In OpenShift Container Platform version 4.11, you can install a cluster into a shared Virtual Private Cloud (VPC) on Google Cloud Platform (GCP) that uses infrastructure that you provide. In this context, a cluster installed into a shared VPC is a cluster that is configured to use a VPC from a project different from where the cluster is being deployed.

A shared VPC enables an organization to connect resources from multiple projects to a common VPC network. You can communicate within the organization securely and efficiently by using internal IPs from that network. For more information about shared VPC, see Shared VPC overview in the GCP documentation.

The steps for performing a user-provided infrastructure installation into a shared VPC are outlined here. Several Deployment Manager templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods.

The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OpenShift Container Platform. Several Deployment Manager templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods; the templates are just an example.


Certificate signing requests management

Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager only approves the kubelet client CSRs. The machine-approver cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.

Internet access for OpenShift Container Platform

In OpenShift Container Platform 4.11, you require access to the internet to install your cluster.

You must have internet access to:

  • Access OpenShift Cluster Manager to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.

  • Access Quay.io to obtain the packages that are required to install your cluster.

  • Obtain the packages that are required to perform cluster updates.

If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the required content and use it to populate a mirror registry with the installation packages. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.

Configuring the GCP project that hosts your cluster

Before you can install OpenShift Container Platform, you must configure a Google Cloud Platform (GCP) project to host it.

Creating a GCP project

To install OpenShift Container Platform, you must create a project in your Google Cloud Platform (GCP) account to host the cluster.

  • Create a project to host your OpenShift Container Platform cluster. See Creating and Managing Projects in the GCP documentation.

    Your GCP project must use the Premium Network Service Tier if you are using installer-provisioned infrastructure. The Standard Network Service Tier is not supported for clusters installed using the installation program. The installation program configures internal load balancing for the api-int.<cluster_name>.<base_domain> URL; the Premium Tier is required for internal load balancing.

Enabling API services in GCP

Your Google Cloud Platform (GCP) project requires access to several API services to complete OpenShift Container Platform installation.

  • You created a project to host your cluster.

  • Enable the following required API services in the project that hosts your cluster. You may also enable optional API services which are not required for installation. See Enabling services in the GCP documentation.

    Table 1. Required API services
    API service Console service name

    Compute Engine API


    Cloud Resource Manager API


    Google DNS API


    IAM Service Account Credentials API


    Identity and Access Management (IAM) API


    Table 2. Optional API services
    API service Console service name

    Cloud Deployment Manager V2 API


    Google Cloud APIs


    Service Management API


    Service Usage API


    Google Cloud Storage JSON API


    Cloud Storage


GCP account limits

The OpenShift Container Platform cluster uses a number of Google Cloud Platform (GCP) components, but the default Quotas do not affect your ability to install a default OpenShift Container Platform cluster.

A default cluster, which contains three compute and three control plane machines, uses the following resources. Note that some resources are required only during the bootstrap process and are removed after the cluster deploys.

Table 3. GCP resources used in a default cluster
Service Component Location Total resources required Resources removed after bootstrap

Service account





Firewall rules





Forwarding rules





Health checks






























Target pools





If any of the quotas are insufficient during installation, the installation program displays an error that states both which quota was exceeded and the region.

Be sure to consider your actual cluster size, planned cluster growth, and any usage from other clusters that are associated with your account. The CPU, static IP addresses, and persistent disk SSD (storage) quotas are the ones that are most likely to be insufficient.

If you plan to deploy your cluster in one of the following regions, you will exceed the maximum storage quota and are likely to exceed the CPU quota limit:

  • asia-east2

  • asia-northeast2

  • asia-south1

  • australia-southeast1

  • europe-north1

  • europe-west2

  • europe-west3

  • europe-west6

  • northamerica-northeast1

  • southamerica-east1

  • us-west2

You can increase resource quotas from the GCP console, but you might need to file a support ticket. Be sure to plan your cluster size early so that you can allow time to resolve the support ticket before you install your OpenShift Container Platform cluster.

Creating a service account in GCP

OpenShift Container Platform requires a Google Cloud Platform (GCP) service account that provides authentication and authorization to access data in the Google APIs. If you do not have an existing IAM service account that contains the required roles in your project, you must create one.

  • You created a project to host your cluster.

  1. Create a service account in the project that you use to host your OpenShift Container Platform cluster. See Creating a service account in the GCP documentation.

  2. Grant the service account the appropriate permissions. You can either grant the individual permissions that follow or assign the Owner role to it. See Granting roles to a service account for specific resources.

    While making the service account an owner of the project is the easiest way to gain the required permissions, it means that service account has complete control over the project. You must determine if the risk that comes from offering that power is acceptable.

  3. Create the service account key in JSON format. See Creating service account keys in the GCP documentation.

    The service account key is required to create a cluster.

Required GCP permissions

When you attach the Owner role to the service account that you create, you grant that service account all permissions, including those that are required to install OpenShift Container Platform. To deploy an OpenShift Container Platform cluster, the service account requires the following permissions. If you deploy your cluster into an existing VPC, the service account does not require certain networking permissions, which are noted in the following lists:

Required roles for the installation program
  • Compute Admin

  • Security Admin

  • Service Account Admin

  • Service Account User

  • Storage Admin

Required roles for creating network resources during installation
  • DNS Administrator

Required roles for user-provisioned GCP infrastructure
  • Deployment Manager Editor

  • Service Account Key Admin

Optional roles

For the cluster to create new limited credentials for its Operators, add the following role:

  • Service Account Key Admin

The roles are applied to the service accounts that the control plane and compute machines use:

Table 4. GCP service account permissions
Account Roles

Control Plane









Supported GCP regions

You can deploy an OpenShift Container Platform cluster to the following Google Cloud Platform (GCP) regions:

  • asia-east1 (Changhua County, Taiwan)

  • asia-east2 (Hong Kong)

  • asia-northeast1 (Tokyo, Japan)

  • asia-northeast2 (Osaka, Japan)

  • asia-northeast3 (Seoul, South Korea)

  • asia-south1 (Mumbai, India)

  • asia-south2 (Delhi, India)

  • asia-southeast1 (Jurong West, Singapore)

  • asia-southeast2 (Jakarta, Indonesia)

  • australia-southeast1 (Sydney, Australia)

  • australia-southeast2 (Melbourne, Australia)

  • europe-central2 (Warsaw, Poland)

  • europe-north1 (Hamina, Finland)

  • europe-southwest1 (Madrid, Spain)

  • europe-west1 (St. Ghislain, Belgium)

  • europe-west2 (London, England, UK)

  • europe-west3 (Frankfurt, Germany)

  • europe-west4 (Eemshaven, Netherlands)

  • europe-west6 (Zürich, Switzerland)

  • europe-west8 (Milan, Italy)

  • europe-west9 (Paris, France)

  • northamerica-northeast1 (Montréal, Québec, Canada)

  • northamerica-northeast2 (Toronto, Ontario, Canada)

  • southamerica-east1 (São Paulo, Brazil)

  • southamerica-west1 (Santiago, Chile)

  • us-central1 (Council Bluffs, Iowa, USA)

  • us-east1 (Moncks Corner, South Carolina, USA)

  • us-east4 (Ashburn, Northern Virginia, USA)

  • us-east5 (Columbus, Ohio)

  • us-south1 (Dallas, Texas)

  • us-west1 (The Dalles, Oregon, USA)

  • us-west2 (Los Angeles, California, USA)

  • us-west3 (Salt Lake City, Utah, USA)

  • us-west4 (Las Vegas, Nevada, USA)

Installing and configuring CLI tools for GCP

To install OpenShift Container Platform on Google Cloud Platform (GCP) using user-provisioned infrastructure, you must install and configure the CLI tools for GCP.

  • You created a project to host your cluster.

  • You created a service account and granted it the required permissions.

  1. Install the following binaries in $PATH:

    • gcloud

    • gsutil

    See Install the latest Cloud SDK version in the GCP documentation.

  2. Authenticate using the gcloud tool with your configured service account.

    See Authorizing with a service account in the GCP documentation.

Requirements for a cluster with user-provisioned infrastructure

For a cluster that contains user-provisioned infrastructure, you must deploy all of the required machines.

This section describes the requirements for deploying OpenShift Container Platform on user-provisioned infrastructure.

Required machines for cluster installation

The smallest OpenShift Container Platform clusters require the following hosts:

Table 5. Minimum required hosts
Hosts Description

One temporary bootstrap machine

The cluster requires the bootstrap machine to deploy the OpenShift Container Platform cluster on the three control plane machines. You can remove the bootstrap machine after you install the cluster.

Three control plane machines

The control plane machines run the Kubernetes and OpenShift Container Platform services that form the control plane.

At least two compute machines, which are also known as worker machines.