencrypt/Redirect   None

  3. Navigate to the route detailed in the output of the preceding command in a web browser and log in as the kubeadmin user.

Additional resources

Additional resources

Additional resources

  • See Working with stacks in the AWS documentation for more information about AWS CloudFormation stacks.

Next steps