
You can install OpenShift Dedicated on Amazon Web Services (AWS) by using your own AWS account through the Customer Cloud Subscription (CCS) model or by using an AWS infrastructure account that is owned by Red Hat.


Creating a cluster on AWS with CCS

By using the Customer Cloud Subscription (CCS) billing model, you can create an OpenShift Dedicated cluster in an existing Amazon Web Services (AWS) account that you own.

You must meet several prerequisites if you use the CCS model to deploy and manage OpenShift Dedicated into your AWS account.

Prerequisites
  • You have configured your AWS account for use with OpenShift Dedicated.

  • You have not deployed any services in your AWS account.

  • You have configured the AWS account quotas and limits that are required to support the desired cluster size.

  • You have an osdCcsAdmin AWS Identity and Access Management (IAM) user with the AdministratorAccess policy attached.

  • You have set up a service control policy (SCP) in your AWS organization. For more information, see Minimum required service control policy (SCP).

  • Consider having Business Support or higher from AWS.
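The account preparation behind these prerequisites can be scripted. The following is an added example and is not part of the OpenShift Dedicated documentation: it creates the osdCcsAdmin IAM user, attaches the AWS-managed AdministratorAccess policy, verifies the attachment, and refuses to run against an account other than the one whose ID you will type into the wizard. It also includes two offline format checks for values the wizard later asks for (the 12-digit account ID and a customer-managed KMS key ARN). The function names are this example's own; it assumes the AWS CLI is installed and the calling identity may manage IAM in the target account.

```shell
#!/bin/sh
# Added example, not part of the OpenShift Dedicated documentation: prepares
# the osdCcsAdmin IAM user that the CCS prerequisites call for, attaches the
# AWS-managed AdministratorAccess policy, and verifies the result. Function
# names are this example's own. Assumes the AWS CLI is installed and the
# calling identity is allowed to manage IAM in the target account.
set -eu

OSD_ADMIN_USER="osdCcsAdmin"
OSD_ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# An AWS account ID is exactly 12 decimal digits. Pure string check, no API call.
osd_valid_account_id() {
  case "$1" in
    ????????????) case "$1" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# A customer-managed KMS key ARN, as accepted by "Encrypt persistent volumes
# with customer keys", has the form arn:aws:kms:<region>:<account>:key/<key-id>.
# The region is only required to be non-empty; the account must be 12 digits.
osd_valid_kms_key_arn() {
  case "$1" in
    arn:aws:kms:?*:????????????:key/?*)
      acct=${1#arn:aws:kms:*:}; acct=${acct%%:*}
      case "$acct" in *[!0-9]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Refuse to run against the wrong account: compare the caller's account with
# the account ID that will be entered in the Create cluster wizard.
osd_check_account() {
  actual=$(aws sts get-caller-identity --query Account --output text)
  [ "$actual" = "$1" ]
}

# Idempotent: get-user succeeds when the user already exists, so re-running
# only (re)attaches the policy.
osd_ensure_admin_user() {
  if ! aws iam get-user --user-name "$OSD_ADMIN_USER" >/dev/null 2>&1; then
    aws iam create-user --user-name "$OSD_ADMIN_USER" >/dev/null
  fi
  aws iam attach-user-policy --user-name "$OSD_ADMIN_USER" \
    --policy-arn "$OSD_ADMIN_POLICY_ARN"
}

# Verify that AdministratorAccess is among the user's attached managed policies.
osd_verify_admin_user() {
  aws iam list-attached-user-policies --user-name "$OSD_ADMIN_USER" \
    --query 'AttachedPolicies[].PolicyArn' --output text | grep -Fq "$OSD_ADMIN_POLICY_ARN"
}

# Create the access key pair the wizard asks for. The secret is returned only
# once; keep both values in a secrets manager rather than in shell history,
# and remember that revoking this key later removes access to the cluster
# that was created with it.
osd_create_admin_key() {
  aws iam create-access-key --user-name "$OSD_ADMIN_USER" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Nothing runs unless "apply <account-id>" is given, so the file can be
# sourced for its functions without side effects.
if [ "${1:-}" = "apply" ]; then
  acct_id=${2:-}
  osd_valid_account_id "$acct_id" || { echo "usage: $0 apply <12-digit-account-id>" >&2; exit 2; }
  osd_check_account "$acct_id" || { echo "AWS CLI is not authenticated to account $acct_id" >&2; exit 1; }
  osd_ensure_admin_user
  if osd_verify_admin_user; then
    echo "$OSD_ADMIN_USER has $OSD_ADMIN_POLICY_ARN attached"
  else
    echo "policy attachment could not be verified" >&2; exit 1
  fi
  osd_create_admin_key
fi
```

Run it as `sh prepare-osd-ccs-admin.sh apply 123456789012` (a constructed account ID) from a session already authenticated to that account. The `osd_check_account` step is the one worth keeping even if you create the user by hand: an AdministratorAccess user created in the wrong account is easy to forget and hard to find later.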

Procedure
  1. Log in to OpenShift Cluster Manager and click Create cluster.

  2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

  3. Under Billing model, configure the subscription type and infrastructure type:

    1. Select a subscription type. For information about OpenShift Dedicated subscription options, see Managing OpenShift Dedicated cluster subscriptions in the OpenShift Cluster Manager documentation.

      The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.

    2. Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own.

    3. Click Next.

  4. Select Run on Amazon Web Services.

  5. Click Prerequisites to review the prerequisites for installing OpenShift Dedicated on AWS with CCS.

  6. Provide your AWS account details:

    1. Enter your AWS account ID.

    2. Enter your AWS access key ID and AWS secret access key for your AWS IAM user account.

      Revoking these credentials in AWS results in a loss of access to any cluster created with these credentials.

    3. Optional: You can select Bypass AWS service control policy (SCP) checks to disable the SCP checks.

      Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed.

  7. Validate your cloud provider account and then click Next.

  8. On the Cluster details page, provide a name for your cluster and specify the cluster details:

    1. Add a Cluster name.

    2. Select a cluster version from the Version drop-down menu.

    3. Select a cloud provider region from the Region drop-down menu.

    4. Select a Single zone or Multi-zone configuration.

    5. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

    6. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

    7. Optional: Select Encrypt persistent volumes with customer keys if you want to provide your own AWS Key Management Service (KMS) key Amazon Resource Name (ARN). These keys are used for encrypting all control plane, infrastructure, and worker node root volumes.

    8. Click Next.

  9. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

    After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool.

  10. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.

  11. In the Cluster privacy section, select Public or Private to use either public or private API endpoints and application routes for your cluster.

    If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.

  12. Optional: To install the cluster in an existing AWS Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.

    2. If you opted to use private API endpoints and are installing into an existing VPC, you can select Use a PrivateLink to enable connections to the cluster by Red Hat Site Reliability Engineering (SRE) using only AWS PrivateLink endpoints. This option cannot be changed after a cluster is created.

  13. Click Next.

  14. If you opted to install the cluster in an existing AWS VPC, provide your Virtual Private Cloud (VPC) subnet settings.

    You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.

  15. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    If you are installing into a VPC, the Machine CIDR range must match the VPC subnets.

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

  16. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

      • Select Individual updates if you want to schedule each update individually. This is the default option.

      • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

        You can review the end-of-life dates in the update life cycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

      • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

      • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

        For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.

    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

      In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

  17. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

Verification
  • You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.

Creating a cluster on AWS with a Red Hat cloud account

Through OpenShift Cluster Manager, you can create an OpenShift Dedicated cluster on Amazon Web Services (AWS) using a standard cloud provider account owned by Red Hat.

Procedure
  1. Log in to OpenShift Cluster Manager and click Create cluster.

  2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

  3. Under Billing model, configure the subscription type and infrastructure type:

    1. Select the Annual subscription type. Only the Annual subscription type is available when you deploy a cluster using a Red Hat cloud account.

      For information about OpenShift Dedicated subscription options, see Managing OpenShift Dedicated cluster subscriptions in the OpenShift Cluster Manager documentation.

      You must have the required resource quota for the Annual subscription type to be available. For more information, contact your sales representative or Red Hat support.

    2. Select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.

    3. Click Next.

  4. Select Run on Amazon Web Services and click Next.

  5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

    1. Add a Cluster name.

    2. Select a cluster version from the Version drop-down menu.

    3. Select a cloud provider region from the Region drop-down menu.

    4. Select a Single zone or Multi-zone configuration.

    5. Select a Persistent storage capacity for the cluster. For more information, see the Storage section in the OpenShift Dedicated service definition.

    6. Specify the number of Load balancers that you require for your cluster. For more information, see the Load balancers section in the OpenShift Dedicated service definition.

    7. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

    8. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

    9. Click Next.

  6. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

    After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a machine pool. For clusters that use the CCS model, you can add machine pools after installation that use a different instance type.

  7. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.

  8. In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.

  9. Click Next.

  10. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

    If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider.

  11. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

      • Select Individual updates if you want to schedule each update individually. This is the default option.

      • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

        You can review the end-of-life dates in the update life cycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

      • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

      • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

        For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.

    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

      In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

  12. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.
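Because the CIDR settings chosen in the CIDR ranges dialog (step 15 of the CCS procedure and step 10 of the Red Hat cloud account procedure) cannot be changed after installation, it is worth checking a planned set of ranges before clicking Next. The following is an added example and is not part of the OpenShift Dedicated documentation: POSIX sh functions that confirm the Machine, Service and Pod CIDRs are disjoint and, for a CCS install into an existing VPC, that every subnet handed to the wizard lies inside the Machine CIDR. Function names and the sample ranges at the bottom are this example's own constructed values; compare the defaults against what the dialog actually shows.

```shell
#!/bin/sh
# Added example, not part of the OpenShift Dedicated documentation: offline
# sanity checks for the CIDR ranges step, written in POSIX sh arithmetic so
# they run before anything is typed into the wizard. Function names are this
# example's own; the sample ranges at the bottom are constructed values.

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Netmask for a prefix length, as an integer (0xFFFFFFFF for /32, 0 for /0).
prefix_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# First and last address of a.b.c.d/n, as integers.
cidr_first() {
  echo $(( $(ip2int "${1%/*}") & $(prefix_mask "${1#*/}") ))
}
cidr_last() {
  echo $(( $(cidr_first "$1") | (0xFFFFFFFF ^ $(prefix_mask "${1#*/}")) ))
}

# True when $2 lies entirely inside $1.
cidr_contains() {
  [ "$(cidr_first "$2")" -ge "$(cidr_first "$1")" ] &&
  [ "$(cidr_last "$2")" -le "$(cidr_last "$1")" ]
}

# True when the two ranges share at least one address.
cidr_overlaps() {
  [ "$(cidr_first "$1")" -le "$(cidr_last "$2")" ] &&
  [ "$(cidr_first "$2")" -le "$(cidr_last "$1")" ]
}

# check_osd_cidrs MACHINE SERVICE POD [VPC_SUBNET ...]
# The three cluster ranges must be disjoint, and when installing into an
# existing VPC every subnet given to the wizard must sit inside the Machine
# CIDR. Prints each violation; returns 1 if there was any.
check_osd_cidrs() {
  machine=$1; service=$2; pod=$3; shift 3
  rc=0
  cidr_overlaps "$machine" "$service" && { echo "FAIL: Machine CIDR $machine overlaps Service CIDR $service"; rc=1; }
  cidr_overlaps "$machine" "$pod"     && { echo "FAIL: Machine CIDR $machine overlaps Pod CIDR $pod"; rc=1; }
  cidr_overlaps "$service" "$pod"     && { echo "FAIL: Service CIDR $service overlaps Pod CIDR $pod"; rc=1; }
  for subnet in "$@"; do
    cidr_contains "$machine" "$subnet" || { echo "FAIL: VPC subnet $subnet is outside Machine CIDR $machine"; rc=1; }
  done
  return $rc
}

# Constructed sample plan: cluster ranges in the style of the dialog defaults,
# plus two VPC subnets, one of which was deliberately carved outside the
# Machine CIDR so the check has something to report.
if check_osd_cidrs 10.0.0.0/16 172.30.0.0/16 10.128.0.0/14 10.0.0.0/19 10.1.0.0/19; then
  echo "CIDR plan is consistent"
else
  echo "fix the plan before clicking Next: CIDR settings cannot be changed after installation"
fi
```

The Machine CIDR check is the one that bites in practice: a subnet that is merely in the same VPC but outside the Machine CIDR passes a casual glance and fails the installation. Run the script as written to see the sample failure, then call `check_osd_cidrs` with your own ranges and subnets.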

Verification
  • You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.
