In OpenShift Container Platform version 4.10, you can install a cluster on your VMware vSphere instance by using installer-provisioned infrastructure.
You reviewed details about the OpenShift Container Platform installation and update processes.
You read the documentation on selecting a cluster installation method and preparing it for users.
You provisioned persistent storage for your cluster. To deploy a private image registry, your storage must provide
ReadWriteMany access modes.
The OpenShift Container Platform installer requires access to port 443 on the vCenter and ESXi hosts. You verified that port 443 is accessible.
If you use a firewall, you confirmed with the administrator that port 443 is accessible. Control plane nodes must be able to reach vCenter and ESXi hosts on port 443 for the installation to succeed.
If you use a firewall, you configured it to allow the sites that your cluster requires access to.
|
Be sure to also review this site list if you are configuring a proxy. |
In OpenShift Container Platform 4.10, you require access to the internet to install your cluster.
You must have internet access to:
Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.
Access Quay.io to obtain the packages that are required to install your cluster.
Obtain the packages that are required to perform cluster updates.
|
If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry. |
You must install the OpenShift Container Platform cluster on a VMware vSphere version 6 or 7 instance that meets the requirements for the components that you use.
| Virtual environment product | Required version |
|---|---|
VM hardware version |
13 or later |
vSphere ESXi hosts |
6.5 or later |
vCenter host |
6.5 or later |
|
Installing a cluster on VMware vSphere version 6.7U3 or earlier and virtual hardware version 13 is now deprecated. These versions are still fully supported, but version 4.11 of OpenShift Container Platform will require vSphere virtual hardware version 15 or later. Hardware version 15 is now the default for vSphere virtual machines in OpenShift Container Platform. To update the hardware version for your vSphere nodes, see the "Updating hardware on nodes running in vSphere" article. If your vSphere nodes are below hardware version 15 or your VMware vSphere version is earlier than 6.7U3, upgrading from OpenShift Container Platform 4.10 to OpenShift Container Platform 4.11 is not available. |
| Component | Minimum supported versions | Description |
|---|---|---|
Hypervisor |
vSphere 6.5 and later with HW version 13 |
This version is the minimum version that Red Hat Enterprise Linux CoreOS (RHCOS) supports. See the Red Hat Enterprise Linux 8 supported hypervisors list. |
Storage with in-tree drivers |
vSphere 6.5 and later |
This plug-in creates vSphere storage by using the in-tree storage drivers for vSphere included in OpenShift Container Platform. |
Optional: Networking (NSX-T) |
vSphere 6.5U3 or vSphere 6.7U2 and later |
vSphere 6.5U3 or vSphere 6.7U2+ are required for OpenShift Container Platform. VMware’s NSX Container Plug-in (NCP) is certified with OpenShift Container Platform 4.6 and NSX-T 3.x+. |
If you use a vSphere version 6.5 instance, consider upgrading to 6.7U3 or 7.0 before you install OpenShift Container Platform.
|
You must ensure that the time on your ESXi hosts is synchronized before you install OpenShift Container Platform. See Edit Time Configuration for a Host in the VMware documentation. |
The following requirements must be met in order to install the CSI Driver Operator:
VMware vSphere version 6.7U3 or later
Virtual machines of hardware version 15 or later
No third-party CSI driver already installed in the cluster
If a third-party CSI driver is present in the cluster, OpenShift Container Platform does not overwrite it. The presence of a third-party CSI driver prevents OpenShift Container Platform from upgrading to 4.11.
To remove a third-party CSI driver, see Removing a third-party vSphere CSI Driver.
To update the hardware version for your vSphere nodes, see Updating hardware on nodes running in vSphere.
Before you install an OpenShift Container Platform cluster on your vCenter that uses infrastructure that the installer provisions, you must prepare your environment.
To install an OpenShift Container Platform cluster in a vCenter, the installation program requires access to an account with privileges to read and create the required resources. Using an account that has global administrative privileges is the simplest way to access all of the necessary permissions.
If you cannot use an account with global administrative privileges, you must create roles to grant the privileges necessary for OpenShift Container Platform cluster installation. While most of the privileges are always required, some are required only if you plan for the installation program to provision a folder to contain the OpenShift Container Platform cluster on your vCenter instance, which is the default behavior. You must create or amend vSphere roles for the specified objects to grant the required privileges.
An additional role is required if the installation program is to create a vSphere virtual machine folder.
| vSphere object for role | When required | Required privileges |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
Always |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder |
|
Additionally, the user requires some ReadOnly permissions, and some of the roles require permission to propogate the permissions to child objects. These settings vary depending on whether or not you install the cluster into an existing folder.
| vSphere object | Folder type | Propagate to children | Permissions required |
|---|---|---|---|
vSphere vCenter |
Always |
False |
Listed required privileges |
vSphere vCenter Datacenter |
Existing folder |
False |
|
Installation program creates the folder |
True |
Listed required privileges |
|
vSphere vCenter Cluster |
Always |
True |
Listed required privileges |
vSphere vCenter Datastore |
Always |
False |
Listed required privileges |
vSphere Switch |
Always |
False |
|
vSphere Port Group |
Always |
False |
Listed required privileges |
vSphere vCenter Virtual Machine Folder |
Existing folder |
True |
Listed required privileges |
For more information about creating an account with only the required privileges, see vSphere Permissions and User Management Tasks in the vSphere documentation.
|
OpenShift Container Platform generally supports compute-only vMotion. Using Storage vMotion can cause issues and is not supported. |
If you are using vSphere volumes in your pods, migrating a VM across datastores either manually or through Storage vMotion causes invalid references within OpenShift Container Platform persistent volume (PV) objects. These references prevent affected pods from starting up and can result in data loss.
Similarly, OpenShift Container Platform does not support selective migration of VMDKs across datastores, using datastore clusters for VM provisioning or for dynamic or static provisioning of PVs, or using a datastore that is part of a datastore cluster for dynamic or static provisioning of PVs.
When you deploy an OpenShift Container Platform cluster that uses installer-provisioned infrastructure, the installation program must be able to create several resources in your vCenter instance.
A standard OpenShift Container Platform installation creates the following vCenter resources:
1 Folder
1 Tag category
1 Tag
Virtual machines:
1 template
1 temporary bootstrap node
3 control plane nodes
3 compute machines
Although these resources use 856 GB of storage, the bootstrap node is destroyed during the cluster installation process. A minimum of 800 GB of storage is required to use a standard cluster.
If you deploy more compute machines, the OpenShift Container Platform cluster will use more storage.
Available resources vary between clusters. The number of possible clusters within a vCenter is limited primarily by available storage space and any limitations on the number of required resources. Be sure to consider both limitations to the vCenter resources that the cluster creates and the resources that you require to deploy a cluster, such as IP addresses and networks.
You must use DHCP for the network and ensure that the DHCP server is configured to provide persistent IP addresses to the cluster machines. All nodes must be in the same VLAN. You cannot scale the cluster using a second VLAN as a Day 2 operation. Additionally, you must create the following networking resources before you install the OpenShift Container Platform cluster:
|
It is recommended that each OpenShift Container Platform node in the cluster must have access to a Network Time Protocol (NTP) server that is discoverable via DHCP. Installation is possible without an NTP server. However, asynchronous server clocks will cause errors, which NTP server prevents. |
An installer-provisioned vSphere installation requires two static IP addresses:
The API address is used to access the cluster API.
The Ingress address is used for cluster ingress traffic.
You must provide these IP addresses to the installation program when you install the OpenShift Container Platform cluster.
You must create DNS records for two static IP addresses in the appropriate DNS server for the vCenter instance that hosts your OpenShift Container Platform cluster. In each record, <cluster_name> is the cluster name and <base_domain> is the cluster base domain that you specify when you install the cluster. A complete DNS record takes the form: <component>.<cluster_name>.<base_domain>..
| Component | Record | Description |
|---|---|---|
API VIP |
|
This DNS A/AAAA or CNAME record must point to the load balancer for the control plane machines. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
Ingress VIP |
|
A wildcard DNS A/AAAA or CNAME record that points to the load balancer that targets the machines that run the Ingress router pods, which are the worker nodes by default. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
During an OpenShift Container Platform installation, you can provide an SSH public key to the installation program. The key is passed to the Red Hat Enterprise Linux CoreOS (RHCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.
After the key is passed to the nodes, you can use the key pair to SSH in to the RHCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.
|
Do not skip this procedure in production environments, where disaster recovery and debugging is required. |
|
You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs. |
If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:
$ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)| 1 | Specify the path and file name, such as ~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in the your ~/.ssh directory. |
|
If you plan to install an OpenShift Container Platform cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the |
View the public SSH key:
$ cat <path>/<file_name>.pubFor example, run the following to view the ~/.ssh/id_ed25519.pub public key:
$ cat ~/.ssh/id_ed25519.pubAdd the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather command.
|
On some distributions, default SSH private key identities such as |
If the ssh-agent process is not already running for your local user, start it as a background task:
$ eval "$(ssh-agent -s)"Agent pid 31874|
If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA. |
Add your SSH private key to the ssh-agent:
$ ssh-add <path>/<file_name> (1)| 1 | Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519 |
Identity added: /home/<you>/<path>/<file_name> (<computer_name>)When you install OpenShift Container Platform, provide the SSH public key to the installation program.
Before you install OpenShift Container Platform, download the installation file on a local computer.
You have a computer that runs Linux or macOS, with 500 MB of local disk space
Access the Infrastructure Provider page on the OpenShift Cluster Manager site. If you have a Red Hat account, log in with your credentials. If you do not, create an account.
Select your infrastructure provider.
Navigate to the page for your installation type, download the installation program that corresponds with your host operating system and architecture, and place the file in the directory where you will store the installation configuration files.
|
The installation program creates several files on the computer that you use to install your cluster. You must keep the installation program and the files that the installation program creates after you finish installing the cluster. Both files are required to delete the cluster. |
|
Deleting the files created by the installation program does not remove your cluster, even if the cluster failed during installation. To remove your cluster, complete the OpenShift Container Platform uninstallation procedures for your specific cloud provider. |
Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
$ tar -xvf openshift-install-linux.tar.gzDownload your installation pull secret from the Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OpenShift Container Platform components.
Because the installation program requires access to your vCenter’s API, you must add your vCenter’s trusted root CA certificates to your system trust before you install an OpenShift Container Platform cluster.
From the vCenter home page, download the vCenter’s root CA certificates. Click Download trusted root CA certificates in the vSphere Web Services SDK section. The <vCenter>/certs/download.zip file downloads.
Extract the compressed file that contains the vCenter root CA certificates. The contents of the compressed file resemble the following file structure:
certs
├── lin
│ ├── 108f4d17.0
│ ├── 108f4d17.r1
│ ├── 7e757f6a.0
│ ├── 8e4f8471.0
│ └── 8e4f8471.r0
├── mac
│ ├── 108f4d17.0
│ ├── 108f4d17.r1
│ ├── 7e757f6a.0
│ ├── 8e4f8471.0
│ └── 8e4f8471.r0
└── win
├── 108f4d17.0.crt
├── 108f4d17.r1.crl
├── 7e757f6a.0.crt
├── 8e4f8471.0.crt
└── 8e4f8471.r0.crl
3 directories, 15 files
Add the files for your operating system to the system trust. For example, on a Fedora operating system, run the following command:
# cp certs/lin/* /etc/pki/ca-trust/source/anchorsUpdate your system trust. For example, on a Fedora operating system, run the following command:
# update-ca-trust extractYou can install OpenShift Container Platform on a compatible cloud platform.
|
You can run the |
Obtain the OpenShift Container Platform installation program and the pull secret for your cluster.
Change to the directory that contains the installation program and initialize the cluster deployment:
$ ./openshift-install create cluster --dir <installation_directory> \ (1)
--log-level=info (2)
| 1 | For <installation_directory>, specify the
directory name to store the files that the installation program creates. |
| 2 | To view different installation details, specify warn, debug, or
error instead of info. |
|
Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version. |
Provide values at the prompts:
Optional: Select an SSH key to use to access your cluster machines.
|
For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your |
Select vsphere as the platform to target.
Specify the name of your vCenter instance.
Specify the user name and password for the vCenter account that has the required permissions to create the cluster.
The installation program connects to your vCenter instance.
Select the datacenter in your vCenter instance to connect to.
Select the default vCenter datastore to use.
Select the vCenter cluster to install the OpenShift Container Platform cluster in. The installation program uses the root resource pool of the vSphere cluster as the default resource pool.
Select the network in the vCenter instance that contains the virtual IP addresses and DNS records that you configured.
Enter the virtual IP address that you configured for control plane API access.
Enter the virtual IP address that you configured for cluster ingress.
Enter the base domain. This base domain must be the same one that you used in the DNS records that you configured.
Enter a descriptive name for your cluster. The cluster name must be the same one that you used in the DNS records that you configured.
Paste the pull secret from the Red Hat OpenShift Cluster Manager.
+
When the cluster deployment completes, directions for accessing your cluster,
including a link to its web console and credentials for the kubeadmin user,
display in your terminal.
+ .Example output
... INFO Install complete! INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig' INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com INFO Login to the console with user: "kubeadmin", and password: "4vYBz-Ee6gm-ymBZj-Wt5AL" INFO Time elapsed: 36m22s
+
|
The cluster access and credential information also outputs to |
+
|
+
|
You must not delete the installation program or the files that the installation program creates. Both are required to delete the cluster. |
You can install the OpenShift CLI (oc) to interact with OpenShift Container Platform from a
command-line interface. You can install oc on Linux, Windows, or macOS.
|
If you installed an earlier version of |
You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.10 Linux Client entry and save the file.
Unpack the archive:
$ tar xvzf <file>Place the oc binary in a directory that is on your PATH.
To check your PATH, execute the following command:
$ echo $PATHAfter you install the OpenShift CLI, it is available using the oc command:
$ oc <command>You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.10 Windows Client entry and save the file.
Unzip the archive with a ZIP program.
Move the oc binary to a directory that is on your PATH.
To check your PATH, open the command prompt and execute the following command:
C:\> pathAfter you install the OpenShift CLI, it is available using the oc command:
C:\> oc <command>You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.
Navigate to the OpenShift Container Platform downloads page on the Red Hat Customer Portal.
Select the appropriate version in the Version drop-down menu.
Click Download Now next to the OpenShift v4.10 MacOSX Client entry and save the file.
Unpack and unzip the archive.
Move the oc binary to a directory on your PATH.
To check your PATH, open a terminal and execute the following command:
$ echo $PATHAfter you install the OpenShift CLI, it is available using the oc command:
$ oc <command>You can log in to your cluster as a default system user by exporting the cluster kubeconfig file.
The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server.
The file is specific to a cluster and is created during OpenShift Container Platform installation.
You deployed an OpenShift Container Platform cluster.
You installed the oc CLI.
Export the kubeadmin credentials:
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)| 1 | For <installation_directory>, specify the path to the directory that you stored
the installation files in. |
Verify you can run oc commands successfully using the exported configuration:
$ oc whoamisystem:adminAfter you install the cluster, you must create storage for the registry Operator.
On platforms that do not provide shareable object storage, the OpenShift Image
Registry Operator bootstraps itself as Removed. This allows
openshift-installer to complete installations on these platform types.
After installation, you must edit the Image Registry Operator configuration to
switch the managementState from Removed to Managed.
|
The Prometheus console provides an "Image Registry has been removed. |
The Image Registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so that the Registry Operator is made available.
Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.
Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.
As a cluster administrator, following installation you must configure your registry to use storage.
Cluster administrator permissions.
A cluster on VMware vSphere.
Persistent storage provisioned for your cluster, such as Red Hat OpenShift Data Foundation.
|
OpenShift Container Platform supports |
Must have "100Gi" capacity.