OpenShift docs are moving and will soon only be available at docs.redhat.com, the home of all Red Hat product documentation. Explore the new docs experience today.
  1. Documentation
    2. history
×

Installing a cluster on vSphere in a restricted network

Prerequisites

About installations in restricted networks

In OpenShift Container Platform 4.3, you can perform an installation that does not require an active connection to the internet to obtain software components. You complete an installation in a restricted network on only infrastructure that you provision, not infrastructure that the installation program provisions, so your platform selection is limited.

If you choose to perform a restricted network installation on a cloud platform, you still require access to its cloud APIs. Some cloud functions, like Amazon Web Service’s IAM service, require internet access, so you might still require internet access. Depending on your network, you might require less internet access for an installation on bare metal hardware or on VMware vSphere.

To complete a restricted network installation, you must create a registry that mirrors the contents of the OpenShift Container Platform registry and contains the installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.

Restricted network installations always use user-provisioned infrastructure. Because of the complexity of the configuration for user-provisioned installations, consider completing a standard user-provisioned infrastructure installation before you attempt a restricted network installation. Completing this test installation might make it easier to isolate and troubleshoot any issues that might arise during your installation in a restricted network.

Additional limits

Clusters in restricted networks have the following additional limitations and restrictions:

  • The ClusterVersion status includes an Unable to retrieve available updates error.

  • By default, you cannot use the contents of the Developer Catalog because you cannot access the required ImageStreamTags.

Internet and Telemetry access for OpenShift Container Platform

In OpenShift Container Platform 4.3, you require access to the internet to obtain the images that are necessary to install your cluster. The Telemetry service, which runs by default to provide metrics about cluster health and the success of updates, also requires internet access. If your cluster is connected to the internet, Telemetry runs automatically, and your cluster is registered to the Red Hat OpenShift Cluster Manager (OCM).

Once you confirm that your Red Hat OpenShift Cluster Manager inventory is correct, either maintained automatically by Telemetry or manually using OCM, use subscription watch to track your OpenShift Container Platform subscriptions at the account or multi-cluster level.

You must have internet access to:

  • Access the Red Hat OpenShift Cluster Manager page to download the installation program and perform subscription management. If the cluster has internet access and you do not disable Telemetry, that service automatically entitles your cluster.

  • Access Quay.io to obtain the packages that are required to install your cluster.

  • Obtain the packages that are required to perform cluster updates.

If your cluster cannot have direct internet access, you can perform a restricted network installation on some types of infrastructure that you provision. During that process, you download the content that is required and use it to populate a mirror registry with the packages that you need to install a cluster and generate the installation program. With some installation types, the environment that you install your cluster in will not require internet access. Before you update the cluster, you update the content of the mirror registry.

VMware vSphere infrastructure requirements

You must install the OpenShift Container Platform cluster on a VMware vSphere version 6 instance that meets the requirements for the components that you use.

Table 1. Minimum supported vSphere version for VMware components
Component Minimum supported versions Description

Hypervisor

vSphere 6.5 with HW version 13

This version is the minimum version that Red Hat Enterprise Linux CoreOS (RHCOS) supports. See the Red Hat Enterprise Linux 8 supported hypervisors list.

Networking (NSX-T)

n/a

vSphere 6.5U3 or vSphere 6.7U2+ are required for OpenShift Container Platform. Because previous versions of vSphere with NSX-T are not currently compatible with OpenShift Container Platform, NSX-T is not supported. NSX-T certification is in process and will be supported in a future release.

Storage with in-tree drivers

vSphere 6.5 or vSphere 6.7

This plug-in creates vSphere storage by using the in-tree storage drivers for vSphere included in OpenShift Container Platform and can be used when vSphere CSI drivers are not available.

Storage with vSphere CSI driver

vSphere 6.7U3 and later

This plug-in creates vSphere storage by using the standard Container Storage Interface. The vSphere CSI driver is provided and supported by VMware.

If you use a vSphere version 6.5 instance, consider upgrading to 6.7U2 before you install OpenShift Container Platform.

You must ensure that the time on your ESXi hosts is synchronized before you install OpenShift Container Platform. See Edit Time Configuration for a Host in the VMware documentation.

 
A limitation of using VPC is that the Storage Distributed Resource Scheduler (SDRS) is not supported. See link:https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/faqs.html[vSphere Storage for Kubernetes FAQs] in the VMware documentation.

Required vCenter account privileges

To install an OpenShift Container Platform cluster in vCenter, the cluster requires access to an account with privileges to read and create the required resources. Using an account that has administrative privileges is the simplest way to access all of the necessary permissions.

A user requires the following privileges to install an OpenShift Container Platform cluster:

  • Datastore

    • Allocate space

  • Folder

    • Create folder

    • Delete folder

  • vSphere Tagging

    • All privileges

  • Network

    • Assign network

  • Resource

    • Assign virtual machine to resource pool

  • Profile-driven storage

    • All privileges

  • vApp

    • All privileges

  • Virtual machine

    • All privileges

For more information about creating an account with only the required privileges, see vSphere Permissions and User Management Tasks in the vSphere documentation.

Machine requirements for a cluster with user-provisioned infrastructure

For a cluster that contains user-provisioned infrastructure, you must deploy all of the required machines.

Required machines

The smallest OpenShift Container Platform clusters require the following hosts:

  • One temporary bootstrap machine

  • Three control plane, or master, machines

  • At least two compute machines, which are also known as worker machines

The cluster requires the bootstrap machine to deploy the OpenShift Container Platform cluster on the three control plane machines. You can remove the bootstrap machine after you install the cluster.

To maintain high availability of your cluster, use separate physical hosts for these cluster machines.

The bootstrap, control plane, and compute machines must use the Red Hat Enterprise Linux CoreOS (RHCOS) as the operating system.

Note that RHCOS is based on Red Hat Enterprise Linux 8 and inherits all of its hardware certifications and requirements. See Red Hat Enterprise Linux technology capabilities and limits.

Network connectivity requirements

All the Red Hat Enterprise Linux CoreOS (RHCOS) machines require network in initramfs during boot to fetch Ignition config files from the Machine Config Server. During the initial boot, the machines require either a DHCP server or that static IP addresses be set in order to establish a network connection to download their Ignition config files.

Minimum resource requirements

Each cluster machine must meet the following minimum requirements:

Machine Operating System vCPU Virtual RAM Storage

Bootstrap

RHCOS

4

16 GB

120 GB

Control plane

RHCOS

4

16 GB

120 GB

Compute

RHCOS or RHEL 7.6

2

8 GB

120 GB

Certificate signing requests management

Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager only approves the kubelet client CSRs. The machine-approver cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.

Creating the user-provisioned infrastructure

Before you deploy an OpenShift Container Platform cluster that uses user-provisioned infrastructure, you must create the underlying infrastructure.

Prerequistes
Procedure

  1. Configure DHCP or set static IP addresses on each node.

  2. Provision the required load balancers.

  3. Configure the ports for your machines.

  4. Configure DNS.

  5. Ensure network connectivity.

Networking requirements for user-provisioned infrastructure

All the Red Hat Enterprise Linux CoreOS (RHCOS) machines require network in initramfs during boot to fetch Ignition config from the Machine Config Server.

During the initial boot, the machines require either a DHCP server or that static IP addresses be set on each host in the cluster in order to establish a network connection, which allows them to download their Ignition config files.

It is recommended to use the DHCP server to manage the machines for the cluster long-term. Ensure that the DHCP server is configured to provide persistent IP addresses and host names to the cluster machines.

The Kubernetes API server, which runs on each master node after a successful cluster installation, must be able to resolve the node names of the cluster machines. If the API servers and worker nodes are in different zones, you can configure a default DNS search zone to allow the API server to resolve the node names. Another supported approach is to always refer to hosts by their fully-qualified domain names in both the node objects and all DNS requests.

You must configure the network connectivity between machines to allow cluster components to communicate. Each machine must be able to resolve the host names of all other machines in the cluster.

Table 2. All machines to all machines
Protocol Port Description

ICMP

N/A

Network reachability tests

TCP

9000-9999

Host level services, including the node exporter on ports 9100-9101 and the Cluster Version Operator on port 9099.

10250-10259

The default ports that Kubernetes reserves

10256

openshift-sdn

UDP

4789

VXLAN and Geneve

6081

VXLAN and Geneve

9000-9999

Host level services, including the node exporter on ports 9100-9101.

TCP/UDP

30000-32767

Kubernetes NodePort
Table 3. All machines to control plane
Protocol Port Description

TCP

2379-2380

etcd server, peer, and metrics ports

6443

Kubernetes API

Network topology requirements

The infrastructure that you provision for your cluster must meet the following network topology requirements.

OpenShift Container Platform requires all nodes to have internet access to pull images for platform containers and provide telemetry data to Red Hat.
Load balancers

Before you install OpenShift Container Platform, you must provision two load balancers that meet the following requirements:

  1. API load balancer: Provides a common endpoint for users, both human and machine, to interact with and configure the platform. Configure the following conditions:

    • Layer 4 load balancing only. This can be referred to as Raw TCP, SSL Passthrough, or SSL Bridge mode. If you use SSL Bridge mode, you must enable Server Name Indication (SNI) for the API routes.

    • A stateless load balancing algorithm. The options vary based on the load balancer implementation.

    Session persistence is not required for the API load balancer to function properly.

    Configure the following ports on both the front and back of the load balancers:

    Table 4. API load balancer
    Port Back-end machines (pool members) Internal External Description

    6443

    Bootstrap and control plane. You remove the bootstrap machine from the load balancer after the bootstrap machine initializes the cluster control plane. You must configure the /readyz endpoint for the API server health check probe.

    X

    X

    Kubernetes API server

    22623

    Bootstrap and control plane. You remove the bootstrap machine from the load balancer after the bootstrap machine initializes the cluster control plane.

    X

    Machine Config server

    The load balancer must be configured to take a maximum of 30 seconds from the time the API server turns off the /readyz endpoint to the removal of the API server instance from the pool. Within the time frame after /readyz returns an error or becomes healthy, the endpoint must have been removed or added. Probing every 5 or 10 seconds, with two successful requests to become healthy and three to become unhealthy, are well-tested values.

  2. Application Ingress load balancer: Provides an Ingress point for application traffic flowing in from outside the cluster. Configure the following conditions:

    • Layer 4 load balancing only. This can be referred to as Raw TCP, SSL Passthrough, or SSL Bridge mode. If you use SSL Bridge mode, you must enable Server Name Indication (SNI) for the Ingress routes.

    • A connection-based or session-based persistence is recommended, based on the options available and types of applications that will be hosted on the platform.

    Configure the following ports on both the front and back of the load balancers:

    Table 5. Application Ingress load balancer
    Port Back-end machines (pool members) Internal External Description

    443

    The machines that run the Ingress router pods, compute, or worker, by default.

    X

    X

    HTTPS traffic

    80

    The machines that run the Ingress router pods, compute, or worker by default.

    X

    X

    HTTP traffic

If the true IP address of the client can be seen by the load balancer, enabling source IP-based session persistence can improve performance for applications that use end-to-end TLS encryption.

A working configuration for the Ingress router is required for an OpenShift Container Platform cluster. You must configure the Ingress router after the control plane initializes.

Ethernet adaptor hardware address requirements

When provisioning VMs for the cluster, the ethernet interfaces configured for each VM must use a MAC address from the VMware Organizationally Unique Identifier (OUI) allocation ranges:

  • 00:05:69:00:00:00 to 00:05:69:FF:FF:FF

  • 00:0c:29:00:00:00 to 00:0c:29:FF:FF:FF

  • 00:1c:14:00:00:00 to 00:1c:14:FF:FF:FF

  • 00:50:56:00:00:00 to 00:50:56:FF:FF:FF

If a MAC address outside the VMware OUI is used, the cluster installation will not succeed.

User-provisioned DNS requirements

The following DNS records are required for an OpenShift Container Platform cluster that uses user-provisioned infrastructure. In each record, <cluster_name> is the cluster name and <base_domain> is the cluster base domain that you specify in the install-config.yaml file. A complete DNS record takes the form: <component>.<cluster_name>.<base_domain>..

Table 6. Required DNS records
Component Record Description

Kubernetes API

api.<cluster_name>.<base_domain>.

This DNS A/AAAA or CNAME record must point to the load balancer for the control plane machines. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster.

api-int.<cluster_name>.<base_domain>.

This DNS A/AAAA or CNAME record must point to the load balancer for the control plane machines. This record must be resolvable from all the nodes within the cluster.

The API server must be able to resolve the worker nodes by the host names that are recorded in Kubernetes. If it cannot resolve the node names, proxied API calls can fail, and you cannot retrieve logs from Pods.

Routes

*.apps.<cluster_name>.<base_domain>.

A wildcard DNS A/AAAA or CNAME record that points to the load balancer that targets the machines that run the Ingress router pods, which are the worker nodes by default. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster.

etcd

etcd-<index>.<cluster_name>.<base_domain>.

OpenShift Container Platform requires DNS A/AAAA records for each etcd instance to point to the control plane machines that host the instances. The etcd instances are differentiated by <index> values, which start with 0 and end with n-1, where n is the number of control plane machines in the cluster. The DNS record must resolve to an unicast IPv4 address for the control plane machine, and the records must be resolvable from all the nodes in the cluster.

_etcd-server-ssl._tcp.<cluster_name>.<base_domain>.

For each control plane machine, OpenShift Container Platform also requires a SRV DNS record for etcd server on that machine with priority 0, weight 10 and port 2380. A cluster that uses three control plane machines requires the following records:

# _service._proto.name.                            TTL    class SRV priority weight port target.
_etcd-server-ssl._tcp.<cluster_name>.<base_domain>.  86400 IN    SRV 0        10     2380 etcd-0.<cluster_name>.<base_domain>
_etcd-server-ssl._tcp.<cluster_name>.<base_domain>.  86400 IN    SRV 0        10     2380 etcd-1.<cluster_name>.<base_domain>
_etcd-server-ssl._tcp.<cluster_name>.<base_domain>.  86400 IN    SRV 0        10     2380 etcd-2.<cluster_name>.<base_domain>

Generating an SSH private key and adding it to the agent

If you want to perform installation debugging or disaster recovery on your cluster, you must provide an SSH key to both your ssh-agent and to the installation program.

In a production environment, you require disaster recovery and debugging.

You can use this key to SSH into the master nodes as the user core. When you deploy the cluster, the key is added to the core user’s ~/.ssh/authorized_keys list.

You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs.
Procedure

  1. If you do not have an SSH key that is configured for password-less authentication on your computer, create one. For example, on a computer that uses a Linux operating system, run the following command:

    $ ssh-keygen -t rsa -b 4096 -N '' \
    -f <path>/<file_name> (1)
    1 Specify the path and file name, such as ~/.ssh/id_rsa, of the SSH key. Do not specify an existing SSH key, as it will be overwritten.

    Running this command generates an SSH key that does not require a password in the location that you specified.

  2. Start the ssh-agent process as a background task:

    $ eval "$(ssh-agent -s)"

Agent pid 31874

  3. Add your SSH private key to the ssh-agent:

    $ ssh-add <path>/<file_name> (1)

Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
    1 Specify the path and file name for your SSH private key, such as ~/.ssh/id_rsa
Next steps

  • When you install OpenShift Container Platform, provide the SSH public key to the installation program. If you install a cluster on infrastructure that you provision, you must provide this key to your cluster’s machines.

Manually creating the installation configuration file

For installations of OpenShift Container Platform that use user-provisioned infrastructure, you must manually generate your installation configuration file.

Prerequisites

  • Obtain the OpenShift Container Platform installation program and the access token for your cluster.

  • Obtain the imageContentSources section from the output of the command to mirror the repository.

  • Obtain the contents of the certificate for your mirror registry.

Procedure

  1. Create an installation directory to store your required installation assets in:

    $ mkdir <installation_directory>

    You must create a directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.

  2. Customize the following install-config.yaml file template and save it in the <installation_directory>.

    You must name this configuration file install-config.yaml.

    • Unless you use a registry that RHCOS trusts by default, such as docker.io, you must provide the contents of the certificate for your mirror repository in the additionalTrustBundle section. In most cases, you must provide the certificate for your mirror.

    • You must include the imageContentSources section from the output of the command to mirror the repository.

  3. Back up the install-config.yaml file so that you can use it to install multiple clusters.

    The install-config.yaml file is consumed during the next step of the installation process. You must back it up now.

Sample install-config.yaml file for VMware vSphere

You can customize the install-config.yaml file to specify more details about your OpenShift Container Platform cluster’s platform or modify the values of the required parameters.

apiVersion: v1
baseDomain: example.com (1)
compute:
- hyperthreading: Enabled  (2) (3)
  name: worker
  replicas: 0 (4)
controlPlane:
  hyperthreading: Enabled  (2) (3)
  name: master
  replicas: 3 (5)
metadata:
  name: test (6)
platform:
  vsphere:
    vcenter: your.vcenter.server (7)
    username: username (8)
    password: password (9)
    datacenter: datacenter (10)
    defaultDatastore: datastore (11)
fips: false (12)
pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}' (13)
sshKey: 'ssh-ed25519 AAAA...' (14)
additionalTrustBundle: | (15)
  -----BEGIN CERTIFICATE-----
  ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
  -----END CERTIFICATE-----
imageContentSources: (16)
- mirrors:
  - <local_registry>/<local_repository_name>/release
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - <local_registry>/<local_repository_name>/release
  source: registry.svc.ci.openshift.org/ocp/release
1 The base domain of the cluster. All DNS records must be sub-domains of this base and include the cluster name.
2 The controlPlane section is a single mapping, but the compute section is a sequence of mappings. To meet the requirements of the different data structures, the first line of the compute section must begin with a hyphen, -, and the first line of the controlPlane section must not. Although both sections currently define a single machine pool, it is possible that future versions of OpenShift Container Platform will support defining multiple compute pools during installation. Only one control plane pool is used.
3 Whether to enable or disable simultaneous multithreading, or hyperthreading. By default, simultaneous multithreading is enabled to increase the performance of your machines' cores. You can disable it by setting the parameter value to Disabled. If you disable simultaneous multithreading in some cluster machines, you must disable it in all cluster machines.

If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance. Your machines must use at least 8 CPUs and 32 GB of RAM if you disable simultaneous multithreading.
4 You must set the value of the replicas parameter to 0. This parameter controls the number of workers that the cluster creates and manages for you, which are functions that the cluster does not perform when you use user-provisioned infrastructure. You must manually deploy worker machines for the cluster to use before you finish installing OpenShift Container Platform.
5 The number of control plane machines that you add to the cluster. Because the cluster uses this values as the number of etcd endpoints in the cluster, the value must match the number of control plane machines that you deploy.
6 The cluster name that you specified in your DNS records.
7 The fully-qualified host name or IP address of the vCenter server.
8 The name of the user for accessing the server. This user must have at least the roles and privileges that are required for static or dynamic persistent volume provisioning in vSphere.
9 The password associated with the vSphere user.
10 The vSphere datacenter.
11 The default vSphere datastore to use.
12 Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the Red Hat Enterprise Linux CoreOS (RHCOS) machines that OpenShift Container Platform runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with RHCOS instead.
13 For <local_registry>, specify the registry domain name, and optionally the port, that your mirror registry uses to serve content. For example registry.example.com or registry.example.com:5000. For <credentials>, specify the base64-encoded user name and password for your mirror registry.
14 The public portion of the default SSH key for the core user in Red Hat Enterprise Linux CoreOS (RHCOS).

For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery on, specify an SSH key that your ssh-agent process uses.
15 Provide the contents of the certificate file that you used for your mirror registry.
16 Provide the imageContentSources section from the output of the command to mirror the repository.

Configuring the cluster-wide proxy during installation

Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.

Prerequisites

  • An existing install-config.yaml file.

  • Review the sites that your cluster requires access to and determine whether any need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. Add sites to the Proxy object’s spec.noProxy field to bypass the proxy if necessary.

    The Proxy object’s status.noProxy field is populated by default with the instance metadata endpoint (169.254.169.254) and with the values of the networking.machineCIDR, networking.clusterNetwork.cidr, and networking.serviceNetwork[] fields from your installation configuration.
Procedure

  1. Edit your install-config.yaml file and add the proxy settings. For example:

    apiVersion: v1
baseDomain: my.domain.com
proxy:
  httpProxy: http://<username>:<pswd>@<ip>:<port> (1)
  httpsProxy: http://<username>:<pswd>@<ip>:<port> (2)
  noProxy: example.com (3)
additionalTrustBundle: | (4)
    -----BEGIN CERTIFICATE-----
    <MY_TRUSTED_CA_CERT>
    -----END CERTIFICATE-----
...
    1 A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpProxy value.
    2 A proxy URL to use for creating HTTPS connections outside the cluster. If this field is not specified, then httpProxy is used for both HTTP and HTTPS connections. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpsProxy value.
    3 A comma-separated list of destination domain names, domains, IP addresses, or other network CIDRs to exclude proxying. Preface a domain with . to include all subdomains of that domain. Use * to bypass proxy for all destinations.
    4 If provided, the installation program generates a ConfigMap that is named user-ca-bundle in the openshift-config namespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle ConfigMap that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this ConfigMap is referenced in the Proxy object’s trustedCA field. The additionalTrustBundle field is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.

    The installation program does not support the proxy readinessEndpoints field.

  2. Save the file and reference it when installing OpenShift Container Platform.

The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.

Only the Proxy object named cluster is supported, and no additional proxies can be created.

Creating the Kubernetes manifest and Ignition config files

Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to make its machines.

The Ignition config files that the installation program generates contain certificates that expire after 24 hours. You must complete your cluster installation and keep the cluster running for 24 hours in a non-degraded state to ensure that the first certificate rotation has finished.
Prerequisites

  • Obtain the OpenShift Container Platform installation program. For a restricted network installation, these files are on your mirror host.

  • Create the install-config.yaml installation configuration file.

Procedure

  1. Generate the Kubernetes manifests for the cluster:

    $ ./openshift-install create manifests --dir=<installation_directory> (1)

INFO Consuming Install Config from target directory
WARNING Making control-plane schedulable by setting MastersSchedulable to true for Scheduler cluster settings
    1 For <installation_directory>, specify the installation directory that contains the install-config.yaml file you created.

    Because you create your own compute machines later in the installation process, you can safely ignore this warning.

  2. Modify the <installation_directory>/manifests/cluster-scheduler-02-config.yml Kubernetes manifest file to prevent Pods from being scheduled on the control plane machines:

    1. Open the <installation_directory>/manifests/cluster-scheduler-02-config.yml file.

    2. Locate the mastersSchedulable parameter and set its value to False.

    3. Save and exit the file.

    Currently, due to a Kubernetes limitation, router Pods running on control plane machines will not be reachable by the ingress load balancer. This step might not be required in a future minor version of OpenShift Container Platform.

  3. Obtain the Ignition config files:

    $ ./openshift-install create ignition-configs --dir=<installation_directory> (1)
    1 For <installation_directory>, specify the same installation directory.

    The following files are generated in the directory:

    .
├── auth
│   ├── kubeadmin-password
│   └── kubeconfig
├── bootstrap.ign
├── master.ign
├── metadata.json
└── worker.ign

Creating Red Hat Enterprise Linux CoreOS (RHCOS) machines in vSphere

Before you install a cluster that contains user-provisioned infrastructure on VMware vSphere, you must create RHCOS machines on vSphere hosts for it to use.

Prerequisites

  • Obtain the Ignition config files for your cluster.

  • Have access to an HTTP server that you can access from your computer and that the machines that you create can access.

  • Create a vSphere cluster.

Procedure

  1. Upload the bootstrap Ignition config file, which is named <installation_directory>/bootstrap.ign, that the installation program created to your HTTP server. Note the URL of this file.

    You must host the bootstrap Ignition config file because it is too large to fit in a vApp property.

  2. Save the following secondary Ignition config file for your bootstrap node to your computer as <installation_directory>/append-bootstrap.ign.

    {
  "ignition": {
    "config": {
      "append": [
        {
          "source": "<bootstrap_ignition_config_url>", (1)
          "verification": {}
        }
      ]
    },
    "timeouts": {},
    "version": "2.1.0"
  },
  "networkd": {},
  "passwd": {},
  "storage": {},
  "systemd": {}
}
    1 Specify the URL of the bootstrap Ignition config file that you hosted.

    When you create the Virtual Machine (VM) for the bootstrap machine, you use this Ignition config file.

  3. Convert the master, worker, and secondary bootstrap Ignition config files to Base64 encoding.

    For example, if you use a Linux operating system, you can use the base64 command to encode the files.

    $ base64 -w0 <installation_directory>/master.ign > <installation_directory>/master.64
$ base64 -w0 <installation_directory>/worker.ign > <installation_directory>/worker.64
$ base64 -w0 <installation_directory>/append-bootstrap.ign > <installation_directory>/append-bootstrap.64

    If you plan to add more compute machines to your cluster after you finish installation, do not delete these files.

  4. Obtain the RHCOS OVA image from the Product Downloads page on the Red Hat customer portal or the RHCOS image mirror page.

    The RHCOS images might not change with every release of OpenShift Container Platform. You must download an image with the highest version that is less than or equal to the OpenShift Container Platform version that you install. Use the image version that matches your OpenShift Container Platform version if it is available. Only use ISO images for this procedure. RHCOS qcow2 images are not supported for bare metal installs.

    The file name contains the OpenShift Container Platform version number in the format rhcos-<version>-vmware.<architecture>.ova.

  5. In the vSphere Client, create a folder in your datacenter to store your VMs.

    1. Click the VMs and Templates view.

    2. Right-click the name of your datacenter.

    3. Click New FolderNew VM and Template Folder.

    4. In the window that is displayed, enter the folder name. The folder name must match the cluster name that you specified in the install-config.yaml file.

  6. In the vSphere Client, create a template for the OVA image.

    In the following steps, you use the same template for all of your cluster machines and provide the location for the Ignition config file for that machine type when you provision the VMs.

    1. From the Hosts and Clusters tab, right-click your cluster’s name and click Deploy OVF Template.

    2. On the Select an OVF tab, specify the name of the RHCOS OVA file that you downloaded.

    3. On the Select a name and folder tab, set a Virtual machine name, such as RHCOS, click the name of your vSphere cluster, and select the folder you created in the previous step.

    4. On the Select a compute resource tab, click the name of your vSphere cluster.

    5. On the Select storage tab, configure the storage options for your VM.

      • Select Thin Provision or Thick Provision, based on your storage preferences.

      • Select the datastore that you specified in your install-config.yaml file.

    6. On the Select network tab, specify the network that you configured for the cluster, if available.

    7. If you plan to use the same template for all cluster machine types, do not specify values on the Customize template tab.

      If you plan to add more compute machines to your cluster after you finish installation, do not delete this template.

  7. After the template deploys, deploy a VM for a machine in the cluster.

    1. Right-click the template’s name and click CloneClone to Virtual Machine.

    2. On the Select a name and folder tab, specify a name for the VM. You might include the machine type in the name, such as control-plane-0 or compute-1.

    3. On the Select a name and folder tab, select the name of the folder that you created for the cluster.

    4. On the Select a compute resource tab, select the name of a host in your datacenter.

    5. Optional: On the Select storage tab, customize the storage options.

    6. On the Select clone options, select Customize this virtual machine’s hardware.

    7. On the Customize hardware tab, click VM OptionsAdvanced.

      • Optional: In the event of cluster performance issues, from the Latency Sensitivity list, select High.

      • Click Edit Configuration, and on the Configuration Parameters window, click Add Configuration Params. Define the following parameter names and values:

        • guestinfo.ignition.config.data: Paste the contents of the base64-encoded Ignition config file for this machine type.

        • guestinfo.ignition.config.data.encoding: Specify base64.

        • disk.EnableUUID: Specify TRUE.

      • Alternatively, prior to powering on the virtual machine add via vApp properties:

        • Navigate to a virtual machine from the vCenter Server inventory.

        • On the Configure tab, expand Settings and select vApp options.

        • Scroll down and under Properties apply the configurations from above.

    8. In the Virtual Hardware panel of the Customize hardware tab, modify the specified values as required. Ensure that the amount of RAM, CPU, and disk storage meets the minimum requirements for the machine type.

    9. Complete the configuration and power on the VM.

  8. Create the rest of the machines for your cluster by following the preceding steps for each machine.

    You must create the bootstrap and control plane machines at this time. Because some pods are deployed on compute machines by default, also create at least two compute machine before you install the cluster.

Creating the cluster

To create the OpenShift Container Platform cluster, you wait for the bootstrap process to complete on the machines that you provisioned by using the Ignition config files that you generated with the installation program.

Prerequisites

  • Create the required infrastructure for the cluster.

  • You obtained the installation program and generated the Ignition config files for your cluster.

  • You used the Ignition config files to create RHCOS machines for your cluster.

Procedure

  1. Monitor the bootstrap process:

    $ ./openshift-install --dir=<installation_directory> wait-for bootstrap-complete \ (1)
    --log-level=info (2)
INFO Waiting up to 30m0s for the Kubernetes API at https://api.test.example.com...
INFO API v1.16.2 up
INFO Waiting up to 30m0s for bootstrapping to complete...
INFO It is now safe to remove the bootstrap resources
    1 For <installation_directory>, specify the path to the directory that you stored the installation files in.
    2 To view different installation details, specify warn, debug, or error instead of info.

    The command succeeds when the Kubernetes API server signals that it has been bootstrapped on the control plane machines.

  2. After bootstrap process is complete, remove the bootstrap machine from the load balancer.

    You must remove the bootstrap machine from the load balancer at this point. You can also remove or reformat the machine itself.

Logging in to the cluster

You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OpenShift Container Platform installation.

Prerequisites

  • Deploy an OpenShift Container Platform cluster.

  • Install the oc CLI.

Procedure

  1. Export the kubeadmin credentials:

    $ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)
    1 For <installation_directory>, specify the path to the directory that you stored the installation files in.

  2. Verify you can run oc commands successfully using the exported configuration:

    $ oc whoami
system:admin

Approving the CSRs for your machines

When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself.

Prerequisites

  • You added machines to your cluster.

Procedure

  1. Confirm that the cluster recognizes the machines:

    $ oc get nodes

NAME      STATUS    ROLES   AGE  VERSION
master-0  Ready     master  63m  v1.16.2
master-1  Ready     master  63m  v1.16.2
master-2  Ready     master  64m  v1.16.2
worker-0  NotReady  worker  76s  v1.16.2
worker-1  NotReady  worker  70s  v1.16.2

    The output lists all of the machines that you created.

  2. Review the pending CSRs and ensure that you see a client and server request with the Pending or Approved status for each machine that you added to the cluster:

    $ oc get csr

NAME        AGE     REQUESTOR                                                                   CONDITION
csr-8b2br   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending (1)
csr-8vnps   15m     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending
csr-bfd72   5m26s   system:node:ip-10-0-50-126.us-east-2.compute.internal                       Pending (2)
csr-c57lv   5m26s   system:node:ip-10-0-95-157.us-east-2.compute.internal                       Pending
...
    1 A client request CSR.
    2 A server request CSR.

    In this example, two machines are joining the cluster. You might see more approved CSRs in the list.

  3. If the CSRs were not approved, after all of the pending CSRs for the machines you added are in Pending status, approve the CSRs for your cluster machines:

    Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After you approve the initial CSRs, the subsequent node client CSRs are automatically approved by the cluster kube-controller-manager. You must implement a method of automatically approving the kubelet serving certificate requests.

    • To approve them individually, run the following command for each valid CSR:

      $ oc adm certificate approve <csr_name> (1)
      1 <csr_name> is the name of a CSR from the list of current CSRs.

    • To approve all pending CSRs, run the following command:

      $ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
Additional information

Initial Operator configuration

After the control plane initializes, you must immediately configure some Operators so that they all become available.

Prerequisites

  • Your control plane has initialized.

Procedure

  1. Watch the cluster components come online:

    $ watch -n5 oc get clusteroperators

NAME                                 VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                       4.3.0     True        False         False      69s
cloud-credential                     4.3.0     True        False         False      12m
cluster-autoscaler                   4.3.0     True        False         False      11m
console                              4.3.0     True        False         False      46s
dns                                  4.3.0     True        False         False      11m
image-registry                       4.3.0     True        False         False      5m26s
ingress                              4.3.0     True        False         False      5m36s
kube-apiserver                       4.3.0     True        False         False      8m53s
kube-controller-manager              4.3.0     True        False         False      7m24s
kube-scheduler                       4.3.0     True        False         False      12m
machine-api                          4.3.0     True        False         False      12m
machine-config                       4.3.0     True        False         False      7m36s
marketplace                          4.3.0     True        False         False      7m54m
monitoring                           4.3.0     True        False         False      7h54s
network                              4.3.0     True        False         False      5m9s
node-tuning                          4.3.0     True        False         False      11m
openshift-apiserver                  4.3.0     True        False         False      11m
openshift-controller-manager         4.3.0     True        False         False      5m943s
openshift-samples                    4.3.0     True        False         False      3m55s
operator-lifecycle-manager           4.3.0     True        False         False      11m
operator-lifecycle-manager-catalog   4.3.0     True        False         False      11m
service-ca                           4.3.0     True        False         False      11m
service-catalog-apiserver            4.3.0     True        False         False      5m26s
service-catalog-controller-manager   4.3.0     True        False         False      5m25s
storage                              4.3.0     True        False         False      5m30s

  2. Configure the Operators that are not available.

Image registry storage configuration

The image-registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so the Registry Operator is made available.

Instructions for both configuring a PersistentVolume, which is required for production clusters, and for configuring an empty directory as the storage location, which is available for only non-production clusters, are shown.

Configuring registry storage for VMware vSphere

As a cluster administrator, following installation you must configure your registry to use storage.

Prerequisites

  • Cluster administrator permissions.

  • A cluster on VMware vSphere.

  • Provision persistent storage for your cluster. To deploy a private image registry, your storage must provide ReadWriteMany access mode.

    vSphere volumes do not support the ReadWriteMany access mode. You must use a different storage backend, such as NFS, to configure the registry storage.

  • Must have "100Gi" capacity.

Testing shows issues with using the NFS server on RHEL as storage backend for core services. This includes the OpenShift Container Registry and Quay, Prometheus for monitoring storage, and Elasticsearch for logging storage. Therefore, using RHEL NFS to back PVs used by core services is not recommended.

Other NFS implementations on the marketplace might not have these issues. Contact the individual NFS implementation vendor for more information on any testing that was possibly completed against these OpenShift Container Platform core components.
Procedure

  1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

    When using shared storage such as NFS, it is strongly recommended to use the supplementalGroups strategy, which dictates the allowable supplemental groups for the Security Context, rather than the fsGroup ID. Refer to the NFS Group IDs documentation for details.

  2. Verify you do not have a registry Pod:

    $ oc get pod -n openshift-image-registry

    • If the storage type is emptyDIR, the replica number cannot be greater than 1.

    • If the storage type is NFS, you must enable the no_wdelay and root_squash mount options. For example:

      # cat /etc/exports
/mnt/data *(rw,sync,no_wdelay,root_squash,insecure,fsid=0)
sh-4.3# exportfs -rv
exporting *:/mnt/data

  3. Check the registry configuration:

    $ oc edit configs.imageregistry.operator.openshift.io

storage:
  pvc:
    claim:

    Leave the claim field blank to allow the automatic creation of an image-registry-storage PVC.

  4. Optional: Add a new storage class to a PV:

    1. Create the PV:

      $ oc create -f -
      apiVersion: v1
kind: PersistentVolume
metadata:
  name: image-registry-pv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
      storage: 100Gi
  nfs:
    path: /registry
    server: 172.16.231.181
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs01
      $ oc get pv

    2. Create the PVC:

      $ oc create -n openshift-image-registry -f -
      apiVersion: "v1"
kind: "PersistentVolumeClaim"
metadata:
  name: "image-registry-pvc"
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  storageClassName: nfs01
  volumeMode: Filesystem
      $ oc get pvc -n openshift-image-registry

      Finally, add the name of your PVC:

      $ oc edit configs.imageregistry.operator.openshift.io -o yaml
      storage:
  pvc:
    claim: image-registry-pvc (1)
      1 Creating a custom PVC allows you to leave the claim field blank for default automatic creation of an image-registry-storage PVC.

  5. Check the clusteroperator status:

    $ oc get clusteroperator image-registry

Configuring storage for the image registry in non-production clusters

You must configure storage for the image registry Operator. For non-production clusters, you can set the image registry to an empty directory. If you do so, all images are lost if you restart the registry.

Procedure

  • To set the image registry storage to an empty directory:

    $ oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'

    Configure this option for only non-production clusters.

    If you run this command before the Image Registry Operator initializes its components, the oc patch command fails with the following error:

    Error from server (NotFound): configs.imageregistry.operator.openshift.io "cluster" not found

    Wait a few minutes and run the command again.

Completing installation on user-provisioned infrastructure

After you complete the Operator configuration, you can finish installing the cluster on infrastructure that you provide.

Prerequisites

  • Your control plane has initialized.

  • You have completed the initial Operator configuration.

Procedure

  1. Confirm that all the cluster components are online:

    $ watch -n5 oc get clusteroperators

NAME                                 VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE
authentication                       4.3.0     True        False         False      10m
cloud-credential                     4.3.0     True        False         False      22m
cluster-autoscaler                   4.3.0     True        False         False      21m
console                              4.3.0     True        False         False      10m
dns                                  4.3.0     True        False         False      21m
image-registry                       4.3.0     True        False         False      16m
ingress                              4.3.0     True        False         False      16m
kube-apiserver                       4.3.0     True        False         False      19m
kube-controller-manager              4.3.0     True        False         False      18m
kube-scheduler                       4.3.0     True        False         False      22m
machine-api                          4.3.0     True        False         False      22m
machine-config                       4.3.0     True        False         False      18m
marketplace                          4.3.0     True        False         False      18m
monitoring                           4.3.0     True        False         False      18m
network                              4.3.0     True        False         False      16m
node-tuning                          4.3.0     True        False         False      21m
openshift-apiserver                  4.3.0     True        False         False      21m
openshift-controller-manager         4.3.0     True        False         False      17m
openshift-samples                    4.3.0     True        False         False      14m
operator-lifecycle-manager           4.3.0     True        False         False      21m
operator-lifecycle-manager-catalog   4.3.0     True        False         False      21m
service-ca                           4.3.0     True        False         False      21m
service-catalog-apiserver            4.3.0     True        False         False      16m
service-catalog-controller-manager   4.3.0     True        False         False      16m
storage                              4.3.0     True        False         False      16m

    When all of the cluster Operators are AVAILABLE, you can complete the installation.

  2. Monitor for cluster completion:

    $ ./openshift-install --dir=<installation_directory> wait-for install-complete (1)
INFO Waiting up to 30m0s for the cluster to initialize...
    1 For <installation_directory>, specify the path to the directory that you stored the installation files in.

    The command succeeds when the Cluster Version Operator finishes deploying the OpenShift Container Platform cluster from Kubernetes API server.

    The Ignition config files that the installation program generates contain certificates that expire after 24 hours. You must keep the cluster running for 24 hours in a non-degraded state to ensure that the first certificate rotation has finished.

  3. Confirm that the Kubernetes API server is communicating with the Pods.

    1. To view a list of all Pods, use the following command:

      $ oc get pods --all-namespaces

NAMESPACE                         NAME                                            READY   STATUS      RESTARTS   AGE
openshift-apiserver-operator      openshift-apiserver-operator-85cb746d55-zqhs8   1/1     Running     1          9m
openshift-apiserver               apiserver-67b9g                                 1/1     Running     0          3m
openshift-apiserver               apiserver-ljcmx                                 1/1     Running     0          1m
openshift-apiserver               apiserver-z25h4                                 1/1     Running     0          2m
openshift-authentication-operator authentication-operator-69d5d8bf84-vh2n8        1/1     Running     0          5m
...

    2. View the logs for a Pod that is listed in the output of the previous command by using the following command:

      $ oc logs <pod_name> -n <namespace> (1)
      1 Specify the Pod name and namespace, as shown in the output of the previous command.

      If the Pod logs display, the Kubernetes API server can communicate with the cluster machines.

  4. Register your cluster on the Cluster registration page.

Next steps