×

Before you deploy an OpenShift Container Platform cluster on AWS, you provide parameters to customize your cluster and the platform that hosts it. When you create the install-config.yaml file, you provide values for the required parameters through the command line. You can then modify the install-config.yaml file to customize your cluster further.

Available installation configuration parameters for AWS

The following tables specify the required, optional, and AWS-specific installation configuration parameters that you can set as part of the installation process.

After installation, you cannot modify these parameters in the install-config.yaml file.

Required configuration parameters

Required installation configuration parameters are described in the following table:

Table 1. Required parameters
Parameter Description Values
apiVersion:

The API version for the install-config.yaml content. The current version is v1. The installation program may also support older API versions.

String

baseDomain:

The base domain of your cloud provider. The base domain is used to create routes to your OpenShift Container Platform cluster components. The full DNS name for your cluster is a combination of the baseDomain and metadata.name parameter values that uses the <metadata.name>.<baseDomain> format.

A fully-qualified domain or subdomain name, such as example.com.

metadata:

Kubernetes resource ObjectMeta, from which only the name parameter is consumed.

Object

metadata:
  name:

The name of the cluster. DNS records for the cluster are all subdomains of {{.metadata.name}}.{{.baseDomain}}.

String of lowercase letters, hyphens (-), and periods (.), such as dev.

platform:

The configuration for the specific platform upon which to perform the installation: aws, baremetal, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}. For additional information about platform.<platform> parameters, consult the table for your specific platform that follows.

Object

pullSecret:

Get a pull secret from Red Hat OpenShift Cluster Manager to authenticate downloading container images for OpenShift Container Platform components from services such as Quay.io.

{
   "auths":{
      "cloud.openshift.com":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      },
      "quay.io":{
         "auth":"b3Blb=",
         "email":"you@example.com"
      }
   }
}

Network configuration parameters

You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or provide different IP address blocks than the defaults.

Only IPv4 addresses are supported.

Globalnet is not supported with Red Hat OpenShift Data Foundation disaster recovery solutions. For regional disaster recovery scenarios, ensure that you use a nonoverlapping range of private IP addresses for the cluster and service networks in each cluster.

Table 2. Network parameters
Parameter Description Values
networking:

The configuration for the cluster network.

Object

You cannot modify parameters specified by the networking object after installation.

networking:
  networkType:

The Red Hat OpenShift Networking network plugin to install.

OVNKubernetes. OVNKubernetes is a CNI plugin for Linux networks and hybrid networks that contain both Linux and Windows servers. The default value is OVNKubernetes.

networking:
  clusterNetwork:

The IP address blocks for pods.

The default value is 10.128.0.0/14 with a host prefix of /23.

If you specify multiple IP address blocks, the blocks must not overlap.

An array of objects. For example:

networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
networking:
  clusterNetwork:
    cidr:

Required if you use networking.clusterNetwork. An IP address block.

An IPv4 network.

An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between 0 and 32.

networking:
  clusterNetwork:
    hostPrefix:

The subnet prefix length to assign to each individual node. For example, if hostPrefix is set to 23 then each node is assigned a /23 subnet out of the given cidr. A hostPrefix value of 23 provides 510 (2^(32 - 23) - 2) pod IP addresses.

A subnet prefix.

The default value is 23.

networking:
  serviceNetwork:

The IP address block for services. The default value is 172.30.0.0/16.

The OVN-Kubernetes network plugins supports only a single IP address block for the service network.

An array with an IP address block in CIDR format. For example:

networking:
  serviceNetwork:
   - 172.30.0.0/16
networking:
  machineNetwork:

The IP address blocks for machines.

If you specify multiple IP address blocks, the blocks must not overlap.

An array of objects. For example:

networking:
  machineNetwork:
  - cidr: 10.0.0.0/16
networking:
  machineNetwork:
    cidr:

Required if you use networking.machineNetwork. An IP address block. The default value is 10.0.0.0/16 for all platforms other than libvirt and IBM Power® Virtual Server. For libvirt, the default value is 192.168.126.0/24. For IBM Power® Virtual Server, the default value is 192.168.0.0/24.

An IP network block in CIDR notation.

For example, 10.0.0.0/16.

Set the networking.machineNetwork to match the CIDR that the preferred NIC resides in.

Optional configuration parameters

Optional installation configuration parameters are described in the following table:

Table 3. Optional parameters
Parameter Description Values
additionalTrustBundle:

A PEM-encoded X.509 certificate bundle that is added to the nodes' trusted certificate store. This trust bundle may also be used when a proxy has been configured.

String

capabilities:

Controls the installation of optional core cluster components. You can reduce the footprint of your OpenShift Container Platform cluster by disabling optional components. For more information, see the "Cluster capabilities" page in Installing.

String array

capabilities:
  baselineCapabilitySet:

Selects an initial set of optional capabilities to enable. Valid values are None, v4.11, v4.12 and vCurrent. The default value is vCurrent.

String

capabilities:
  additionalEnabledCapabilities:

Extends the set of optional capabilities beyond what you specify in baselineCapabilitySet. You may specify multiple capabilities in this parameter.

String array

cpuPartitioningMode:

Enables workload partitioning, which isolates OpenShift Container Platform services, cluster management workloads, and infrastructure pods to run on a reserved set of CPUs. Workload partitioning can only be enabled during installation and cannot be disabled after installation. While this field enables workload partitioning, it does not configure workloads to use specific CPUs. For more information, see the Workload partitioning page in the Scalability and Performance section.

None or AllNodes. None is the default value.

compute:

The configuration for the machines that comprise the compute nodes.

Array of MachinePool objects.

compute:
  architecture:

Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64 and arm64. Not all installation options support the 64-bit ARM architecture. To verify if your installation option is supported on your platform, see Supported installation methods for different platforms in Selecting a cluster installation method and preparing it for users.

String

compute:
  hyperthreading:

Whether to enable or disable simultaneous multithreading, or hyperthreading, on compute machines. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores.

If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance.

Enabled or Disabled

compute:
  name:

Required if you use compute. The name of the machine pool.

worker

compute:
  platform:

Required if you use compute. Use this parameter to specify the cloud provider to host the worker machines. This parameter value must match the controlPlane.platform parameter value.

aws, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}

compute:
  replicas:

The number of compute machines, which are also known as worker machines, to provision.

A positive integer greater than or equal to 2. The default value is 3.

featureSet:

Enables the cluster for a feature set. A feature set is a collection of OpenShift Container Platform features that are not enabled by default. For more information about enabling a feature set during installation, see "Enabling features using feature gates".

String. The name of the feature set to enable, such as TechPreviewNoUpgrade.

controlPlane:

The configuration for the machines that comprise the control plane.

Array of MachinePool objects.

controlPlane:
  architecture:

Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64 and arm64. Not all installation options support the 64-bit ARM architecture. To verify if your installation option is supported on your platform, see Supported installation methods for different platforms in Selecting a cluster installation method and preparing it for users.

String

controlPlane:
  hyperthreading:

Whether to enable or disable simultaneous multithreading, or hyperthreading, on control plane machines. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores.

If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance.

Enabled or Disabled

controlPlane:
  name:

Required if you use controlPlane. The name of the machine pool.

master

controlPlane:
  platform:

Required if you use controlPlane. Use this parameter to specify the cloud provider that hosts the control plane machines. This parameter value must match the compute.platform parameter value.

aws, azure, gcp, ibmcloud, nutanix, openstack, powervs, vsphere, or {}

controlPlane:
  replicas:

The number of control plane machines to provision.

Supported values are 3, or 1 when deploying single-node OpenShift.

credentialsMode:

The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported.

Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the "Managing cloud provider credentials" entry in the Authentication and authorization content.

Mint, Passthrough, Manual or an empty string ("").

fips:

Enable or disable FIPS mode. The default is false (disabled). If FIPS mode is enabled, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead.

To enable FIPS mode for your cluster, you must run the installation program from a Red Hat Enterprise Linux (RHEL) computer configured to operate in FIPS mode. For more information about configuring FIPS mode on RHEL, see Switching RHEL to FIPS mode.

When running Red Hat Enterprise Linux (RHEL) or Red Hat Enterprise Linux CoreOS (RHCOS) booted in FIPS mode, OpenShift Container Platform core components use the RHEL cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the x86_64, ppc64le, and s390x architectures.

If you are using Azure File storage, you cannot enable FIPS mode.

false or true

imageContentSources:

Sources and repositories for the release-image content.

Array of objects. Includes a source and, optionally, mirrors, as described in the following rows of this table.

imageContentSources:
  source:

Required if you use imageContentSources. Specify the repository that users refer to, for example, in image pull specifications.

String

imageContentSources:
  mirrors:

Specify one or more repositories that may also contain the same images.

Array of strings

platform:
  aws:
    lbType:

Required to set the NLB load balancer type in AWS. Valid values are Classic or NLB. If no value is specified, the installation program defaults to Classic. The installation program sets the value provided here in the ingress cluster configuration object. If you do not specify a load balancer type for other Ingress Controllers, they use the type set in this parameter.

Classic or NLB. The default value is Classic.

publish:

How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API, OpenShift routes.

Internal or External. To deploy a private cluster, which cannot be accessed from the internet, set publish to Internal. The default value is External.

sshKey:

The SSH key to authenticate access to your cluster machines.

For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.

For example, sshKey: ssh-ed25519 AAAA...

+

If your AWS account has service control policies (SCP) enabled, you must configure the credentialsMode parameter to Mint, Passthrough, or Manual.

+

Setting this parameter to Manual enables alternatives to storing administrator-level secrets in the kube-system project, which require additional configuration steps. For more information, see "Alternatives to storing administrator-level secrets in the kube-system project".

Optional AWS configuration parameters

Optional AWS configuration parameters are described in the following table:

Table 4. Optional AWS parameters
Parameter Description Values
compute:
  platform:
    aws:
      amiID:

The AWS AMI used to boot compute machines for the cluster. This is required for regions that require a custom RHCOS AMI.

Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs.

compute:
  platform:
    aws:
      iamRole:

A pre-existing AWS IAM role applied to the compute machine pool instance profiles. You can use these fields to match naming schemes and include predefined permissions boundaries for your IAM roles. If undefined, the installation program creates a new IAM role.

The name of a valid AWS IAM role.

compute:
  platform:
    aws:
      rootVolume:
        iops:

The Input/Output Operations Per Second (IOPS) that is reserved for the root volume.

Integer, for example 4000.

compute:
  platform:
    aws:
      rootVolume:
        size:

The size in GiB of the root volume.

Integer, for example 500.

compute:
  platform:
    aws:
      rootVolume:
        type:

The type of the root volume.

Valid AWS EBS volume type, such as io1.

compute:
  platform:
    aws:
      rootVolume:
        kmsKeyARN:

The Amazon Resource Name (key ARN) of a KMS key. This is required to encrypt operating system volumes of worker nodes with a specific KMS key.

compute:
  platform:
    aws:
      type:

The EC2 instance type for the compute machines.

Valid AWS instance type, such as m4.2xlarge. See the Supported AWS machine types table that follows.

compute:
  platform:
    aws:
      zones:

The availability zones where the installation program creates machines for the compute machine pool. If you provide your own VPC, you must provide a subnet in that availability zone.

A list of valid AWS availability zones, such as us-east-1c, in a YAML sequence.

compute:
  aws:
    region:

The AWS region that the installation program creates compute resources in.

Any valid AWS region, such as us-east-1. You can use the AWS CLI to access the regions available based on your selected instance type. For example:

aws ec2 describe-instance-type-offerings --filters Name=instance-type,Values=c7g.xlarge

When running on ARM based AWS instances, ensure that you enter a region where AWS Graviton processors are available. See Global availability map in the AWS documentation. Currently, AWS Graviton3 processors are only available in some regions.

controlPlane:
  platform:
    aws:
      amiID:

The AWS AMI used to boot control plane machines for the cluster. This is required for regions that require a custom RHCOS AMI.

Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs.

controlPlane:
  platform:
    aws:
      iamRole:

A pre-existing AWS IAM role applied to the control plane machine pool instance profiles. You can use these fields to match naming schemes and include predefined permissions boundaries for your IAM roles. If undefined, the installation program creates a new IAM role.

The name of a valid AWS IAM role.

controlPlane:
  platform:
    aws:
      rootVolume:
        iops:

The Input/Output Operations Per Second (IOPS) that is reserved for the root volume on control plane machines.

Integer, for example 4000.

controlPlane:
  platform:
    aws:
      rootVolume:
        size:

The size in GiB of the root volume for control plane machines.

Integer, for example 500.

controlPlane:
  platform:
    aws:
      rootVolume:
        type:

The type of the root volume for control plane machines.

Valid AWS EBS volume type, such as io1.

controlPlane:
  platform:
    aws:
      rootVolume:
        kmsKeyARN:

The Amazon Resource Name (key ARN) of a KMS key. This is required to encrypt operating system volumes of control plane nodes with a specific KMS key.

controlPlane:
  platform:
    aws:
      type:

The EC2 instance type for the control plane machines.

Valid AWS instance type, such as m6i.xlarge. See the Supported AWS machine types table that follows.

controlPlane:
  platform:
    aws:
      zones:

The availability zones where the installation program creates machines for the control plane machine pool.

A list of valid AWS availability zones, such as us-east-1c, in a YAML sequence.

controlPlane:
  aws:
    region:

The AWS region that the installation program creates control plane resources in.

Valid AWS region, such as us-east-1.

platform:
  aws:
    amiID:

The AWS AMI used to boot all machines for the cluster. If set, the AMI must belong to the same region as the cluster. This is required for regions that require a custom RHCOS AMI.

Any published or custom RHCOS AMI that belongs to the set AWS region. See RHCOS AMIs for AWS infrastructure for available AMI IDs.

platform:
  aws:
    hostedZone:

An existing Route 53 private hosted zone for the cluster. You can only use a pre-existing hosted zone when also supplying your own VPC. The hosted zone must already be associated with the user-provided VPC before installation. Also, the domain of the hosted zone must be the cluster domain or a parent of the cluster domain. If undefined, the installation program creates a new hosted zone.

String, for example Z3URY6TWQ91KVV.

platform:
  aws:
    hostedZoneRole:

An Amazon Resource Name (ARN) for an existing IAM role in the account containing the specified hosted zone. The installation program and cluster operators will assume this role when performing operations on the hosted zone. This parameter should only be used if you are installing a cluster into a shared VPC.

String, for example arn:aws:iam::1234567890:role/shared-vpc-role.

platform:
  aws:
    serviceEndpoints:
      - name:
        url:

The AWS service endpoint name and URL. Custom endpoints are only required for cases where alternative AWS endpoints, like FIPS, must be used. Custom API endpoints can be specified for EC2, S3, IAM, Elastic Load Balancing, Tagging, Route 53, and STS AWS services.

Valid AWS service endpoint name and valid AWS service endpoint URL.

platform:
  aws:
    userTags:

A map of keys and values that the installation program adds as tags to all resources that it creates.

Any valid YAML map, such as key value pairs in the <key>: <value> format. For more information about AWS tags, see Tagging Your Amazon EC2 Resources in the AWS documentation.

You can add up to 25 user defined tags during installation. The remaining 25 tags are reserved for OpenShift Container Platform.

platform:
  aws:
    propagateUserTags:

A flag that directs in-cluster Operators to include the specified user tags in the tags of the AWS resources that the Operators create.

Boolean values, for example true or false.

platform:
  aws:
    subnets:

If you provide the VPC instead of allowing the installation program to create the VPC for you, specify the subnet for the cluster to use. The subnet must be part of the same machineNetwork[].cidr ranges that you specify.

For a standard cluster, specify a public and a private subnet for each availability zone.

For a private cluster, specify a private subnet for each availability zone.

For clusters that use AWS Local Zones, you must add AWS Local Zone subnets to this list to ensure edge machine pool creation.

Valid subnet IDs.

platform:
  aws:
    publicIpv4Pool:

The public IPv4 pool ID that is used to allocate Elastic IPs (EIPs) when publish is set to External. You must provision and advertise the pool in the same AWS account and region of the cluster. You must ensure that you have 2n + 1 IPv4 available in the pool where n is the total number of AWS zones used to deploy the Network Load Balancer (NLB) for API, NAT gateways, and bootstrap node. For more information about bring your own IP addresses (BYOIP) in AWS, see Onboard your BYOIP.

BYOIP can be enabled only for customized installations that have no network restrictions.

platform:
  aws:
    preserveBootstrapIgnition:

Prevents the S3 bucket from being deleted after completion of bootstrapping.

true or false. The default value is false, which results in the S3 bucket being deleted.