$ rosa create cluster --cluster-name=<cluster_name> --debug
Managing objects with the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
, such as adding dedicated-admin
users, managing clusters, and scheduling cluster upgrades.
To access a cluster that is accessible only over an HTTP proxy server, you can set the |
These common commands and arguments are available for the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
.
Enables debug mode for the parent command to help with troubleshooting.
$ rosa create cluster --cluster-name=<cluster_name> --debug
Downloads the latest compatible version of the specified software to the current directory in an archive file. Extract the contents of the archive and add the contents to your path to use the software. To download the latest ROSA CLI, specify rosa
. To download the latest OpenShift CLI, specify oc
.
$ rosa download <software>
Displays general help information for the ROSA CLI (rosa
) and a list of available commands. This option can also be used as an argument to display help information for a parent command, such as version
or create
.
Displays general help for the ROSA CLI.
$ rosa --help
Displays general help for version
.
$ rosa version --help
Enables interactive mode.
$ rosa create cluster --cluster-name=<cluster_name> --interactive
Specifies an AWS profile from your credential file.
$ rosa create cluster --cluster-name=<cluster_name> --profile=myAWSprofile
Displays the rosa
version and checks whether a newer version is available.
$ rosa version [arguments]
Displayed when a newer version of the ROSA CLI is available.
1.2.12
There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/
The Red Hat OpenShift Service on AWS (ROSA) CLI, rosa
, uses parent commands with child commands to manage objects. The parent commands are create
, edit
, delete
, list
, and describe
. Not all parent commands can be used with all child commands. For more information, see the specific reference topics that describes the child commands.
Creates an object or resource when paired with a child command.
$ rosa create cluster --cluster-name=mycluster
Edits options for an object, such as making a cluster private.
$ rosa edit cluster --cluster=mycluster --private
Deletes an object or resource when paired with a child command.
$ rosa delete ingress --cluster=mycluster
This section describes the create
commands for clusters and resources.
Create the required account-wide role and policy resources for your cluster.
$ rosa create account-roles [flags]
Option | Definition |
---|---|
--debug |
Enable debug mode. |
-i, --interactive |
Enable interactive mode. |
-m, --mode string |
How to perform the operation. Valid options are:
|
--path string |
The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies. |
--permissions-boundary string |
The ARN of the policy that is used to set the permissions boundary for the account roles. |
--prefix string |
User-defined prefix for all generated AWS resources. The default is |
--profile string |
Use a specific AWS profile from your credential file. |
-y, --yes |
Automatically answer yes to confirm operations. |
Create a cluster administrator with an automatically generated password that can log in to a cluster.
$ rosa create admin --cluster=<cluster_name>|<cluster_id>
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> |
Required. The name or ID (string) of the cluster to add to the identity provider (IDP). |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile string |
Specifies an AWS profile from your credentials file. |
Create a cluster administrator that can log in to a cluster named mycluster
.
$ rosa create admin --cluster=mycluster
Create a break glass credential for a hosted control plane cluster with external authentication enabled.
$ rosa create break-glass-credential --cluster=<cluster_name> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster to which the break glass credential will be added. |
--expiration |
Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours. |
--username |
Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--region |
Specifies an AWS region, overriding the |
--yes |
Automatically answers |
Add a break glass credential to a cluster named mycluster
.
$ rosa create break-glass-credential --cluster=mycluster
Add a break glass credential to a cluster named mycluster
using the interactive mode.
$ rosa create break-glass-credential --cluster=mycluster -i
Create a new cluster.
$ rosa create cluster --cluster-name=<cluster_name> [arguments]
Option | Definition | ||
---|---|---|---|
--additional-compute-security-group-ids <sec_group_id> |
The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
||
--additional-infra-security-group-ids <sec_group_id> |
The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
||
--additional-control-plane-security-group-ids <sec_group_id> |
The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
||
--additional-allowed-principals <arn> |
A comma-separated list of additional allowed principal ARNs to be added to the hosted control plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted. |
||
--cluster-name <cluster_name> |
Required. The name of the cluster. When used with the |
||
--compute-machine-type <instance_type> |
The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, see AWS Instance types in ROSA service definition. |
||
--controlplane-iam-role <arn> |
The ARN of the IAM role to attach to control plane instances. |
||
--create-cluster-admin |
Optional. As part of cluster creation, create a local administrator user ( |
||
--cluster-admin-user |
Optional. Specifies the user name of the cluster administrator user created when used in conjunction with the |
||
--cluster-admin-password |
Optional. Specifies the password of the cluster administrator user created when used in conjunction with the |
||
--disable-scp-checks |
Indicates whether cloud permission checks are disabled when attempting to install a cluster. |
||
--dry-run |
Simulates creating the cluster. |
||
--domain-prefix |
Optional: When used with the |
||
--ec2-metadata-http-tokens string |
Configures the use of IMDSv2 for EC2 instances. Valid values are |
||
--enable-autoscaling |
Enables autoscaling of compute nodes. By default, autoscaling is set to |
||
--etcd-encryption |
Enables encryption of ETCD key-values on Red Hat OpenShift Service on AWS (classical architecture) clusters. |
||
--etcd-encryption-kms-arn |
Enables encryption of ETCD storage using the customer-managed key managed in AWS Key Management Service. |
||
--host-prefix <subnet> |
The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to |
||
--machine-cidr <address_block> |
Block of IP addresses (ipNet) used by ROSA while installing the cluster, for example,
|
||
--max-replicas <number_of_nodes> |
Specifies the maximum number of compute nodes when enabling autoscaling. Default: |
||
--min-replicas <number_of_nodes> |
Specifies the minimum number of compute nodes when enabling autoscaling. Default: |
||
--multi-az |
Deploys to multiple data centers. |
||
--no-cni |
Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation. |
||
--operator-roles-prefix <string> |
Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one. |
||
--pod-cidr <address_block> |
Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example,
|
||
--private |
Restricts primary API endpoint and application routes to direct, private connectivity. |
||
--private-link |
Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The |
||
--region <region_name> |
The name of the AWS region where your worker pool will be located, for example, |
||
--replicas n |
The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default: |
||
--role-arn <arn> |
The ARN of the installer role that OpenShift Cluster Manager uses to create the cluster. This is required if you have not already created account roles. |
||
--service-cidr <address_block> |
Block of IP addresses (ipNet) for services, for example,
|
||
--sts | --non-sts |
Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster. |
||
--subnet-ids <aws_subnet_id> |
The AWS subnet IDs that are used when installing the cluster, for example, When using |
||
--support-role-arn string |
The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support. |
||
--tags |
Tags that are used on resources created by Red Hat OpenShift Service on AWS in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".
|
||
--version string |
The version of ROSA that will be used to install the cluster or cluster resources. For |
||
--worker-iam-role string |
The ARN of the IAM role that will be attached to compute instances. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Create a cluster named mycluster
.
$ rosa create cluster --cluster-name=mycluster
Create a cluster with a specific AWS region.
$ rosa create cluster --cluster-name=mycluster --region=us-east-2
Create a cluster with autoscaling enabled on the default worker machine pool.
$ rosa create cluster --cluster-name=mycluster -region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5
Add an external identity provider instead of the OpenShift OAuth2 server.
You can only use external authentication providers on ROSA with HCP clusters. |
$ rosa create external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--claim-mapping-groups-claim <string> |
Required. Describes rules on how to transform information from an ID token into a cluster identity. |
--claim-validation-rule <strings> |
Rules that are applied to validate token claims to authenticate users. The input will be in a |
--claim-mapping-username-claim <string> |
The name of the claim that should be used to construct user names for the cluster identity. |
--cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster to which the IDP will be added. |
--console-client-id <string> |
The identifier of the OIDC client from the OIDC provider for the OpenShift Cluster Manager web console. |
--console-client-secret <string> |
The secret that is associated with the console application registration. |
--issuer-audiences <strings> |
An array of audiences to check the incoming tokens against. Valid tokens must include at least one of these values in their audience claim. |
--issuer-ca-file <string> |
The path to the PEM-encoded certificate file to use when making requests to the server. |
--issuer-url <string> |
The serving URL of the token issuer. |
--name <string> |
A name that is used to refer to the external authentication provider. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile string from your credentials file. |
Add a Microsoft Entra ID identity provider to a cluster named mycluster
.
$ rosa create external-auth-provider --cluster=mycluster --name <provider_name> --issuer-audiences <audience_id> --issuer-url <issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claim groups
Add an identity provider (IDP) to define how users log in to a cluster.
$ rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster to which the IDP will be added. |
--ca <path_to_file> |
The path to the PEM-encoded certificate file to use when making requests to the server, for example, |
--client-id |
The client ID (string) from the registered application. |
--client-secret |
The client secret (string) from the registered application. |
--mapping-method |
Specifies how new identities (string) are mapped to users when they log in. Default: |
--name |
The name (string) for the identity provider. |
--type |
The type (string) of identity provider. Options: |
Option | Definition |
---|---|
--hostname |
The optional domain (string) that are used with a hosted instance of GitHub Enterprise. |
--organizations |
Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in. |
--teams |
Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is |
Option | Definition |
---|---|
--host-url |
The host URL (string) of a GitLab provider. Default: |
Option | Definition |
---|---|
--hosted-domain |
Restricts users to a Google Apps domain (string). |
Option | Definition |
---|---|
--bind-dn |
The domain name (string) to bind with during the search phase. |
--bind-password |
The password (string) to bind with during the search phase. |
--email-attributes |
The list (string) of attributes whose values should be used as the email address. |
--id-attributes |
The list (string) of attributes whose values should be used as the user ID. Default: |
--insecure |
Does not make TLS connections to the server. |
--name-attributes |
The list (string) of attributes whose values should be used as the display name. Default: |
--url |
An RFC 2255 URL (string) which specifies the LDAP search parameters that are used. |
--username-attributes |
The list (string) of attributes whose values should be used as the preferred username. Default: |
Option | Definition |
---|---|
--email-claims |
The list (string) of claims that are used as the email address. |
--extra-scopes |
The list (string) of scopes to request, in addition to the |
--issuer-url |
The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment. |
--name-claims |
The list (string) of claims that are used as the display name. |
--username-claims |
The list (string) of claims that are used as the preferred username when provisioning a user. |
--groups-claims |
The list (string) of claims that are used as the groups names. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Add a GitHub identity provider to a cluster named mycluster
.
$ rosa create idp --type=github --cluster=mycluster
Add an identity provider following interactive prompts.
$ rosa create idp --cluster=mycluster --interactive
Add an ingress endpoint to enable API access to the cluster.
$ rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> |
Required: The name or ID of the cluster to which the ingress will be added. |
--label-match |
The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers. |
--private |
Restricts application route to direct, private connectivity. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Add an internal ingress to a cluster named mycluster
.
$ rosa create ingress --private --cluster=mycluster
Add a public ingress to a cluster named mycluster
.
$ rosa create ingress --cluster=mycluster
Add an ingress with a route selector label match.
$ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz
Create a custom KubeletConfig
object to allow custom configuration of nodes in a machine pool. For Red Hat OpenShift Service on AWS clusters, these settings are cluster-wide. For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, each machine pool can be configured differently.
$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
Option | Definition |
---|---|
--pod-pids-limit <number> |
Required. The maximum number of PIDs for each node in the machine pool associated with the |
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster in which to create the |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-i, --interactive |
Enable interactive mode. |
-h, --help |
Shows help for this command. |
For more information about setting the PID limit for the cluster, see Configuring PID limits.
Add a machine pool to an existing cluster.
$ rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]
Option | Definition |
---|---|
--additional-security-group-ids <sec_group_id> |
The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements for Security groups under Additional resources. |
--cluster <cluster_name>|<cluster_id> |
Required: The name or ID of the cluster to which the machine pool will be added. |
--disk-size |
Set the disk volume size for the machine pool, in Gib or TiB. The default is 300 GiB. For ROSA (classic architecture) clusters version 4.13 or earlier, the minimum disk size is 128 GiB, and the maximum is 1 TiB. For cluster version 4.14 and later, the minimum is 128 GiB, and the maximum is 16 TiB. For ROSA with HCP clusters, the minimum disk size is 75 GiB, and the maximum is 16,384 GiB. |
--enable-autoscaling |
Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the |
--instance-type |
The instance type (string) that should be used. Default: |
--kubelet-configs <kubeletconfig_name> |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any |
--labels |
The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis. |
--max-replicas |
Specifies the maximum number of compute nodes when enabling autoscaling. |
--min-replicas |
Specifies the minimum number of compute nodes when enabling autoscaling. |
--max-surge |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the The default value is |
--max-unavailable |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the The default value is |
--name |
Required: The name (string) for the machine pool. |
--replicas |
Required when autoscaling is not configured. The number (integer) of machines for this machine pool. |
--tags |
Apply user defined tags to all resources created by ROSA in AWS. Tags are comma separated, for example: |
--taints |
Taints for the machine pool. This string value should be formatted as a comma-separated list of |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Interactively add a machine pool to a cluster named mycluster
.
$ rosa create machinepool --cluster=mycluster --interactive
Add a machine pool that is named mp-1
to a cluster with autoscaling enabled.
$ rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1
Add a machine pool that is named mp-1
with 3 replicas of m5.xlarge
to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1
Add a machine pool (mp-1
) to a Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) cluster, configuring 6 replicas and the following upgrade behavior:
Allow up to 2 excess nodes to be provisioned during an upgrade.
Ensure that no more than 3 nodes are unavailable during an upgrade.
$ rosa create machinepool --cluster=mycluster --replicas=6 --name=mp-1 --max-surge=2 --max-unavailable=3
Add a machine pool with labels to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1
Add a machine pool with tags to a cluster.
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1
Create a network that creates any necessary AWS resources through AWS CloudFormation templates. This helper command is intended to help create and configure a VPC for use with ROSA with HCP. This command also supports zero egress clusters.
Running this command creates resources within your AWS account. |
For custom or advanced configuration, it is highly recommended to use the AWS CLI directly using the |
$ rosa create network [flags]
Option | Definition |
---|---|
<template-name> |
Allows you to use a custom template. Templates must be in the template folder, structured as |
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create a ROSA Quickstart default VPC.
This CloudFormation template may not work with rosa CLI versions later than 1.2.47.
Please ensure that you are using the compatible CLI version before deploying this template.
Parameters:
AvailabilityZoneCount:
Type: Number
Description: "Number of Availability Zones to use"
Default: 1
MinValue: 1
MaxValue: 3
Region:
Type: String
Description: "AWS Region"
Default: "us-west-2"
Name:
Type: String
Description: "Name prefix for resources"
VpcCidr:
Type: String
Description: CIDR block for the VPC
Default: '10.0.0.0/16'
Conditions:
HasAZ1: !Equals [!Ref AvailabilityZoneCount, 1]
HasAZ2: !Equals [!Ref AvailabilityZoneCount, 2]
HasAZ3: !Equals [!Ref AvailabilityZoneCount, 3]
One:
Fn::Or:
- Condition: HasAZ1
- Condition: HasAZ2
- Condition: HasAZ3
Two:
Fn::Or:
- Condition: HasAZ3
- Condition: HasAZ2
Resources:
VPC:
Type: AWS::EC2::VPC
Properties:
CidrBlock: !Ref VpcCidr
EnableDnsSupport: true
EnableDnsHostnames: true
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
S3VPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.s3"
VpcEndpointType: Gateway
RouteTableIds:
- !Ref PublicRouteTable
- !Ref PrivateRouteTable
SubnetPublic1:
Condition: One
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [0, !GetAZs '']
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub "${Name}-Public-Subnet-1"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/elb'
Value: '1'
SubnetPrivate1:
Condition: One
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [0, !GetAZs '']
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: !Sub "${Name}-Private-Subnet-1"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/internal-elb'
Value: '1'
SubnetPublic2:
Condition: Two
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [1, !GetAZs '']
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub "${Name}-Public-Subnet-2"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/elb'
Value: '1'
SubnetPrivate2:
Condition: Two
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [1, !GetAZs '']
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: !Sub "${Name}-Private-Subnet-2"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/internal-elb'
Value: '1'
SubnetPublic3:
Condition: HasAZ3
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [2, !GetAZs '']
MapPublicIpOnLaunch: true
Tags:
- Key: Name
Value: !Sub "${Name}-Public-Subnet-3"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/elb'
Value: '1'
SubnetPrivate3:
Condition: HasAZ3
Type: AWS::EC2::Subnet
Properties:
VpcId: !Ref VPC
CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, 8]]
AvailabilityZone: !Select [2, !GetAZs '']
MapPublicIpOnLaunch: false
Tags:
- Key: Name
Value: !Sub "${Name}-Private-Subnet-3"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
- Key: 'kubernetes.io/role/internal-elb'
Value: '1'
InternetGateway:
Type: AWS::EC2::InternetGateway
Properties:
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
AttachGateway:
Type: AWS::EC2::VPCGatewayAttachment
Properties:
VpcId: !Ref VPC
InternetGatewayId: !Ref InternetGateway
ElasticIP1:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
ElasticIP2:
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
ElasticIP3:
Condition: HasAZ3
Type: AWS::EC2::EIP
Properties:
Domain: vpc
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
NATGateway1:
Condition: One
Type: 'AWS::EC2::NatGateway'
Properties:
AllocationId: !GetAtt ElasticIP1.AllocationId
SubnetId: !Ref SubnetPublic1
Tags:
- Key: Name
Value: !Sub "${Name}-NAT-1"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
NATGateway2:
Condition: Two
Type: 'AWS::EC2::NatGateway'
Properties:
AllocationId: !GetAtt ElasticIP2.AllocationId
SubnetId: !Ref SubnetPublic2
Tags:
- Key: Name
Value: !Sub "${Name}-NAT-2"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
NATGateway3:
Condition: HasAZ3
Type: 'AWS::EC2::NatGateway'
Properties:
AllocationId: !GetAtt ElasticIP3.AllocationId
SubnetId: !Ref SubnetPublic3
Tags:
- Key: Name
Value: !Sub "${Name}-NAT-3"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
PublicRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Ref Name
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
PublicRoute:
Type: AWS::EC2::Route
DependsOn: AttachGateway
Properties:
RouteTableId: !Ref PublicRouteTable
DestinationCidrBlock: 0.0.0.0/0
GatewayId: !Ref InternetGateway
PrivateRouteTable:
Type: AWS::EC2::RouteTable
Properties:
VpcId: !Ref VPC
Tags:
- Key: Name
Value: !Sub "${Name}-Private-Route-Table"
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
- Key: 'service'
Value: 'ROSA'
PrivateRoute:
Type: AWS::EC2::Route
Properties:
RouteTableId: !Ref PrivateRouteTable
DestinationCidrBlock: 0.0.0.0/0
NatGatewayId: !If
- One
- !Ref NATGateway1
- !If
- Two
- !Ref NATGateway2
- !If
- HasAZ3
- !Ref NATGateway3
- !Ref "AWS::NoValue"
PublicSubnetRouteTableAssociation1:
Condition: One
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPublic1
RouteTableId: !Ref PublicRouteTable
PublicSubnetRouteTableAssociation2:
Condition: Two
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPublic2
RouteTableId: !Ref PublicRouteTable
PublicSubnetRouteTableAssociation3:
Condition: HasAZ3
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPublic3
RouteTableId: !Ref PublicRouteTable
PrivateSubnetRouteTableAssociation1:
Condition: One
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPrivate1
RouteTableId: !Ref PrivateRouteTable
PrivateSubnetRouteTableAssociation2:
Condition: Two
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPrivate2
RouteTableId: !Ref PrivateRouteTable
PrivateSubnetRouteTableAssociation3:
Condition: HasAZ3
Type: AWS::EC2::SubnetRouteTableAssociation
Properties:
SubnetId: !Ref SubnetPrivate3
RouteTableId: !Ref PrivateRouteTable
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupDescription: "Authorize inbound VPC traffic"
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: -1
FromPort: 0
ToPort: 0
CidrIp: "10.0.0.0/16"
SecurityGroupegress:
- IpProtocol: -1
FromPort: 0
ToPort: 0
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Ref Name
- Key: 'service'
Value: 'ROSA'
- Key: 'rosa_managed_policies'
Value: 'true'
- Key: 'rosa_hcp_policies'
Value: 'true'
EC2VPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.ec2"
PrivateDnsEnabled: true
VpcEndpointType: Interface
SubnetIds:
- !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]
- !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]
- !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]
SecurityGroupIds:
- !Ref SecurityGroup
KMSVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.kms"
PrivateDnsEnabled: true
VpcEndpointType: Interface
SubnetIds:
- !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]
- !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]
- !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]
SecurityGroupIds:
- !Ref SecurityGroup
STSVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.sts"
PrivateDnsEnabled: true
VpcEndpointType: Interface
SubnetIds:
- !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]
- !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]
- !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]
SecurityGroupIds:
- !Ref SecurityGroup
EcrApiVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.ecr.api"
PrivateDnsEnabled: true
VpcEndpointType: Interface
SubnetIds:
- !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]
- !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]
- !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]
SecurityGroupIds:
- !Ref SecurityGroup
EcrDkrVPCEndpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
VpcId: !Ref VPC
ServiceName: !Sub "com.amazonaws.${Region}.ecr.dkr"
PrivateDnsEnabled: true
VpcEndpointType: Interface
SubnetIds:
- !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]
- !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]
- !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]
SecurityGroupIds:
- !Ref SecurityGroup
Outputs:
VPCId:
Description: "VPC Id"
Value: !Ref VPC
Export:
Name: !Sub "${Name}-VPCId"
VPCEndpointId:
Description: The ID of the VPC Endpoint
Value: !Ref S3VPCEndpoint
Export:
Name: !Sub "${Name}-VPCEndpointId"
PublicSubnets:
Description: "Public Subnet Ids"
Value: !Join [",", [!If [One, !Ref SubnetPublic1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPublic2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPublic3, !Ref "AWS::NoValue"]]]
Export:
Name: !Sub "${Name}-PublicSubnets"
PrivateSubnets:
Description: "Private Subnet Ids"
Value: !Join [",", [!If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]]]
Export:
Name: !Sub "${Name}-PrivateSubnets"
EIP1AllocationId:
Description: Allocation ID for ElasticIP1
Value: !GetAtt ElasticIP1.AllocationId
Export:
Name: !Sub "${Name}-EIP1-AllocationId"
EIP2AllocationId:
Description: Allocation ID for ElasticIP2
Value: !GetAtt ElasticIP2.AllocationId
Export:
Name: !Sub "${Name}-EIP2-AllocationId"
EIP3AllocationId:
Condition: HasAZ3
Description: Allocation ID for ElasticIP3
Value: !GetAtt ElasticIP3.AllocationId
Export:
Name: !Sub "${Name}-EIP3-AllocationId"
NatGatewayId:
Description: The NAT Gateway IDs
Value: !Join [",", [!If [One, !Ref NATGateway1, !Ref "AWS::NoValue"], !If [Two, !Ref NATGateway2, !Ref "AWS::NoValue"], !If [HasAZ3, !Ref NATGateway3, !Ref "AWS::NoValue"]]]
Export:
Name: !Sub "${Name}-NatGatewayId"
InternetGatewayId:
Description: The ID of the Internet Gateway
Value: !Ref InternetGateway
Export:
Name: !Sub "${Name}-InternetGatewayId"
PublicRouteTableId:
Description: The ID of the public route table
Value: !Ref PublicRouteTable
Export:
Name: !Sub "${Name}-PublicRouteTableId"
PrivateRouteTableId:
Description: The ID of the private route table
Value: !Ref PrivateRouteTable
Export:
Name: !Sub "${Name}-PrivateRouteTableId"
EC2VPCEndpointId:
Description: The ID of the EC2 VPC Endpoint
Value: !Ref EC2VPCEndpoint
Export:
Name: !Sub "${Name}-EC2VPCEndpointId"
KMSVPCEndpointId:
Description: The ID of the KMS VPC Endpoint
Value: !Ref KMSVPCEndpoint
Export:
Name: !Sub "${Name}-KMSVPCEndpointId"
STSVPCEndpointId:
Description: The ID of the STS VPC Endpoint
Value: !Ref STSVPCEndpoint
Export:
Name: !Sub "${Name}-STSVPCEndpointId"
EcrApiVPCEndpointId:
Description: The ID of the ECR API VPC Endpoint
Value: !Ref EcrApiVPCEndpoint
Export:
Name: !Sub "${Name}-EcrApiVPCEndpointId"
EcrDkrVPCEndpointId:
Description: The ID of the ECR DKR VPC Endpoint
Value: !Ref EcrDkrVPCEndpoint
Export:
Name: !Sub "${Name}-EcrDkrVPCEndpointId"
Option | Definition |
---|---|
--template-dir |
Allows you to specify the path to the template directory. Overrides the |
--param Name |
Define the name of your network. A required parameter when using a custom template file. |
--param Region |
Define the region of your network. A required parameter when using a custom template file. |
--param <various> |
Available parameters depend on the template. Use |
--mode=manual |
Provides AWS commands to create the network stack. |
Create a basic network with regular arguments and flags.
$ rosa create network rosa-quickstart-default-vpc --param Tags=key1=value1,key2=value2 --param Name=example-stack --param Region=us-west-2
Create the required ocm-role resources for your cluster.
$ rosa create ocm-role [flags]
Option | Definition |
---|---|
--admin |
Enable admin capabilities for the role. |
--debug |
Enable debug mode. |
-i, --interactive |
Enable interactive mode. |
-m, --mode string |
How to perform the operation. Valid options are:
|
--path string |
The ARN path for the OCM role and policies. |
--permissions-boundary string |
The ARN of the policy that is used to set the permissions boundary for the OCM role. |
--prefix string |
User-defined prefix for all generated AWS resources. The default is |
--profile string |
Use a specific AWS profile from your credential file. |
-y, --yes |
Automatically answer yes to confirm operation. |
For more information about the OCM role created with the rosa create ocm-role
command, see Account-wide IAM role and policy reference.
Create the required user-role resources for your cluster.
$ rosa create user-role [flags]
Option | Definition |
---|---|
--debug |
Enable debug mode. |
-i, --interactive |
Enable interactive mode. |
-m, --mode string |
How to perform the operation. Valid options are:
|
--path string |
The ARN path for the user role and policies. |
--permissions-boundary string |
The ARN of the policy that is used to set the permissions boundary for the user role. |
--prefix string |
User-defined prefix for all generated AWS resources The default is |
--profile string |
Use a specific AWS profile from your credential file. |
-y, --yes |
Automatically answer yes to confirm operation. |
For more information about the user role created with the rosa create user-role
command, see Understanding AWS account association.
See AWS Instance types for a list of supported instance types.
See Account-wide IAM role and policy reference for a list of IAM roles needed for cluster creation.
See Understanding AWS account association for more information about the OCM role and user role.
See Additional custom security groups for information about security group requirements.
This section describes the edit
commands for clusters and resources.
Allows edits to an existing cluster.
$ rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--additional-allowed-principals <arn> |
A comma-separated list of additional allowed principal ARNs to be added to the Hosted Control Plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted. |
--cluster |
Required: The name or ID (string) of the cluster to edit. |
--private |
Restricts a primary API endpoint to direct, private connectivity. |
--enable-delete-protection=true |
Enables the delete protection feature. |
--enable-delete-protection=false |
Disables the delete protection feature. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Edit a cluster named mycluster
to make it private.
$ rosa edit cluster --cluster=mycluster --private
Edit all cluster options interactively on a cluster named mycluster
.
$ rosa edit cluster --cluster=mycluster --interactive
Edits the default application router for a cluster.
For information about editing non-default application routers, see Additional resources. |
$ rosa edit ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to which the ingress will be added. |
--cluster-routes-hostname |
Components route hostname for OAuth, console, and download. |
--cluster-routes-tls-secret-ref |
Components route TLS secret reference for OAuth, console, and download. |
--excluded-namespaces |
Excluded namespaces for ingress. Format is a comma-separated list |
--label-match |
The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers. |
--lb-type |
Type of Load Balancer. Options are |
--namespace-ownership-policy |
Namespace Ownership Policy for ingress. Options are |
--private |
Restricts the application route to direct, private connectivity. |
--route-selector |
Route Selector for ingress. Format is a comma-separated list of key=value. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels, otherwise they are treated as exclusion label. |
--wildcard-policy |
Wildcard Policy for ingress. Options are |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Make an additional ingress with the ID a1b2
as a private connection on a cluster named mycluster
.
$ rosa edit ingress --private --cluster=mycluster a1b2
Update the router selectors for the additional ingress with the ID a1b2
on a cluster named mycluster
.
$ rosa edit ingress --label-match=foo=bar --cluster=mycluster a1b2
Update the default ingress using the sub-domain identifier apps
on a cluster named mycluster
.
$ rosa edit ingress --private=false --cluster=mycluster apps
Update the load balancer type of the apps2
ingress.
$ rosa edit ingress --lb-type=nlb --cluster=mycluster apps2
Edit a custom KubeletConfig
object in a machine pool.
$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which the |
-i, --interactive |
Enable interactive mode. |
--pod-pids-limit <number> |
Required. The maximum number of PIDs for each node in the machine pool associated with the |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-h, --help |
Shows help for this command. |
For more information about setting the PID limit for the cluster, see Configuring PID limits.
Allows edits to the machine pool in a cluster.
$ rosa edit machinepool --cluster=<cluster_name_or_id> <machinepool_name> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to edit on which the additional machine pool will be edited. |
--enable-autoscaling |
Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the |
--labels |
The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis. |
--kubelet-configs <kubeletconfig_name> |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any |
--max-replicas |
Specifies the maximum number of compute nodes when enabling autoscaling. |
--min-replicas |
Specifies the minimum number of compute nodes when enabling autoscaling. |
--max-surge |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the The default value is |
--max-unavailable |
For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the The default value is |
--node-drain-grace-period |
Specifies the node drain grace period when upgrading or replacing the machine pool. (This is for ROSA with HCP clusters only.) |
--replicas |
Required when autoscaling is not configured. The number (integer) of machines for this machine pool. |
--taints |
Taints for the machine pool. This string value should be formatted as a comma-separated list of |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Set 4 replicas on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --replicas=4 mp1
Enable autoscaling on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 mp1
Disable autoscaling on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --cluster=mycluster --enable-autoscaling=false --replicas=3 mp1
Modify the autoscaling range on a machine pool named mp1
on a cluster named mycluster
.
$ rosa edit machinepool --max-replicas=9 --cluster=mycluster mp1
On Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, edit the mp1
machine pool to add the following behavior during upgrades:
Allow up to 2 excess nodes to be provisioned during an upgrade.
Ensure that no more than 3 nodes are unavailable during an upgrade.
$ rosa edit machinepool --cluster=mycluster mp1 --max-surge=2 --max-unavailable=3
Associate a KubeletConfig
object with an existing high-pid-pool
machine pool on a ROSA with HCP cluster.
$ rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids high-pid-pool
See Configuring the Ingress Controller for information regarding editing non-default application routers.
This section describes the delete
commands for clusters and resources.
Deletes a cluster administrator from a specified cluster.
$ rosa delete admin --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to add to the identity provider (IDP). |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Delete a cluster administrator from a cluster named mycluster
.
$ rosa delete admin --cluster=mycluster
Deletes a cluster.
$ rosa delete cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to delete. |
--watch |
Watches the cluster uninstallation logs. |
--best-effort |
Skips steps in the cluster destruction chain that are known to cause the cluster deletion process to fail. You should use this option with care and it is recommended that you manually check your AWS account for any resources that might be left over after using |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Delete a cluster named mycluster
.
$ rosa delete cluster --cluster=mycluster
Deletes an external authentication provider from a cluster.
$ rosa delete external-auth-provider <name_of_external_auth_provider> --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required. The name or ID string of the cluster the external auth provider will be deleted from. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile string from your credentials file. |
--yes |
Automatically answers |
Delete an identity provider named exauth-1
from a cluster named mycluster
.
$ rosa delete external-auth-provider exauth-1 --cluster=mycluster
Deletes a specific identity provider (IDP) from a cluster.
$ rosa delete idp --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster from which the IDP will be deleted. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Delete an identity provider named github
from a cluster named mycluster
.
$ rosa delete idp github --cluster=mycluster
Deletes a non-default application router (ingress) from a cluster.
$ rosa delete ingress --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster from which the ingress will be deleted. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Delete an ingress with the ID a1b2
from a cluster named mycluster
.
$ rosa delete ingress --cluster=mycluster a1b2
Delete a secondary ingress with the subdomain name apps2
from a cluster named mycluster
.
$ rosa delete ingress --cluster=mycluster apps2
Delete a custom KubeletConfig
object from a cluster.
$ rosa delete kubeletconfig --cluster=<cluster_name|cluster_id> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which you want to delete the |
-h, --help |
Shows help for this command. |
--name |
Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one |
-y, --yes |
Automatically answers |
Deletes a machine pool from a cluster.
$ rosa delete machinepool --cluster=<cluster_name> | <cluster_id> <machine_pool_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the machine pool will be deleted from. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--interactive |
Enables interactive mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Delete the machine pool with the ID mp-1
from a cluster named mycluster
.
$ rosa delete machinepool --cluster=mycluster mp-1
This section describes how to install and uninstall Red Hat managed service add-ons to a cluster.
Installs a managed service add-on on a cluster.
$ rosa install addon --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster where the add-on will be installed. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Uses a specific AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Add the dbaas-operator
add-on installation to a cluster named mycluster
.
$ rosa install addon --cluster=mycluster dbaas-operator
Uninstalls a managed service add-on from a cluster.
$ rosa uninstall addon --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the add-on will be uninstalled from. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Uses a specific AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Remove the dbaas-operator
add-on installation from a cluster named mycluster
.
$ rosa uninstall addon --cluster=mycluster dbaas-operator
This section describes the list
and describe
commands for clusters and resources.
List the managed service add-on installations.
$ rosa list addons --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to list the add-ons for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the break glass credentials for a cluster.
$ rosa list break-glass-credential [arguments]
Option | Definition |
---|---|
--cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster to which the break glass credentials have been added. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the break glass credentials for a cluster named mycluster
.
$ rosa list break-glass-credential --cluster=mycluster
List all of your clusters.
$ rosa list clusters [arguments]
Option | Definition |
---|---|
--count |
The number (integer) of clusters to display. Default: |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List any external authentication providers for a cluster.
$ rosa list external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID string of the cluster that the external authentication provider will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile string from your credentials file. |
List any external authentication providers for a cluster named mycluster
.
$ rosa list external-auth-provider --cluster=mycluster
List all of the identity providers (IDPs) for a cluster.
$ rosa list idps --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the IDPs will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all identity providers (IDPs) for a cluster named mycluster
.
$ rosa list idps --cluster=mycluster
List all of the API and ingress endpoints for a cluster.
$ rosa list ingresses --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the IDPs will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all API and ingress endpoints for a cluster named mycluster
.
$ rosa list ingresses --cluster=mycluster
List all of the available instance types for use with ROSA. Availability is based on the account’s AWS quota.
$ rosa list instance-types [arguments]
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--output |
The output format. Allowed formats are |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all instance types.
$ rosa list instance-types
List the KubeletConfig
objects configured on a cluster.
$ rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the machine pools will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
List all of the KubeletConfig
objects on a cluster named mycluster
.
$ rosa list kubeletconfigs --cluster=mycluster
List the machine pools configured on a cluster.
$ rosa list machinepools --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the machine pools will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the machine pools on a cluster named mycluster
.
$ rosa list machinepools --cluster=mycluster
List all of the available regions for the current AWS account.
$ rosa list regions [arguments]
Option | Definition |
---|---|
--multi-az |
Lists regions that provide support for multiple availability zones. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the available regions.
$ rosa list regions
List all available and scheduled cluster version upgrades.
$ rosa list upgrades --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the available upgrades will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the available upgrades for a cluster named mycluster
.
$ rosa list upgrades --cluster=mycluster
List the cluster administrator and dedicated administrator users for a specified cluster.
$ rosa list users --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the cluster administrators will be listed for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the cluster administrators and dedicated administrators for a cluster named mycluster
.
$ rosa list users --cluster=mycluster
List all of the OpenShift versions that are available for creating a cluster.
$ rosa list versions [arguments]
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
List all of the OpenShift Container Platform versions.
$ rosa list versions
Show the details of a specified cluster-admin
user and a command to log in to the cluster.
$ rosa describe admin --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster to which the cluster-admin belongs. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Describe the cluster-admin
user for a cluster named mycluster
.
$ rosa describe admin --cluster=mycluster
Show the details of a managed service add-on.
$ rosa describe addon <addon_id> | <addon_name> [arguments]
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Describe an add-on named dbaas-operator
.
$ rosa describe addon dbaas-operator
Shows the details for a break glass credential for a specific cluster.
$ rosa describe break-glass-credential --id=<break_glass_credential_id> --cluster=<cluster_name>| <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
--id |
Required: The ID (string) of the break glass credential. |
--kubeconfig |
Optional: Retrieves the kubeconfig from the break glass credential. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Shows the details for a cluster.
$ rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--get-role-policy-bindings |
Lists the policies that are attached to the STS roles assigned to the cluster. |
Describe a cluster named mycluster
.
$ rosa describe cluster --cluster=mycluster
Show the details of a custom KubeletConfig
object.
$ rosa describe kubeletconfig --cluster=<cluster_name|cluster_id> [flags]
Option | Definition |
---|---|
-c, --cluster <cluster_name>|<cluster_id> |
Required. The name or ID of the cluster for which you want to view the |
-h, --help |
Shows help for this command. |
--name |
Optional. Specifies the name of the |
-o, --output string |
-o, --output string |
Describes a specific machine pool configured on a cluster.
$ rosa describe machinepool --cluster=[<cluster_name>|<cluster_id>] --machinepool=<machinepool_name> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
--machinepool |
Required: The name or ID (string) of the machinepool. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Describe a machine pool named mymachinepool
on a cluster named mycluster
.
$ rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool
This section describes the revoke
commands for clusters and resources.
Revokes all break glass credentials from a specified hosted control plane cluster with external authentication enabled.
$ rosa revoke break-glass-credential --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster from which the break glass credentials will be deleted. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
--yes |
Automatically answers |
Revoke the break glass credentials from a cluster named mycluster
.
$ rosa revoke break-glass-credential --cluster=mycluster
This section describes the upgrade
command usage for objects.
Schedule a cluster upgrade.
$ rosa upgrade cluster --cluster=<cluster_name> | <cluster_id> [arguments]
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the upgrade will be scheduled for. |
--interactive |
Enables interactive mode. |
--version |
The version (string) of OpenShift Container Platform that the cluster will be upgraded to. |
--schedule-date |
The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format: |
--schedule-time |
The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format: |
--node-drain-grace-period [1] |
Sets a grace period (string) for how long the pod disruption budget-protected workloads are respected during upgrades. After this grace period, any workloads protected by pod disruption budgets that have not been successfully drained from a node will be forcibly evicted. Default: |
--control-plane [2] |
Upgrades the cluster’s hosted control plane. |
Classic clusters only
ROSA with HCP clusters only
Option | Definition |
---|---|
--help |
Shows help for this command. |
Interactively schedule an upgrade on a cluster named mycluster
.
$ rosa upgrade cluster --cluster=mycluster --interactive
Schedule a cluster upgrade within the hour on a cluster named mycluster
.
$ rosa upgrade cluster --cluster=mycluster --version 4.5.20
Cancel a scheduled cluster upgrade.
$ rosa delete upgrade --cluster=<cluster_name> | <cluster_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster that the upgrade will be cancelled for. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--yes |
Automatically answers |
Upgrades a specific machine pool configured on a ROSA with HCP cluster.
The |
$ rosa upgrade machinepool --cluster=<cluster_name> <machinepool_name>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
--schedule-date |
The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format: |
--schedule-time |
The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format: |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Upgrade a machine pool on a cluster named mycluster
.
$ rosa upgrade machinepool --cluster=mycluster
Cancel a scheduled machinepool upgrade.
$ rosa delete upgrade --cluster=<cluster_name> <machinepool_name>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Upgrades roles configured on a cluster.
$ rosa upgrade roles --cluster=<cluster_id>
Option | Definition |
---|---|
--cluster |
Required: The name or ID (string) of the cluster. |
Option | Definition |
---|---|
--help |
Shows help for this command. |
--debug |
Enables debug mode. |
--profile |
Specifies an AWS profile (string) from your credentials file. |
Upgrade roles on a cluster named mycluster
.
$ rosa upgrade roles --cluster=mycluster