Before you can install OpenShift Container Platform, you must configure a Google Cloud Platform (GCP) project to host it.

Creating a GCP project

To install OpenShift Container Platform, you must create a project in your Google Cloud Platform (GCP) account to host the cluster.

Procedure

Enabling API services in GCP

Your Google Cloud Platform (GCP) project requires access to several API services to complete OpenShift Container Platform installation.

Prerequisites
  • You created a project to host your cluster.

Procedure
  • Enable the following required API services in the project that hosts your cluster. See Enabling services in the GCP documentation.

    Table 1. Required API services

    API service                               Console service name
    Compute Engine API                        compute.googleapis.com
    Google Cloud APIs                         cloudapis.googleapis.com
    Cloud Resource Manager API                cloudresourcemanager.googleapis.com
    Google DNS API                            dns.googleapis.com
    IAM Service Account Credentials API       iamcredentials.googleapis.com
    Identity and Access Management (IAM) API  iam.googleapis.com
    Service Management API                    servicemanagement.googleapis.com
    Service Usage API                         serviceusage.googleapis.com
    Google Cloud Storage JSON API             storage-api.googleapis.com
    Cloud Storage                             storage-component.googleapis.com
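
One way to enable only the services from Table 1 that are still disabled, rather than enabling everything blindly. This is an added example, not part of the OpenShift documentation; it assumes the gcloud CLI is installed and authenticated, and the project ID in the usage comment is a placeholder.

```shell
#!/bin/sh
# Console service names from Table 1.
REQUIRED_APIS="compute.googleapis.com cloudapis.googleapis.com
cloudresourcemanager.googleapis.com dns.googleapis.com
iamcredentials.googleapis.com iam.googleapis.com
servicemanagement.googleapis.com serviceusage.googleapis.com
storage-api.googleapis.com storage-component.googleapis.com"

# Read enabled service names on stdin (one per line) and print the
# required services that are not among them.
missing_apis() {
    enabled=$(cat)
    for api in $REQUIRED_APIS; do
        # -x matches the whole line, so iam.googleapis.com does not
        # satisfy iamcredentials.googleapis.com or the reverse.
        printf '%s\n' "$enabled" | grep -qxF "$api" || printf '%s\n' "$api"
    done
}

# Enable whatever is missing in project $1. Returns 0 if nothing was
# missing, otherwise the exit status of the gcloud enable call.
enable_missing_apis() {
    project=$1
    missing=$(gcloud services list --enabled --project="$project" \
        --format='value(config.name)' | missing_apis)
    if [ -z "$missing" ]; then
        return 0
    fi
    # Unquoted on purpose: one argument per missing service.
    gcloud services enable $missing --project="$project"
}

# Usage (placeholder project ID):
#   enable_missing_apis my-openshift-project
```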

Configuring DNS for GCP

To install OpenShift Container Platform, the Google Cloud Platform (GCP) account you use must have a dedicated public hosted zone in the same project that hosts the OpenShift Container Platform cluster. This zone must be authoritative for the domain. The DNS service provides cluster DNS resolution and name lookup for external connections to the cluster.

Procedure
  1. Identify your domain, or subdomain, and registrar. You can transfer an existing domain and registrar or obtain a new one through GCP or another source.

    If you purchase a new domain, it can take time for the relevant DNS changes to propagate. For more information about purchasing domains through Google, see Google Domains.

  2. Create a public hosted zone for your domain or subdomain in your GCP project. See Creating public zones in the GCP documentation.

    Use an appropriate root domain, such as openshiftcorp.com, or subdomain, such as clusters.openshiftcorp.com.

  3. Extract the new authoritative name servers from the hosted zone records. See Look up your Cloud DNS name servers in the GCP documentation.

    You typically have four name servers.

  4. Update the registrar records for the name servers that your domain uses. For example, if you registered your domain with Google Domains, see the following topic in the Google Domains Help: How to switch to custom name servers.

  5. If you use a subdomain, follow your company’s procedures to add its delegation records to the parent domain.
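
One way to verify steps 3 to 5 once the registrar or parent-domain change is made: compare the hosted zone's name servers with the NS records that are actually delegated, and report any that appear on only one side. This is an added example, not part of the OpenShift documentation; it assumes gcloud and dig are installed, and the project, zone and domain names in the usage comment are placeholders.

```shell
#!/bin/sh
# Normalize a name-server list: one per line, lower case, no trailing dot.
# gcloud may join list values with ';', dig prints one name per line.
normalize_ns() {
    tr ';, \t' '\n\n\n\n' | tr 'A-Z' 'a-z' |
        sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# $1 = name servers of the hosted zone, $2 = name servers currently delegated.
# Prints one finding per mismatch; no output means the two sets are identical.
ns_diff() {
    zone_ns=$(printf '%s\n' "$1" | normalize_ns)
    deleg_ns=$(printf '%s\n' "$2" | normalize_ns)
    for ns in $zone_ns; do
        printf '%s\n' "$deleg_ns" | grep -qxF "$ns" ||
            echo "NOT_DELEGATED $ns"
    done
    # A delegated server that the zone does not list still answers for the
    # domain, so a leftover entry from an old provider is reported too.
    for ns in $deleg_ns; do
        printf '%s\n' "$zone_ns" | grep -qxF "$ns" ||
            echo "STALE_DELEGATION $ns"
    done
}

# $1 = project, $2 = managed zone name, $3 = domain. Returns 1 on mismatch.
check_delegation() {
    diff_out=$(ns_diff \
        "$(gcloud dns managed-zones describe "$2" --project="$1" \
            --format='value(nameServers)')" \
        "$(dig +short NS "$3")")
    if [ -z "$diff_out" ]; then
        return 0
    fi
    printf '%s\n' "$diff_out"
    return 1
}

# Usage (placeholder names):
#   check_delegation my-openshift-project clusters-zone clusters.openshiftcorp.com
```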

GCP account limits

The OpenShift Container Platform cluster uses a number of Google Cloud Platform (GCP) components, but the default quotas do not affect your ability to install a default OpenShift Container Platform cluster.

A default cluster, which contains three compute and three control plane machines, uses the following resources. Note that some resources are required only during the bootstrap process and are removed after the cluster deploys.

Table 2. GCP resources used in a default cluster

Service                     Component  Location  Total resources required  Resources removed after bootstrap
Service account             IAM        Global    5                         0
Firewall Rules              Compute    Global    35                        1
Forwarding Rules            Compute    Global    3                         0
In-use global IP addresses  Compute    Global    4                         1
Health checks               Compute    Global    3                         0
Images                      Compute    Global    1                         0
Networks                    Compute    Global    1                         0
Static IP addresses         Compute    Region    4                         1
Routers                     Compute    Global    1                         0
Routes                      Compute    Global    3                         0
Subnetworks                 Compute    Global    2                         0
Target Pools                Compute    Global    3                         0
CPUs                        Compute    Region    28                        4
Persistent Disk SSD (GB)    Compute    Region    896                       128

Creating a service account in GCP

OpenShift Container Platform requires a Google Cloud Platform (GCP) service account.

Prerequisites
  • You created a project to host your cluster.

Procedure
  1. Create a new service account in the project that you use to host your OpenShift Container Platform cluster. See Creating a service account in the GCP documentation.

  2. Grant the service account the appropriate permissions. You can either grant the individual permissions that follow or assign the Owner role to it. See Granting roles to a service account for specific resources.

  3. Create the service account key. See Creating service account keys in the GCP documentation.

    The service account key is required to create a cluster.

Required GCP permissions

When you attach the Owner role to the service account that you create, you grant that service account all permissions, including those that are required to install OpenShift Container Platform. To deploy an OpenShift Container Platform cluster, the service account requires the following permissions:

Required roles for the installation program
  • Compute Admin

  • DNS Administrator

  • Security Admin

  • Service Account Admin

  • Service Account User

  • Storage Admin

Optional roles

For the cluster to create new limited credentials for its Operators, add the following role:

  • Service Account Key Admin

The roles are applied to the service accounts that the control plane and compute machines use:

Table 3. GCP service account permissions

Account        Roles
Control Plane  roles/compute.instanceAdmin
               roles/compute.networkAdmin
               roles/compute.securityAdmin
               roles/storage.admin
               roles/iam.serviceAccountUser
Compute        roles/compute.viewer
               roles/storage.admin
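
One way to grant the installation service account the individual roles listed above instead of Owner, and to audit what is bound to it afterwards. This is an added example, not part of the OpenShift documentation; the role IDs are the GCP identifiers for the role titles on this page (a mapping added here), and the project and account names in the usage comment are placeholders.

```shell
#!/bin/sh
# Role IDs for the role titles listed above (mapping added here, not from the page).
REQUIRED_ROLES="roles/compute.admin roles/dns.admin roles/iam.securityAdmin \
roles/iam.serviceAccountAdmin roles/iam.serviceAccountUser roles/storage.admin"
OPTIONAL_ROLES="roles/iam.serviceAccountKeyAdmin"

# Bind only the required roles (never roles/owner) to service account $2 in project $1.
grant_installer_roles() {
    for role in $REQUIRED_ROLES; do
        gcloud projects add-iam-policy-binding "$1" \
            --member="serviceAccount:$2" --role="$role" \
            --condition=None --quiet >/dev/null || return 1
    done
}

# Print the project-level roles currently bound to service account $2 in project $1.
list_bound_roles() {
    gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
        --filter="bindings.members:serviceAccount:$2" \
        --format='value(bindings.role)'
}

# Read role IDs on stdin (one per line) and print findings. Returns 0 only when
# every required role is present and nothing outside the lists above is bound.
audit_installer_roles() {
    granted=$(cat)
    status=0
    for role in $REQUIRED_ROLES; do
        printf '%s\n' "$granted" | grep -qxF "$role" ||
            { echo "MISSING $role"; status=1; }
    done
    for role in $granted; do
        case " $REQUIRED_ROLES $OPTIONAL_ROLES " in
            *" $role "*) continue ;;
        esac
        status=1
        if [ "$role" = roles/owner ]; then
            echo "OVERPRIVILEGED $role"
        else
            echo "UNEXPECTED $role"
        fi
    done
    return $status
}

# Usage (placeholder names):
#   list_bound_roles my-project installer@my-project.iam.gserviceaccount.com |
#       audit_installer_roles
```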

Supported GCP regions

You can deploy an OpenShift Container Platform cluster to the following Google Cloud Platform (GCP) regions:

  • asia-east1 (Changhua County, Taiwan)

  • asia-east2 (Hong Kong)

  • asia-northeast1 (Tokyo, Japan)

  • asia-northeast2 (Osaka, Japan)

  • asia-south1 (Mumbai, India)

  • asia-southeast1 (Jurong West, Singapore)

  • australia-southeast1 (Sydney, Australia)

  • europe-north1 (Hamina, Finland)

  • europe-west1 (St. Ghislain, Belgium)

  • europe-west2 (London, England, UK)

  • europe-west3 (Frankfurt, Germany)

  • europe-west4 (Eemshaven, Netherlands)

  • europe-west6 (Zürich, Switzerland)

  • northamerica-northeast1 (Montréal, Québec, Canada)

  • southamerica-east1 (São Paulo, Brazil)

  • us-central1 (Council Bluffs, Iowa, USA)

  • us-east1 (Moncks Corner, South Carolina, USA)

  • us-east4 (Ashburn, Northern Virginia, USA)

  • us-west1 (The Dalles, Oregon, USA)

  • us-west2 (Los Angeles, California, USA)

Next steps