vCPU
In OKD, you can install a cluster on Microsoft Azure by using infrastructure that you provide.
Several Azure Resource Manager (ARM) templates are provided to assist in completing these steps or to help model your own.
The steps for performing a user-provisioned infrastructure installation are provided as an example only. Installing a cluster with infrastructure you provide requires knowledge of the cloud provider and the installation process of OKD. Several ARM templates are provided to assist in completing these steps or to help model your own. You are also free to create the required resources through other methods. |
You reviewed details about the OKD installation and update processes.
You read the documentation on selecting a cluster installation method and preparing it for users.
You configured an Azure account to host the cluster and determined the tested and validated region to deploy the cluster to.
You mirrored the images for a disconnected installation to your registry and obtained the imageContentSources
data for your version of OKD.
Because the installation media is on the mirror host, you must use that computer to complete all installation steps. |
If you use a firewall, you configured it to allow the sites that your cluster requires access to.
If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system
namespace, you have manually created long-term credentials.
If you use customer-managed encryption keys, you prepared your Azure environment for encryption.
In OKD 4, you can perform an installation that does not require an active connection to the internet to obtain software components. Restricted network installations can be completed using installer-provisioned infrastructure or user-provisioned infrastructure, depending on the cloud platform to which you are installing the cluster.
If you choose to perform a restricted network installation on a cloud platform, you still require access to its cloud APIs. Some cloud functions, like Amazon Web Service’s Route 53 DNS and IAM services, require internet access. Depending on your network, you might require less internet access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
To complete a restricted network installation, you must create a registry that mirrors the contents of the OpenShift image registry and contains the installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.
Because of the complexity of the configuration for user-provisioned installations, consider completing a standard user-provisioned infrastructure installation before you attempt a restricted network installation using user-provisioned infrastructure. Completing this test installation might make it easier to isolate and troubleshoot any issues that might arise during your installation in a restricted network. |
Clusters in restricted networks have the following additional limitations and restrictions:
The ClusterVersion
status includes an Unable to retrieve available updates
error.
By default, you cannot use the contents of the Developer Catalog because you cannot access the required image stream tags.
Before you can install OKD, you must configure an Azure project to host it.
All Azure resources that are available through public endpoints are subject to resource name restrictions, and you cannot create resources that use certain terms. For a list of terms that Azure restricts, see Resolve reserved resource name errors in the Azure documentation. |
The OKD cluster uses a number of Microsoft Azure components, and the default Azure subscription and service limits, quotas, and constraints affect your ability to install OKD clusters.
Default limits vary by offer category types, such as Free Trial and Pay-As-You-Go, and by series, such as Dv2, F, and G. For example, the default for Enterprise Agreement subscriptions is 350 cores. Check the limits for your subscription type and if necessary, increase quota limits for your account before you install a default cluster on Azure. |
The following table summarizes the Azure components whose limits can impact your ability to install and run OKD clusters.
Component | Number of components required by default | Default Azure limit | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
vCPU |
44 |
20 per region |
A default cluster requires 44 vCPUs, so you must increase the account limit. By default, each cluster creates the following instances:
Because the bootstrap and control plane machines use To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, you must further increase the vCPU limit for your account to ensure that your cluster can deploy the machines that you require. |
||||||
OS Disk |
7 |
Each cluster machine must have a minimum of 100 GB of storage and 300 IOPS. While these are the minimum supported values, faster storage is recommended for production clusters and clusters with intensive workloads. For more information about optimizing storage for performance, see the page titled "Optimizing storage" in the "Scalability and performance" section. |
|||||||
VNet |
1 |
1000 per region |
Each default cluster requires one Virtual Network (VNet), which contains two subnets. |
||||||
Network interfaces |
7 |
65,536 per region |
Each default cluster requires seven network interfaces. If you create more machines or your deployed workloads create load balancers, your cluster uses more network interfaces. |
||||||
Network security groups |
2 |
5000 |
Each cluster creates network security groups for each subnet in the VNet. The default cluster creates network security groups for the control plane and for the compute node subnets:
|
||||||
Network load balancers |
3 |
1000 per region |
Each cluster creates the following load balancers:
If your applications create more Kubernetes |
||||||
Public IP addresses |
3 |
Each of the two public load balancers uses a public IP address. The bootstrap machine also uses a public IP address so that you can SSH into the machine to troubleshoot issues during installation. The IP address for the bootstrap node is used only during installation. |
|||||||
Private IP addresses |
7 |
The internal load balancer, each of the three control plane machines, and each of the three worker machines each use a private IP address. |
|||||||
Spot VM vCPUs (optional) |
0 If you configure spot VMs, your cluster must have two spot VM vCPUs for every compute node. |
20 per region |
This is an optional component. To use spot VMs, you must increase the Azure default limit to at least twice the number of compute nodes in your cluster.
|
To install OKD, the Microsoft Azure account you use must have a dedicated public hosted DNS zone in your account. This zone must be authoritative for the domain. This service provides cluster DNS resolution and name lookup for external connections to the cluster.
Identify your domain, or subdomain, and registrar. You can transfer an existing domain and registrar or obtain a new one through Azure or another source.
For more information about purchasing domains through Azure, see Buy a custom domain name for Azure App Service in the Azure documentation. |
If you are using an existing domain and registrar, migrate its DNS to Azure. See Migrate an active DNS name to Azure App Service in the Azure documentation.
Configure DNS for your domain. Follow the steps in the Tutorial: Host your domain in Azure DNS in the Azure documentation to create a public hosted zone for your domain or subdomain, extract the new authoritative name servers, and update the registrar records for the name servers that your domain uses.
Use an appropriate root domain, such as openshiftcorp.com
, or subdomain,
such as clusters.openshiftcorp.com
.
If you use a subdomain, follow your company’s procedures to add its delegation records to the parent domain.
You can view Azure’s DNS solution by visiting this example for creating DNS zones.
To increase an account limit, file a support request on the Azure portal.
You can increase only one type of quota per support request. |
From the Azure portal, click Help + support in the lower left corner.
Click New support request and then select the required values:
From the Issue type list, select Service and subscription limits (quotas).
From the Subscription list, select the subscription to modify.
From the quota type list, select the quota to increase. For example, select Compute-VM (cores-vCPUs) subscription limit increases to increase the number of vCPUs, which is required to install a cluster.
Click Next: Solutions.
On the Problem Details page, provide the required information for your quota increase:
Click Provide details and provide the required details in the quota details window.
In the SUPPORT METHOD and CONTACT INFO sections, provide the issue severity and your contact details.
Click Next: Review + create and then click Create.
Because your cluster has limited access to automatic machine management when you use infrastructure that you provision, you must provide a mechanism for approving cluster certificate signing requests (CSRs) after installation. The kube-controller-manager
only approves the kubelet client CSRs. The machine-approver
cannot guarantee the validity of a serving certificate that is requested by using kubelet credentials because it cannot confirm that the correct machine issued the request. You must determine and implement a method of verifying the validity of the kubelet serving certificate requests and approving them.
An OKD cluster requires an Azure identity to create and manage Azure resources. Before you create the identity, verify that your environment meets the following requirements:
The Azure account that you use to create the identity is assigned the User Access Administrator
and Contributor
roles. These roles are required when:
Creating a service principal or user-assigned managed identity.
Enabling a system-assigned managed identity on a virtual machine.
If you are going to use a service principal to complete the installation, verify that the Azure account that you use to create the identity is assigned the microsoft.directory/servicePrincipals/createAsOwner
permission in Microsoft Entra ID.
To set roles on the Azure portal, see the Manage access to Azure resources using RBAC and the Azure portal in the Azure documentation.
The installation program requires access to an Azure service principal or managed identity with the necessary permissions to deploy the cluster and to maintain its daily operation. These permissions must be granted to the Azure subscription that is associated with the identity.
The following options are available to you:
You can assign the identity the Contributor
and User Access Administrator
roles. Assigning these roles is the quickest way to grant all of the required permissions.
For more information about assigning roles, see the Azure documentation for managing access to Azure resources using the Azure portal.
If your organization’s security policies require a more restrictive set of permissions, you can create a custom role with the necessary permissions.
The following permissions are required for creating an OKD cluster on Microsoft Azure.
Microsoft.Authorization/policies/audit/action
Microsoft.Authorization/policies/auditIfNotExists/action
Microsoft.Authorization/roleAssignments/read
Microsoft.Authorization/roleAssignments/write
Microsoft.Compute/images/read
Microsoft.Compute/images/write
Microsoft.Compute/images/delete
Microsoft.Compute/availabilitySets/read
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/disks/delete
Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/galleries/images/read
Microsoft.Compute/galleries/images/versions/read
Microsoft.Compute/galleries/images/versions/write
Microsoft.Compute/galleries/images/write
Microsoft.Compute/galleries/read
Microsoft.Compute/galleries/write
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/virtualMachines/powerOff/action
Microsoft.Compute/virtualMachines/read
Microsoft.Compute/virtualMachines/write
Microsoft.Compute/virtualMachines/deallocate/action
Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Microsoft.ManagedIdentity/userAssignedIdentities/read
Microsoft.ManagedIdentity/userAssignedIdentities/write
Microsoft.Network/dnsZones/A/write
Microsoft.Network/dnsZones/CNAME/write
Microsoft.Network/dnszones/CNAME/read
Microsoft.Network/dnszones/read
Microsoft.Network/loadBalancers/backendAddressPools/join/action
Microsoft.Network/loadBalancers/backendAddressPools/read
Microsoft.Network/loadBalancers/backendAddressPools/write
Microsoft.Network/loadBalancers/read
Microsoft.Network/loadBalancers/write
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkInterfaces/join/action
Microsoft.Network/networkInterfaces/read
Microsoft.Network/networkInterfaces/write
Microsoft.Network/networkSecurityGroups/join/action
Microsoft.Network/networkSecurityGroups/read
Microsoft.Network/networkSecurityGroups/securityRules/delete
Microsoft.Network/networkSecurityGroups/securityRules/read
Microsoft.Network/networkSecurityGroups/securityRules/write
Microsoft.Network/networkSecurityGroups/write
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/A/write
Microsoft.Network/privateDnsZones/A/delete
Microsoft.Network/privateDnsZones/SOA/read
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/read
Microsoft.Network/privateDnsZones/virtualNetworkLinks/write
Microsoft.Network/privateDnsZones/write
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/publicIPAddresses/join/action
Microsoft.Network/publicIPAddresses/read
Microsoft.Network/publicIPAddresses/write
Microsoft.Network/virtualNetworks/join/action
Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/write
Microsoft.Network/virtualNetworks/write
Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/InProgress/action
Microsoft.Resourcehealth/healthevent/Pending/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action
Microsoft.Resources/subscriptions/resourceGroups/read
Microsoft.Resources/subscriptions/resourcegroups/write
Microsoft.Resources/tags/write
Microsoft.Storage/storageAccounts/blobServices/read
Microsoft.Storage/storageAccounts/blobServices/containers/write
Microsoft.Storage/storageAccounts/fileServices/read
Microsoft.Storage/storageAccounts/fileServices/shares/read
Microsoft.Storage/storageAccounts/fileServices/shares/write
Microsoft.Storage/storageAccounts/fileServices/shares/delete
Microsoft.Storage/storageAccounts/listKeys/action
Microsoft.Storage/storageAccounts/read
Microsoft.Storage/storageAccounts/write
Microsoft.Resources/deployments/read
Microsoft.Resources/deployments/write
Microsoft.Resources/deployments/validate/action
Microsoft.Resources/deployments/operationstatuses/read
Microsoft.Compute/availabilitySets/delete
Microsoft.Compute/availabilitySets/write
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read
Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write
Microsoft.Compute/diskEncryptionSets/read
Microsoft.Compute/diskEncryptionSets/write
Microsoft.Compute/diskEncryptionSets/delete
Microsoft.KeyVault/vaults/read
Microsoft.KeyVault/vaults/write
Microsoft.KeyVault/vaults/delete
Microsoft.KeyVault/vaults/deploy/action
Microsoft.KeyVault/vaults/keys/read
Microsoft.KeyVault/vaults/keys/write
Microsoft.Features/providers/features/register/action
The following permissions are required for deleting an OKD cluster on Microsoft Azure.
Microsoft.Authorization/roleAssignments/delete
Microsoft.Compute/disks/delete
Microsoft.Compute/galleries/delete
Microsoft.Compute/galleries/images/delete
Microsoft.Compute/galleries/images/versions/delete
Microsoft.Compute/virtualMachines/delete
Microsoft.Compute/images/delete
Microsoft.ManagedIdentity/userAssignedIdentities/delete
Microsoft.Network/dnszones/read
Microsoft.Network/dnsZones/A/read
Microsoft.Network/dnsZones/A/delete
Microsoft.Network/dnsZones/CNAME/read
Microsoft.Network/dnsZones/CNAME/delete
Microsoft.Network/loadBalancers/delete
Microsoft.Network/networkInterfaces/delete
Microsoft.Network/networkSecurityGroups/delete
Microsoft.Network/privateDnsZones/read
Microsoft.Network/privateDnsZones/A/read
Microsoft.Network/privateDnsZones/delete
Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete
Microsoft.Network/publicIPAddresses/delete
Microsoft.Network/virtualNetworks/delete
Microsoft.Resourcehealth/healthevent/Activated/action
Microsoft.Resourcehealth/healthevent/Resolved/action
Microsoft.Resourcehealth/healthevent/Updated/action
Microsoft.Resources/subscriptions/resourcegroups/delete
Microsoft.Storage/storageAccounts/delete
Microsoft.Storage/storageAccounts/listKeys/action
To install OKD on Azure, you must scope the permissions related to resource group creation to your subscription. After the resource group is created, you can scope the rest of the permissions to the created resource group. If the public DNS zone is present in a different resource group, then the network DNS zone related permissions must always be applied to your subscription. You can scope all the permissions to your subscription when deleting an OKD cluster. |
Because OKD and its installation program create Microsoft Azure resources by using the Azure Resource Manager, you must create a service principal to represent it.
Install or update the Azure CLI.
Your Azure account has the required roles for the subscription that you use.
If you want to use a custom role, you have created a custom role with the required permissions listed in the Required Azure permissions for user-provisioned infrastructure section.
Log in to the Azure CLI:
$ az login
If your Azure account uses subscriptions, ensure that you are using the right subscription:
View the list of available accounts and record the tenantId
value for the
subscription you want to use for your cluster:
$ az account list --refresh
[
{
"cloudName": "AzureCloud",
"id": "9bab1460-96d5-40b3-a78e-17b15e978a80",
"isDefault": true,
"name": "Subscription Name",
"state": "Enabled",
"tenantId": "6057c7e9-b3ae-489d-a54e-de3f6bf6a8ee",
"user": {
"name": "you@example.com",
"type": "user"
}
}
]
View your active account details and confirm that the tenantId
value matches
the subscription you want to use:
$ az account show
{
"environmentName": "AzureCloud",
"id": "9bab1460-96d5-40b3-a78e-17b15e978a80",
"isDefault": true,
"name": "Subscription Name",
"state": "Enabled",
"tenantId": "6057c7e9-b3ae-489d-a54e-de3f6bf6a8ee", (1)
"user": {
"name": "you@example.com",
"type": "user"
}
}
1 | Ensure that the value of the tenantId parameter is the correct subscription ID. |
If you are not using the right subscription, change the active subscription:
$ az account set -s <subscription_id> (1)
1 | Specify the subscription ID. |
Verify the subscription ID update:
$ az account show
{
"environmentName": "AzureCloud",
"id": "33212d16-bdf6-45cb-b038-f6565b61edda",
"isDefault": true,
"name": "Subscription Name",
"state": "Enabled",
"tenantId": "8049c7e9-c3de-762d-a54e-dc3f6be6a7ee",
"user": {
"name": "you@example.com",
"type": "user"
}
}
Record the tenantId
and id
parameter values from the output. You need these values during the OKD installation.
Create the service principal for your account:
$ az ad sp create-for-rbac --role <role_name> \(1)
--name <service_principal> \(2)
--scopes /subscriptions/<subscription_id> (3)
1 | Defines the role name. You can use the Contributor role, or you can specify a custom role which contains the necessary permissions. |
2 | Defines the service principal name. |
3 | Specifies the subscription ID. |
Creating 'Contributor' role assignment under scope '/subscriptions/<subscription_id>'
The output includes credentials that you must protect. Be sure that you do not
include these credentials in your code or check the credentials into your source
control. For more information, see https://aka.ms/azadsp-cli
{
"appId": "ac461d78-bf4b-4387-ad16-7e32e328aec6",
"displayName": <service_principal>",
"password": "00000000-0000-0000-0000-000000000000",
"tenantId": "8049c7e9-c3de-762d-a54e-dc3f6be6a7ee"
}
Record the values of the appId
and password
parameters from the previous
output. You need these values during OKD installation.
If you applied the Contributor
role to your service principal, assign the User Administrator Access
role by running the following command:
$ az role assignment create --role "User Access Administrator" \
--assignee-object-id $(az ad sp show --id <appId> --query id -o tsv) (1)
1 | Specify the appId parameter value for your service principal. |
For more information about CCO modes, see About the Cloud Credential Operator.
The installation program dynamically generates the list of available Microsoft Azure regions based on your subscription.
australiacentral
(Australia Central)
australiaeast
(Australia East)
australiasoutheast
(Australia South East)
brazilsouth
(Brazil South)
canadacentral
(Canada Central)
canadaeast
(Canada East)
centralindia
(Central India)
centralus
(Central US)
eastasia
(East Asia)
eastus
(East US)
eastus2
(East US 2)
francecentral
(France Central)
germanywestcentral
(Germany West Central)
israelcentral
(Israel Central)
italynorth
(Italy North)
japaneast
(Japan East)
japanwest
(Japan West)
koreacentral
(Korea Central)
koreasouth
(Korea South)
mexicocentral
(Mexico Central)
northcentralus
(North Central US)
northeurope
(North Europe)
norwayeast
(Norway East)
polandcentral
(Poland Central)
qatarcentral
(Qatar Central)
southafricanorth
(South Africa North)
southcentralus
(South Central US)
southeastasia
(Southeast Asia)
southindia
(South India)
spaincentral
(Spain Central)
swedencentral
(Sweden Central)
switzerlandnorth
(Switzerland North)
uaenorth
(UAE North)
uksouth
(UK South)
ukwest
(UK West)
westcentralus
(West Central US)
westeurope
(West Europe)
westindia
(West India)
westus
(West US)
westus2
(West US 2)
westus3
(West US 3)
Support for the following Microsoft Azure Government (MAG) regions was added in OKD version 4.6:
usgovtexas
(US Gov Texas)
usgovvirginia
(US Gov Virginia)
You can reference all available MAG regions in the Azure documentation. Other provided MAG regions are expected to work with OKD, but have not been tested.
For a cluster that contains user-provisioned infrastructure, you must deploy all of the required machines.
This section describes the requirements for deploying OKD on user-provisioned infrastructure.
The smallest OKD clusters require the following hosts:
Hosts | Description |
---|---|
One temporary bootstrap machine |
The cluster requires the bootstrap machine to deploy the OKD cluster on the three control plane machines. You can remove the bootstrap machine after you install the cluster. |
Three control plane machines |
The control plane machines run the Kubernetes and OKD services that form the control plane. |
At least two compute machines, which are also known as worker machines. |
The workloads requested by OKD users run on the compute machines. |
To maintain high availability of your cluster, use separate physical hosts for these cluster machines. |
The bootstrap and control plane machines must use Fedora CoreOS (FCOS) as the operating system. However, the compute machines can choose between Fedora CoreOS (FCOS), Fedora 8.6 and later.
Each cluster machine must meet the following minimum requirements:
Machine | Operating System | vCPU [1] | Virtual RAM | Storage | Input/Output Per Second (IOPS)[2] |
---|---|---|---|---|---|
Bootstrap |
FCOS |
4 |
16 GB |
100 GB |
300 |
Control plane |
FCOS |
4 |
16 GB |
100 GB |
300 |
Compute |
FCOS |
2 |
8 GB |
100 GB |
300 |
One vCPU is equivalent to one physical core when simultaneous multithreading (SMT), or Hyper-Threading, is not enabled. When enabled, use the following formula to calculate the corresponding ratio: (threads per core × cores) × sockets = vCPUs.
OKD and Kubernetes are sensitive to disk performance, and faster storage is recommended, particularly for etcd on the control plane nodes which require a 10 ms p99 fsync duration. Note that on many cloud platforms, storage size and IOPS scale together, so you might need to over-allocate storage volume to obtain sufficient performance.
As with all user-provisioned installations, if you choose to use Fedora compute machines in your cluster, you take responsibility for all operating system life cycle management and maintenance, including performing system updates, applying patches, and completing all other required tasks. Use of Fedora 7 compute machines is deprecated and has been removed in OKD 4.10 and later.
As of OKD version 4.13, RHCOS is based on RHEL version 9.2, which updates the micro-architecture requirements. The following list contains the minimum instruction set architectures (ISA) that each architecture requires:
For more information, see RHEL Architectures. |
You are required to use Azure virtual machines that have the |
If an instance type for your platform meets the minimum requirements for cluster machines, it is supported to use in OKD.
The following Microsoft Azure instance types have been tested with OKD.
standardBasv2Family
standardBSFamily
standardBsv2Family
standardDADSv5Family
standardDASv4Family
standardDASv5Family
standardDCACCV5Family
standardDCADCCV5Family
standardDCADSv5Family
standardDCASv5Family
standardDCSv3Family
standardDCSv2Family
standardDDCSv3Family
standardDDSv4Family
standardDDSv5Family
standardDLDSv5Family
standardDLSv5Family
standardDSFamily
standardDSv2Family
standardDSv2PromoFamily
standardDSv3Family
standardDSv4Family
standardDSv5Family
standardEADSv5Family
standardEASv4Family
standardEASv5Family
standardEBDSv5Family
standardEBSv5Family
standardECACCV5Family
standardECADCCV5Family
standardECADSv5Family
standardECASv5Family
standardEDSv4Family
standardEDSv5Family
standardEIADSv5Family
standardEIASv4Family
standardEIASv5Family
standardEIBDSv5Family
standardEIBSv5Family
standardEIDSv5Family
standardEISv3Family
standardEISv5Family
standardESv3Family
standardESv4Family
standardESv5Family
standardFXMDVSFamily
standardFSFamily
standardFSv2Family
standardGSFamily
standardHBrsv2Family
standardHBSFamily
standardHBv4Family
standardHCSFamily
standardHXFamily
standardLASv3Family
standardLSFamily
standardLSv2Family
standardLSv3Family
standardMDSHighMemoryv3Family
standardMDSMediumMemoryv2Family
standardMDSMediumMemoryv3Family
standardMIDSHighMemoryv3Family
standardMIDSMediumMemoryv2Family
standardMISHighMemoryv3Family
standardMISMediumMemoryv2Family
standardMSFamily
standardMSHighMemoryv3Family
standardMSMediumMemoryv2Family
standardMSMediumMemoryv3Family
StandardNCADSA100v4Family
Standard NCASv3_T4 Family
standardNCSv3Family
standardNDSv2Family
StandardNGADSV620v1Family
standardNPSFamily
StandardNVADSA10v5Family
standardNVSv3Family
standardXEISv4Family
The following Microsoft Azure ARM64 instance types have been tested with OKD.
standardBpsv2Family
standardDPSv5Family
standardDPDSv5Family
standardDPLDSv5Family
standardDPLSv5Family
standardEPSv5Family
standardEPDSv5Family
Using the Azure Marketplace offering lets you deploy an OKD cluster, which is billed on pay-per-use basis (hourly, per core) through Azure, while still being supported directly by Red Hat.
To deploy an OKD cluster using the Azure Marketplace offering, you must first obtain the Azure Marketplace image. The installation program uses this image to deploy worker or control plane nodes. When obtaining your image, consider the following:
While the images are the same, the Azure Marketplace publisher is different depending on your region. If you are located in North America, specify redhat
as the publisher. If you are located in EMEA, specify redhat-limited
as the publisher.
The offer includes a rh-ocp-worker
SKU and a rh-ocp-worker-gen1
SKU. The rh-ocp-worker
SKU represents a Hyper-V generation version 2 VM image. The default instance types used in OKD are version 2 compatible. If you plan to use an instance type that is only version 1 compatible, use the image associated with the rh-ocp-worker-gen1
SKU. The rh-ocp-worker-gen1
SKU represents a Hyper-V version 1 VM image.
Installing images with the Azure marketplace is not supported on clusters with 64-bit ARM instances. |
You have installed the Azure CLI client (az)
.
Your Azure account is entitled for the offer and you have logged into this account with the Azure CLI client.
Display all of the available OKD images by running one of the following commands:
North America:
$ az vm image list --all --offer rh-ocp-worker --publisher redhat -o table
Offer Publisher Sku Urn Version
------------- -------------- ------------------ -------------------------------------------------------------- -----------------
rh-ocp-worker RedHat rh-ocp-worker RedHat:rh-ocp-worker:rh-ocp-worker:4.15.2024072409 4.15.2024072409
rh-ocp-worker RedHat rh-ocp-worker-gen1 RedHat:rh-ocp-worker:rh-ocp-worker-gen1:4.15.2024072409 4.15.2024072409
EMEA:
$ az vm image list --all --offer rh-ocp-worker --publisher redhat-limited -o table
Offer Publisher Sku Urn Version
------------- -------------- ------------------ -------------------------------------------------------------- -----------------
rh-ocp-worker redhat-limited rh-ocp-worker redhat-limited:rh-ocp-worker:rh-ocp-worker:4.15.2024072409 4.15.2024072409
rh-ocp-worker redhat-limited rh-ocp-worker-gen1 redhat-limited:rh-ocp-worker:rh-ocp-worker-gen1:4.15.2024072409 4.15.2024072409
Use the latest image that is available for compute and control plane nodes. If required, your VMs are automatically upgraded as part of the installation process. |
Inspect the image for your offer by running one of the following commands:
North America:
$ az vm image show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>
EMEA:
$ az vm image show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>
Review the terms of the offer by running one of the following commands:
North America:
$ az vm image terms show --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>
EMEA:
$ az vm image terms show --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>
Accept the terms of the offering by running one of the following commands:
North America:
$ az vm image terms accept --urn redhat:rh-ocp-worker:rh-ocp-worker:<version>
EMEA:
$ az vm image terms accept --urn redhat-limited:rh-ocp-worker:rh-ocp-worker:<version>
Record the image details of your offer. If you use the Azure Resource Manager (ARM) template to deploy your compute nodes:
Update storageProfile.imageReference
by deleting the id
parameter and adding the offer
, publisher
, sku
, and version
parameters by using the values from your offer.
Specify a plan
for the virtual machines (VMs).
06_workers.json
ARM template with an updated storageProfile.imageReference
object and a specified plan
...
"plan" : {
"name": "rh-ocp-worker",
"product": "rh-ocp-worker",
"publisher": "redhat"
},
"dependsOn" : [
"[concat('Microsoft.Network/networkInterfaces/', concat(variables('vmNames')[copyIndex()], '-nic'))]"
],
"properties" : {
...
"storageProfile": {
"imageReference": {
"offer": "rh-ocp-worker",
"publisher": "redhat",
"sku": "rh-ocp-worker",
"version": "413.92.2023101700"
}
...
}
...
}
Before you install OKD, download the installation file on the host you are using for installation.
You have a computer that runs Linux or macOS, with at least 1.2 GB of local disk space.
Download the installation program from https://github.com/openshift/okd/releases.
|
Extract the installation program. For example, on a computer that uses a Linux operating system, run the following command:
$ tar -xvf openshift-install-linux.tar.gz
Download your installation pull secret from Red Hat OpenShift Cluster Manager. This pull secret allows you to authenticate with the services that are provided by the included authorities, including Quay.io, which serves the container images for OKD components.
Using a pull secret from Red Hat OpenShift Cluster Manager is not required. You can use a pull secret for another private registry. Or, if you do not need the cluster to pull images from a private registry, you can use {"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}}
as the pull secret when prompted during the installation.
If you do not use the pull secret from Red Hat OpenShift Cluster Manager:
Red Hat Operators are not available.
The Telemetry and Insights operators do not send data to Red Hat.
Content from the Red Hat Ecosystem Catalog Container images registry, such as image streams and Operators, are not available.
During an OKD installation, you can provide an SSH public key to the installation program. The key is passed to the Fedora CoreOS (FCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys
list for the core
user on each node, which enables password-less authentication.
After the key is passed to the nodes, you can use the key pair to SSH in to the FCOS nodes as the user core
. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.
If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather
command also requires the SSH public key to be in place on the cluster nodes.
Do not skip this procedure in production environments, where disaster recovery and debugging is required. |
You must use a local key, not one that you configured with platform-specific approaches such as AWS key pairs. |
On clusters running Fedora CoreOS (FCOS), the SSH keys specified in the Ignition config files are written to the |
If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:
$ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)
1 | Specify the path and file name, such as ~/.ssh/id_ed25519 , of the new SSH key. If you have an existing key pair, ensure your public key is in the your ~/.ssh directory. |
If you plan to install an OKD cluster that uses the Fedora cryptographic libraries that have been submitted to NIST for FIPS 140-2/140-3 Validation on only the |
View the public SSH key:
$ cat <path>/<file_name>.pub
For example, run the following to view the ~/.ssh/id_ed25519.pub
public key:
$ cat ~/.ssh/id_ed25519.pub
Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather
command.
On some distributions, default SSH private key identities such as |
If the ssh-agent
process is not already running for your local user, start it as a background task:
$ eval "$(ssh-agent -s)"
Agent pid 31874
If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA. |
Add your SSH private key to the ssh-agent
:
$ ssh-add <path>/<file_name> (1)
1 | Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519 |
Identity added: /home/<you>/<path>/<file_name> (<computer_name>)
When you install OKD, provide the SSH public key to the installation program. If you install a cluster on infrastructure that you provision, you must provide the key to the installation program.
To install OKD on Microsoft Azure using user-provisioned infrastructure, you must generate the files that the installation program needs to deploy your cluster and modify them so that the cluster creates only the machines that it will use. You generate and customize the install-config.yaml
file, Kubernetes manifests, and Ignition config files. You also have the option to first set up a separate var
partition during the preparation phases of installation.
/var
partitionIt is recommended that disk partitioning for OKD be left to the installer. However, there are cases where you might want to create separate partitions in a part of the filesystem that you expect to grow.
OKD supports the addition of a single partition to attach storage to either the /var
partition or a subdirectory of /var
. For example:
/var/lib/containers
: Holds container-related content that can grow as more images and containers are added to a system.
/var/lib/etcd
: Holds data that you might want to keep separate for purposes such as performance optimization of etcd storage.
/var
: Holds data that you might want to keep separate for purposes such as auditing.
Storing the contents of a /var
directory separately makes it easier to grow storage for those areas as needed and reinstall OKD at a later date and keep that data intact. With this method, you will not have to pull all your containers again, nor will you have to copy massive log files when you update systems.
Because /var
must be in place before a fresh installation of Fedora CoreOS (FCOS), the following procedure sets up the separate /var
partition by creating a machine config manifest that is inserted during the openshift-install
preparation phases of an OKD installation.
If you follow the steps to create a separate |
Create a directory to hold the OKD installation files:
$ mkdir $HOME/clusterconfig
Run openshift-install
to create a set of files in the manifest
and openshift
subdirectories. Answer the system questions as you are prompted:
$ openshift-install create manifests --dir $HOME/clusterconfig
? SSH Public Key ...
INFO Credentials loaded from the "myprofile" profile in file "/home/myuser/.aws/credentials"
INFO Consuming Install Config from target directory
INFO Manifests created in: $HOME/clusterconfig/manifests and $HOME/clusterconfig/openshift
Optional: Confirm that the installation program created manifests in the clusterconfig/openshift
directory:
$ ls $HOME/clusterconfig/openshift/
99_kubeadmin-password-secret.yaml
99_openshift-cluster-api_master-machines-0.yaml
99_openshift-cluster-api_master-machines-1.yaml
99_openshift-cluster-api_master-machines-2.yaml
...
Create a Butane config that configures the additional partition. For example, name the file $HOME/clusterconfig/98-var-partition.bu
, change the disk device name to the name of the storage device on the worker
systems, and set the storage size as appropriate. This example places the /var
directory on a separate partition:
variant: openshift
version: 4.0
metadata:
labels:
machineconfiguration.openshift.io/role: worker
name: 98-var-partition
storage:
disks:
- device: /dev/disk/by-id/<device_name> (1)
partitions:
- label: var
start_mib: <partition_start_offset> (2)
size_mib: <partition_size> (3)
number: 5
filesystems:
- device: /dev/disk/by-partlabel/var
path: /var
format: xfs
mount_options: [defaults, prjquota] (4)
with_mount_unit: true
1 | The storage device name of the disk that you want to partition. |
2 | When adding a data partition to the boot disk, a minimum value of 25000 MiB (Mebibytes) is recommended. The root file system is automatically resized to fill all available space up to the specified offset. If no value is specified, or if the specified value is smaller than the recommended minimum, the resulting root file system will be too small, and future reinstalls of FCOS might overwrite the beginning of the data partition. |
3 | The size of the data partition in mebibytes. |
4 | The prjquota mount option must be enabled for filesystems used for container storage. |
When creating a separate |
Create a manifest from the Butane config and save it to the clusterconfig/openshift
directory. For example, run the following command:
$ butane $HOME/clusterconfig/98-var-partition.bu -o $HOME/clusterconfig/openshift/98-var-partition.yaml
Run openshift-install
again to create Ignition configs from a set of files in the manifest
and openshift
subdirectories:
$ openshift-install create ignition-configs --dir $HOME/clusterconfig
$ ls $HOME/clusterconfig/
auth bootstrap.ign master.ign metadata.json worker.ign
Now you can use the Ignition config files as input to the installation procedures to install Fedora CoreOS (FCOS) systems.
You can customize the OKD cluster you install on Microsoft Azure.
You have the OKD installation program and the pull secret for your cluster. For a restricted network installation, these files are on your mirror host.
You have the imageContentSources
values that were generated during mirror registry creation.
You have obtained the contents of the certificate for your mirror registry.
You have retrieved a Fedora CoreOS (FCOS) image and uploaded it to an accessible location.
You have an Azure subscription ID and tenant ID.
If you are installing the cluster using a service principal, you have its application ID and password.
If you are installing the cluster using a system-assigned managed identity, you have enabled it on the virtual machine that you will run the installation program from.
If you are installing the cluster using a user-assigned managed identity, you have met these prerequisites:
You have its client ID.
You have assigned it to the virtual machine that you will run the installation program from.
Optional: If you have run the installation program on this computer before, and want to use an alternative service principal or managed identity, go to the ~/.azure/
directory and delete the osServicePrincipal.json
configuration file.
Deleting this file prevents the installation program from automatically reusing subscription and authentication values from a previous installation.
Create the install-config.yaml
file.
Change to the directory that contains the installation program and run the following command:
$ ./openshift-install create install-config --dir <installation_directory> (1)
1 | For <installation_directory> , specify the directory name to store the
files that the installation program creates. |
When specifying the directory:
Verify that the directory has the execute
permission. This permission is required to run Terraform binaries under the installation directory.
Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OKD version.
At the prompts, provide the configuration details for your cloud:
Optional: Select an SSH key to use to access your cluster machines.
For production OKD clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your |
Select azure as the platform to target.
If the installation program cannot locate the osServicePrincipal.json
configuration file from a previous installation, you are prompted for Azure subscription and authentication values.
Enter the following Azure parameter values for your subscription:
azure subscription id: Enter the subscription ID to use for the cluster.
azure tenant id: Enter the tenant ID.
Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the azure service principal client id:
If you are using a service principal, enter its application ID.
If you are using a system-assigned managed identity, leave this value blank.
If you are using a user-assigned managed identity, specify its client ID.
Depending on the Azure identity you are using to deploy the cluster, do one of the following when prompted for the azure service principal client secret:
If you are using a service principal, enter its password.
If you are using a system-assigned managed identity, leave this value blank.
If you are using a user-assigned managed identity, leave this value blank.
Select the region to deploy the cluster to.
Select the base domain to deploy the cluster to. The base domain corresponds to the Azure DNS Zone that you created for your cluster.
Enter a descriptive name for your cluster.
All Azure resources that are available through public endpoints are subject to resource name restrictions, and you cannot create resources that use certain terms. For a list of terms that Azure restricts, see Resolve reserved resource name errors in the Azure documentation. |
Paste the pull secret from Red Hat OpenShift Cluster Manager.
Edit the install-config.yaml
file to give the additional information that is required for an installation in a restricted network.
Update the pullSecret
value to contain the authentication information for
your registry:
pullSecret: '{"auths":{"<mirror_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}'
For <mirror_host_name>
, specify the registry domain name
that you specified in the certificate for your mirror registry, and for
<credentials>
, specify the base64-encoded user name and password for
your mirror registry.
Add the additionalTrustBundle
parameter and value.
additionalTrustBundle: |
-----BEGIN CERTIFICATE-----
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
-----END CERTIFICATE-----
The value must be the contents of the certificate file that you used for your mirror registry. The certificate file can be an existing, trusted certificate authority, or the self-signed certificate that you generated for the mirror registry.
Define the network and subnets for the VNet to install the cluster under the platform.azure
field:
networkResourceGroupName: <vnet_resource_group> (1)
virtualNetwork: <vnet> (2)
controlPlaneSubnet: <control_plane_subnet> (3)
computeSubnet: <compute_subnet> (4)
1 | Replace <vnet_resource_group> with the resource group name that contains the existing virtual network (VNet). |
2 | Replace <vnet> with the existing virtual network name. |
3 | Replace <control_plane_subnet> with the existing subnet name to deploy the control plane machines. |
4 | Replace <compute_subnet> with the existing subnet name to deploy compute machines. |
Add the image content resources, which resemble the following YAML excerpt:
imageContentSources:
- mirrors:
- <mirror_host_name>:5000/<repo_name>/release
source: quay.io/openshift-release-dev/ocp-release
- mirrors:
- <mirror_host_name>:5000/<repo_name>/release
source: registry.redhat.io/ocp/release
For these values, use the imageContentSources
that you recorded during mirror registry creation.
Optional: Set the publishing strategy to Internal
:
publish: Internal
By setting this option, you create an internal Ingress Controller and a private load balancer.
Azure Firewall does not work seamlessly with Azure Public Load balancers. Thus, when using Azure Firewall for restricting internet access, the |
Make any other modifications to the install-config.yaml
file that you require.
For more information about the parameters, see "Installation configuration parameters".
Back up the install-config.yaml
file so that you can use
it to install multiple clusters.
The |
If previously not detected, the installation program creates an osServicePrincipal.json
configuration file and stores this file in the ~/.azure/
directory on your computer. This ensures that the installation program can load the profile when it is creating an OKD cluster on the target platform.
Production environments can deny direct access to the internet and instead have
an HTTP or HTTPS proxy available. You can configure a new OKD
cluster to use a proxy by configuring the proxy settings in the
install-config.yaml
file.
You have an existing install-config.yaml
file.
You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the Proxy
object’s spec.noProxy
field to bypass the proxy if necessary.
The For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and OpenStack, the |
Edit your install-config.yaml
file and add the proxy settings. For example:
apiVersion: v1
baseDomain: my.domain.com
proxy:
httpProxy: http://<username>:<pswd>@<ip>:<port> (1)
httpsProxy: https://<username>:<pswd>@<ip>:<port> (2)
noProxy: example.com (3)
additionalTrustBundle: | (4)
-----BEGIN CERTIFICATE-----
<MY_TRUSTED_CA_CERT>
-----END CERTIFICATE-----
additionalTrustBundlePolicy: <policy_to_add_additionalTrustBundle> (5)
1 | A proxy URL to use for creating HTTP connections outside the cluster. The
URL scheme must be http . |
2 | A proxy URL to use for creating HTTPS connections outside the cluster. |
3 | A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com , but not y.com . Use * to bypass the proxy for all destinations. |
4 | If provided, the installation program generates a config map that is named user-ca-bundle in
the openshift-config namespace to hold the additional CA
certificates. If you provide additionalTrustBundle and at least one proxy setting, the Proxy object is configured to reference the user-ca-bundle config map in the trustedCA field. The Cluster Network
Operator then creates a trusted-ca-bundle config map that merges the contents specified for the trustedCA parameter
with the FCOS trust bundle. The additionalTrustBundle field is required unless
the proxy’s identity certificate is signed by an authority from the FCOS trust
bundle. |
5 | Optional: The policy to determine the configuration of the Proxy object to reference the user-ca-bundle config map in the trustedCA field. The allowed values are Proxyonly and Always . Use Proxyonly to reference the user-ca-bundle config map only when http/https proxy is configured. Use Always to always reference the user-ca-bundle config map. The default value is Proxyonly . |
The installation program does not support the proxy |
If the installer times out, restart and then complete the deployment by using the
|
Save the file and reference it when installing OKD.
The installation program creates a cluster-wide proxy that is named cluster
that uses the proxy
settings in the provided install-config.yaml
file. If no proxy settings are
provided, a cluster
Proxy
object is still created, but it will have a nil
spec
.
Only the |
You must export a common set of variables that are used with the provided Azure Resource Manager (ARM) templates used to assist in completing a user-provided infrastructure install on Microsoft Azure.
Specific ARM templates can also require additional exported variables, which are detailed in their related procedures. |
Obtain the OKD installation program and the pull secret for your cluster.
Export common variables found in the install-config.yaml
to be used by the
provided ARM templates:
$ export CLUSTER_NAME=<cluster_name>(1)
$ export AZURE_REGION=<azure_region>(2)
$ export SSH_KEY=<ssh_key>(3)
$ export BASE_DOMAIN=<base_domain>(4)
$ export BASE_DOMAIN_RESOURCE_GROUP=<base_domain_resource_group>(5)
1 | The value of the .metadata.name attribute from the install-config.yaml file. |
2 | The region to deploy the cluster into, for example centralus . This is the value of the .platform.azure.region attribute from the install-config.yaml file. |
3 | The SSH RSA public key file as a string. You must enclose the SSH key in quotes since it contains spaces. This is the value of the .sshKey attribute from the install-config.yaml file. |
4 | The base domain to deploy the cluster to. The base domain corresponds to the public DNS zone that you created for your cluster. This is the value of the .baseDomain attribute from the install-config.yaml file. |
5 | The resource group where the public DNS zone exists. This is the value of the .platform.azure.baseDomainResourceGroupName attribute from the install-config.yaml file. |
For example:
$ export CLUSTER_NAME=test-cluster
$ export AZURE_REGION=centralus
$ export SSH_KEY="ssh-rsa xxx/xxx/xxx= user@email.com"
$ export BASE_DOMAIN=example.com
$ export BASE_DOMAIN_RESOURCE_GROUP=ocp-cluster
Export the kubeadmin credentials:
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)
1 | For <installation_directory> , specify the path to the directory that you stored the installation files in. |
Because you must modify some cluster definition files and manually start the cluster machines, you must generate the Kubernetes manifest and Ignition config files that the cluster needs to configure the machines.
The installation configuration file transforms into the Kubernetes manifests. The manifests wrap into the Ignition configuration files, which are later used to configure the cluster machines.
|
You obtained the OKD installation program.
You created the install-config.yaml
installation configuration file.
Change to the directory that contains the OKD installation program and generate the Kubernetes manifests for the cluster:
$ ./openshift-install create manifests --dir <installation_directory> (1)
1 | For <installation_directory> , specify the installation directory that
contains the install-config.yaml file you created. |
Remove the Kubernetes manifest files that define the control plane machines:
$ rm -f <installation_directory>/openshift/99_openshift-cluster-api_master-machines-*.yaml
By removing these files, you prevent the cluster from automatically generating control plane machines.
Remove the Kubernetes manifest files that define the control plane machine set:
$ rm -f <installation_directory>/openshift/99_openshift-machine-api_master-control-plane-machine-set.yaml
Remove the Kubernetes manifest files that define the worker machines:
$ rm -f <installation_directory>/openshift/99_openshift-cluster-api_worker-machineset-*.yaml
If you disabled the |
Because you create and manage the worker machines yourself, you do not need to initialize these machines.
Check that the mastersSchedulable
parameter in the <installation_directory>/manifests/cluster-scheduler-02-config.yml
Kubernetes manifest file is set to false
. This setting prevents pods from being scheduled on the control plane machines:
Open the <installation_directory>/manifests/cluster-scheduler-02-config.yml
file.
Locate the mastersSchedulable
parameter and ensure that it is set to false
.
Save and exit the file.
Optional: If you do not want
the Ingress Operator
to create DNS records on your behalf, remove the privateZone
and publicZone
sections from the <installation_directory>/manifests/cluster-dns-02-config.yml
DNS configuration file:
apiVersion: config.openshift.io/v1
kind: DNS
metadata:
creationTimestamp: null
name: cluster
spec:
baseDomain: example.openshift.com
privateZone: (1)
id: mycluster-100419-private-zone
publicZone: (1)
id: example.openshift.com
status: {}
1 | Remove this section completely. |
If you do so, you must add ingress DNS records manually in a later step.
When configuring Azure on user-provisioned infrastructure, you must export some common variables defined in the manifest files to use later in the Azure Resource Manager (ARM) templates:
Export the infrastructure ID by using the following command:
$ export INFRA_ID=<infra_id> (1)
1 | The OKD cluster has been assigned an identifier (INFRA_ID ) in the form of <cluster_name>-<random_string> . This will be used as the base name for most resources created using the provided ARM templates. This is the value of the .status.infrastructureName attribute from the manifests/cluster-infrastructure-02-config.yml file. |
Export the resource group by using the following command:
$ export RESOURCE_GROUP=<resource_group> (1)
1 | All resources created in this Azure deployment exists as part of a resource group. The resource group name is also based on the INFRA_ID , in the form of <cluster_name>-<random_string>-rg . This is the value of the .status.platformStatus.azure.resourceGroupName attribute from the manifests/cluster-infrastructure-02-config.yml file. |
To create the Ignition configuration files, run the following command from the directory that contains the installation program:
$ ./openshift-install create ignition-configs --dir <installation_directory> (1)
1 | For <installation_directory> , specify the same installation directory. |
Ignition config files are created for the bootstrap, control plane, and compute nodes in the installation directory. The kubeadmin-password
and kubeconfig
files are created in the ./<installation_directory>/auth
directory:
. ├── auth │ ├── kubeadmin-password │ └── kubeconfig ├── bootstrap.ign ├── master.ign ├── metadata.json └── worker.ign
You must create a Microsoft Azure resource group and an identity for that resource group. These are both used during the installation of your OKD cluster on Azure.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create the resource group in a supported Azure region:
$ az group create --name ${RESOURCE_GROUP} --location ${AZURE_REGION}
Create an Azure identity for the resource group:
$ az identity create -g ${RESOURCE_GROUP} -n ${INFRA_ID}-identity
This is used to grant the required access to Operators in your cluster. For example, this allows the Ingress Operator to create a public IP and its load balancer. You must assign the Azure identity to a role.
Grant the Contributor role to the Azure identity:
Export the following variables required by the Azure role assignment:
$ export PRINCIPAL_ID=`az identity show -g ${RESOURCE_GROUP} -n ${INFRA_ID}-identity --query principalId --out tsv`
$ export RESOURCE_GROUP_ID=`az group show -g ${RESOURCE_GROUP} --query id --out tsv`
Assign the Contributor role to the identity:
$ az role assignment create --assignee "${PRINCIPAL_ID}" --role 'Contributor' --scope "${RESOURCE_GROUP_ID}"
If you want to assign a custom role with all the required permissions to the identity, run the following command:
|
The Azure client does not support deployments based on files existing locally. You must copy and store the FCOS virtual hard disk (VHD) cluster image and bootstrap Ignition config file in a storage container so they are accessible during deployment.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create an Azure storage account to store the VHD cluster image:
$ az storage account create -g ${RESOURCE_GROUP} --location ${AZURE_REGION} --name ${CLUSTER_NAME}sa --kind Storage --sku Standard_LRS
The Azure storage account name must be between 3 and 24 characters in length and
use numbers and lower-case letters only. If your |
Export the storage account key as an environment variable:
$ export ACCOUNT_KEY=`az storage account keys list -g ${RESOURCE_GROUP} --account-name ${CLUSTER_NAME}sa --query "[0].value" -o tsv`
Export the URL of the FCOS VHD to an environment variable:
$ export VHD_URL=`openshift-install coreos print-stream-json | jq -r '.architectures.<architecture>."rhel-coreos-extensions"."azure-disk".url'`
where:
<architecture>
Specifies the architecture, valid values include x86_64
or aarch64
.
The FCOS images might not change with every release of OKD. You must specify an image with the highest version that is less than or equal to the OKD version that you install. Use the image version that matches your OKD version if it is available. |
Create the storage container for the VHD:
$ az storage container create --name vhd --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY}
Copy the local VHD to a blob:
$ az storage blob copy start --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} --destination-blob "rhcos.vhd" --destination-container vhd --source-uri "${VHD_URL}"
Create a blob storage container and upload the generated bootstrap.ign
file:
$ az storage container create --name files --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY}
$ az storage blob upload --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c "files" -f "<installation_directory>/bootstrap.ign" -n "bootstrap.ign"
DNS records are required for clusters that use user-provisioned infrastructure. You should choose the DNS strategy that fits your scenario.
For this example, Azure’s DNS solution is used, so you will create a new public DNS zone for external (internet) visibility and a private DNS zone for internal cluster resolution.
The public DNS zone is not required to exist in the same resource group as the cluster deployment and might already exist in your organization for the desired base domain. If that is the case, you can skip creating the public DNS zone; be sure the installation config you generated earlier reflects that scenario. |
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create the new public DNS zone in the resource group exported in the
BASE_DOMAIN_RESOURCE_GROUP
environment variable:
$ az network dns zone create -g ${BASE_DOMAIN_RESOURCE_GROUP} -n ${CLUSTER_NAME}.${BASE_DOMAIN}
You can skip this step if you are using a public DNS zone that already exists.
Create the private DNS zone in the same resource group as the rest of this deployment:
$ az network private-dns zone create -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME}.${BASE_DOMAIN}
You can learn more about configuring a public DNS zone in Azure by visiting that section.
You must create a virtual network (VNet) in Microsoft Azure for your OKD cluster to use. You can customize the VNet to meet your requirements. One way to create the VNet is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your Azure infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs. |
Configure an Azure account.
Generate the Ignition config files for your cluster.
Copy the template from the ARM template for the VNet section of this topic
and save it as 01_vnet.json
in your cluster’s installation directory. This template describes the
VNet that your cluster requires.
Create the deployment by using the az
CLI:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/01_vnet.json" \
--parameters baseName="${INFRA_ID}"(1)
1 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
Link the VNet template to the private DNS zone:
$ az network private-dns link vnet create -g ${RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n ${INFRA_ID}-network-link -v "${INFRA_ID}-vnet" -e false
You can use the following Azure Resource Manager (ARM) template to deploy the VNet that you need for your OKD cluster:
01_vnet.json
ARM template{
"$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"baseName" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Base name to be used in resource names (usually the cluster's Infra ID)"
}
}
},
"variables" : {
"location" : "[resourceGroup().location]",
"virtualNetworkName" : "[concat(parameters('baseName'), '-vnet')]",
"addressPrefix" : "10.0.0.0/16",
"masterSubnetName" : "[concat(parameters('baseName'), '-master-subnet')]",
"masterSubnetPrefix" : "10.0.0.0/24",
"nodeSubnetName" : "[concat(parameters('baseName'), '-worker-subnet')]",
"nodeSubnetPrefix" : "10.0.1.0/24",
"clusterNsgName" : "[concat(parameters('baseName'), '-nsg')]"
},
"resources" : [
{
"apiVersion" : "2018-12-01",
"type" : "Microsoft.Network/virtualNetworks",
"name" : "[variables('virtualNetworkName')]",
"location" : "[variables('location')]",
"dependsOn" : [
"[concat('Microsoft.Network/networkSecurityGroups/', variables('clusterNsgName'))]"
],
"properties" : {
"addressSpace" : {
"addressPrefixes" : [
"[variables('addressPrefix')]"
]
},
"subnets" : [
{
"name" : "[variables('masterSubnetName')]",
"properties" : {
"addressPrefix" : "[variables('masterSubnetPrefix')]",
"serviceEndpoints": [],
"networkSecurityGroup" : {
"id" : "[resourceId('Microsoft.Network/networkSecurityGroups', variables('clusterNsgName'))]"
}
}
},
{
"name" : "[variables('nodeSubnetName')]",
"properties" : {
"addressPrefix" : "[variables('nodeSubnetPrefix')]",
"serviceEndpoints": [],
"networkSecurityGroup" : {
"id" : "[resourceId('Microsoft.Network/networkSecurityGroups', variables('clusterNsgName'))]"
}
}
}
]
}
},
{
"type" : "Microsoft.Network/networkSecurityGroups",
"name" : "[variables('clusterNsgName')]",
"apiVersion" : "2018-10-01",
"location" : "[variables('location')]",
"properties" : {
"securityRules" : [
{
"name" : "apiserver_in",
"properties" : {
"protocol" : "Tcp",
"sourcePortRange" : "*",
"destinationPortRange" : "6443",
"sourceAddressPrefix" : "*",
"destinationAddressPrefix" : "*",
"access" : "Allow",
"priority" : 101,
"direction" : "Inbound"
}
}
]
}
}
]
}
You must use a valid Fedora CoreOS (FCOS) image for Microsoft Azure for your OKD nodes.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Store the FCOS virtual hard disk (VHD) cluster image in an Azure storage container.
Store the bootstrap Ignition config file in an Azure storage container.
Copy the template from the ARM template for image storage section of
this topic and save it as 02_storage.json
in your cluster’s installation directory. This template
describes the image storage that your cluster requires.
Export the FCOS VHD blob URL as a variable:
$ export VHD_BLOB_URL=`az storage blob url --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -c vhd -n "rhcos.vhd" -o tsv`
Deploy the cluster image:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/02_storage.json" \
--parameters vhdBlobURL="${VHD_BLOB_URL}" \ (1)
--parameters baseName="${INFRA_ID}" \ (2)
--parameters storageAccount="${CLUSTER_NAME}sa" \ (3)
--parameters architecture="<architecture>" (4)
1 | The blob URL of the FCOS VHD to be used to create master and worker machines. |
2 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
3 | The name of your Azure storage account. |
4 | Specify the system architecture. Valid values are x64 (default) or Arm64 . |
You can use the following Azure Resource Manager (ARM) template to deploy the stored Fedora CoreOS (FCOS) image that you need for your OKD cluster:
02_storage.json
ARM template{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"architecture": {
"type": "string",
"metadata": {
"description": "The architecture of the Virtual Machines"
},
"defaultValue": "x64",
"allowedValues": [
"Arm64",
"x64"
]
},
"baseName": {
"type": "string",
"minLength": 1,
"metadata": {
"description": "Base name to be used in resource names (usually the cluster's Infra ID)"
}
},
"storageAccount": {
"type": "string",
"metadata": {
"description": "The Storage Account name"
}
},
"vhdBlobURL": {
"type": "string",
"metadata": {
"description": "URL pointing to the blob where the VHD to be used to create master and worker machines is located"
}
}
},
"variables": {
"location": "[resourceGroup().location]",
"galleryName": "[concat('gallery_', replace(parameters('baseName'), '-', '_'))]",
"imageName": "[parameters('baseName')]",
"imageNameGen2": "[concat(parameters('baseName'), '-gen2')]",
"imageRelease": "1.0.0"
},
"resources": [
{
"apiVersion": "2021-10-01",
"type": "Microsoft.Compute/galleries",
"name": "[variables('galleryName')]",
"location": "[variables('location')]",
"resources": [
{
"apiVersion": "2021-10-01",
"type": "images",
"name": "[variables('imageName')]",
"location": "[variables('location')]",
"dependsOn": [
"[variables('galleryName')]"
],
"properties": {
"architecture": "[parameters('architecture')]",
"hyperVGeneration": "V1",
"identifier": {
"offer": "rhcos",
"publisher": "RedHat",
"sku": "basic"
},
"osState": "Generalized",
"osType": "Linux"
},
"resources": [
{
"apiVersion": "2021-10-01",
"type": "versions",
"name": "[variables('imageRelease')]",
"location": "[variables('location')]",
"dependsOn": [
"[variables('imageName')]"
],
"properties": {
"publishingProfile": {
"storageAccountType": "Standard_LRS",
"targetRegions": [
{
"name": "[variables('location')]",
"regionalReplicaCount": "1"
}
]
},
"storageProfile": {
"osDiskImage": {
"source": {
"id": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount'))]",
"uri": "[parameters('vhdBlobURL')]"
}
}
}
}
}
]
},
{
"apiVersion": "2021-10-01",
"type": "images",
"name": "[variables('imageNameGen2')]",
"location": "[variables('location')]",
"dependsOn": [
"[variables('galleryName')]"
],
"properties": {
"architecture": "[parameters('architecture')]",
"hyperVGeneration": "V2",
"identifier": {
"offer": "rhcos-gen2",
"publisher": "RedHat-gen2",
"sku": "gen2"
},
"osState": "Generalized",
"osType": "Linux"
},
"resources": [
{
"apiVersion": "2021-10-01",
"type": "versions",
"name": "[variables('imageRelease')]",
"location": "[variables('location')]",
"dependsOn": [
"[variables('imageNameGen2')]"
],
"properties": {
"publishingProfile": {
"storageAccountType": "Standard_LRS",
"targetRegions": [
{
"name": "[variables('location')]",
"regionalReplicaCount": "1"
}
]
},
"storageProfile": {
"osDiskImage": {
"source": {
"id": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccount'))]",
"uri": "[parameters('vhdBlobURL')]"
}
}
}
}
}
]
}
]
}
]
}
All the Fedora CoreOS (FCOS) machines require networking to be configured in initramfs
during boot
to fetch their Ignition config files.
You must configure the network connectivity between machines to allow OKD cluster components to communicate. Each machine must be able to resolve the hostnames of all other machines in the cluster.
This section provides details about the ports that are required.
In connected OKD environments, all nodes are required to have internet access to pull images for platform containers and provide telemetry data to Red Hat. |
Protocol | Port | Description |
---|---|---|
ICMP |
N/A |
Network reachability tests |
TCP |
|
Metrics |
|
Host level services, including the node exporter on ports |
|
|
The default ports that Kubernetes reserves |
|
UDP |
|
VXLAN |
|
Geneve |
|
|
Host level services, including the node exporter on ports |
|
|
IPsec IKE packets |
|
|
IPsec NAT-T packets |
|
|
Network Time Protocol (NTP) on UDP port If an external NTP time server is configured, you must open UDP port |
|
TCP/UDP |
|
Kubernetes node port |
ESP |
N/A |
IPsec Encapsulating Security Payload (ESP) |
Protocol | Port | Description |
---|---|---|
TCP |
|
Kubernetes API |
Protocol | Port | Description |
---|---|---|
TCP |
|
etcd server and peer ports |
You must configure networking and load balancing in Microsoft Azure for your OKD cluster to use. One way to create these components is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your Azure infrastructure, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs. |
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create and configure a VNet and associated subnets in Azure.
Copy the template from the ARM template for the network and load balancers
section of this topic and save it as 03_infra.json
in your cluster’s installation directory. This
template describes the networking and load balancing objects that your cluster
requires.
Create the deployment by using the az
CLI:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/03_infra.json" \
--parameters privateDNSZoneName="${CLUSTER_NAME}.${BASE_DOMAIN}" \ (1)
--parameters baseName="${INFRA_ID}"(2)
1 | The name of the private DNS zone. |
2 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
Create an api
DNS record in the public zone for the API public load
balancer. The ${BASE_DOMAIN_RESOURCE_GROUP}
variable must point to the
resource group where the public DNS zone exists.
Export the following variable:
$ export PUBLIC_IP=`az network public-ip list -g ${RESOURCE_GROUP} --query "[?name=='${INFRA_ID}-master-pip'] | [0].ipAddress" -o tsv`
Create the api
DNS record in a new public zone:
$ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n api -a ${PUBLIC_IP} --ttl 60
If you are adding the cluster to an existing public zone, you can create the api
DNS record in it instead:
$ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${BASE_DOMAIN} -n api.${CLUSTER_NAME} -a ${PUBLIC_IP} --ttl 60
You can use the following Azure Resource Manager (ARM) template to deploy the networking objects and load balancers that you need for your OKD cluster:
03_infra.json
ARM template{
"$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"baseName" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Base name to be used in resource names (usually the cluster's Infra ID)"
}
},
"vnetBaseName": {
"type": "string",
"defaultValue": "",
"metadata" : {
"description" : "The specific customer vnet's base name (optional)"
}
},
"privateDNSZoneName" : {
"type" : "string",
"metadata" : {
"description" : "Name of the private DNS zone"
}
}
},
"variables" : {
"location" : "[resourceGroup().location]",
"virtualNetworkName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-vnet')]",
"virtualNetworkID" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
"masterSubnetName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-master-subnet')]",
"masterSubnetRef" : "[concat(variables('virtualNetworkID'), '/subnets/', variables('masterSubnetName'))]",
"masterPublicIpAddressName" : "[concat(parameters('baseName'), '-master-pip')]",
"masterPublicIpAddressID" : "[resourceId('Microsoft.Network/publicIPAddresses', variables('masterPublicIpAddressName'))]",
"masterLoadBalancerName" : "[parameters('baseName')]",
"masterLoadBalancerID" : "[resourceId('Microsoft.Network/loadBalancers', variables('masterLoadBalancerName'))]",
"internalLoadBalancerName" : "[concat(parameters('baseName'), '-internal-lb')]",
"internalLoadBalancerID" : "[resourceId('Microsoft.Network/loadBalancers', variables('internalLoadBalancerName'))]",
"skuName": "Standard"
},
"resources" : [
{
"apiVersion" : "2018-12-01",
"type" : "Microsoft.Network/publicIPAddresses",
"name" : "[variables('masterPublicIpAddressName')]",
"location" : "[variables('location')]",
"sku": {
"name": "[variables('skuName')]"
},
"properties" : {
"publicIPAllocationMethod" : "Static",
"dnsSettings" : {
"domainNameLabel" : "[variables('masterPublicIpAddressName')]"
}
}
},
{
"apiVersion" : "2018-12-01",
"type" : "Microsoft.Network/loadBalancers",
"name" : "[variables('masterLoadBalancerName')]",
"location" : "[variables('location')]",
"sku": {
"name": "[variables('skuName')]"
},
"dependsOn" : [
"[concat('Microsoft.Network/publicIPAddresses/', variables('masterPublicIpAddressName'))]"
],
"properties" : {
"frontendIPConfigurations" : [
{
"name" : "public-lb-ip-v4",
"properties" : {
"publicIPAddress" : {
"id" : "[variables('masterPublicIpAddressID')]"
}
}
}
],
"backendAddressPools" : [
{
"name" : "[variables('masterLoadBalancerName')]"
}
],
"loadBalancingRules" : [
{
"name" : "api-internal",
"properties" : {
"frontendIPConfiguration" : {
"id" :"[concat(variables('masterLoadBalancerID'), '/frontendIPConfigurations/public-lb-ip-v4')]"
},
"backendAddressPool" : {
"id" : "[concat(variables('masterLoadBalancerID'), '/backendAddressPools/', variables('masterLoadBalancerName'))]"
},
"protocol" : "Tcp",
"loadDistribution" : "Default",
"idleTimeoutInMinutes" : 30,
"frontendPort" : 6443,
"backendPort" : 6443,
"probe" : {
"id" : "[concat(variables('masterLoadBalancerID'), '/probes/api-internal-probe')]"
}
}
}
],
"probes" : [
{
"name" : "api-internal-probe",
"properties" : {
"protocol" : "Https",
"port" : 6443,
"requestPath": "/readyz",
"intervalInSeconds" : 10,
"numberOfProbes" : 3
}
}
]
}
},
{
"apiVersion" : "2018-12-01",
"type" : "Microsoft.Network/loadBalancers",
"name" : "[variables('internalLoadBalancerName')]",
"location" : "[variables('location')]",
"sku": {
"name": "[variables('skuName')]"
},
"properties" : {
"frontendIPConfigurations" : [
{
"name" : "internal-lb-ip",
"properties" : {
"privateIPAllocationMethod" : "Dynamic",
"subnet" : {
"id" : "[variables('masterSubnetRef')]"
},
"privateIPAddressVersion" : "IPv4"
}
}
],
"backendAddressPools" : [
{
"name" : "internal-lb-backend"
}
],
"loadBalancingRules" : [
{
"name" : "api-internal",
"properties" : {
"frontendIPConfiguration" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/frontendIPConfigurations/internal-lb-ip')]"
},
"frontendPort" : 6443,
"backendPort" : 6443,
"enableFloatingIP" : false,
"idleTimeoutInMinutes" : 30,
"protocol" : "Tcp",
"enableTcpReset" : false,
"loadDistribution" : "Default",
"backendAddressPool" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/backendAddressPools/internal-lb-backend')]"
},
"probe" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/probes/api-internal-probe')]"
}
}
},
{
"name" : "sint",
"properties" : {
"frontendIPConfiguration" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/frontendIPConfigurations/internal-lb-ip')]"
},
"frontendPort" : 22623,
"backendPort" : 22623,
"enableFloatingIP" : false,
"idleTimeoutInMinutes" : 30,
"protocol" : "Tcp",
"enableTcpReset" : false,
"loadDistribution" : "Default",
"backendAddressPool" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/backendAddressPools/internal-lb-backend')]"
},
"probe" : {
"id" : "[concat(variables('internalLoadBalancerID'), '/probes/sint-probe')]"
}
}
}
],
"probes" : [
{
"name" : "api-internal-probe",
"properties" : {
"protocol" : "Https",
"port" : 6443,
"requestPath": "/readyz",
"intervalInSeconds" : 10,
"numberOfProbes" : 3
}
},
{
"name" : "sint-probe",
"properties" : {
"protocol" : "Https",
"port" : 22623,
"requestPath": "/healthz",
"intervalInSeconds" : 10,
"numberOfProbes" : 3
}
}
]
}
},
{
"apiVersion": "2018-09-01",
"type": "Microsoft.Network/privateDnsZones/A",
"name": "[concat(parameters('privateDNSZoneName'), '/api')]",
"location" : "[variables('location')]",
"dependsOn" : [
"[concat('Microsoft.Network/loadBalancers/', variables('internalLoadBalancerName'))]"
],
"properties": {
"ttl": 60,
"aRecords": [
{
"ipv4Address": "[reference(variables('internalLoadBalancerName')).frontendIPConfigurations[0].properties.privateIPAddress]"
}
]
}
},
{
"apiVersion": "2018-09-01",
"type": "Microsoft.Network/privateDnsZones/A",
"name": "[concat(parameters('privateDNSZoneName'), '/api-int')]",
"location" : "[variables('location')]",
"dependsOn" : [
"[concat('Microsoft.Network/loadBalancers/', variables('internalLoadBalancerName'))]"
],
"properties": {
"ttl": 60,
"aRecords": [
{
"ipv4Address": "[reference(variables('internalLoadBalancerName')).frontendIPConfigurations[0].properties.privateIPAddress]"
}
]
}
}
]
}
You must create the bootstrap machine in Microsoft Azure to use during OKD cluster initialization. One way to create this machine is to modify the provided Azure Resource Manager (ARM) template.
If you do not use the provided ARM template to create your bootstrap machine, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, you might have to contact Red Hat support with your installation logs. |
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create and configure a VNet and associated subnets in Azure.
Create and configure networking and load balancers in Azure.
Create control plane and compute roles.
Copy the template from the ARM template for the bootstrap machine section of
this topic and save it as 04_bootstrap.json
in your cluster’s installation directory. This template
describes the bootstrap machine that your cluster requires.
Export the bootstrap URL variable:
$ bootstrap_url_expiry=`date -u -d "10 hours" '+%Y-%m-%dT%H:%MZ'`
$ export BOOTSTRAP_URL=`az storage blob generate-sas -c 'files' -n 'bootstrap.ign' --https-only --full-uri --permissions r --expiry $bootstrap_url_expiry --account-name ${CLUSTER_NAME}sa --account-key ${ACCOUNT_KEY} -o tsv`
Export the bootstrap ignition variable:
$ export BOOTSTRAP_IGNITION=`jq -rcnM --arg v "3.2.0" --arg url ${BOOTSTRAP_URL} '{ignition:{version:$v,config:{replace:{source:$url}}}}' | base64 | tr -d '\n'`
Create the deployment by using the az
CLI:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/04_bootstrap.json" \
--parameters bootstrapIgnition="${BOOTSTRAP_IGNITION}" \ (1)
--parameters baseName="${INFRA_ID}" \ (2)
--parameter bootstrapVMSize="Standard_D4s_v3" (3)
1 | The bootstrap Ignition content for the bootstrap cluster. |
2 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
3 | Optional: Specify the size of the bootstrap VM. Use a VM size compatible with your specified architecture. If this value is not defined, the default value from the template is set. |
You can use the following Azure Resource Manager (ARM) template to deploy the bootstrap machine that you need for your OKD cluster:
04_bootstrap.json
ARM template{
"$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"baseName" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Base name to be used in resource names (usually the cluster's Infra ID)"
}
},
"vnetBaseName": {
"type": "string",
"defaultValue": "",
"metadata" : {
"description" : "The specific customer vnet's base name (optional)"
}
},
"bootstrapIgnition" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Bootstrap ignition content for the bootstrap cluster"
}
},
"sshKeyData" : {
"type" : "securestring",
"defaultValue" : "Unused",
"metadata" : {
"description" : "Unused"
}
},
"bootstrapVMSize" : {
"type" : "string",
"defaultValue" : "Standard_D4s_v3",
"metadata" : {
"description" : "The size of the Bootstrap Virtual Machine"
}
},
"hyperVGen": {
"type": "string",
"metadata": {
"description": "VM generation image to use"
},
"defaultValue": "V2",
"allowedValues": [
"V1",
"V2"
]
}
},
"variables" : {
"location" : "[resourceGroup().location]",
"virtualNetworkName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-vnet')]",
"virtualNetworkID" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
"masterSubnetName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-master-subnet')]",
"masterSubnetRef" : "[concat(variables('virtualNetworkID'), '/subnets/', variables('masterSubnetName'))]",
"masterLoadBalancerName" : "[parameters('baseName')]",
"internalLoadBalancerName" : "[concat(parameters('baseName'), '-internal-lb')]",
"sshKeyPath" : "/home/core/.ssh/authorized_keys",
"identityName" : "[concat(parameters('baseName'), '-identity')]",
"vmName" : "[concat(parameters('baseName'), '-bootstrap')]",
"nicName" : "[concat(variables('vmName'), '-nic')]",
"galleryName": "[concat('gallery_', replace(parameters('baseName'), '-', '_'))]",
"imageName" : "[concat(parameters('baseName'), if(equals(parameters('hyperVGen'), 'V2'), '-gen2', ''))]",
"clusterNsgName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-nsg')]",
"sshPublicIpAddressName" : "[concat(variables('vmName'), '-ssh-pip')]"
},
"resources" : [
{
"apiVersion" : "2018-12-01",
"type" : "Microsoft.Network/publicIPAddresses",
"name" : "[variables('sshPublicIpAddressName')]",
"location" : "[variables('location')]",
"sku": {
"name": "Standard"
},
"properties" : {
"publicIPAllocationMethod" : "Static",
"dnsSettings" : {
"domainNameLabel" : "[variables('sshPublicIpAddressName')]"
}
}
},
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Network/networkInterfaces",
"name" : "[variables('nicName')]",
"location" : "[variables('location')]",
"dependsOn" : [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('sshPublicIpAddressName'))]"
],
"properties" : {
"ipConfigurations" : [
{
"name" : "pipConfig",
"properties" : {
"privateIPAllocationMethod" : "Dynamic",
"publicIPAddress": {
"id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('sshPublicIpAddressName'))]"
},
"subnet" : {
"id" : "[variables('masterSubnetRef')]"
},
"loadBalancerBackendAddressPools" : [
{
"id" : "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('masterLoadBalancerName'), '/backendAddressPools/', variables('masterLoadBalancerName'))]"
},
{
"id" : "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('internalLoadBalancerName'), '/backendAddressPools/internal-lb-backend')]"
}
]
}
}
]
}
},
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Compute/virtualMachines",
"name" : "[variables('vmName')]",
"location" : "[variables('location')]",
"identity" : {
"type" : "userAssigned",
"userAssignedIdentities" : {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]" : {}
}
},
"dependsOn" : [
"[concat('Microsoft.Network/networkInterfaces/', variables('nicName'))]"
],
"properties" : {
"hardwareProfile" : {
"vmSize" : "[parameters('bootstrapVMSize')]"
},
"osProfile" : {
"computerName" : "[variables('vmName')]",
"adminUsername" : "core",
"adminPassword" : "NotActuallyApplied!",
"customData" : "[parameters('bootstrapIgnition')]",
"linuxConfiguration" : {
"disablePasswordAuthentication" : false
}
},
"storageProfile" : {
"imageReference": {
"id": "[resourceId('Microsoft.Compute/galleries/images', variables('galleryName'), variables('imageName'))]"
},
"osDisk" : {
"name": "[concat(variables('vmName'),'_OSDisk')]",
"osType" : "Linux",
"createOption" : "FromImage",
"managedDisk": {
"storageAccountType": "Premium_LRS"
},
"diskSizeGB" : 100
}
},
"networkProfile" : {
"networkInterfaces" : [
{
"id" : "[resourceId('Microsoft.Network/networkInterfaces', variables('nicName'))]"
}
]
}
}
},
{
"apiVersion" : "2018-06-01",
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"name" : "[concat(variables('clusterNsgName'), '/bootstrap_ssh_in')]",
"location" : "[variables('location')]",
"dependsOn" : [
"[resourceId('Microsoft.Compute/virtualMachines', variables('vmName'))]"
],
"properties": {
"protocol" : "Tcp",
"sourcePortRange" : "*",
"destinationPortRange" : "22",
"sourceAddressPrefix" : "*",
"destinationAddressPrefix" : "*",
"access" : "Allow",
"priority" : 100,
"direction" : "Inbound"
}
}
]
}
You must create the control plane machines in Microsoft Azure for your cluster to use. One way to create these machines is to modify the provided Azure Resource Manager (ARM) template.
By default, Microsoft Azure places control plane machines and compute machines in a pre-set availability zone. You can manually set an availability zone for a compute node or control plane node. To do this, modify a vendor’s Azure Resource Manager (ARM) template by specifying each of your availability zones in the |
If you do not use the provided ARM template to create your control plane machines, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, consider contacting Red Hat support with your installation logs.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create and configure a VNet and associated subnets in Azure.
Create and configure networking and load balancers in Azure.
Create control plane and compute roles.
Create the bootstrap machine.
Copy the template from the ARM template for control plane machines
section of this topic and save it as 05_masters.json
in your cluster’s installation directory.
This template describes the control plane machines that your cluster requires.
Export the following variable needed by the control plane machine deployment:
$ export MASTER_IGNITION=`cat <installation_directory>/master.ign | base64 | tr -d '\n'`
Create the deployment by using the az
CLI:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/05_masters.json" \
--parameters masterIgnition="${MASTER_IGNITION}" \ (1)
--parameters baseName="${INFRA_ID}" \ (2)
--parameters masterVMSize="Standard_D8s_v3" (3)
1 | The Ignition content for the control plane nodes. |
2 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
3 | Optional: Specify the size of the Control Plane VM. Use a VM size compatible with your specified architecture. If this value is not defined, the default value from the template is set. |
You can use the following Azure Resource Manager (ARM) template to deploy the control plane machines that you need for your OKD cluster:
05_masters.json
ARM template{
"$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"baseName" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Base name to be used in resource names (usually the cluster's Infra ID)"
}
},
"vnetBaseName": {
"type": "string",
"defaultValue": "",
"metadata" : {
"description" : "The specific customer vnet's base name (optional)"
}
},
"masterIgnition" : {
"type" : "string",
"metadata" : {
"description" : "Ignition content for the master nodes"
}
},
"numberOfMasters" : {
"type" : "int",
"defaultValue" : 3,
"minValue" : 2,
"maxValue" : 30,
"metadata" : {
"description" : "Number of OpenShift masters to deploy"
}
},
"sshKeyData" : {
"type" : "securestring",
"defaultValue" : "Unused",
"metadata" : {
"description" : "Unused"
}
},
"privateDNSZoneName" : {
"type" : "string",
"defaultValue" : "",
"metadata" : {
"description" : "unused"
}
},
"masterVMSize" : {
"type" : "string",
"defaultValue" : "Standard_D8s_v3",
"metadata" : {
"description" : "The size of the Master Virtual Machines"
}
},
"diskSizeGB" : {
"type" : "int",
"defaultValue" : 1024,
"metadata" : {
"description" : "Size of the Master VM OS disk, in GB"
}
},
"hyperVGen": {
"type": "string",
"metadata": {
"description": "VM generation image to use"
},
"defaultValue": "V2",
"allowedValues": [
"V1",
"V2"
]
}
},
"variables" : {
"location" : "[resourceGroup().location]",
"virtualNetworkName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-vnet')]",
"virtualNetworkID" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
"masterSubnetName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-master-subnet')]",
"masterSubnetRef" : "[concat(variables('virtualNetworkID'), '/subnets/', variables('masterSubnetName'))]",
"masterLoadBalancerName" : "[parameters('baseName')]",
"internalLoadBalancerName" : "[concat(parameters('baseName'), '-internal-lb')]",
"sshKeyPath" : "/home/core/.ssh/authorized_keys",
"identityName" : "[concat(parameters('baseName'), '-identity')]",
"galleryName": "[concat('gallery_', replace(parameters('baseName'), '-', '_'))]",
"imageName" : "[concat(parameters('baseName'), if(equals(parameters('hyperVGen'), 'V2'), '-gen2', ''))]",
"copy" : [
{
"name" : "vmNames",
"count" : "[parameters('numberOfMasters')]",
"input" : "[concat(parameters('baseName'), '-master-', copyIndex('vmNames'))]"
}
]
},
"resources" : [
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Network/networkInterfaces",
"copy" : {
"name" : "nicCopy",
"count" : "[length(variables('vmNames'))]"
},
"name" : "[concat(variables('vmNames')[copyIndex()], '-nic')]",
"location" : "[variables('location')]",
"properties" : {
"ipConfigurations" : [
{
"name" : "pipConfig",
"properties" : {
"privateIPAllocationMethod" : "Dynamic",
"subnet" : {
"id" : "[variables('masterSubnetRef')]"
},
"loadBalancerBackendAddressPools" : [
{
"id" : "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('masterLoadBalancerName'), '/backendAddressPools/', variables('masterLoadBalancerName'))]"
},
{
"id" : "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Network/loadBalancers/', variables('internalLoadBalancerName'), '/backendAddressPools/internal-lb-backend')]"
}
]
}
}
]
}
},
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Compute/virtualMachines",
"copy" : {
"name" : "vmCopy",
"count" : "[length(variables('vmNames'))]"
},
"name" : "[variables('vmNames')[copyIndex()]]",
"location" : "[variables('location')]",
"identity" : {
"type" : "userAssigned",
"userAssignedIdentities" : {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]" : {}
}
},
"dependsOn" : [
"[concat('Microsoft.Network/networkInterfaces/', concat(variables('vmNames')[copyIndex()], '-nic'))]"
],
"properties" : {
"hardwareProfile" : {
"vmSize" : "[parameters('masterVMSize')]"
},
"osProfile" : {
"computerName" : "[variables('vmNames')[copyIndex()]]",
"adminUsername" : "core",
"adminPassword" : "NotActuallyApplied!",
"customData" : "[parameters('masterIgnition')]",
"linuxConfiguration" : {
"disablePasswordAuthentication" : false
}
},
"storageProfile" : {
"imageReference": {
"id": "[resourceId('Microsoft.Compute/galleries/images', variables('galleryName'), variables('imageName'))]"
},
"osDisk" : {
"name": "[concat(variables('vmNames')[copyIndex()], '_OSDisk')]",
"osType" : "Linux",
"createOption" : "FromImage",
"caching": "ReadOnly",
"writeAcceleratorEnabled": false,
"managedDisk": {
"storageAccountType": "Premium_LRS"
},
"diskSizeGB" : "[parameters('diskSizeGB')]"
}
},
"networkProfile" : {
"networkInterfaces" : [
{
"id" : "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('vmNames')[copyIndex()], '-nic'))]",
"properties": {
"primary": false
}
}
]
}
}
}
]
}
After you create all of the required infrastructure in Microsoft Azure, wait for the bootstrap process to complete on the machines that you provisioned by using the Ignition config files that you generated with the installation program.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create and configure a VNet and associated subnets in Azure.
Create and configure networking and load balancers in Azure.
Create control plane and compute roles.
Create the bootstrap machine.
Create the control plane machines.
Change to the directory that contains the installation program and run the following command:
$ ./openshift-install wait-for bootstrap-complete --dir <installation_directory> \ (1)
--log-level info (2)
1 | For <installation_directory> , specify the path to the directory that you
stored the installation files in. |
2 | To view different installation details, specify warn , debug , or
error instead of info . |
If the command exits without a FATAL
warning, your production control plane
has initialized.
Delete the bootstrap resources:
$ az network nsg rule delete -g ${RESOURCE_GROUP} --nsg-name ${INFRA_ID}-nsg --name bootstrap_ssh_in
$ az vm stop -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap
$ az vm deallocate -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap
$ az vm delete -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap --yes
$ az disk delete -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap_OSDisk --no-wait --yes
$ az network nic delete -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap-nic --no-wait
$ az storage blob delete --account-key ${ACCOUNT_KEY} --account-name ${CLUSTER_NAME}sa --container-name files --name bootstrap.ign
$ az network public-ip delete -g ${RESOURCE_GROUP} --name ${INFRA_ID}-bootstrap-ssh-pip
If you do not delete the bootstrap server, installation may not succeed due to API traffic being routed to the bootstrap server. |
You can create worker machines in Microsoft Azure for your cluster to use by launching individual instances discretely or by automated processes outside the cluster, such as auto scaling groups. You can also take advantage of the built-in cluster scaling mechanisms and the machine API in OKD.
In this example, you manually launch one instance by using the Azure Resource
Manager (ARM) template. Additional instances can be launched by including
additional resources of type 06_workers.json
in the file.
By default, Microsoft Azure places control plane machines and compute machines in a pre-set availability zone. You can manually set an availability zone for a compute node or control plane node. To do this, modify a vendor’s ARM template by specifying each of your availability zones in the |
If you do not use the provided ARM template to create your control plane machines, you must review the provided information and manually create the infrastructure. If your cluster does not initialize correctly, consider contacting Red Hat support with your installation logs.
Configure an Azure account.
Generate the Ignition config files for your cluster.
Create and configure a VNet and associated subnets in Azure.
Create and configure networking and load balancers in Azure.
Create control plane and compute roles.
Create the bootstrap machine.
Create the control plane machines.
Copy the template from the ARM template for worker machines
section of this topic and save it as 06_workers.json
in your cluster’s installation directory. This
template describes the worker machines that your cluster requires.
Export the following variable needed by the worker machine deployment:
$ export WORKER_IGNITION=`cat <installation_directory>/worker.ign | base64 | tr -d '\n'`
Create the deployment by using the az
CLI:
$ az deployment group create -g ${RESOURCE_GROUP} \
--template-file "<installation_directory>/06_workers.json" \
--parameters workerIgnition="${WORKER_IGNITION}" \ (1)
--parameters baseName="${INFRA_ID}" \ (2)
--parameters nodeVMSize="Standard_D4s_v3" (3)
1 | The Ignition content for the worker nodes. |
2 | The base name to be used in resource names; this is usually the cluster’s infrastructure ID. |
3 | Optional: Specify the size of the compute node VM. Use a VM size compatible with your specified architecture. If this value is not defined, the default value from the template is set. |
You can use the following Azure Resource Manager (ARM) template to deploy the worker machines that you need for your OKD cluster:
06_workers.json
ARM template{
"$schema" : "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"parameters" : {
"baseName" : {
"type" : "string",
"minLength" : 1,
"metadata" : {
"description" : "Base name to be used in resource names (usually the cluster's Infra ID)"
}
},
"vnetBaseName": {
"type": "string",
"defaultValue": "",
"metadata" : {
"description" : "The specific customer vnet's base name (optional)"
}
},
"workerIgnition" : {
"type" : "string",
"metadata" : {
"description" : "Ignition content for the worker nodes"
}
},
"numberOfNodes" : {
"type" : "int",
"defaultValue" : 3,
"minValue" : 2,
"maxValue" : 30,
"metadata" : {
"description" : "Number of OpenShift compute nodes to deploy"
}
},
"sshKeyData" : {
"type" : "securestring",
"defaultValue" : "Unused",
"metadata" : {
"description" : "Unused"
}
},
"nodeVMSize" : {
"type" : "string",
"defaultValue" : "Standard_D4s_v3",
"metadata" : {
"description" : "The size of the each Node Virtual Machine"
}
},
"hyperVGen": {
"type": "string",
"metadata": {
"description": "VM generation image to use"
},
"defaultValue": "V2",
"allowedValues": [
"V1",
"V2"
]
}
},
"variables" : {
"location" : "[resourceGroup().location]",
"virtualNetworkName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-vnet')]",
"virtualNetworkID" : "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]",
"nodeSubnetName" : "[concat(if(not(empty(parameters('vnetBaseName'))), parameters('vnetBaseName'), parameters('baseName')), '-worker-subnet')]",
"nodeSubnetRef" : "[concat(variables('virtualNetworkID'), '/subnets/', variables('nodeSubnetName'))]",
"infraLoadBalancerName" : "[parameters('baseName')]",
"sshKeyPath" : "/home/capi/.ssh/authorized_keys",
"identityName" : "[concat(parameters('baseName'), '-identity')]",
"galleryName": "[concat('gallery_', replace(parameters('baseName'), '-', '_'))]",
"imageName" : "[concat(parameters('baseName'), if(equals(parameters('hyperVGen'), 'V2'), '-gen2', ''))]",
"copy" : [
{
"name" : "vmNames",
"count" : "[parameters('numberOfNodes')]",
"input" : "[concat(parameters('baseName'), '-worker-', variables('location'), '-', copyIndex('vmNames', 1))]"
}
]
},
"resources" : [
{
"apiVersion" : "2019-05-01",
"name" : "[concat('node', copyIndex())]",
"type" : "Microsoft.Resources/deployments",
"copy" : {
"name" : "nodeCopy",
"count" : "[length(variables('vmNames'))]"
},
"properties" : {
"mode" : "Incremental",
"template" : {
"$schema" : "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion" : "1.0.0.0",
"resources" : [
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Network/networkInterfaces",
"name" : "[concat(variables('vmNames')[copyIndex()], '-nic')]",
"location" : "[variables('location')]",
"properties" : {
"ipConfigurations" : [
{
"name" : "pipConfig",
"properties" : {
"privateIPAllocationMethod" : "Dynamic",
"subnet" : {
"id" : "[variables('nodeSubnetRef')]"
}
}
}
]
}
},
{
"apiVersion" : "2018-06-01",
"type" : "Microsoft.Compute/virtualMachines",
"name" : "[variables('vmNames')[copyIndex()]]",
"location" : "[variables('location')]",
"tags" : {
"kubernetes.io-cluster-ffranzupi": "owned"
},
"identity" : {
"type" : "userAssigned",
"userAssignedIdentities" : {
"[resourceID('Microsoft.ManagedIdentity/userAssignedIdentities/', variables('identityName'))]" : {}
}
},
"dependsOn" : [
"[concat('Microsoft.Network/networkInterfaces/', concat(variables('vmNames')[copyIndex()], '-nic'))]"
],
"properties" : {
"hardwareProfile" : {
"vmSize" : "[parameters('nodeVMSize')]"
},
"osProfile" : {
"computerName" : "[variables('vmNames')[copyIndex()]]",
"adminUsername" : "capi",
"adminPassword" : "NotActuallyApplied!",
"customData" : "[parameters('workerIgnition')]",
"linuxConfiguration" : {
"disablePasswordAuthentication" : false
}
},
"storageProfile" : {
"imageReference": {
"id": "[resourceId('Microsoft.Compute/galleries/images', variables('galleryName'), variables('imageName'))]"
},
"osDisk" : {
"name": "[concat(variables('vmNames')[copyIndex()],'_OSDisk')]",
"osType" : "Linux",
"createOption" : "FromImage",
"managedDisk": {
"storageAccountType": "Premium_LRS"
},
"diskSizeGB": 128
}
},
"networkProfile" : {
"networkInterfaces" : [
{
"id" : "[resourceId('Microsoft.Network/networkInterfaces', concat(variables('vmNames')[copyIndex()], '-nic'))]",
"properties": {
"primary": true
}
}
]
}
}
}
]
}
}
}
]
}
You can install the OpenShift CLI (oc
) to interact with
OKD
from a command-line interface. You can install oc
on Linux, Windows, or macOS.
If you installed an earlier version of |
You can install the OpenShift CLI (oc
) binary on Linux by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.tar.gz
.
Unpack the archive:
$ tar xvf <file>
Place the oc
binary in a directory that is on your PATH
.
To check your PATH
, execute the following command:
$ echo $PATH
After you install the OpenShift CLI, it is available using the oc
command:
$ oc <command>
You can install the OpenShift CLI (oc
) binary on Windows by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.zip
.
Unzip the archive with a ZIP program.
Move the oc
binary to a directory that is on your PATH
.
To check your PATH
, open the command prompt and execute the following command:
C:\> path
After you install the OpenShift CLI, it is available using the oc
command:
C:\> oc <command>
You can install the OpenShift CLI (oc
) binary on macOS by using the following procedure.
Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.
Download oc.tar.gz
.
Unpack and unzip the archive.
Move the oc
binary to a directory on your PATH.
To check your PATH
, open a terminal and execute the following command:
$ echo $PATH
Verify your installation by using an oc
command:
$ oc <command>
You can log in to your cluster as a default system user by exporting the cluster kubeconfig
file.
The kubeconfig
file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server.
The file is specific to a cluster and is created during OKD installation.
You deployed an OKD cluster.
You installed the oc
CLI.
Export the kubeadmin
credentials:
$ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)
1 | For <installation_directory> , specify the path to the directory that you stored
the installation files in. |
Verify you can run oc
commands successfully using the exported configuration:
$ oc whoami
system:admin
When you add machines to a cluster, two pending certificate signing requests (CSRs) are generated for each machine that you added. You must confirm that these CSRs are approved or, if necessary, approve them yourself. The client requests must be approved first, followed by the server requests.
You added machines to your cluster.
Confirm that the cluster recognizes the machines:
$ oc get nodes
NAME STATUS ROLES AGE VERSION
master-0 Ready master 63m v1.30.3
master-1 Ready master 63m v1.30.3
master-2 Ready master 64m v1.30.3
The output lists all of the machines that you created.
The preceding output might not include the compute nodes, also known as worker nodes, until some CSRs are approved. |
Review the pending CSRs and ensure that you see the client requests with the Pending
or Approved
status for each machine that you added to the cluster:
$ oc get csr
NAME AGE REQUESTOR CONDITION
csr-8b2br 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
csr-8vnps 15m system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending
...
In this example, two machines are joining the cluster. You might see more approved CSRs in the list.
If the CSRs were not approved, after all of the pending CSRs for the machines you added are in Pending
status, approve the CSRs for your cluster machines:
Because the CSRs rotate automatically, approve your CSRs within an hour of adding the machines to the cluster. If you do not approve them within an hour, the certificates will rotate, and more than two certificates will be present for each node. You must approve all of these certificates. After the client CSR is approved, the Kubelet creates a secondary CSR for the serving certificate, which requires manual approval. Then, subsequent serving certificate renewal requests are automatically approved by the |
For clusters running on platforms that are not machine API enabled, such as bare metal and other user-provisioned infrastructure, you must implement a method of automatically approving the kubelet serving certificate requests (CSRs). If a request is not approved, then the |
To approve them individually, run the following command for each valid CSR:
$ oc adm certificate approve <csr_name> (1)
1 | <csr_name> is the name of a CSR from the list of current CSRs. |
To approve all pending CSRs, run the following command:
$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs --no-run-if-empty oc adm certificate approve
Some Operators might not become available until some CSRs are approved. |
Now that your client requests are approved, you must review the server requests for each machine that you added to the cluster:
$ oc get csr
NAME AGE REQUESTOR CONDITION
csr-bfd72 5m26s system:node:ip-10-0-50-126.us-east-2.compute.internal Pending
csr-c57lv 5m26s system:node:ip-10-0-95-157.us-east-2.compute.internal Pending
...
If the remaining CSRs are not approved, and are in the Pending
status, approve the CSRs for your cluster machines:
To approve them individually, run the following command for each valid CSR:
$ oc adm certificate approve <csr_name> (1)
1 | <csr_name> is the name of a CSR from the list of current CSRs. |
To approve all pending CSRs, run the following command:
$ oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve
After all client and server CSRs have been approved, the machines have the Ready
status. Verify this by running the following command:
$ oc get nodes
NAME STATUS ROLES AGE VERSION
master-0 Ready master 73m v1.30.3
master-1 Ready master 73m v1.30.3
master-2 Ready master 74m v1.30.3
worker-0 Ready worker 11m v1.30.3
worker-1 Ready worker 11m v1.30.3
It can take a few minutes after approval of the server CSRs for the machines to transition to the |
If you removed the DNS Zone configuration when creating Kubernetes manifests and
generating Ignition configs, you must manually create DNS records that point at
the Ingress load balancer. You can create either a wildcard
*.apps.{baseDomain}.
or specific records. You can use A, CNAME, and other
records per your requirements.
You deployed an OKD cluster on Microsoft Azure by using infrastructure that you provisioned.
Install the OpenShift CLI (oc
).
Install or update the Azure CLI.
Confirm the Ingress router has created a load balancer and populated the
EXTERNAL-IP
field:
$ oc -n openshift-ingress get service router-default
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
router-default LoadBalancer 172.30.20.10 35.130.120.110 80:32288/TCP,443:31215/TCP 20
Export the Ingress router IP as a variable:
$ export PUBLIC_IP_ROUTER=`oc -n openshift-ingress get service router-default --no-headers | awk '{print $4}'`
Add a *.apps
record to the public DNS zone.
If you are adding this cluster to a new public zone, run:
$ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n *.apps -a ${PUBLIC_IP_ROUTER} --ttl 300
If you are adding this cluster to an already existing public zone, run:
$ az network dns record-set a add-record -g ${BASE_DOMAIN_RESOURCE_GROUP} -z ${BASE_DOMAIN} -n *.apps.${CLUSTER_NAME} -a ${PUBLIC_IP_ROUTER} --ttl 300
Add a *.apps
record to the private DNS zone:
Create a *.apps
record by using the following command:
$ az network private-dns record-set a create -g ${RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n *.apps --ttl 300
Add the *.apps
record to the private DNS zone by using the following command:
$ az network private-dns record-set a add-record -g ${RESOURCE_GROUP} -z ${CLUSTER_NAME}.${BASE_DOMAIN} -n *.apps -a ${PUBLIC_IP_ROUTER}
If you prefer to add explicit domains instead of using a wildcard, you can create entries for each of the cluster’s current routes:
$ oc get --all-namespaces -o jsonpath='{range .items[*]}{range .status.ingress[*]}{.host}{"\n"}{end}{end}' routes
oauth-openshift.apps.cluster.basedomain.com
console-openshift-console.apps.cluster.basedomain.com
downloads-openshift-console.apps.cluster.basedomain.com
alertmanager-main-openshift-monitoring.apps.cluster.basedomain.com
prometheus-k8s-openshift-monitoring.apps.cluster.basedomain.com
After you start the OKD installation on Microsoft Azure user-provisioned infrastructure, you can monitor the cluster events until the cluster is ready.
Deploy the bootstrap machine for an OKD cluster on user-provisioned Azure infrastructure.
Install the oc
CLI and log in.
Complete the cluster installation:
$ ./openshift-install --dir <installation_directory> wait-for install-complete (1)
INFO Waiting up to 30m0s for the cluster to initialize...
1 | For <installation_directory> , specify the path to the directory that you
stored the installation files in. |
|
See About remote health monitoring for more information about the Telemetry service