$ ibmcloud plugin install cis
Before you can install OpenShift Container Platform, you must configure an IBM Cloud account.
IBM Power Virtual Server using installer-provisioned infrastructure is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
You have an IBM Cloud account with a subscription. You cannot install OpenShift Container Platform on a free or on a trial IBM Cloud account.
The OpenShift Container Platform cluster uses several IBM Cloud and IBM Power Virtual Server components, and the default quotas and limits affect your ability to install OpenShift Container Platform clusters. If you use certain cluster configurations, deploy your cluster in certain regions, or run multiple clusters from your account, you might need to request additional resources for your IBM Cloud VPC account.
For a comprehensive list of the default IBM Cloud VPC quotas and service limits, see the IBM Cloud documentation for Quotas and service limits.
Each OpenShift Container Platform cluster creates its own Virtual Private Cloud (VPC). The default quota of VPCs per region is 10. If you have 10 VPCs created, you will need to increase your quota before attempting an installation.
By default, each cluster creates two application load balancers (ALBs):
Internal load balancer for the control plane API server
External load balancer for the control plane API server
You can create additional LoadBalancer
service objects to create additional ALBs. The default quota of VPC ALBs are 50 per region. To have more than 50 ALBs, you must increase this quota.
VPC ALBs are supported. Classic ALBs are not supported for IBM Power Virtual Server.
There is a limit of two cloud connections per IBM Power Virtual Server instance. It is recommended that you have only one cloud connection in your IBM Power Virtual Server instance to serve your cluster.
There is a limit of one Dynamic Host Configuration Protocol (DHCP) service per IBM Power Virtual Server instance.
Due to networking limitations, there is a restriction of one OpenShift cluster installed through IPI per zone per account. This is not configurable.
By default, a cluster creates server instances with the following resources :
0.5 CPUs
32 GB RAM
System Type: s922
Processor Type: uncapped
, shared
Storage Tier: Tier-3
The following nodes are created:
One bootstrap machine, which is removed after the installation is complete
Three control plane nodes
Three compute nodes
For more information, see Creating a Power Systems Virtual Server in the IBM Cloud documentation.
How you configure DNS resolution depends on the type of OpenShift Container Platform cluster you are installing:
If you are installing a public cluster, you use IBM Cloud Internet Services (CIS).
If you are installing a private cluster, you use IBM Cloud DNS Services (DNS Services).
The installation program uses IBM Cloud Internet Services (CIS) to configure cluster DNS resolution and provide name lookup for a public cluster.
This offering does not support IPv6, so dual stack or IPv6 environments are not possible. |
You must create a domain zone in CIS in the same account as your cluster. You must also ensure the zone is authoritative for the domain. You can do this using a root domain or subdomain.
You have installed the IBM Cloud CLI.
You have an existing domain and registrar. For more information, see the IBM documentation.
Create a CIS instance to use with your cluster:
Install the CIS plugin:
$ ibmcloud plugin install cis
Log in to IBM Cloud by using the CLI:
$ ibmcloud login
Create the CIS instance:
$ ibmcloud cis instance-create <instance_name> standard (1)
1 | At a minimum, a Standard plan is required for CIS to manage the cluster subdomain and its DNS records. |
Connect an existing domain to your CIS instance:
Set the context instance for CIS:
$ ibmcloud cis instance-set <instance_CRN> (1)
1 | The instance CRN (Cloud Resource Name).
For example: ibmcloud cis instance-set crn:v1:bluemix:public:power-iaas:osa21:a/65b64c1f1c29460d8c2e4bbfbd893c2c:c09233ac-48a5-4ccb-a051-d1cfb3fc7eb5:: |
Add the domain for CIS:
$ ibmcloud cis domain-add <domain_name> (1)
1 | The fully qualified domain name. You can use either the root domain or subdomain value as the domain name, depending on which you plan to configure. |
A root domain uses the form |
Open the CIS web console, navigate to the Overview page, and note your CIS name servers. These name servers will be used in the next step.
Configure the name servers for your domains or subdomains at the domain’s registrar or DNS provider. For more information, see the IBM Cloud documentation.
To install OpenShift Container Platform into your IBM Cloud account, the installation program requires an IAM API key, which provides authentication and authorization to access IBM Cloud service APIs. You can use an existing IAM API key that contains the required policies or create a new one.
For an IBM Cloud IAM overview, see the IBM Cloud documentation.
Role | Access |
---|---|
Viewer, Operator, Editor, Administrator, Reader, Writer, Manager |
Internet Services service in <resource_group> resource group |
Viewer, Operator, Editor, Administrator, User API key creator, Service ID creator |
IAM Identity Service service |
Viewer, Operator, Administrator, Editor, Reader, Writer, Manager, Console Administrator |
VPC Infrastructure Services service in <resource_group> resource group |
Viewer |
Resource Group: Access to view the resource group itself. The resource type should equal |
Role | Access |
---|---|
Viewer |
<resource_group> (Resource Group Created for Your Team) |
Viewer, Operator, Editor, Reader, Writer, Manager |
All service in Default resource group |
Viewer, Reader |
Internet Services service |
Viewer, Operator, Reader, Writer, Manager, Content Reader, Object Reader, Object Writer, Editor |
Cloud Object Storage service |
Viewer |
Default resource group: The resource type should equal |
Viewer, Operator, Editor, Reader, Manager |
Power Systems Virtual Server service in <resource_group> resource group |
Viewer, Operator, Editor, Reader, Writer, Manager, Administrator |
Internet Services service in <resource_group> resource group: CIS functional scope string equals reliability |
Viewer, Operator, Editor |
Direct Link service |
Viewer, Operator, Editor, Administrator, Reader, Writer, Manager, Console Administrator |
VPC Infrastructure Services service <resource_group> resource group |
In IBM Cloud IAM, access policies can be attached to different subjects:
Access group (Recommended)
Service ID
User
The recommended method is to define IAM access policies in an access group. This helps organize all the access required for OpenShift Container Platform and enables you to onboard users and service IDs to this group. You can also assign access to users and service IDs directly, if desired.
You must create a user API key or a service ID API key for your IBM Cloud account.
You have assigned the required access policies to your IBM Cloud account.
You have attached you IAM access policies to an access group, or other appropriate resource.
Create an API key, depending on how you defined your IAM access policies.
For example, if you assigned your access policies to a user, you must create a user API key. If you assigned your access policies to a service ID, you must create a service ID API key. If your access policies are assigned to an access group, you can use either API key type. For more information on IBM Cloud VPC API keys, see Understanding API keys.
You can deploy an OpenShift Container Platform cluster to the following regions:
dal
(Dallas, USA)
dal12
us-east
(Washington DC, USA)
us-east
eu-de
(Frankfurt, Germany)
eu-de-1
eu-de-2
lon
(London, UK)
lon04
lon06
osa
(Osaka, Japan)
osa21
sao
(Sao Paulo, Brazil)
sao01
syd
(Sydney, Australia)
syd04
tok
(Tokyo, Japan)
tok04
tor
(Toronto, Canada)
tor01
You might optionally specify the IBM Cloud VPC region in which the installer will create any VPC components. Supported regions in IBM Cloud are:
us-south
eu-de
eu-gb
jp-osa
au-syd
br-sao
ca-tor
jp-tok