** xref:../../installing/installing_aws/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure]
47
47
** xref:../../installing/installing_aws/installing-aws-network-customizations.adoc#installing-aws-network-customizations[Install a cluster with network customizations on installer-provisioned infrastructure]
48
48
** xref:../../installing/installing_aws/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates]
49
+
** xref:../../installing/installing_aws/installing-aws-outposts-remote-workers.adoc#installing-aws-outposts-remote-workers[Installing a cluster on AWS with remote workers on AWS Outposts]
= Installing a cluster on AWS with remote workers on AWS Outposts
4
+
include::_attributes/common-attributes.adoc[]
5
+
:context: installing-aws-outposts-remote-workers
6
+
7
+
toc::[]
8
+
9
+
In {product-title} version {product-version}, you can install a cluster on
10
+
Amazon Web Services (AWS) with remote workers running in AWS Outposts.
11
+
This can be achieved by customizing the default AWS installation and performing some manual steps.
12
+
13
+
For more info about AWS Outposts see link:https://docs.aws.amazon.com/outposts/index.html[AWS Outposts Documentation].
14
+
15
+
[IMPORTANT]
16
+
====
17
+
In order to install a cluster with remote workers in AWS Outposts, all worker instances must be located within the same Outpost instance and cannot be located in an AWS region. It is not possible for the cluster to have instances in both AWS Outposts and AWS region. In addition, it also follows that control plane nodes mustn't be schedulable.
18
+
====
19
+
20
+
== Prerequisites
21
+
22
+
* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
23
+
* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
24
+
* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster.
25
+
* You are familiar with the instance types are supported in the AWS Outpost instance you use. This can be validated with link:https://docs.aws.amazon.com/cli/latest/reference/outposts/get-outpost-instance-types.html[get-outpost-instance-types AWS CLI command]
26
+
* You are familiar with the AWS Outpost instance details, such as OutpostArn and AvailabilityZone. This can be validated with link:https://docs.aws.amazon.com/cli/latest/reference/outposts/list-outposts.html[list-outposts AWS CLI command]
27
+
+
28
+
[IMPORTANT]
29
+
====
30
+
Since the cluster uses the provided AWS credentials to create AWS resources for its entire life cycle, the credentials must be key-based and long-lived. So, If you have an AWS profile stored on your computer, it must not use a temporary session token, generated while using a multi-factor authentication device. For more information about generating the appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You may supply the keys when you run the installation program.
31
+
====
32
+
* You have access to an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). See the section "About using a custom VPC" for more information.
33
+
* If a firewall is used, it was xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured to allow the sites] that your cluster requires access to.
34
+
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, you can xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually create and maintain IAM credentials].
* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console.
70
+
* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service.
71
+
72
+
== Cluster Limitations
73
+
74
+
[IMPORTANT]
75
+
====
76
+
Network Load Balancer (NLB) and Classic Load Balancer are not supported on AWS Outposts. After the cluster is created, all the Load Balancers are created in the AWS region. In order to use Load Balancers created inside the Outpost instances, Application Load Balancer should be used. The AWS Load Balancer Operator can be used in order to achieve that goal.
77
+
78
+
If you want to use a public subnet located in the outpost instance for the ALB, you need to remove the special tag (`kubernetes.io/cluster/.*-outposts: owned`) that was added earlier during the VPC creation. This will prevent you from creating new Services of type LoadBalancer (Network Load Balancer).
79
+
80
+
See xref:../../networking/aws_load_balancer_operator/understanding-aws-load-balancer-operator.adoc[Understanding the AWS Load Balancer Operator] for more information
81
+
====
82
+
83
+
[IMPORTANT]
84
+
====
85
+
Persistent storage using AWS Elastic Block Store limitations
86
+
87
+
* AWS Outposts does not support Amazon Elastic Block Store (EBS) gp3 volumes. After installation, the cluster includes two storage classes - gp3-csi and gp2-csi, with gp3-csi being the default storage class. It is important to always use gp2-csi. You can change the default storage class using the following OpenShift CLI (oc) commands:
* To create a Volume in the Outpost instance, the CSI driver determines the Outpost ARN based on the topology keys stored on the CSINode objects. To ensure that the CSI driver uses the correct topology values, it is necessary to use the `WaitForConsumer` volume binding mode and avoid setting allowed topologies on any new storage class created.
95
+
====
96
+
97
+
== Next steps
98
+
99
+
* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation].
100
+
* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
101
+
* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
102
+
* If necessary, you can xref:../../authentication/managing_cloud_provider_credentials/cco-mode-mint.adoc#manually-removing-cloud-creds_cco-mode-mint[remove cloud provider credentials].
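Review bot: `WaitForConsumer` in the EBS storage-class bullet (line 95 of the new file) is not a valid Kubernetes `volumeBindingMode`; the value is `WaitForFirstConsumer`. The distinction matters for the point the bullet is making: only `WaitForFirstConsumer` delays binding until the pod is scheduled, which is what lets the CSI driver read the Outpost topology from the CSINode of the chosen node. Suggest `it is necessary to use the `WaitForFirstConsumer` volume binding mode`. Two smaller points in the same file: in the first IMPORTANT block, "control plane nodes mustn't be schedulable" should be "must not be schedulable" to match the register of the surrounding docs, and in the load balancer IMPORTANT block it would help to say which subnet carries the `kubernetes.io/cluster/.*-outposts: owned` tag (the Outpost public subnet), since removing it is what disables `LoadBalancer` Services of the NLB type for that subnet.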
@@ -301,16 +333,24 @@ accounts for the dramatically decreased machine performance. Use larger
301
333
instance types, such as `m4.2xlarge` or `m5.2xlarge`, for your machines if you
302
334
disable simultaneous multithreading.
303
335
====
304
-
<6> To configure faster storage for etcd, especially for larger clusters, set the
305
-
storage type as `io1` and set `iops` to `2000`.
336
+
ifndef::aws-outposts[]
337
+
<6> To configure faster storage for etcd, especially for larger clusters, set the storage type as `io1` and set `iops` to `2000`.
306
338
<7> Whether to require the link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html[Amazon EC2 Instance Metadata Service v2] (IMDSv2). To require IMDSv2, set the parameter value to `Required`. To allow the use of both IMDSv1 and IMDSv2, set the parameter value to `Optional`. If no value is specified, both IMDSv1 and IMDSv2 are allowed.
307
339
+
308
340
[NOTE]
309
341
====
310
342
The IMDS configuration for control plane machines that is set during cluster installation can only be changed by using the AWS CLI. The IMDS configuration for compute machines can be changed by using compute machine sets.
311
343
====
312
-
ifdef::vpc,restricted[]
313
344
<8> The cluster network plugin to install. The supported values are `OVNKubernetes` and `OpenShiftSDN`. The default value is `OVNKubernetes`.
345
+
endif::aws-outposts[]
346
+
ifdef::aws-outposts[]
347
+
<6> For compute instances running in an AWS Outpost instance, specify a supported instance type in the AWS Outpost instance.
348
+
<7> For compute instances running in AWS Outpost instance, specify the Availability Zone where the Outpost instance is located.
349
+
<8> For compute instances running in AWS Outpost instance, specify volume type gp2, to avoid using gp3 volume type which is not supported.
350
+
<9> The cluster network plugin to install. The supported values are `OVNKubernetes` and `OpenShiftSDN`. The default value is `OVNKubernetes`.
351
+
<10> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
352
+
endif::aws-outposts[]
353
+
ifdef::vpc,restricted[]
314
354
<9> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
315
355
<10> The ID of the AMI used to boot machines for the cluster. If set, the AMI
316
356
must belong to the same region as the cluster.
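Review bot: the new `ifndef::aws-outposts[]` ... `endif::aws-outposts[]` block (new lines 336-345) removes not only the etcd `io1` callout `<6>` from the Outposts build but also the IMDSv2 callout `<7>` and its NOTE, so Outposts readers get no callout telling them to set `metadataService.authentication: Required`. Unless the Outposts sample `install-config.yaml` drops the `metadataService` stanza, keep the IMDSv2 text outside the conditional and move only `<6>`. Also, the `ifdef::aws-outposts[]` branch defines `<10> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.` and the `ifdef::vpc,restricted[]` block re-added immediately after it carries the identical text as `<9>`; if an Outposts assembly ever sets `vpc`, the rendered page shows the same callout twice with different numbers. Minor: `<7>` and `<8>` read "running in AWS Outpost instance" (missing "an"), and `gp2`/`gp3` in `<8>` should be backticked like the other literals in these callouts.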
@@ -325,36 +365,32 @@ ifndef::openshift-origin[]
325
365
====
326
366
The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
327
367
====
328
-
<14> You can optionally provide the `sshKey` value that you use to access the
329
-
machines in your cluster.
368
+
<14> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
330
369
endif::openshift-origin[]
331
370
ifdef::openshift-origin[]
332
-
<13> You can optionally provide the `sshKey` value that you use to access the
333
-
machines in your cluster.
371
+
<13> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
334
372
endif::openshift-origin[]
335
373
endif::vpc,restricted[]
336
-
ifndef::vpc,restricted[]
337
-
<8> The cluster network plugin to install. The supported values are `OVNKubernetes` and `OpenShiftSDN`. The default value is `OVNKubernetes`.
338
-
<9> The ID of the AMI used to boot machines for the cluster. If set, the AMI
339
-
must belong to the same region as the cluster.
340
-
<10> The AWS service endpoints. Custom endpoints are required when installing to
341
-
an unknown AWS region. The endpoint URL must use the `https` protocol and the
342
-
host must trust the certificate.
374
+
ifndef::vpc,restricted,aws-outposts[]
375
+
<9> The ID of the AMI used to boot machines for the cluster. If set, the AMI must belong to the same region as the cluster.
376
+
<10> The AWS service endpoints. Custom endpoints are required when installing to an unknown AWS region. The endpoint URL must use the `https` protocol and the host must trust the certificate.
343
377
ifndef::openshift-origin[]
344
378
<11> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
345
379
+
346
380
[IMPORTANT]
347
381
====
348
382
The use of FIPS Validated / Modules in Process cryptographic libraries is only supported on {product-title} deployments on the `x86_64` architecture.
349
383
====
350
-
<12> You can optionally provide the `sshKey` value that you use to access the
351
-
machines in your cluster.
384
+
<12> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
352
385
endif::openshift-origin[]
353
386
ifdef::openshift-origin[]
354
387
<11> You can optionally provide the `sshKey` value that you use to access the
355
388
machines in your cluster.
356
389
endif::openshift-origin[]
357
-
endif::vpc,restricted[]
390
+
endif::vpc,restricted,aws-outposts[]
391
+
ifdef::aws-outposts[]
392
+
<11> You can optionally provide the `sshKey` value that you use to access the machines in your cluster.
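Review bot: the `ifdef::aws-outposts[]` opened at new line 391 has no matching `endif::aws-outposts[]` within this hunk; if the file ends here, the conditional is unterminated and everything that follows the include becomes conditional on `aws-outposts`. Also, the Outposts branch defines only `<11> sshKey`: the FIPS callout (`<11>` in the `ifndef::vpc,restricted,aws-outposts[]` / `ifndef::openshift-origin[]` branch, with `<12>` for `sshKey`) has no Outposts counterpart, so confirm that the Outposts sample `install-config.yaml` omits `fips:`; if it does not, the callout is missing and the `ifndef::openshift-origin[]` / `ifdef::openshift-origin[]` split used in the other branches should be mirrored here. Minor: the `<11>` sshKey callout in the unchanged `ifdef::openshift-origin[]` branch (old lines 354-356) is now the only one still wrapped across two lines while this commit joined all the others.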