This is a checklist of prerequisites needed to create a Red Hat OpenShift Service on AWS (ROSA) classic cluster with STS.

This is a high level checklist and your implementation can vary.

Before running the installation process, verify that you deploy this from a machine that has access to:

  • The API services for the cloud to which you provision.

  • Access to api.openshift.com, oidc.op1.openshiftapps.com, and sso.redhat.com.

  • The hosts on the network that you provision.

  • The internet to obtain installation media.

Starting with version 1.2.7 of the ROSA CLI, all OIDC provider endpoint URLs on new clusters use Amazon CloudFront and the oidc.op1.openshiftapps.com domain. This change improves access speed, reduces latency, and improves resiliency for new clusters created with the ROSA CLI 1.2.7 or later. There are no supported migration paths for existing OIDC provider configurations.

Accounts and CLIs Prerequisites

Accounts and CLIs you must install to deploy the cluster.

AWS account

AWS CLI (aws)

  • Install from AWS Command Line Interface if you have not already.

  • Configure the CLI:

    1. Enter aws configure in the terminal:

      $ aws configure
    2. Enter the AWS Access Key ID and press enter.

    3. Enter the AWS Secret Access Key and press enter.

    4. Enter the default region you want to deploy into.

    5. Enter the output format you want, “table” or “json”.

    6. Verify the output by running:

       $ aws sts get-caller-identity
    7. Ensure that the service role for ELB already exists by running:

      $ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
      1. If it does not exist, run:

        $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

Red Hat account

ROSA CLI (rosa)

  1. Enable ROSA from your AWS account on the AWS console if you have not already.

  2. Install the CLI from Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa or from the OpenShift console AWS console.

  3. Enter rosa login in a terminal, and this will prompt you to go to the token page through the console:

    $ rosa login
  4. Log in with your Red Hat account credentials.

  5. Click the Load token button.

  6. Copy the token and paste it back into the CLI prompt and press enter.

    • Alternatively, you can copy the full $ rosa login --token=abc…​ command and paste that in the terminal:

      $ rosa login --token=<abc..>
  7. Verify your credentials by running:

    $ rosa whoami
  8. Ensure you have sufficient quota by running:

    $ rosa verify quota

OpenShift CLI (oc)

  1. Install from Getting started with the OpenShift CLI or from the OpenShift console Command-line interface (CLI) tools.

  2. Verify that the OpenShift CLI has been installed correctly by running:

    $ rosa verify openshift-client

Once you have the above prerequisites installed and enabled, proceed to the next steps.

SCP Prerequisites

ROSA clusters are hosted in an AWS account within an AWS organizational unit. A service control policy (SCP) is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access.

  • Ensure that your organization’s SCPs are not more restrictive than the roles and policies required by the cluster.

  • Ensure that your SCP is configured to allow the required aws-marketplace:Subscribe permission when you choose Enable ROSA from the console, and see AWS Organizations service control policy (SCP) is denying required AWS Marketplace permissions for more details.

  • When you create a ROSA classic cluster, an associated AWS OpenID Connect (OIDC) identity provider is created.

    • This OIDC provider configuration relies on a public key that is located in the us-east-1 AWS region.

    • Customers with AWS SCPs must allow the use of the us-east-1 AWS region, even if these clusters are deployed in a different region.

Networking Prerequisites

Prerequisites needed from a networking standpoint.


Additional custom security groups

When you create a cluster using an existing non-managed VPC, you can add additional custom security groups during cluster creation. Complete these prerequisites before you create the cluster:

  • Create the custom security groups in AWS before you create the cluster.

  • Associate the custom security groups with the VPC that you are using to create the cluster. Do not associate the custom security groups with any other VPC.

  • You may need to request additional AWS quota for Security groups per network interface.

For more details see the detailed requirements for Security groups.

Custom DNS

  • If you want to use custom DNS, then the ROSA installer must be able to use VPC DNS with default DHCP options so it can resolve hosts locally.

    • To do so, run aws ec2 describe-dhcp-options and see if the VPC is using VPC Resolver:

      $ aws ec2 describe-dhcp-options
  • Otherwise, the upstream DNS will need to forward the cluster scope to this VPC so the cluster can resolve internal IPs and services.

If you choose to deploy a PrivateLink cluster, then be sure to deploy the cluster in the pre-existing BYO VPC:

  • Create a public and private subnet for each AZ that your cluster uses.

    • Alternatively, implement transit gateway for internet and egress with appropriate routes.

  • The VPC’s CIDR block must contain the Networking.MachineCIDR range, which is the IP address for cluster machines.

    • The subnet CIDR blocks must belong to the machine CIDR that you specify.

  • Set both enableDnsHostnames and enableDnsSupport to true.

    • That way, the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster internal DNS records.

  • Verify route tables by running:

     $ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
    • Ensure that the cluster can egress either through NAT gateway in public subnet or through transit gateway.

    • Ensure whatever UDR you would like to follow is set up.

  • You can also configure a cluster-wide proxy during or after install. Configuring a cluster-wide proxy for more details.

You can install a non-PrivateLink ROSA cluster in a pre-existing BYO VPC.