Configuring an IBM Cloud account

Before you can install OKD, you must configure an IBM Cloud account.

IBM Cloud using installer-provisioned infrastructure is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.

Prerequisites

  • You have an IBM Cloud account with a subscription. You cannot install OKD on a free or trial IBM Cloud account.

Quotas and limits on IBM Cloud

The OKD cluster uses a number of IBM Cloud components, and the default quotas and limits affect your ability to install OKD clusters. If you use certain cluster configurations, deploy your cluster in certain regions, or run multiple clusters from your account, you might need to request additional resources for your IBM Cloud account.

For a comprehensive list of the default IBM Cloud VPC quotas and service limits, see IBM Cloud’s documentation for Quotas and service limits.

Virtual Private Cloud (VPC)

Each OKD cluster creates its own VPC. The default quota of VPCs per region is 10 and will allow 10 clusters. To have more than 10 clusters in a single region, you must increase this quota.

Application load balancer

By default, each cluster creates three application load balancers (ALBs):

  • Internal load balancer for the master API server

  • External load balancer for the master API server

  • Load balancer for the router

You can create additional LoadBalancer service objects to create additional ALBs. The default quota of VPC ALBs are 50 per region. To have more than 50 ALBs, you must increase this quota.

VPC ALBs are supported. Classic ALBs are not supported for IBM Cloud.

Floating IP address

By default, the installation program distributes control plane and compute machines across all availability zones within a region to provision the cluster in a highly available configuration. In each availability zone, a public gateway is created and requires a separate floating IP address.

The default quota for a floating IP address is 20 addresses per availability zone. The default cluster configuration yields three floating IP addresses:

  • Two floating IP addresses in the us-east-1 primary zone. The IP address associated with the bootstrap node is removed after installation.

  • One floating IP address in the us-east-2 secondary zone.

  • One floating IP address in the us-east-3 secondary zone.

IBM Cloud can support up to 19 clusters per region in an account. If you plan to have more than 19 default clusters, you must increase this quota.

Virtual Server Instances (VSI)

By default, a cluster creates VSIs using bx2-4x16 profiles, which includes the following resources by default:

  • 4 vCPUs

  • 16 GB RAM

The following nodes are created:

  • One bx2-4x16 bootstrap machine, which is removed after the installation is complete

  • Three bx2-4x16 control plane nodes

  • Three bx2-4x16 compute nodes

For more information, see IBM Cloud’s documentation on supported profiles.

Table 1. VSI component quotas and limits
VSI componentDefault IBM Cloud quotaDefault cluster configurationMaximum number of clusters

vCPU

200 vCPUs per region

28 vCPUs, or 24 vCPUs after bootstrap removal

8 per region

RAM

1600 GB per region

112 GB, or 96 GB after bootstrap removal

16 per region

Storage

18 TB per region

1050 GB, or 900 GB after bootstrap removal

19 per region

If you plan to exceed the resources stated in the table, you must increase your IBM Cloud account quota.

Block Storage Volumes

For each VPC machine, a block storage device is attached for its boot volume. The default cluster configuration creates seven VPC machines, resulting in seven block storage volumes. Additional Kubernetes persistent volume claims (PVCs) of the IBM Cloud storage class create additional block storage volumes. The default quota of VPC block storage volumes are 300 per region. To have more than 300 volumes, you must increase this quota.

Configuring DNS resolution using Cloud Internet Services

IBM Cloud Internet Services (CIS) is used by the installation program to configure cluster DNS resolution and provide name lookup for the cluster to external resources. Only public DNS is supported with IBM Cloud.

IBM Cloud does not support IPv6, so dual stack or IPv6 environments are not possible.

You must create a domain zone in CIS in the same account as your cluster. You must also ensure the zone is authoritative for the domain. You can do this using a root domain or subdomain.

Prerequisites

Procedure

  1. If you do not already have an existing domain and registrar, you must acquire them. For more information, see IBM’s documentation.

  2. Create a CIS instance to use with your cluster.

    1. Install the CIS plug-in:

      1. $ ibmcloud plugin install cis
    2. Create the CIS instance:

      1. $ ibmcloud cis instance-create <instance_name> standard (1)
      1At a minimum, a Standard plan is required for CIS to manage the cluster subdomain and its DNS records.
  3. Connect an existing domain to your CIS instance.

    1. Set the context instance for CIS:

      1. $ ibmcloud cis instance-set <instance_crn> (1)
      1The instance cloud resource name.
    2. Add the domain for CIS:

      1. $ ibmcloud cis domain-add <domain_name> (1)
      1The fully qualified domain name. You can use either the root domain or subdomain value as the domain name, depending on which you plan to configure.

      A root domain uses the form openshiftcorp.com. A subdomain uses the form clusters.openshiftcorp.com.

  4. Open the CIS web console, navigate to the Overview page, and note your CIS name servers. These name servers will be used in the next step.

  5. Configure the name servers for your domains or subdomains at the domain’s registrar or DNS provider. For more information, see IBM Cloud’s documentation.

IBM Cloud IAM Policies and API Key

To install OKD into your IBM Cloud account, the installation program requires an IAM API key, which provides authentication and authorization to access IBM Cloud service APIs. You can use an existing IAM API key that contains the required policies or create a new one.

For an IBM Cloud IAM overview, see the IBM Cloud documentation.

Required access policies

You must assign the required access policies to your IBM Cloud account.

Table 2. Required access policies
Service typeServiceAccess policy scopePlatform accessService access

Account management

IAM Identity Service

All resources or a subset of resources [1]

Editor, Operator, Viewer, Administrator

Service ID creator

Account management [2]

Identity and Access Management

All resources

Editor, Operator, Viewer, Administrator

IAM services

Cloud Object Storage

All resources or a subset of resources [1]

Editor, Operator, Viewer, Administrator

Reader, Writer, Manager, Content Reader, Object Reader, Object Writer

IAM services

Internet Services

All resources or a subset of resources [1]

Editor, Operator, Viewer, Administrator

Reader, Writer, Manager

IAM services

VPC Infrastructure Services

All resources or a subset of resources [1]

Editor, Operator, Viewer, Administrator

Reader, Writer, Manager

  1. The policy access scope should be set based on how granular you want to assign access. The scope can be set to All resources or Resources based on selected attributes.

  2. Optional: This access policy is only required if you want the installation program to create a resource group. For more information on resource groups, see IBM Cloud’s documentation.

Access policy assignment

In IBM Cloud IAM, access policies can be attached to different subjects:

  • Access group (Recommended)

  • Service ID

  • User

The recommended method is to define IAM access policies in an access group. This helps organize all the access required for OKD and enables you to onboard users and service IDs to this group. You can also assign access to users and service IDs directly, if desired.

Creating an API key

You must create a user API key or a service ID API key for your IBM Cloud account.

Prerequisites

  • You have assigned the required access policies to your IBM Cloud account.

  • You have attached you IAM access policies to an access group, or other appropriate resource.

Procedure

  • Create an API key, depending on how you defined your IAM access policies.

    For example, if you assigned your access policies to a user, you must create a user API key. If you assigned your access policies to a service ID, you must create a service ID API key. If your access policies are assigned to an access group, you can use either API key type. For more information on IBM Cloud API keys, see Understanding API keys.

Supported IBM Cloud regions

You can deploy an OKD cluster to the following regions:

  • au-syd (Sydney, Australia)

  • ca-tor (Toronto, Canada)

  • eu-de (Frankfurt, Germany)

  • eu-gb (London, United Kingdom)

  • jp-osa (Osaka, Japan)

  • jp-tok (Tokyo, Japan)

  • us-east (Washington DC, United States)

  • us-south (Dallas, United States)

Next steps