×

Red Hat OpenShift Service on AWS (ROSA) provides a model that allows Red Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.

AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on Red Hat OpenShift Service on AWS (ROSA) because it provides enhanced security.

Ensure that the following AWS prerequisites are met before installing ROSA with STS.

Deployment Prerequisites

To deploy Red Hat OpenShift Service on AWS (ROSA) into your existing Amazon Web Services (AWS) account, Red Hat requires that several prerequisites are met.

Red Hat recommends the use of AWS Organizations to manage multiple AWS accounts. The AWS Organizations, managed by the customer, host multiple AWS accounts. There is a root account in the organization that all accounts will refer to in the account hierarchy.

It is a best practice for the ROSA cluster to be hosted in an AWS account within an AWS Organizational Unit. A service control policy (SCP) is created and applied to the AWS Organizational Unit that manages what services the AWS sub-accounts are permitted to access. The SCP applies only to available permissions within a single AWS account for all AWS sub-accounts within the Organizational Unit. It is also possible to apply a SCP to a single AWS account. All other accounts in the customer’s AWS Organizations are managed in whatever manner the customer requires. Red Hat Site Reliability Engineers (SRE) will not have any control over SCPs within AWS Organizations.

When you create a ROSA cluster using AWS STS, an associated AWS OpenID Connect (OIDC) identity provider is created as well. This OIDC provider configuration relies on a public key that is located in the us-east-1 AWS region. Customers with AWS SCPs must allow the use of the us-east-1 AWS region, even if these clusters are deployed in a different region.

Customer requirements when using STS for deployment

The following prerequisites must be complete before you deploy a Red Hat OpenShift Service on AWS (ROSA) cluster that uses the AWS Security Token Service (STS).

Account

  • You must ensure that the AWS limits are sufficient to support Red Hat OpenShift Service on AWS provisioned within your AWS account. Running rosa verify quota in the CLI validates that you have the required quota to run a cluster.

    Quota verification checks your AWS quota, but it does not compare your consumption to your AWS quota. See the "Limits and scalability" link in Additional resources for more information.

  • If SCP policies are applied and enforced, these policies must not be more restrictive than the roles and policies required by the cluster.

  • Your AWS account should not be transferable to Red Hat.

  • You should not impose additional AWS usage restrictions beyond the defined roles and policies on Red Hat activities. Imposing restrictions will severely hinder Red Hat’s ability to respond to incidents.

  • You may deploy native AWS services within the same AWS account.

  • Your account must have a service-linked role set up as it is required for elastic load balancers (ELBs) to be configured. See the "Creating the service role for the elastic load balancer (ELB)" link in the Additional resources for information about creating a service-linked role for your ELB if you have not created a load balancer in your AWS account previously.

    You are encouraged, but not required, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting Red Hat OpenShift Service on AWS and other Red Hat supported services.

AWS account association

Red Hat OpenShift Service on AWS (ROSA) cluster-provisioning tasks require linking ocm-role and user-role OpenShift Cluster Manager IAM resources to your AWS account using your Amazon Resource Name (ARN).

The ocm-role ARN is stored as a label in your Red Hat organization while the user-role ARN is stored as a label inside your Red Hat user account. Red Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform the necessary tasks in the AWS account.

Linking your AWS account

You link your AWS account using the rosa CLI.

Prerequisites
  • You have an AWS account.

  • You are using OpenShift Cluster Manager to create clusters.

  • You have the permissions required to install AWS account-wide roles.

  • You have installed and configured the latest AWS (aws) and ROSA (rosa) CLIs on your installation host.

  • You have created your ocm-role and user-role IAM roles.

Procedure
  1. From the CLI, link your ocm-role resource to your Red Hat organization by using your Amazon Resource Name (ARN):

    You must have Red Hat Organization Administrator privileges to run the rosa link command. After you link the ocm-role resource with your AWS account, it is visible for all users in the organization.

    $ rosa link ocm-role --role-arn <arn>
    Example output
    I: Linking OCM role
    ? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
    I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'
  2. From the CLI, link your user-role resource to your Red Hat user account by using your Amazon Resource Name (ARN):

    $ rosa link user-role --role-arn <arn>
    Example output
    I: Linking User role
    ? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' role with organization '<AWS ID>'? Yes
    I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' with organization account '<AWS ID>'

Associating multiple AWS accounts with your Red Hat organization

You can associate multiple AWS accounts with your Red Hat organization. Associating multiple accounts lets you create Red Hat OpenShift Service on AWS (ROSA) clusters on any of the associated AWS accounts from your Red Hat organization.

With this feature, you can create clusters in different AWS regions by using multiple AWS profiles as region-bound environments.

Prerequisites
  • You have an AWS account.

  • You are using OpenShift Cluster Manager to create clusters.

  • You have the permissions required to install AWS account-wide roles.

  • You have installed and configured the latest AWS (aws) and ROSA (rosa) CLIs on your installation host.

  • You have created your ocm-role and user-role IAM roles.

Procedure

To associate an additional AWS account, first create a profile in your local AWS configuration. Then, associate the account with your Red Hat organization by creating the ocm-role, user, and account roles in the additional AWS account.

To create the roles in an additional region, specify the --profile <aws-profile> parameter when running the rosa create commands and replace <aws_profile> with the additional account profile name:

  • To specify an AWS account profile when creating an OpenShift Cluster Manager role:

    $ rosa create --profile <aws_profile> ocm-role
  • To specify an AWS account profile when creating a user role:

    $ rosa create --profile <aws_profile> user-role
  • To specify an AWS account profile when creating the account roles:

    $ rosa create --profile <aws_profile> account-roles

If you do not specify a profile, the default AWS profile is used.

Access requirements

  • Red Hat must have AWS console access to the customer-provided AWS account. Red Hat protects and manages this access.

  • You must not use the AWS account to elevate your permissions within the Red Hat OpenShift Service on AWS cluster.

  • Actions available in the rosa CLI utility or OpenShift Cluster Manager console must not be directly performed in your AWS account.

  • You do not need to have a preconfigured domain to deploy ROSA clusters. If you wish to use a custom domain, see the Additional resources for information.

Support requirements

  • Red Hat recommends that the customer have at least Business Support from AWS.

  • Red Hat may have permission from the customer to request AWS support on their behalf.

  • Red Hat may have permission from the customer to request AWS resource limit increases on the customer’s account.

  • Red Hat manages the restrictions, limitations, expectations, and defaults for all Red Hat OpenShift Service on AWS clusters in the same manner, unless otherwise specified in this requirements section.

Security requirements

  • Volume snapshots will remain within the customer’s AWS account and customer-specified region.

  • Red Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.

  • Red Hat must have egress allowed to the documented domains. See the "AWS firewall prerequisites" section for the designated domains.

Additional resources

Requirements for deploying a cluster in an opt-in region

An AWS opt-in region is a region that is not enabled by default. If you want to deploy a Red Hat OpenShift Service on AWS (ROSA) cluster that uses the AWS Security Token Service (STS) in an opt-in region, you must meet the following requirements:

  • The region must be enabled in your AWS account. For more information about enabling opt-in regions, see Managing AWS Regions in the AWS documentation.

  • The security token version in your AWS account must be set to version 2. You cannot use version 1 security tokens for opt-in regions.

    Updating to security token version 2 can impact the systems that store the tokens, due to the increased token length. For more information, see the AWS documentation on setting STS preferences.

Setting the AWS security token version

If you want to create a Red Hat OpenShift Service on AWS (ROSA) cluster with the AWS Security Token Service (STS) in an AWS opt-in region, you must set the security token version to version 2 in your AWS account.

Prerequisites
  • You have installed and configured the latest AWS CLI on your installation host.

Procedure
  1. List the ID of the AWS account that is defined in your AWS CLI configuration:

    $ aws sts get-caller-identity --query Account --output json

    Ensure that the output matches the ID of the relevant AWS account.

  2. List the security token version that is set in your AWS account:

    $ aws iam get-account-summary --query SummaryMap.GlobalEndpointTokenVersion --output json
    Example output
    1
  3. To update the security token version to version 2 for all regions in your AWS account, run the following command:

    $ aws iam set-security-token-service-preferences --global-endpoint-token-version v2Token

    Updating to security token version 2 can impact the systems that store the tokens, due to the increased token length. For more information, see the AWS documentation on setting STS preferences.

Red Hat managed IAM references for AWS

With the STS deployment model, Red Hat is no longer responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles.

Provisioned AWS Infrastructure

This is an overview of the provisioned Amazon Web Services (AWS) components on a deployed Red Hat OpenShift Service on AWS (ROSA) cluster. For a more detailed listing of all provisioned AWS components, see the OpenShift Container Platform documentation.

EC2 instances

AWS EC2 instances are required for deploying the control plane and data plane functions of ROSA in the AWS public cloud.

Instance types can vary for control plane and infrastructure nodes, depending on the worker node count. At a minimum, the following EC2 instances will be deployed:

  • Three m5.2xlarge control plane nodes

  • Two r5.xlarge infrastructure nodes

  • Two m5.xlarge customizable worker nodes

For further guidance on worker node counts, see the link to "Initial Planning Considerations" in the "Additional resources" section of this page.

AWS Elastic Block Store (EBS) storage

Amazon EBS block storage is used for both local node storage and persistent volume storage.

Volume requirements for each EC2 instance:

  • Control Plane Volume

    • Size: 350GB

    • Type: io1

    • Input/Output Operations Per Second: 1000

  • Infrastructure Volume

    • Size: 300GB

    • Type: gp2

    • Input/Output Operations Per Second: 900

  • Worker Volume

    • Size: 300GB

    • Type: gp2

    • Input/Output Operations Per Second: 900

Elastic load balancers

Up to two Network Elastic Load Balancers (ELBs) for API and up to two Classic ELBs for application router. For more information, see the ELB documentation for AWS.

S3 storage

The image registry and Elastic Block Store (EBS) volume snapshots are backed by AWS S3 storage. Pruning of resources is performed regularly to optimize S3 usage and cluster performance.

Two buckets are required with a typical size of 2TB each.

VPC

Customers should expect to see one VPC per cluster. Additionally, the VPC will need the following configurations:

  • Subnets: Two subnets for a cluster with a single availability zone, or six subnets for a cluster with multiple availability zones.

  • Router tables: One router table per private subnet, and one additional table per cluster.

  • Internet gateways: One Internet Gateway per cluster.

  • NAT gateways: One NAT Gateway per public subnet.

Sample VPC Architecture

VPC Reference Architecture

Security groups

AWS security groups provide security at the protocol and port access level; they are associated with EC2 instances and Elastic Load Balancers. Each security group contains a set of rules that filter traffic coming in and out of an EC2 instance. You must ensure the ports required for the OpenShift installation are open on your network and configured to allow access between hosts.

Group Type IP Protocol Port range

MasterSecurityGroup

AWS::EC2::SecurityGroup

icmp

0

tcp

22

tcp

6443

tcp

22623

WorkerSecurityGroup

AWS::EC2::SecurityGroup

icmp

0

tcp

22

BootstrapSecurityGroup

AWS::EC2::SecurityGroup

tcp

22

tcp

19531

Only ROSA clusters deployed with PrivateLink can use a firewall to control egress traffic.

This section provides the necessary details that enable you to control egress traffic from your Red Hat OpenShift Service on AWS cluster. If you are using a firewall to control egress traffic, you must configure your firewall to grant access to the domain and port combinations below. Red Hat OpenShift Service on AWS requires this access to provide a fully managed OpenShift service.

Procedure
  1. Allowlist the following URLs that are used to install and download packages and tools:

    Domain Port Function

    registry.redhat.io

    443

    Provides core container images.

    quay.io

    443

    Provides core container images.

    *.quay.io

    443

    Provides core container images.

    sso.redhat.com

    443, 80

    Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.

    quay-registry.s3.amazonaws.com

    443

    Provides core container images.

    cm-quay-production-s3.s3.amazonaws.com

    443

    Provides core container images.

    cart-rhcos-ci.s3.amazonaws.com

    443

    Provides Red Hat Enterprise Linux CoreOS (RHCOS) images.

    openshift.org

    443

    Provides Red Hat Enterprise Linux CoreOS (RHCOS) images.

    registry.access.redhat.com

    443

    Provides access to the odo CLI tool that helps developers build on OpenShift and Kubernetes.

    console.redhat.com

    443, 80

    Required. Allows interactions between the cluster and OpenShift Console Manager to enable functionality, such as scheduling upgrades.

    sso.redhat.com

    443

    The https://console.redhat.com/openshift site uses authentication from sso.redhat.com.

    pull.q1w2.quay.rhcloud.com

    443

    Provides core container images as a fallback when quay.io is not available.

    .q1w2.quay.rhcloud.com

    443

    Provides core container images as a fallback when quay.io is not available.

    When you add a site such as quay.io to your allowlist, do not add a wildcard entry such as *.quay.io to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as cdn01.quay.io.

    CDN host names, such as cdn01.quay.io, are covered when you add a wildcard entry, such as .quay.io, in your allowlist.

  2. Allowlist the following telemetry URLs:

    Domain Port Function

    cert-api.access.redhat.com

    443

    Required for telemetry.

    api.access.redhat.com

    443

    Required for telemetry.

    infogw.api.openshift.com

    443

    Required for telemetry.

    console.redhat.com

    443

    Required for telemetry and Red Hat Insights.

    observatorium.api.openshift.comm

    443

    Required for managed OpenShift-specific telemetry.

    Managed clusters require enabling telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. See About remote health monitoring for more information about how remote health monitoring data is used by Red Hat.

  3. Allowlist the following Amazon Web Services (AWS) API URls:

    Domain Port Function

    .amazonaws.com

    443

    Required to access AWS services and resources.

    Alternatively, if you choose to not use a wildcard for Amazon Web Services (AWS) APIs, you must allowlist the following URLs:

    Domain Port Function

    ec2.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    events.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    iam.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    route53.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    sts.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    tagging.us-east-1.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in.

    ec2.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    elasticloadbalancing.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    servicequotas.<aws region>.amazonaws.com

    443, 80

    Required. Used to confirm quotas for deploying the service.

    tagging.<region>.amazonaws.com

    443, 80

    Allows the assignment of metadata about AWS resources in the form of tags.

  4. Allowlist the following OpenShift URLs:

    Domain Port Function

    mirror.openshift.com

    443

    Used to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator (CVO) needs only a single functioning source.

    storage.googleapis.com/openshift-release (Recommended)

    443

    Alternative site to mirror.openshift.com/. Used to download platform release signatures that are used by the cluster to know what images to pull from quay.io.

    api.openshift.com

    443

    Used to check if updates are available for the cluster.

  5. Allowlist the following site reliability engineering (SRE) and management URLs:

    Domain Port Function

    api.pagerduty.com

    443

    This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

    events.pagerduty.com

    443

    This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

    api.deadmanssnitch.com

    443

    Alerting service used by Red Hat OpenShift Service on AWS to send periodic pings that indicate whether the cluster is available and running.

    nosnch.in

    443

    Alerting service used by Red Hat OpenShift Service on AWS to send periodic pings that indicate whether the cluster is available and running.

    *.osdsecuritylogs.splunkcloud.com OR inputs1.osdsecuritylogs.splunkcloud.com inputs2.osdsecuritylogs.splunkcloud.com inputs4.osdsecuritylogs.splunkcloud.com inputs5.osdsecuritylogs.splunkcloud.com inputs6.osdsecuritylogs.splunkcloud.com inputs7.osdsecuritylogs.splunkcloud.com inputs8.osdsecuritylogs.splunkcloud.com inputs9.osdsecuritylogs.splunkcloud.com inputs10.osdsecuritylogs.splunkcloud.com inputs11.osdsecuritylogs.splunkcloud.com inputs12.osdsecuritylogs.splunkcloud.com inputs13.osdsecuritylogs.splunkcloud.com inputs14.osdsecuritylogs.splunkcloud.com inputs15.osdsecuritylogs.splunkcloud.com

    9997

    Used by the splunk-forwarder-operator as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.

    http-inputs-osdsecuritylogs.splunkcloud.com

    443

    Required. Used by the splunk-forwarder-operator as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.

    sftp.access.redhat.com (Recommended)

    22

    The SFTP server used by must-gather-operator to upload diagnostic logs to help troubleshoot issues with the cluster.

  6. If you did not allow a wildcard for Amazon Web Services (AWS) APIs, you must also allow the S3 bucket used for the internal OpenShift registry. To retrieve that endpoint, run the following command after the cluster is successfully provisioned:

    $ oc -n openshift-image-registry get pod -l docker-registry=default -o json | jq '.items[].spec.containers[].env[] | select(.name=="REGISTRY_STORAGE_S3_BUCKET")'

    The S3 endpoint should be in the following format: '<cluster-name>-<random-string>-image-registry-<cluster-region>-<random-string>.s3.dualstack.<cluster-region>.amazonaws.com'.

  7. Allowlist any site that provides resources for a language or framework that your builds require.

  8. Allowlist any outbound URLs that depend on the languages and frameworks used in OpenShift. See OpenShift Outbound URLs to Allow for a list of recommended URLs to be allowed on the firewall or proxy.