The following topic addresses creating an OpenShift Dedicated on Google Cloud Platform (GCP) cluster using a service account key, which creates credentials required for cluster access. Service account keys produce long-lived credentials. To install and interact with an OpenShift Dedicated on Google Cloud Platform (GCP) cluster using Workload Identity Federation (WIF), which is the recommended authentication type because it provides enhanced security, see the topic Creating a cluster on GCP with Workload Identity Federation. |
You can install OpenShift Dedicated on Google Cloud Platform (GCP) by using your own GCP account through the Customer Cloud Subscription (CCS) model or by using a GCP infrastructure account that is owned by Red Hat.
You reviewed the introduction to OpenShift Dedicated and the documentation on architecture concepts.
You reviewed the OpenShift Dedicated cloud deployment options.
By using the Customer Cloud Subscription (CCS) billing model, you can create an OpenShift Dedicated cluster in an existing Google Cloud Platform (GCP) account that you own.
You must meet several prerequisites if you use the CCS model to deploy and manage OpenShift Dedicated into your GCP account.
You have configured your GCP account for use with OpenShift Dedicated.
You have configured the GCP account quotas and limits that are required to support the desired cluster size.
You have created a GCP project.
You have enabled the Google Cloud Resource Manager API in your GCP project. For more information about enabling APIs for your project, see the Google Cloud documentation.
You have an IAM service account in GCP called osd-ccs-admin
with the following roles attached:
Compute Admin
DNS Administrator
Security Admin
Service Account Admin
Service Account Key Admin
Service Account User
Organization Policy Viewer
Service Management Administrator
Service Usage Admin
Storage Admin
Compute Load Balancer Admin
Role Viewer
Role Administrator
You have created a key for your osd-ccs-admin
GCP service account and exported it to a file named osServiceAccount.json
.
For more information about creating a key for your GCP service account and exporting it to a JSON file, see Creating service account keys in the Google Cloud documentation. |
Consider having Enhanced Support or higher from GCP.
To prevent potential conflicts, consider having no other resources provisioned in the project prior to installing OpenShift Dedicated.
If you are configuring a cluster-wide proxy, you have verified that the proxy is accessible from the VPC that the cluster is being installed into.
Log in to OpenShift Cluster Manager and click Create cluster.
On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Dedicated row.
Under Billing model, configure the subscription type and infrastructure type:
Select a subscription type. For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.
The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. Red Hat recommends deploying your cluster with the On-Demand subscription type purchased through the Google Cloud Platform (GCP) Marketplace. This option provides flexible, consumption-based billing, consuming additional capacity is frictionless, and no Red Hat intervention is required. For more information, contact your sales representative or Red Hat support. |
Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own.
Click Next.
Select Run on Google Cloud Platform.
Select Service Account as the Authentication type.
Red Hat recommends using Workload Identity Federation as the Authentication type. For more information, see Creating a cluster on GCP with Workload Identity Federation. |
Review and complete the listed Prerequisites.
Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
Provide your GCP service account private key in JSON format. You can either click Browse to locate and attach a JSON file or add the details in the Service account JSON field.
Click Next to validate your cloud provider account and go to the Cluster details page.
On the Cluster details page, provide a name for your cluster and specify the cluster details:
Add a Cluster name.
Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on openshiftapps.com
. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
To customize the subdomain, select the Create customize domain prefix checkbox, and enter your domain prefix name in the Domain prefix field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
Select a cluster version from the Version drop-down menu.
Clusters configured with Private Service Connect (PSC) are only supported on OpenShift Dedicated version 4.17 and later. For more information regarding PSC, see Private Service Overview in the Additional resources section. |
Select a cloud provider region from the Region drop-down menu.
Select a Single zone or Multi-zone configuration.
Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.
To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint |
Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
Optional: Expand Advanced Encryption to make changes to encryption settings.
Select Use custom KMS keys to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting Use default KMS Keys.
To use custom KMS keys, the IAM service account |
With Use Custom KMS keys selected:
Select a key ring location from the Key ring location drop-down menu.
Select a key ring from the Key ring drop-down menu.
Select a key name from the Key name drop-down menu.
Provide the KMS Service Account.
Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
If Enable FIPS cryptography is selected, Enable additional etcd encryption is enabled by default and cannot be disabled. You can select Enable additional etcd encryption without selecting Enable FIPS cryptography. |
Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but the keys are not. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.
By enabling additional etcd encryption, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case. |
Click Next.
On the Default machine pool page, select a Compute node instance type from the drop-down menu.
Optional: Select the Enable autoscaling checkbox to enable autoscaling.
Click Edit cluster autoscaling settings to make changes to the autoscaling settings.
Once you have made your desired changes, click Close.
Select a minimum and maximum node count. Node counts can be selected by engaging the available plus and minus signs or inputting the desired node count into the number input field.
Select a Compute node count from the drop-down menu.
If you are using multiple availability zones, the compute node count is per zone. After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription. |
Optional: Expand Add node labels to add labels to your nodes. Click Add additional label to add an additional node label and select Next.
This step refers to labels within Kubernetes, not Google Cloud. For more information regarding Kubernetes labels, see Labels and Selectors. |
On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster. If you select Private and selected OpenShift Dedicated version 4.17 or later as your cluster version, Use Private Service Connect is selected by default. Private Service Connect (PSC) is Google Cloud’s security-enhanced networking feature. You can disable PSC by clicking the Use Private Service Connect checkbox.
Red Hat recommends using Private Service Connect when deploying a private OpenShift Dedicated cluster on Google Cloud. Private Service Connect ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE) and private OpenShift Dedicated clusters. |
If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account. |
Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):
Select Install into an existing VPC.
Private Service Connect is supported only with Install into an existing VPC. |
If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
In order to configure a cluster-wide proxy for your cluster, you must first create the Cloud network address translation (NAT) and a Cloud router. See the Additional resources section for more information. |
Accept the default application ingress settings, or to create your own custom settings, select Custom Settings.
Optional: Provide route selector.
Optional: Provide excluded namespaces.
Select a namespace ownership policy.
Select a wildcard policy.
For more information about custom application ingress settings, click on the information icon provided for each setting.
Click Next.
Optional: To install the cluster into a GCP Shared VPC:
To install a cluster into a Shared VPC, you must use OpenShift Dedicated version 4.13.15 or later. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see Enable a host project. |
Select Install into GCP Shared VPC.
Specify the Host project ID. If the specified host project ID is incorrect, cluster creation fails.
Once you complete the steps within the cluster configuration wizard and click Create Cluster, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: Compute Network Administrator, Compute Security Administrator, Project IAM Admin, and DNS Administrator. The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails. For information about Shared VPC permissions, see Provision Shared VPC. |
If you opted to install the cluster in an existing GCP VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.
If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project. |
If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:
Enter a value in at least one of the following fields:
Specify a valid HTTP proxy URL.
Specify a valid HTTPS proxy URL.
In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required if you use a TLS-inspecting proxy unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle. This requirement applies regardless of whether the proxy is transparent or requires explicit configuration using the http-proxy
and https-proxy
arguments.
Click Next.
For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.
In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
If you are installing into a VPC, the Machine CIDR range must match the VPC subnets. |
CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding. |
On the Cluster update strategy page, configure your update preferences:
Choose a cluster update method:
Select Individual updates if you want to schedule each update individually. This is the default option.
Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.
You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle. |
Provide administrator approval based on your cluster update method:
Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.
Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.
If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.
Click Next.
In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings. |
Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
Optional: On the Overview tab, you can enable the delete protection feature by selecting Enable, which is located directly under Delete Protection: Disabled. This will prevent your cluster from being deleted. To disable delete protection, select Disable. By default, clusters are created with the delete protection feature disabled.
If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation. |
You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.
Through OpenShift Cluster Manager, you can create an OpenShift Dedicated cluster on Google Cloud Platform (GCP) using a standard cloud provider account owned by Red Hat.
Log in to OpenShift Cluster Manager and click Create cluster.
In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.
Under Billing model, configure the subscription type and infrastructure type:
Select the Annual subscription type. Only the Annual subscription type is available when you deploy a cluster using a Red Hat cloud account.
For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.
You must have the required resource quota for the Annual subscription type to be available. For more information, contact your sales representative or Red Hat support. |
Select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
Click Next.
Select Run on Google Cloud Platform and click Next.
On the Cluster details page, provide a name for your cluster and specify the cluster details:
Add a Cluster name.
Optional: Cluster creation generates a domain prefix as a subdomain for your provisioned cluster on openshiftapps.com
. If the cluster name is less than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated as a 15-character string.
To customize the subdomain, select the Create custom domain prefix checkbox, and enter your domain prefix name in the Domain prefix field. The domain prefix cannot be longer than 15 characters, must be unique within your organization, and cannot be changed after cluster creation.
Select a cluster version from the Version drop-down menu.
Select a cloud provider region from the Region drop-down menu.
Select a Single zone or Multi-zone configuration.
Select a Persistent storage capacity for the cluster. For more information, see the Storage section in the OpenShift Dedicated service definition.
Specify the number of Load balancers that you require for your cluster. For more information, see the Load balancers section in the OpenShift Dedicated service definition.
Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.
To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint |
Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.
Optional: Expand Advanced Encryption to make changes to encryption settings.
Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
If Enable FIPS cryptography is selected, Enable additional etcd encryption is enabled by default and cannot be disabled. You can select Enable additional etcd encryption without selecting Enable FIPS cryptography. |
Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.
By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case. |
Click Next.
On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.
After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a machine pool. For clusters that use the CCS model, you can add machine pools after installation that use a different instance type. The number and types of nodes available to you depend on your OpenShift Dedicated subscription. |
Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.
Click Next.
In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.
CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding. If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider. |
On the Cluster update strategy page, configure your update preferences:
Choose a cluster update method:
Select Individual updates if you want to schedule each update individually. This is the default option.
Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.
You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle. |
Provide administrator approval based on your cluster update method:
Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.
Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.
If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.
Click Next.
In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings. |
Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
Optional: On the Overview tab, you can enable the delete protection feature by selecting Enable, which is located directly under Delete Protection: Disabled. This will prevent your cluster from being deleted. To disable delete protection, select Disable. By default, clusters are created with the delete protection feature disabled.
You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.
For information about Workload Identity Federation, see Creating a cluster on GCP with Workload Identity Federation.
For information about Private Service Connect (PSC), see Private Service Connect overview.
For information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.
For information about persistent storage for OpenShift Dedicated, see the Storage section in the OpenShift Dedicated service definition.
For information about load balancers for OpenShift Dedicated, see the Load balancers section in the OpenShift Dedicated service definition.
For more information about etcd encryption, see the etcd encryption service definition.
For information about the end-of-life dates for OpenShift Dedicated versions, see the OpenShift Dedicated update life cycle.
For general information about Cloud network address translation(NAT) that is required for cluster-wide proxy, see Cloud NAT overview in the Google documentation.
For general information about Cloud routers that are required for the cluster-wide proxy, see Cloud Router overview in the Google documentation.
For information about creating VPCs within your Google Cloud Provider account, see Create and manage VPC networks in the Google documentation.
For information about configuring identity providers, see Configuring identity providers.
For information about revoking cluster privileges, see Revoking privileges and access to an OpenShift Dedicated cluster.