×

This is a high level checklist of prerequisites needed to create a Red Hat OpenShift Service on AWS (ROSA) (classic architecture) cluster with STS.

The machine that you run the installation process from must have access to the following:

  • Amazon Web Services API and authentication service endpoints

  • Red Hat OpenShift API and authentication service endpoints (api.openshift.com and sso.redhat.com)

  • Internet connectivity to obtain installation artifacts

Starting with version 1.2.7 of the ROSA CLI, all OIDC provider endpoint URLs on new clusters use Amazon CloudFront and the oidc.op1.openshiftapps.com domain. This change improves access speed, reduces latency, and improves resiliency for new clusters created with the ROSA CLI 1.2.7 or later. There are no supported migration paths for existing OIDC provider configurations.

Accounts and permissions

Ensure that you have the following accounts, credentials, and permissions.

AWS account

Red Hat account

  • Create a Red Hat account for the Red Hat Hybrid Cloud Console if you do not already have one.

  • Gather the credentials required to log in to your Red Hat account.

CLI requirements

You need to download and install several CLI (command line interface) tools to be able to deploy a cluster.

AWS CLI (aws)

  1. Install the AWS Command Line Interface.

  2. Log in to your AWS account using the AWS CLI: Sign in through the AWS CLI

  3. Verify your account identity:

     $ aws sts get-caller-identity
  4. Check whether the service role for ELB (Elastic Load Balancing) exists:

    $ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"

    If the role does not exist, create it by running the following command:

    $ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

ROSA CLI (rosa)

  1. Install the ROSA CLI from the web console. See Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa for detailed instructions.

  2. Log in to your Red Hat account by running rosa login and following the instructions in the command output:

    $ rosa login
    To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
    ? Copy the token and paste it here:

    Alternatively, you can copy the full $ rosa login --token=abc…​ command and paste that in the terminal:

    $ rosa login --token=<abc..>
  3. Confirm you are logged in using the correct account and credentials:

    $ rosa whoami

OpenShift CLI (oc)

The OpenShift CLI (oc) is not required to deploy a Red Hat OpenShift Service on AWS cluster, but is a useful tool for interacting with your cluster after it is deployed.

  1. Download and install`oc` from the OpenShift Cluster Manager Command-line interface (CLI) tools page, or follow the instructions in Getting started with the OpenShift CLI.

  2. Verify that the OpenShift CLI has been installed correctly by running the following command:

    $ rosa verify openshift-client

AWS infrastructure prerequisites

  • Optionally, ensure that your AWS account has sufficient quota available to deploy a cluster.

    $ rosa verify quota

    This command only checks the total quota allocated to your account; it does not reflect the amount of quota already consumed from that quota. Running this command is optional because your quota is verified during cluster deployment. However, Red Hat recommends running this command to confirm your quota ahead of time so that deployment is not interrupted by issues with quota availability.

  • For more information about resources provisioned during ROSA cluster deployment, see Provisioned AWS Infrastructure.

  • For more information about the required AWS service quotas, see Required AWS service quotas.

Service Control Policy (SCP) prerequisites

ROSA clusters are hosted in an AWS account within an AWS organizational unit. A service control policy (SCP) is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access.

  • Ensure that your organization’s SCPs are not more restrictive than the roles and policies required by the cluster. For more information, see the Minimum set of effective permissions for SCPs.

  • When you create a ROSA cluster, an associated AWS OpenID Connect (OIDC) identity provider is created.

Networking prerequisites

Prerequisites needed from a networking standpoint.

Minimum bandwidth

During cluster deployment, Red Hat OpenShift Service on AWS requires a minimum bandwidth of 120 Mbps between cluster resources and public internet resources. When network connectivity is slower than 120 Mbps (for example, when connecting through a proxy) the cluster installation process times out and deployment fails.

After deployment, network requirements are determined by your workload. However, a minimum bandwidth of 120 Mbps helps to ensure timely cluster and operator upgrades.

Firewall

If you choose to deploy a PrivateLink cluster, then be sure to deploy the cluster in the pre-existing BYO VPC:

  • Create a public and private subnet for each AZ that your cluster uses.

    • Alternatively, implement transit gateway for internet and egress with appropriate routes.

  • The VPC’s CIDR block must contain the Networking.MachineCIDR range, which is the IP address for cluster machines.

    • The subnet CIDR blocks must belong to the machine CIDR that you specify.

  • Set both enableDnsHostnames and enableDnsSupport to true.

    • That way, the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster internal DNS records.

  • Verify route tables by running:

     ----
     $ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
     ----
    • Ensure that the cluster can egress either through NAT gateway in public subnet or through transit gateway.

    • Ensure whatever UDR you would like to follow is set up.

  • You can also configure a cluster-wide proxy during or after install. Configuring a cluster-wide proxy for more details.

You can install a non-PrivateLink ROSA cluster in a pre-existing BYO VPC.

Additional custom security groups

During cluster creation, you can add additional custom security groups to a cluster that has an existing non-managed VPC. To do so, complete these prerequisites before you create the cluster:

  • Create the custom security groups in AWS before you create the cluster.

  • Associate the custom security groups with the VPC that you are using to create the cluster. Do not associate the custom security groups with any other VPC.

  • You may need to request additional AWS quota for Security groups per network interface.

For more details see the detailed requirements for Security groups.

Custom DNS and domains

You can configure a custom domain name server and custom domain name for your cluster. To do so, complete the following prerequisites before you create the cluster:

  • By default, ROSA clusters require you to set the domain name servers option to AmazonProvidedDNS to ensure successful cluster creation and operation.

  • To use a custom DNS server and domain name for your cluster, the ROSA installer must be able to use VPC DNS with default DHCP options so that it can resolve internal IPs and services. This means that you must create a custom DHCP option set to forward DNS lookups to your DNS server, and associate this option set with your VPC before you create the cluster. For more information, see Deploying ROSA with a custom DNS resolver.

  • Confirm that your VPC is using VPC Resolver by running the following command:

    $ aws ec2 describe-dhcp-options