Expanding a cluster with on-premise bare metal nodes

You can expand an OKD cluster deployed on AWS by adding bare-metal nodes to the cluster. By default, a cluster deployed on AWS with OKD 4.11 or earlier has the Baremetal Operator (BMO) disabled. In OKD 4.12 and later releases, the BMO is enabled to support a hybrid cloud consisting of AWS control plane nodes and worker nodes with additional on-premise bare-metal worker nodes.

Expanding an OKD cluster deployed on AWS requires using virtual media with bare-metal nodes that meet the node requirements and firmware requirements for installing with virtual media. A provisioning network is not required, and if present, should be disabled.

Connecting the VPC to the on-premise network

To expand the OKD cluster deployed on AWS with on-premise bare metal nodes, you must establish network connectivity between them. You will need to configure the networking using a virtual private network or AWS Direct Connect between the AWS VPC and your on-premise network. This allows traffic to flow between the on-premise nodes and the AWS nodes.

Additionally, you need to ensure secure access to the Baseboard Management Controllers (BMCs) of the bare metal nodes. When expanding the cluster with the Baremetal Operator, access to the BMCs is required for remotely managing and monitoring the hardware of your on-premise nodes.

To securely access the BMCs, you can create a separate, secure network segment or use a dedicated VPN connection specifically for BMC access. This way, you can isolate the BMC traffic from other network traffic, reducing the risk of unauthorized access or potential vulnerabilities.

Misconfiguration of the network connection between the AWS and on-premise environments can expose the on-premise network and bare-metal nodes to the internet. That is a significant security risk, which might result in an attacker having full access to the exposed machines, and through them to the private network in these environments.

Creating firewall rules for port 6183

Port 6183 is open by default on the control plane. However, you must create a firewall rule for the VPC connection and for the on-premise network for the bare metal nodes to allow inbound and outbound traffic on that port.

Procedure

  1. Modify the AWS VPC security group to open port 6183:

    1. Navigate to the Amazon VPC console in the AWS Management Console.

    2. In the left navigation pane, click on Security Groups.

    3. Find and select the security group associated with the OKD cluster.

    4. In the Inbound rules tab, click Edit inbound rules.

    5. Click Add rule and select Custom TCP Rule as the rule type.

    6. In the Port range field, enter 6183.

    7. In the Source field, specify the CIDR block for the on-premise network or the security group ID of the peered VPC (if you have VPC peering) to allow traffic only from the desired sources.

    8. Click Save rules.

  2. Modify the AWS VPC network access control lists to open port 6183:

    1. In the Amazon VPC console, click on Network ACLs in the left navigation pane.

    2. Find and select the network ACL associated with your OKD cluster’s VPC.

    3. In the Inbound rules tab, click Edit inbound rules.

    4. Click Add rule and enter a rule number in the Rule # field. Choose a number that doesn’t conflict with existing rules.

    5. Select TCP as the protocol.

    6. In the Port range field, enter 6183.

    7. In the Source field, specify the CIDR block for the on-premise network to allow traffic only from the desired sources.

    8. Click Save to save the new rule.

    9. Repeat the same process for the Outbound rules tab to allow outbound traffic on port 6183.

  3. Modify the on-premise network to allow traffic on port 6183:

    1. Execute the following command to identify the zone you want to modify:

        $ sudo firewall-cmd --list-all-zones

    2. To open port 6183 for TCP traffic in the desired zone, execute the following command:

        $ sudo firewall-cmd --zone=<zone> --add-port=6183/tcp --permanent

      Replace <zone> with the appropriate zone name.

    3. Reload firewalld to apply the new rule:

        $ sudo firewall-cmd --reload

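As an added example, not taken from the OKD documentation or project, the script below prints the AWS CLI and firewalld equivalents of the three console steps above and refuses any source CIDR that is not an RFC 1918 private range, which guards against the exposure-to-the-internet misconfiguration warned about earlier on this page. The security group ID, network ACL ID and rule number are placeholder arguments the operator supplies.

```shell
#!/usr/bin/env sh
# Added example (not part of the OKD docs): generate the commands that open
# port 6183 for one on-premise source CIDR, rejecting public or open ranges.
set -u

PORT=6183

# Return 0 when $1 is a private IPv4 range (10/8, 172.16/12, 192.168/16)
# whose prefix length does not widen past that range; return 1 otherwise,
# so 0.0.0.0/0, public CIDRs and bare addresses are all refused.
is_private_cidr() {
  cidr=$1
  case "$cidr" in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}
  prefix=${cidr#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  case "$ip" in
    10.*) min=8 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) min=12 ;;
    192.168.*) min=16 ;;
    *) return 1 ;;
  esac
  [ "$prefix" -ge "$min" ] && [ "$prefix" -le 32 ]
}

# Print (do not run) the security group, network ACL and firewalld commands
# for one source CIDR. IDs default to obvious placeholders.
emit_rules() {
  cidr=$1
  sg_id=${2:-sg-PLACEHOLDER}
  acl_id=${3:-acl-PLACEHOLDER}
  rule_no=${4:-150}
  is_private_cidr "$cidr" || {
    echo "refusing non-private source CIDR for port $PORT: $cidr" >&2
    return 1
  }
  cat <<EOF
aws ec2 authorize-security-group-ingress --group-id $sg_id --protocol tcp --port $PORT --cidr $cidr
aws ec2 create-network-acl-entry --network-acl-id $acl_id --rule-number $rule_no --protocol tcp --port-range From=$PORT,To=$PORT --cidr-block $cidr --rule-action allow --ingress
aws ec2 create-network-acl-entry --network-acl-id $acl_id --rule-number $rule_no --protocol tcp --port-range From=$PORT,To=$PORT --cidr-block $cidr --rule-action allow --egress
sudo firewall-cmd --zone=<zone> --add-port=$PORT/tcp --permanent
sudo firewall-cmd --reload
EOF
}
```

Run as `emit_rules 10.20.0.0/16 sg-0123 acl-0456 150` and review the printed commands before executing them; the script deliberately never calls `aws` itself.
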
After you have the networking configured, you can proceed with expanding the cluster.