Installing a cluster on vSphere in a restricted network

    • You reviewed details about the processes.

    • You read the documentation on selecting a cluster installation method and preparing it for users.

    • You created a registry on your mirror host and obtained the imageContentSources data for your version of OKD.

      Because the installation media is on the mirror host, you can use that computer to complete all installation steps.

    • You provisioned persistent storage for your cluster. To deploy a private image registry, your storage must provide the ReadWriteMany access mode.

    • The OKD installer requires access to port 443 on the vCenter and ESXi hosts. You verified that port 443 is accessible.

    • If you use a firewall, you confirmed with the administrator that port 443 is accessible. Control plane nodes must be able to reach vCenter and ESXi hosts on port 443 for the installation to succeed.

    • If you use a firewall and plan to use the Telemetry service, you configured the firewall to allow the sites that your cluster requires access to.

      If you are configuring a proxy, be sure to also review this site list.

    About installations in restricted networks

    In OKD 4.13, you can perform an installation that does not require an active connection to the internet to obtain software components. Restricted network installations can be completed using installer-provisioned infrastructure or user-provisioned infrastructure, depending on the cloud platform to which you are installing the cluster.

    If you choose to perform a restricted network installation on a cloud platform, you still require access to its cloud APIs. Some cloud functions, like Amazon Web Services’ Route 53 DNS and IAM services, require internet access. Depending on your network, you might require less internet access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.

    To complete a restricted network installation, you must create a registry that mirrors the contents of the OpenShift image registry and contains the installation media. You can create this registry on a mirror host, which can access both the internet and your closed network, or by using other methods that meet your restrictions.

    Clusters in restricted networks have the following additional limitations and restrictions:

    • The ClusterVersion status includes an Unable to retrieve available updates error.

    • By default, you cannot use the contents of the Developer Catalog because you cannot access the required image stream tags.

    VMware vSphere infrastructure requirements

    You must install the OKD cluster on a VMware vSphere version 7.0 Update 2 or later instance that meets the requirements for the components that you use.

    OKD version 4.13 supports VMware vSphere version 8.0.

    You can host the VMware vSphere infrastructure on-premise or on a that meets the requirements outlined in the following table:

    Table 1. Version requirements for vSphere virtual environments
    Virtual environment product | Required version
    VMware virtual hardware     | 15 or later
    vSphere ESXi hosts          | 7.0 Update 2 or later
    vCenter host                | 7.0 Update 2 or later

    Table 2. Minimum supported vSphere version for VMware components
    Component | Minimum supported versions | Description
    Hypervisor | vSphere 7.0 Update 2 and later with virtual hardware version 15 | This version is the minimum version that Fedora CoreOS (FCOS) supports. See the Red Hat Enterprise Linux 8 supported hypervisors list.
    Storage with in-tree drivers | vSphere 7.0 Update 2 and later | This plugin creates vSphere storage by using the in-tree storage drivers for vSphere included in OKD.
    Optional: Networking (NSX-T) | vSphere 7.0 Update 2 and later | vSphere 7.0 Update 2 is required for OKD. For more information about the compatibility of NSX and OKD, see the Release Notes section of VMware’s .

    You must ensure that the time on your ESXi hosts is synchronized before you install OKD. See Edit Time Configuration for a Host in the VMware documentation.

    Network connectivity requirements

    You must configure the network connectivity between machines to allow OKD cluster components to communicate.

    Review the following details about the required network ports.

    Table 3. Ports used for all-machine to all-machine communications
    Protocol | Port        | Description
    ICMP     | N/A         | Network reachability tests
    TCP      | 1936        | Metrics
    TCP      | 9000-9999   | Host level services, including the node exporter on ports 9100-9101 and the Cluster Version Operator on port 9099.
    TCP      | 10250-10259 | The default ports that Kubernetes reserves
    TCP      | 10256       | openshift-sdn
    UDP      | 4789        | virtual extensible LAN (VXLAN)
    UDP      | 6081        | Geneve
    UDP      | 9000-9999   | Host level services, including the node exporter on ports 9100-9101.
    UDP      | 500         | IPsec IKE packets
    UDP      | 4500        | IPsec NAT-T packets
    TCP/UDP  | 30000-32767 | Kubernetes node port
    ESP      | N/A         | IPsec Encapsulating Security Payload (ESP)

    Table 4. Ports used for all-machine to control plane communications
    Protocol | Port | Description
    TCP      | 6443 | Kubernetes API

    Table 5. Ports used for control plane machine to control plane machine communications
    Protocol | Port      | Description
    TCP      | 2379-2380 | etcd server and peer ports

    VMware vSphere CSI Driver Operator requirements

    To install the vSphere CSI Driver Operator, the following requirements must be met:

    • VMware vSphere version 7.0 Update 2 or later

    • vCenter 7.0 Update 2 or later

    • Virtual machines of hardware version 15 or later

    • No third-party vSphere CSI driver already installed in the cluster

    If a third-party vSphere CSI driver is present in the cluster, OKD does not overwrite it. The presence of a third-party vSphere CSI driver prevents OKD from upgrading to OKD 4.13 or later.

    vCenter requirements

    Before you install an OKD cluster on your vCenter that uses infrastructure that the installer provisions, you must prepare your environment.

    Required vCenter account privileges

    To install an OKD cluster in a vCenter, the installation program requires access to an account with privileges to read and create the required resources. Using an account that has global administrative privileges is the simplest way to access all of the necessary permissions.

    If you cannot use an account with global administrative privileges, you must create roles to grant the privileges necessary for OKD cluster installation. While most of the privileges are always required, some are required only if you plan for the installation program to provision a folder to contain the OKD cluster on your vCenter instance, which is the default behavior. You must create or amend vSphere roles for the specified objects to grant the required privileges.

    An additional role is required if the installation program is to create a vSphere virtual machine folder.

    Roles and privileges required for installation in vSphere API

    vSphere object for role | When required | Required privileges in vSphere API

    vSphere vCenter

    Always

    Cns.Searchable
    InventoryService.Tagging.AttachTag
    InventoryService.Tagging.CreateCategory
    InventoryService.Tagging.CreateTag
    InventoryService.Tagging.DeleteCategory
    InventoryService.Tagging.DeleteTag
    InventoryService.Tagging.EditCategory
    InventoryService.Tagging.EditTag
    Sessions.ValidateSession
    StorageProfile.Update
    StorageProfile.View

    vSphere vCenter Cluster

    If VMs will be created in the cluster root

    Host.Config.Storage
    Resource.AssignVMToPool
    VApp.AssignResourcePool
    VApp.Import
    VirtualMachine.Config.AddNewDisk

    vSphere vCenter Resource Pool

    If an existing resource pool is provided

    Host.Config.Storage
    Resource.AssignVMToPool
    VApp.AssignResourcePool
    VApp.Import
    VirtualMachine.Config.AddNewDisk

    vSphere Datastore

    Always

    Datastore.AllocateSpace
    Datastore.Browse
    Datastore.FileManagement
    InventoryService.Tagging.ObjectAttachable

    vSphere Port Group

    Always

    Network.Assign

    Virtual Machine Folder

    Always

    InventoryService.Tagging.ObjectAttachable
    Resource.AssignVMToPool
    VApp.Import
    VirtualMachine.Config.AddExistingDisk
    VirtualMachine.Config.AddNewDisk
    VirtualMachine.Config.AddRemoveDevice
    VirtualMachine.Config.AdvancedConfig
    VirtualMachine.Config.Annotation
    VirtualMachine.Config.CPUCount
    VirtualMachine.Config.DiskExtend
    VirtualMachine.Config.DiskLease
    VirtualMachine.Config.EditDevice
    VirtualMachine.Config.Memory
    VirtualMachine.Config.RemoveDisk
    VirtualMachine.Config.Rename
    VirtualMachine.Config.ResetGuestInfo
    VirtualMachine.Config.Resource
    VirtualMachine.Config.Settings
    VirtualMachine.Config.UpgradeVirtualHardware
    VirtualMachine.Interact.GuestControl
    VirtualMachine.Interact.PowerOff
    VirtualMachine.Interact.PowerOn
    VirtualMachine.Interact.Reset
    VirtualMachine.Inventory.Create
    VirtualMachine.Inventory.CreateFromExisting
    VirtualMachine.Inventory.Delete
    VirtualMachine.Provisioning.Clone
    VirtualMachine.Provisioning.MarkAsTemplate
    VirtualMachine.Provisioning.DeployTemplate

    vSphere vCenter Datacenter

    If the installation program creates the virtual machine folder

    InventoryService.Tagging.ObjectAttachable
    Resource.AssignVMToPool
    VApp.Import
    VirtualMachine.Config.AddExistingDisk
    VirtualMachine.Config.AddNewDisk
    VirtualMachine.Config.AddRemoveDevice
    VirtualMachine.Config.AdvancedConfig
    VirtualMachine.Config.Annotation
    VirtualMachine.Config.CPUCount
    VirtualMachine.Config.DiskExtend
    VirtualMachine.Config.DiskLease
    VirtualMachine.Config.EditDevice
    VirtualMachine.Config.Memory
    VirtualMachine.Config.RemoveDisk
    VirtualMachine.Config.Rename
    VirtualMachine.Config.ResetGuestInfo
    VirtualMachine.Config.Resource
    VirtualMachine.Config.Settings
    VirtualMachine.Config.UpgradeVirtualHardware
    VirtualMachine.Interact.GuestControl
    VirtualMachine.Interact.PowerOff
    VirtualMachine.Interact.PowerOn
    VirtualMachine.Interact.Reset
    VirtualMachine.Inventory.Create
    VirtualMachine.Inventory.CreateFromExisting
    VirtualMachine.Inventory.Delete
    VirtualMachine.Provisioning.Clone
    VirtualMachine.Provisioning.DeployTemplate
    VirtualMachine.Provisioning.MarkAsTemplate
    Folder.Create
    Folder.Delete

    Roles and privileges required for installation in vCenter graphical user interface (GUI)

    vSphere object for role | When required | Required privileges in vCenter GUI

    vSphere vCenter

    Always

    Cns.Searchable
    “vSphere Tagging”.”Assign or Unassign vSphere Tag”
    “vSphere Tagging”.”Create vSphere Tag Category”
    “vSphere Tagging”.”Create vSphere Tag”
    “vSphere Tagging”.”Delete vSphere Tag Category”
    “vSphere Tagging”.”Delete vSphere Tag”
    “vSphere Tagging”.”Edit vSphere Tag Category”
    “vSphere Tagging”.”Edit vSphere Tag”
    Sessions.”Validate session”
    “Profile-driven storage”.”Profile-driven storage update”
    “Profile-driven storage”.”Profile-driven storage view”

    vSphere vCenter Cluster

    If VMs will be created in the cluster root

    Host.Configuration.”Storage partition configuration”
    Resource.”Assign virtual machine to resource pool”
    VApp.”Assign resource pool”
    VApp.Import
    “Virtual machine”.”Change Configuration”.”Add new disk”

    vSphere vCenter Resource Pool

    If an existing resource pool is provided

    Host.Configuration.”Storage partition configuration”
    Resource.”Assign virtual machine to resource pool”
    VApp.”Assign resource pool”
    VApp.Import
    “Virtual machine”.”Change Configuration”.”Add new disk”

    vSphere Datastore

    Always

    Datastore.”Allocate space”
    Datastore.”Browse datastore”
    Datastore.”Low level file operations”
    “vSphere Tagging”.”Assign or Unassign vSphere Tag on Object”

    vSphere Port Group

    Always

    Network.”Assign network”

    Virtual Machine Folder

    Always

    “vSphere Tagging”.”Assign or Unassign vSphere Tag on Object”
    Resource.”Assign virtual machine to resource pool”
    VApp.Import
    “Virtual machine”.”Change Configuration”.”Add existing disk”
    “Virtual machine”.”Change Configuration”.”Add new disk”
    “Virtual machine”.”Change Configuration”.”Add or remove device”
    “Virtual machine”.”Change Configuration”.”Advanced configuration”
    “Virtual machine”.”Change Configuration”.”Set annotation”
    “Virtual machine”.”Change Configuration”.”Change CPU count”
    “Virtual machine”.”Change Configuration”.”Extend virtual disk”
    “Virtual machine”.”Change Configuration”.”Acquire disk lease”
    “Virtual machine”.”Change Configuration”.”Modify device settings”
    “Virtual machine”.”Change Configuration”.”Change Memory”
    “Virtual machine”.”Change Configuration”.”Remove disk”
    “Virtual machine”.”Change Configuration”.Rename
    “Virtual machine”.”Change Configuration”.”Reset guest information”
    “Virtual machine”.”Change Configuration”.”Change resource”
    “Virtual machine”.”Change Configuration”.”Change Settings”
    “Virtual machine”.”Change Configuration”.”Upgrade virtual machine compatibility”
    “Virtual machine”.Interaction.”Guest operating system management by VIX API”
    “Virtual machine”.Interaction.”Power off”
    “Virtual machine”.Interaction.”Power on”
    “Virtual machine”.Interaction.Reset
    “Virtual machine”.”Edit Inventory”.”Create new”
    “Virtual machine”.”Edit Inventory”.”Create from existing”
    “Virtual machine”.”Edit Inventory”.”Remove”
    “Virtual machine”.Provisioning.”Clone virtual machine”
    “Virtual machine”.Provisioning.”Mark as template”
    “Virtual machine”.Provisioning.”Deploy template”

    vSphere vCenter Datacenter

    If the installation program creates the virtual machine folder

    “vSphere Tagging”.”Assign or Unassign vSphere Tag on Object”
    Resource.”Assign virtual machine to resource pool”
    VApp.Import
    “Virtual machine”.”Change Configuration”.”Add existing disk”
    “Virtual machine”.”Change Configuration”.”Add new disk”
    “Virtual machine”.”Change Configuration”.”Add or remove device”
    “Virtual machine”.”Change Configuration”.”Advanced configuration”
    “Virtual machine”.”Change Configuration”.”Set annotation”
    “Virtual machine”.”Change Configuration”.”Change CPU count”
    “Virtual machine”.”Change Configuration”.”Extend virtual disk”
    “Virtual machine”.”Change Configuration”.”Acquire disk lease”
    “Virtual machine”.”Change Configuration”.”Modify device settings”
    “Virtual machine”.”Change Configuration”.”Change Memory”
    “Virtual machine”.”Change Configuration”.”Remove disk”
    “Virtual machine”.”Change Configuration”.Rename
    “Virtual machine”.”Change Configuration”.”Reset guest information”
    “Virtual machine”.”Change Configuration”.”Change resource”
    “Virtual machine”.”Change Configuration”.”Change Settings”
    “Virtual machine”.”Change Configuration”.”Upgrade virtual machine compatibility”
    “Virtual machine”.Interaction.”Guest operating system management by VIX API”
    “Virtual machine”.Interaction.”Power off”
    “Virtual machine”.Interaction.”Power on”
    “Virtual machine”.Interaction.Reset
    “Virtual machine”.”Edit Inventory”.”Create new”
    “Virtual machine”.”Edit Inventory”.”Create from existing”
    “Virtual machine”.”Edit Inventory”.”Remove”
    “Virtual machine”.Provisioning.”Clone virtual machine”
    “Virtual machine”.Provisioning.”Deploy template”
    “Virtual machine”.Provisioning.”Mark as template”
    Folder.”Create folder”
    Folder.”Delete folder”

    Additionally, the user requires some ReadOnly permissions, and some of the roles require permission to propagate the permissions to child objects. These settings vary depending on whether or not you install the cluster into an existing folder.

    Required permissions and propagation settings

    vSphere object | When required | Propagate to children | Permissions required
    vSphere vCenter | Always | False | Listed required privileges
    vSphere vCenter Datacenter | Existing folder | False | ReadOnly permission
    vSphere vCenter Datacenter | Installation program creates the folder | True | Listed required privileges
    vSphere vCenter Cluster | Existing resource pool | True | ReadOnly permission
    vSphere vCenter Cluster | VMs in cluster root | True | Listed required privileges
    vSphere vCenter Datastore | Always | False | Listed required privileges
    vSphere Switch | Always | False | ReadOnly permission
    vSphere Port Group | Always | False | Listed required privileges
    vSphere vCenter Virtual Machine Folder | Existing folder | True | Listed required privileges
    vSphere vCenter Resource Pool | Existing resource pool | True | Listed required privileges

    For more information about creating an account with only the required privileges, see in the vSphere documentation.
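A least-privilege check for a custom role, added here as an example (it is not part of the OKD documentation): it compares the privileges govc reports for a role against the privileges the table above always requires on the vSphere vCenter object. It assumes govc is installed and configured through GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD; the role name okd-installer in the usage line is a placeholder.

```shell
#!/bin/sh
# Check that a custom vCenter role grants every privilege OKD always needs on the
# vSphere vCenter object (added example, not from the OKD docs).
# list_role_privileges() is the only place govc is called; override it to test offline.

# Privileges required on the vSphere vCenter object (vSphere API names, from the table above).
REQUIRED_VCENTER_PRIVILEGES="
Cns.Searchable
InventoryService.Tagging.AttachTag
InventoryService.Tagging.CreateCategory
InventoryService.Tagging.CreateTag
InventoryService.Tagging.DeleteCategory
InventoryService.Tagging.DeleteTag
InventoryService.Tagging.EditCategory
InventoryService.Tagging.EditTag
Sessions.ValidateSession
StorageProfile.Update
StorageProfile.View
"

# list_role_privileges ROLE -> prints the privilege IDs granted by ROLE, one per line.
# Assumes GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD are set for govc.
list_role_privileges() {
    govc role.ls "$1"
}

# missing_privileges ROLE -> prints each required privilege that ROLE lacks.
# Returns 0 when nothing is missing, 1 when at least one privilege is missing,
# 2 when the role could not be read.
missing_privileges() {
    role=$1
    granted=$(list_role_privileges "$role") || return 2
    rc=0
    for priv in $REQUIRED_VCENTER_PRIVILEGES; do
        # -x: whole line, -F: literal (the dots in privilege IDs are not wildcards)
        if ! printf '%s\n' "$granted" | grep -qxF "$priv"; then
            echo "$priv"
            rc=1
        fi
    done
    return $rc
}

# report ROLE -> human-readable summary; exit status as for missing_privileges.
report() {
    role=$1
    missing=$(missing_privileges "$role")
    rc=$?
    case $rc in
        0) echo "role '$role' grants every required vCenter privilege" ;;
        1) echo "role '$role' is missing these required privileges:"
           printf '  %s\n' $missing ;;
        *) echo "could not read role '$role' (check govc connectivity and credentials)" >&2 ;;
    esac
    return $rc
}

# Usage: ./check-vcenter-role.sh okd-installer   (okd-installer is a placeholder role name)
if [ "$#" -eq 1 ]; then
    report "$1"
fi
```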

    Using OKD with vMotion

    If you intend on using vMotion in your vSphere environment, consider the following before installing an OKD cluster.

    • OKD generally supports compute-only vMotion. Using Storage vMotion can cause issues and is not supported.

      To help ensure the uptime of your compute and control plane nodes, it is recommended that you follow the VMware best practices for vMotion. It is also recommended to use VMware anti-affinity rules to improve the availability of OKD during maintenance or hardware issues.

      For more information about vMotion and anti-affinity rules, see the VMware vSphere documentation for and VM anti-affinity rules.

    • If you are using vSphere volumes in your pods, migrating a VM across datastores either manually or through Storage vMotion causes invalid references within OKD persistent volume (PV) objects. These references prevent affected pods from starting up and can result in data loss.

    • Similarly, OKD does not support selective migration of VMDKs across datastores, using datastore clusters for VM provisioning or for dynamic or static provisioning of PVs, or using a datastore that is part of a datastore cluster for dynamic or static provisioning of PVs.

    Cluster resources

    When you deploy an OKD cluster that uses installer-provisioned infrastructure, the installation program must be able to create several resources in your vCenter instance.

    A standard OKD installation creates the following vCenter resources:

    • 1 Folder

    • 1 Tag category

    • 1 Tag

    • Virtual machines:

      • 1 template

      • 1 temporary bootstrap node

      • 3 control plane nodes

      • 3 compute machines

    Although these resources use 856 GB of storage, the bootstrap node is destroyed during the cluster installation process. A minimum of 800 GB of storage is required to use a standard cluster.

    If you deploy more compute machines, the OKD cluster will use more storage.

    Cluster limits

    Available resources vary between clusters. The number of possible clusters within a vCenter is limited primarily by available storage space and any limitations on the number of required resources. Be sure to consider both limitations to the vCenter resources that the cluster creates and the resources that you require to deploy a cluster, such as IP addresses and networks.

    You must use DHCP for the network and ensure that the DHCP server is configured to provide persistent IP addresses to the cluster machines. You must configure the default gateway to use the DHCP server. All nodes must be in the same VLAN. You cannot scale the cluster using a second VLAN as a Day 2 operation. The VM in your restricted network must have access to vCenter so that it can provision and manage nodes, persistent volume claims (PVCs), and other resources. Additionally, you must create the following networking resources before you install the OKD cluster:

    It is recommended that each OKD node in the cluster have access to a Network Time Protocol (NTP) server that is discoverable via DHCP. Installation is possible without an NTP server. However, asynchronous server clocks will cause errors, which an NTP server prevents.

    Required IP Addresses

    An installer-provisioned vSphere installation requires two static IP addresses:

    • The API address is used to access the cluster API.

    • The Ingress address is used for cluster ingress traffic.

    You must provide these IP addresses to the installation program when you install the OKD cluster.

    DNS records

    You must create DNS records for two static IP addresses in the appropriate DNS server for the vCenter instance that hosts your OKD cluster. In each record, <cluster_name> is the cluster name and <base_domain> is the cluster base domain that you specify when you install the cluster. A complete DNS record takes the form: <component>.<cluster_name>.<base_domain>.

    Table 6. Required DNS records
    Component   | Record                               | Description
    API VIP     | api.<cluster_name>.<base_domain>.    | This DNS A/AAAA or CNAME record must point to the load balancer for the control plane machines. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster.
    Ingress VIP | *.apps.<cluster_name>.<base_domain>. | A wildcard DNS A/AAAA or CNAME record that points to the load balancer that targets the machines that run the Ingress router pods, which are the worker nodes by default. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster.
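A preflight check for the two records in Table 6, added here as an example (it is not part of the OKD documentation). It assumes the API and Ingress VIPs are single IPv4 addresses, that getent(1) is available on the machine you run it from, and the cluster name, base domain and addresses in the usage line are placeholders you replace with your own.

```shell
#!/bin/sh
# Verify the DNS records an installer-provisioned vSphere cluster needs before running
# the installer (added example, not from the OKD docs). Run it from the mirror host or
# any machine on the cluster network, since the records must resolve from inside too.

# resolve NAME -> prints the IPv4 addresses NAME resolves to, one per line.
# This is the only function that touches the network; override it to test offline.
resolve() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u
}

# check_record NAME EXPECTED_IP -> 0 only if NAME resolves to exactly EXPECTED_IP.
check_record() {
    name=$1
    expected=$2
    got=$(resolve "$name")
    if [ -z "$got" ]; then
        echo "FAIL: $name does not resolve" >&2
        return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "FAIL: $name resolves to $(printf '%s' "$got" | tr '\n' ' '), expected $expected" >&2
        return 1
    fi
    echo "ok: $name -> $expected"
}

# check_cluster_dns CLUSTER_NAME BASE_DOMAIN API_VIP INGRESS_VIP
# Checks api.<cluster>.<base> and the *.apps.<cluster>.<base> wildcard. The wildcard is
# exercised with two labels, one well-known and one random, so a stale static record for
# a single apps hostname cannot pass as a working wildcard.
check_cluster_dns() {
    cluster=$1
    base=$2
    api_vip=$3
    ingress_vip=$4
    rc=0
    check_record "api.$cluster.$base" "$api_vip" || rc=1
    check_record "console-openshift-console.apps.$cluster.$base" "$ingress_vip" || rc=1
    check_record "preflight-$$.apps.$cluster.$base" "$ingress_vip" || rc=1
    return $rc
}

# Usage (placeholder values): ./dns-preflight.sh ocp example.test 192.0.2.10 192.0.2.11
if [ "$#" -eq 4 ]; then
    check_cluster_dns "$@"
fi
```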

    During an OKD installation, you can provide an SSH public key to the installation program. The key is passed to the Fedora CoreOS (FCOS) nodes through their Ignition config files and is used to authenticate SSH access to the nodes. The key is added to the ~/.ssh/authorized_keys list for the core user on each node, which enables password-less authentication.

    After the key is passed to the nodes, you can use the key pair to SSH in to the FCOS nodes as the user core. To access the nodes through SSH, the private key identity must be managed by SSH for your local user.

    If you want to SSH in to your cluster nodes to perform installation debugging or disaster recovery, you must provide the SSH public key during the installation process. The ./openshift-install gather command also requires the SSH public key to be in place on the cluster nodes.

    Do not skip this procedure in production environments, where disaster recovery and debugging is required.

    You must use a local key, not one that you configured with platform-specific approaches such as .

    On clusters running Fedora CoreOS (FCOS), the SSH keys specified in the Ignition config files are written to the /home/core/.ssh/authorized_keys.d/core file. However, the Machine Config Operator manages SSH keys in the /home/core/.ssh/authorized_keys file and configures sshd to ignore the /home/core/.ssh/authorized_keys.d/core file. As a result, newly provisioned OKD nodes are not accessible using SSH until the Machine Config Operator reconciles the machine configs with the authorized_keys file. After you can access the nodes using SSH, you can delete the /home/core/.ssh/authorized_keys.d/core file.

    Procedure

    1. If you do not have an existing SSH key pair on your local machine to use for authentication onto your cluster nodes, create one. For example, on a computer that uses a Linux operating system, run the following command:

      $ ssh-keygen -t ed25519 -N '' -f <path>/<file_name> (1)

      (1) Specify the path and file name, such as ~/.ssh/id_ed25519, of the new SSH key. If you have an existing key pair, ensure your public key is in your ~/.ssh directory.

      If you plan to install an OKD cluster that uses FIPS Validated / Modules in Process cryptographic libraries on the x86_64 architecture, do not create a key that uses the ed25519 algorithm. Instead, create a key that uses the rsa or ecdsa algorithm.

    2. View the public SSH key:

      $ cat <path>/<file_name>.pub

      For example, run the following to view the ~/.ssh/id_ed25519.pub public key:

      $ cat ~/.ssh/id_ed25519.pub

    3. Add the SSH private key identity to the SSH agent for your local user, if it has not already been added. SSH agent management of the key is required for password-less SSH authentication onto your cluster nodes, or if you want to use the ./openshift-install gather command.

      On some distributions, default SSH private key identities such as ~/.ssh/id_rsa and ~/.ssh/id_dsa are managed automatically.

      1. If the ssh-agent process is not already running for your local user, start it as a background task:

        $ eval "$(ssh-agent -s)"

        Example output

        Agent pid 31874

        If your cluster is in FIPS mode, only use FIPS-compliant algorithms to generate the SSH key. The key must be either RSA or ECDSA.

    4. Add your SSH private key to the ssh-agent:

      $ ssh-add <path>/<file_name> (1)

      (1) Specify the path and file name for your SSH private key, such as ~/.ssh/id_ed25519

      Example output

      Identity added: /home/<you>/<path>/<file_name> (<computer_name>)

    Next steps

    • When you install OKD, provide the SSH public key to the installation program.

    Adding vCenter root CA certificates to your system trust

    Because the installation program requires access to your vCenter’s API, you must add your vCenter’s trusted root CA certificates to your system trust before you install an OKD cluster.

    Procedure

    1. Extract the compressed file that contains the vCenter root CA certificates. The contents of the compressed file resemble the following file structure:

      certs
      ├── lin
      │   ├── 108f4d17.0
      │   ├── 108f4d17.r1
      │   ├── 7e757f6a.0
      │   ├── 8e4f8471.0
      │   └── 8e4f8471.r0
      ├── mac
      │   ├── 108f4d17.0
      │   ├── 108f4d17.r1
      │   ├── 7e757f6a.0
      │   ├── 8e4f8471.0
      │   └── 8e4f8471.r0
      └── win
          ├── 108f4d17.0.crt
          ├── 108f4d17.r1.crl
          ├── 7e757f6a.0.crt
          ├── 8e4f8471.0.crt
          └── 8e4f8471.r0.crl

      3 directories, 15 files

    2. Add the files for your operating system to the system trust. For example, on a Fedora operating system, run the following command:

      # cp certs/lin/* /etc/pki/ca-trust/source/anchors

    3. Update your system trust. For example, on a Fedora operating system, run the following command:

      # update-ca-trust extract

    Creating the FCOS image for restricted network installations

    Download the Fedora CoreOS (FCOS) image to install OKD on a restricted network VMware vSphere environment.

    Prerequisites

    • Obtain the OKD installation program. For a restricted network installation, the program is on your mirror registry host.

    Procedure

    1. Log in to the Red Hat Customer Portal’s Product Downloads page.

    2. Under Version, select the most recent release of OKD 4.13 for RHEL 8.

      The FCOS images might not change with every release of OKD. You must download images with the highest version that is less than or equal to the OKD version that you install. Use the image versions that match your OKD version if they are available.

    3. Download the Fedora CoreOS (FCOS) - vSphere image.

    4. Upload the image you downloaded to a location that is accessible from the bastion server.

    The image is now available for a restricted installation. Note the image name or location for use in OKD deployment.

    VMware vSphere region and zone enablement

    You can deploy an OKD cluster to multiple vSphere datacenters that run in a single VMware vCenter. Each datacenter can run multiple clusters. This configuration reduces the risk of a hardware failure or network outage that can cause your cluster to fail.

    The VMware vSphere region and zone enablement feature requires the vSphere Container Storage Interface (CSI) driver as the default storage driver in the cluster. As a result, the feature is only available on a newly installed cluster.

    A cluster that was upgraded from a previous release defaults to using the in-tree vSphere driver, so you must enable CSI automatic migration for the cluster. You can then configure multiple regions and zones for the upgraded cluster.

    The default installation configuration deploys a cluster to a single vSphere datacenter. If you want to deploy a cluster to multiple vSphere datacenters, you must create an installation configuration file that enables the region and zone feature.

    The default install-config.yaml file includes vcenters and failureDomains fields, where you can specify multiple vSphere datacenters and clusters for your OKD cluster. You can leave these fields blank if you want to install an OKD cluster in a vSphere environment that consists of a single datacenter.

    The following list describes terms associated with defining zones and regions for your cluster:

    • Failure domain: Establishes the relationships between a region and zone. You define a failure domain by using vCenter objects, such as a datastore object. A failure domain defines the vCenter location for OKD cluster nodes.

    • Region: Specifies a vCenter datacenter. You define a region by using a tag from the openshift-region tag category.

    • Zone: Specifies a vCenter cluster. You define a zone by using a tag from the openshift-zone tag category.

    You must create a vCenter tag for each vCenter datacenter, which represents a region. Additionally, you must create a vCenter tag for each cluster that runs in a datacenter, which represents a zone. After you create the tags, you must attach each tag to their respective datacenters and clusters.

    The following table outlines an example of the relationship among regions, zones, and tags for a configuration with multiple vSphere datacenters running in a single VMware vCenter.

    Datacenter (region) | Cluster (zone) | Tags
    us-east             | us-east-1      | us-east-1a
    us-east             | us-east-1      | us-east-1b
    us-east             | us-east-2      | us-east-2a
    us-east             | us-east-2      | us-east-2b
    us-west             | us-west-1      | us-west-1a
    us-west             | us-west-1      | us-west-1b
    us-west             | us-west-2      | us-west-2a
    us-west             | us-west-2      | us-west-2b
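The tag creation and attachment described above, carried out with govc and added here as an example (it is not part of the OKD documentation). It assumes govc is installed and configured through GOVC_URL, GOVC_USERNAME and GOVC_PASSWORD, that each cluster sits at /<datacenter>/host/<cluster> in the vCenter inventory, and it names each tag after the object it is attached to, which is a choice made for this example rather than a requirement.

```shell
#!/bin/sh
# Create the openshift-region and openshift-zone tag categories, one region tag per
# datacenter and one zone tag per cluster, and attach each tag to its object
# (added example, not from the OKD docs).
# run() wraps every govc call so the plan can be captured without a vCenter.
run() { "$@"; }

# Constructed topology: one "datacenter cluster" pair per line (placeholder names).
TOPOLOGY="
us-east us-east-1
us-east us-east-2
us-west us-west-1
us-west us-west-2
"

# create_categories -> the two tag categories the installer looks regions and zones up in.
create_categories() {
    run govc tags.category.create -d "OKD region (one tag per datacenter)" openshift-region &&
    run govc tags.category.create -d "OKD zone (one tag per cluster)" openshift-zone
}

# tag_topology -> region tag per datacenter (created once, even when the datacenter hosts
# several clusters) and zone tag per cluster, each attached to its inventory object.
tag_topology() {
    done_dcs=" "
    printf '%s\n' "$TOPOLOGY" | while read -r dc cluster; do
        [ -n "$dc" ] || continue
        case "$done_dcs" in
            *" $dc "*) ;;   # region tag for this datacenter already handled
            *)
                run govc tags.create -c openshift-region "$dc" || exit 1
                run govc tags.attach -c openshift-region "$dc" "/$dc" || exit 1
                done_dcs="$done_dcs$dc "
                ;;
        esac
        run govc tags.create -c openshift-zone "$cluster" || exit 1
        run govc tags.attach -c openshift-zone "$cluster" "/$dc/host/$cluster" || exit 1
    done
}

# Usage: ./tag-regions-zones.sh apply   (without "apply" nothing is sent to vCenter)
if [ "${1:-}" = apply ]; then
    create_categories && tag_topology
fi
```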

    Creating the installation configuration file

    You can customize the OKD cluster you install on VMware vSphere.

    Prerequisites

    • Obtain the OKD installation program and the pull secret for your cluster. For a restricted network installation, these files are on your mirror host.

    • Have the imageContentSources values that were generated during mirror registry creation.

    • Obtain the contents of the certificate for your mirror registry.

    • Retrieve a Fedora CoreOS (FCOS) image and upload it to an accessible location.

    • Obtain service principal permissions at the subscription level.

    Procedure

    1. Create the install-config.yaml file.

      1. Change to the directory that contains the installation program and run the following command:

        $ ./openshift-install create install-config --dir <installation_directory> (1)

        (1) For <installation_directory>, specify the directory name to store the files that the installation program creates.

        When specifying the directory:

        • Verify that the directory has the execute permission. This permission is required to run Terraform binaries under the installation directory.

        • Use an empty directory. Some installation assets, such as bootstrap X.509 certificates, have short expiration intervals, therefore you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OKD version.

      2. At the prompts, provide the configuration details for your cloud:

        1. Optional: Select an SSH key to use to access your cluster machines.

          For production OKD clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.

        2. Select vsphere as the platform to target.

        3. Specify the name of your vCenter instance.

        4. Specify the user name and password for the vCenter account that has the required permissions to create the cluster.

          The installation program connects to your vCenter instance.

        5. Select the data center in your vCenter instance to connect to.

          After you create the installation configuration file, you can modify the file to create a multiple vSphere datacenters environment. This means that you can deploy an OKD cluster to multiple vSphere datacenters that run in a single VMware vCenter. For more information about creating this environment, see the section named VMware vSphere region and zone enablement.

        6. Select the default vCenter datastore to use.

        7. Select the vCenter cluster to install the OKD cluster in. The installation program uses the root resource pool of the vSphere cluster as the default resource pool.

        8. Select the network in the vCenter instance that contains the virtual IP addresses and DNS records that you configured.

        9. Enter the virtual IP address that you configured for control plane API access.

        10. Enter the virtual IP address that you configured for cluster ingress.

        11. Enter the base domain. This base domain must be the same one that you used in the DNS records that you configured.

        12. Enter a descriptive name for your cluster. The cluster name you enter must match the cluster name you specified when configuring the DNS records.

        13. Paste the pull secret for your cluster. This field is optional.

    2. In the install-config.yaml file, set the value of platform.vsphere.clusterOSImage to the image location or name. For example:

        platform:
          vsphere:
            clusterOSImage: http://mirror.example.com/images/rhcos-43.81.201912131630.0-vmware.x86_64.ova?sha256=ffebbd68e8a1f2a245ca19522c16c86f67f9ac8e4e0c1f0a812b068b16f7265d

    3. Edit the install-config.yaml file to give the additional information that is required for an installation in a restricted network.

      1. Update the pullSecret value to contain the authentication information for your registry:

        pullSecret: '{"auths":{"<mirror_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}'

        For <mirror_host_name>, specify the registry domain name that you specified in the certificate for your mirror registry, and for <credentials>, specify the base64-encoded user name and password for your mirror registry.

      2. Add the additionalTrustBundle parameter and value.

        additionalTrustBundle: |
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----

        The value must be the contents of the certificate file that you used for your mirror registry. The certificate file can be an existing, trusted certificate authority, or the self-signed certificate that you generated for the mirror registry.

      3. Add the image content resources, which resemble the following YAML excerpt:

        imageContentSources:
        - mirrors:
          - <mirror_host_name>:5000/<repo_name>/release
          source: quay.io/openshift-release-dev/ocp-release
        - mirrors:
          - <mirror_host_name>:5000/<repo_name>/release
          source: registry.redhat.io/ocp/release

        For these values, use the imageContentSources that you recorded during mirror registry creation.

    4. Make any other modifications to the install-config.yaml file that you require. You can find more information about the available parameters in the Installation configuration parameters section.

    5. Back up the install-config.yaml file so that you can use it to install multiple clusters.

      The install-config.yaml file is consumed during the installation process. If you want to reuse the file, you must back it up now.
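    The following script is an added example, not part of the OKD documentation or of openshift-install. It checks the three restricted-network fields of a parsed install-config.yaml against each other: every pullSecret auth value decodes to user:password, additionalTrustBundle holds well-formed PEM certificate blocks, and every imageContentSources mirror refers to a registry host that has credentials in the pull secret, because a registry name that differs between the pull secret and the mirror path is a common reason a release image cannot be pulled from the mirror. The host names, credentials and the certificate body in SAMPLE_CONFIG are constructed placeholders; the real file would be loaded with yaml.safe_load and passed to check_restricted_config().

```python
"""Pre-flight checks for the restricted-network fields of install-config.yaml.

Added example, not part of the OKD documentation or of openshift-install.
It takes the already parsed configuration as a dict (load the real file
with yaml.safe_load) and checks that pullSecret, additionalTrustBundle and
imageContentSources agree with each other before the installer consumes
the file. Values in SAMPLE_CONFIG are constructed placeholders.
"""
import base64
import binascii
import json
import re

# One PEM certificate block inside additionalTrustBundle.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pull_secret_hosts(pull_secret: str) -> dict:
    """Return {registry_host: user} for every auths entry in pullSecret.

    Raises ValueError if the JSON is malformed or an auth value is not the
    base64 of "user:password" that the procedure above asks for.
    """
    try:
        auths = json.loads(pull_secret)["auths"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError(f"pullSecret is not valid auths JSON: {exc}") from exc
    if not isinstance(auths, dict):
        raise ValueError("pullSecret auths must be an object")
    hosts = {}
    for host, entry in auths.items():
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (KeyError, TypeError, binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"auth for {host} is not base64(user:password): {exc}") from exc
        user, sep, _password = decoded.partition(":")
        if not sep or not user:
            raise ValueError(f"auth for {host} must decode to user:password")
        hosts[host] = user
    return hosts


def trust_bundle_certs(bundle: str) -> int:
    """Return how many well-formed PEM certificates additionalTrustBundle holds.

    Each body must be base64 that decodes to a DER SEQUENCE (first byte 0x30).
    The check is structural only; it does not validate the chain.
    """
    count = 0
    for body in _PEM_RE.findall(bundle):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate body is not base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError("certificate body is not a DER SEQUENCE, so not X.509")
        count += 1
    if count == 0:
        raise ValueError("additionalTrustBundle contains no PEM certificate")
    return count


def check_restricted_config(cfg: dict) -> list:
    """Return a list of problems; an empty list means the fields are consistent."""
    problems = []
    hosts = {}
    try:
        hosts = pull_secret_hosts(cfg.get("pullSecret", ""))
    except ValueError as exc:
        problems.append(str(exc))
    try:
        trust_bundle_certs(cfg.get("additionalTrustBundle", ""))
    except ValueError as exc:
        problems.append(str(exc))
    sources = cfg.get("imageContentSources") or []
    if not sources:
        problems.append("imageContentSources is empty: release pulls would leave the mirror")
    for entry in sources:
        if "source" not in entry:
            problems.append(f"imageContentSources entry without source: {entry}")
        for mirror in entry.get("mirrors", []):
            # The registry host is the part before the first slash; the pull
            # secret must carry credentials for exactly that host:port string.
            host = mirror.split("/", 1)[0]
            if host not in hosts:
                problems.append(f"no pullSecret entry for mirror registry {host}")
    return problems


# Constructed sample in the shape of the procedure above (placeholder values).
SAMPLE_CONFIG = {
    "pullSecret": json.dumps({"auths": {"mirror.example.com:5000": {
        "auth": base64.b64encode(b"mirror-user:mirror-pass").decode(),
        "email": "you@example.com"}}}),
    # "MAMCAQE=" is a tiny DER SEQUENCE standing in for a real certificate body.
    "additionalTrustBundle": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    "imageContentSources": [
        {"mirrors": ["mirror.example.com:5000/okd/release"],
         "source": "quay.io/openshift-release-dev/ocp-release"},
    ],
}

if __name__ == "__main__":
    for line in check_restricted_config(SAMPLE_CONFIG) or ["install-config looks consistent"]:
        print(line)
```

    Run it against the real file with `check_restricted_config(yaml.safe_load(open("install-config.yaml")))`. The pull secret holds the mirror credentials in reversible base64, not encrypted, so the file deserves the same handling as the mirror registry password itself, and the backup the procedure asks for should be stored accordingly.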

    Installation configuration parameters

    Before you deploy an OKD cluster, you provide parameter values to describe your account on the cloud platform that hosts your cluster and optionally customize your cluster’s platform. When you create the install-config.yaml installation configuration file, you provide values for the required parameters through the command line. If you customize your cluster, you can modify the install-config.yaml file to provide more details about the platform.

    After installation, you cannot modify these parameters in the install-config.yaml file.

    Required configuration parameters

    Required installation configuration parameters are described in the following table:

    Table 7. Required parameters
    Parameter | Description | Values

    apiVersion

    The API version for the install-config.yaml content. The current version is v1. The installation program may also support older API versions.

    String

    baseDomain

    The base domain of your cloud provider. The base domain is used to create routes to your OKD cluster components. The full DNS name for your cluster is a combination of the baseDomain and metadata.name parameter values that uses the <metadata.name>.<baseDomain> format.

    A fully-qualified domain or subdomain name, such as example.com.

    metadata

    Kubernetes resource ObjectMeta, from which only the name parameter is consumed.

    Object

    metadata.name

    The name of the cluster. DNS records for the cluster are all subdomains of {{.metadata.name}}.{{.baseDomain}}.

    String of lowercase letters and hyphens (-), such as dev.

    platform

    The configuration for the specific platform upon which to perform the installation: alibabacloud, aws, baremetal, azure, gcp, ibmcloud, nutanix, openstack, ovirt, powervs, vsphere, or {}. For additional information about platform.<platform> parameters, consult the table for your specific platform that follows.

    Object

    Network configuration parameters

    You can customize your installation configuration based on the requirements of your existing network infrastructure. For example, you can expand the IP address block for the cluster network or provide different IP address blocks than the defaults.

    • If you use the Red Hat OpenShift Networking OVN-Kubernetes network plugin, both IPv4 and IPv6 address families are supported.

    • If you use the Red Hat OpenShift Networking OpenShift SDN network plugin, only the IPv4 address family is supported.

    On VMware vSphere, dual-stack networking must specify IPv4 as the primary address family.

    The following additional limitations apply to dual-stack networking:

    • Nodes report only their IPv6 IP address in node.status.addresses

    • Nodes with only a single NIC are supported

    • Pods configured for host networking report only their IPv6 addresses in pod.status.IP

    If you configure your cluster to use both IP address families, review the following requirements:

    • Both IP families must use the same network interface for the default gateway.

    • Both IP families must have the default gateway.

    • You must specify IPv4 and IPv6 addresses in the same order for all network configuration parameters. For example, in the following configuration IPv4 addresses are listed before IPv6 addresses.

    networking:
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23
      - cidr: fd00:10:128::/56
        hostPrefix: 64
      serviceNetwork:
      - 172.30.0.0/16
      - fd00:172:16::/112

    Globalnet is not supported with Red Hat OpenShift Data Foundation disaster recovery solutions. For regional disaster recovery scenarios, ensure that you use a nonoverlapping range of private IP addresses for the cluster and service networks in each cluster.

    Table 8. Network parameters
    Parameter | Description | Values

    networking

    The configuration for the cluster network.

    Object

    You cannot modify parameters specified by the networking object after installation.

    networking.networkType

    The Red Hat OpenShift Networking network plugin to install.

    Either OpenShiftSDN or OVNKubernetes. The default value is OVNKubernetes.

    networking.clusterNetwork

    The IP address blocks for pods.

    The default value is 10.128.0.0/14 with a host prefix of /23.

    If you specify multiple IP address blocks, the blocks must not overlap.

    An array of objects. For example:

    networking:
      clusterNetwork:
      - cidr: 10.128.0.0/14
        hostPrefix: 23

    networking.clusterNetwork.cidr

    Required if you use networking.clusterNetwork. An IP address block.

    An IPv4 network.

    An IP address block in Classless Inter-Domain Routing (CIDR) notation. The prefix length for an IPv4 block is between 0 and 32.

    networking.clusterNetwork.hostPrefix

    The subnet prefix length to assign to each individual node. For example, if hostPrefix is set to 23 then each node is assigned a /23 subnet out of the given cidr. A hostPrefix value of 23 provides 510 (2^(32 - 23) - 2) pod IP addresses.

    A subnet prefix.

    The default value is 23.

    networking.serviceNetwork

    The IP address block for services. The default value is 172.30.0.0/16.

    The OpenShift SDN and OVN-Kubernetes network plugins support only a single IP address block for the service network.

    An array with an IP address block in CIDR format. For example:

    networking:
      serviceNetwork:
      - 172.30.0.0/16

    networking.machineNetwork

    The IP address blocks for machines.

    If you specify multiple IP address blocks, the blocks must not overlap.

    An array of objects; each object carries a cidr value (see networking.machineNetwork.cidr).

    networking.machineNetwork.cidr

    Required if you use networking.machineNetwork. An IP address block. The default value is 10.0.0.0/16 for all platforms other than libvirt and IBM Power Virtual Server. For libvirt, the default value is 192.168.126.0/24. For IBM Power Virtual Server, the default value is 192.168.0.0/24.

    An IP network block in CIDR notation.

    For example, 10.0.0.0/16.

    Set the networking.machineNetwork to match the CIDR that the preferred NIC resides in.
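    An added example, not from the OKD documentation or the installer, that applies the rules of this section to a parsed networking section: the same address-family order in every list, IPv4 first, no overlapping blocks of the same family, IPv4 only for OpenShift SDN, one service block per family, and the hostPrefix capacity formula from the table. SAMPLE_NETWORKING is a constructed dual-stack configuration; the real file would be loaded with yaml.safe_load and its networking mapping passed to check_networking().

```python
"""Checks for the networking section of install-config.yaml.

Added example, not taken from the OKD documentation or the installer. It
uses only the standard library; load the real file with yaml.safe_load and
pass its "networking" mapping to check_networking(). SAMPLE_NETWORKING is
a constructed dual-stack configuration in the shape shown above.
"""
import ipaddress

SAMPLE_NETWORKING = {
    "networkType": "OVNKubernetes",
    "clusterNetwork": [
        {"cidr": "10.128.0.0/14", "hostPrefix": 23},
        {"cidr": "fd00:10:128::/56", "hostPrefix": 64},
    ],
    "serviceNetwork": ["172.30.0.0/16", "fd00:172:16::/112"],
    "machineNetwork": [{"cidr": "10.0.0.0/16"}, {"cidr": "fd00:10:0::/64"}],
}


def pod_capacity(cidr: str, host_prefix: int) -> tuple:
    """Return (node_subnets, pods_per_node) for one clusterNetwork block.

    Reproduces the table's formula: a /23 host prefix out of 10.128.0.0/14
    gives 2^(23-14) = 512 node subnets of 2^(32-23) - 2 = 510 pod addresses.
    """
    net = ipaddress.ip_network(cidr)
    if not net.prefixlen <= host_prefix <= net.max_prefixlen - 2:
        raise ValueError(f"hostPrefix {host_prefix} leaves no usable pod addresses in {cidr}")
    return 2 ** (host_prefix - net.prefixlen), 2 ** (net.max_prefixlen - host_prefix) - 2


def _families(cidrs):
    return [ipaddress.ip_network(c).version for c in cidrs]


def check_networking(networking: dict) -> list:
    """Return the problems found (empty list when the section is acceptable)."""
    problems = []
    cluster = [(b["cidr"], b.get("hostPrefix")) for b in networking.get("clusterNetwork", [])]
    service = list(networking.get("serviceNetwork", []))
    machine = [b["cidr"] for b in networking.get("machineNetwork", [])]

    # OpenShift SDN supports only the IPv4 address family.
    if networking.get("networkType") == "OpenShiftSDN":
        for cidr in [c for c, _ in cluster] + service + machine:
            if ipaddress.ip_network(cidr).version == 6:
                problems.append(f"OpenShiftSDN does not support IPv6 block {cidr}")

    # Dual stack: families in the same order in every list, IPv4 first on vSphere.
    orders = {"clusterNetwork": _families([c for c, _ in cluster]),
              "serviceNetwork": _families(service)}
    if machine:
        orders["machineNetwork"] = _families(machine)
    if len({tuple(v) for v in orders.values() if v}) > 1:
        problems.append(f"address families are not listed in the same order: {orders}")
    for name, fams in orders.items():
        if len(fams) == 2 and fams[0] != 4:
            problems.append(f"{name}: IPv4 must be the primary (first) address family")

    # One service block per family only, as in the dual-stack example above.
    if len(service) != len(set(orders["serviceNetwork"])):
        problems.append("serviceNetwork may hold only one block per address family")

    # No two blocks of the same family may overlap.
    blocks = ([("clusterNetwork", c) for c, _ in cluster]
              + [("serviceNetwork", c) for c in service]
              + [("machineNetwork", c) for c in machine])
    for i, (name_a, cidr_a) in enumerate(blocks):
        for name_b, cidr_b in blocks[i + 1:]:
            a, b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
            if a.version == b.version and a.overlaps(b):
                problems.append(f"{name_a} {cidr_a} overlaps {name_b} {cidr_b}")

    # hostPrefix must fit inside its block and leave room for pods.
    for cidr, host_prefix in cluster:
        if host_prefix is not None:
            try:
                pod_capacity(cidr, host_prefix)
            except ValueError as exc:
                problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print("nodes, pods per node:", pod_capacity("10.128.0.0/14", 23))
    print(check_networking(SAMPLE_NETWORKING) or "networking section is consistent")
```

    The overlap check is the one worth running before every installation: the values cannot be changed after installation, and a cluster or service block that overlaps the machine network, or the network of a second cluster in a disaster-recovery pair, is only discovered once routing fails.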

    Optional configuration parameters

    Optional installation configuration parameters are described in the following table:

    Table 9. Optional parameters
    Parameter | Description | Values

    additionalTrustBundle

    A PEM-encoded X.509 certificate bundle that is added to the nodes’ trusted certificate store. This trust bundle may also be used when a proxy has been configured.

    String

    capabilities

    Controls the installation of optional core cluster components. You can reduce the footprint of your OKD cluster by disabling optional components. For more information, see the “Cluster capabilities” page in Installing.

    String array

    capabilities.baselineCapabilitySet

    Selects an initial set of optional capabilities to enable. Valid values are None, v4.11, v4.12 and vCurrent. The default value is vCurrent.

    String

    capabilities.additionalEnabledCapabilities

    Extends the set of optional capabilities beyond what you specify in baselineCapabilitySet. You may specify multiple capabilities in this parameter.

    String array

    compute

    The configuration for the machines that comprise the compute nodes.

    Array of MachinePool objects.

    compute.architecture

    Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64 (the default).

    String

    compute.hyperthreading

    Whether to enable or disable simultaneous multithreading, or hyperthreading, on compute machines. By default, simultaneous multithreading is enabled to increase the performance of your machines’ cores.

    If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance.

    Enabled or Disabled

    compute.name

    Required if you use compute. The name of the machine pool.

    worker

    compute.platform

    Required if you use compute. Use this parameter to specify the cloud provider to host the worker machines. This parameter value must match the controlPlane.platform parameter value.

    alibabacloud, aws, azure, gcp, ibmcloud, nutanix, openstack, ovirt, powervs, vsphere, or {}

    compute.replicas

    The number of compute machines, which are also known as worker machines, to provision.

    A positive integer greater than or equal to 2. The default value is 3.

    featureSet

    Enables the cluster for a feature set. A feature set is a collection of OKD features that are not enabled by default. For more information about enabling a feature set during installation, see “Enabling features using feature gates”.

    String. The name of the feature set to enable, such as TechPreviewNoUpgrade.

    controlPlane

    The configuration for the machines that comprise the control plane.

    Array of MachinePool objects.

    controlPlane.architecture

    Determines the instruction set architecture of the machines in the pool. Currently, clusters with varied architectures are not supported. All pools must specify the same architecture. Valid values are amd64.

    String

    controlPlane.hyperthreading

    Whether to enable or disable simultaneous multithreading, or hyperthreading, on control plane machines. By default, simultaneous multithreading is enabled to increase the performance of your machines’ cores.

    If you disable simultaneous multithreading, ensure that your capacity planning accounts for the dramatically decreased machine performance.

    Enabled or Disabled

    controlPlane.name

    Required if you use controlPlane. The name of the machine pool.

    master

    controlPlane.platform

    Required if you use controlPlane. Use this parameter to specify the cloud provider that hosts the control plane machines. This parameter value must match the compute.platform parameter value.

    alibabacloud, aws, azure, gcp, ibmcloud, nutanix, openstack, ovirt, powervs, vsphere, or {}

    controlPlane.replicas

    The number of control plane machines to provision.

    The only supported value is 3, which is the default value.

    credentialsMode

    The Cloud Credential Operator (CCO) mode. If no mode is specified, the CCO dynamically tries to determine the capabilities of the provided credentials, with a preference for mint mode on the platforms where multiple modes are supported.

    Not all CCO modes are supported for all cloud providers. For more information about CCO modes, see the Cloud Credential Operator entry in the Cluster Operators reference content.

    If your AWS account has service control policies (SCP) enabled, you must configure the credentialsMode parameter to Mint, Passthrough or Manual.

    Mint, Passthrough, Manual or an empty string (“”).

    imageContentSources

    Sources and repositories for the release-image content.

    Array of objects. Includes a source and, optionally, mirrors, as described in the following rows of this table.

    imageContentSources.source

    Required if you use imageContentSources. Specify the repository that users refer to, for example, in image pull specifications.

    String

    imageContentSources.mirrors

    Specify one or more repositories that may also contain the same images.

    Array of strings

    publish

    How to publish or expose the user-facing endpoints of your cluster, such as the Kubernetes API and OpenShift routes.

    Internal or External. The default value is External.

    Setting this field to Internal is not supported on non-cloud platforms.

    If the value of the field is set to Internal, the cluster will become non-functional. For more information, refer to BZ#1953035.

    sshKey

    The SSH key or keys to authenticate access to your cluster machines.

    One or more keys. For example:

    sshKey:
      <key1>
      <key2>
      <key3>

    Additional VMware vSphere configuration parameters

    Additional VMware vSphere configuration parameters are described in the following table:

    Table 10. Additional VMware vSphere cluster parameters
    Parameter | Description | Values

    platform.vsphere.apiVIPs

    Virtual IP (VIP) addresses that you configured for control plane API access.

    Multiple IP addresses

    platform.vsphere.diskType

    Optional. The disk provisioning method. This value defaults to the vSphere default storage policy if not set.

    Valid values are thin, thick, or eagerZeroedThick.

    platform.vsphere.failureDomains

    Establishes the relationships between a region and zone. You define a failure domain by using vCenter objects, such as a datastore object. A failure domain defines the vCenter location for OKD cluster nodes.

    String

    platform.vsphere.failureDomains.topology.networks

    Lists any network in the vCenter instance that contains the virtual IP addresses and DNS records that you configured.

    String

    platform.vsphere.failureDomains.region

    You define a region by using a tag from the openshift-region tag category. The tag must be attached to the vCenter datacenter.

    String

    platform.vsphere.failureDomains.zone

    You define a zone by using a tag from the openshift-zone tag category. The tag must be attached to the vCenter datacenter.

    String

    platform.vsphere.ingressVIPs

    Virtual IP (VIP) addresses that you configured for cluster Ingress.

    Multiple IP addresses

    platform.vsphere

    Describes your account on the cloud platform that hosts your cluster. You can use the parameter to customize the platform. When providing additional configuration settings for compute and control plane machines in the machine pool, the parameter is optional. You can only specify one vCenter server for your OKD cluster.

    String

    platform.vsphere.vcenters

    Lists any fully-qualified hostname or IP address of a vCenter server.

    String

    platform.vsphere.vcenters.datacenters

    Lists and defines the datacenters where OKD virtual machines (VMs) operate. The list of datacenters must match the list of datacenters specified in the failureDomains field.

    String

    Deprecated VMware vSphere configuration parameters

    In OKD 4.13, the following vSphere configuration parameters are deprecated. You can continue to use these parameters, but the installation program does not automatically specify these parameters in the install-config.yaml file.

    The following table lists each deprecated vSphere configuration parameter:

    Table 11. Deprecated VMware vSphere cluster parameters
    Parameter | Description | Values

    platform.vsphere.apiVIP

    The virtual IP (VIP) address that you configured for control plane API access.

    An IP address, for example 128.0.0.1.

    In OKD 4.12 and later, the apiVIP configuration setting is deprecated. Instead, use a List format to enter a value in the apiVIPs configuration setting.

    platform.vsphere.cluster

    The vCenter cluster to install the OKD cluster in.

    String

    platform.vsphere.datacenter

    Defines the datacenter where OKD virtual machines (VMs) operate.

    String

    platform.vsphere.defaultDatastore

    The name of the default datastore to use for provisioning volumes.

    String

    platform.vsphere.folder

    Optional. The absolute path of an existing folder where the installation program creates the virtual machines. If you do not provide this value, the installation program creates a folder that is named with the infrastructure ID in the data center virtual machine folder.

    String, for example, /<datacenter_name>/vm/<folder_name>/<subfolder_name>.

    platform.vsphere.ingressVIP

    Virtual IP (VIP) addresses that you configured for cluster Ingress.

    An IP address, for example 128.0.0.1.

    In OKD 4.12 and later, the ingressVIP configuration setting is deprecated. Instead, use a List format to enter a value in the ingressVIPs configuration setting.

    platform.vsphere.network

    The network in the vCenter instance that contains the virtual IP addresses and DNS records that you configured.

    String

    platform.vsphere.password

    The password for the vCenter user name.

    String

    platform.vsphere.resourcePool

    Optional. The absolute path of an existing resource pool where the installation program creates the virtual machines. If you do not specify a value, the installation program installs the resources in the root of the cluster under /<datacenter_name>/host/<cluster_name>/Resources.

    String, for example, /<datacenter_name>/host/<cluster_name>/Resources/<resource_pool_name>/<optional_nested_resource_pool_name>.

    platform.vsphere.username

    The user name to use to connect to the vCenter instance. This user must have at least the roles and privileges that are required to install a cluster in vSphere.

    String

    platform.vsphere.vCenter

    The fully-qualified hostname or IP address of a vCenter server.

    String

    Optional VMware vSphere machine pool configuration parameters

    Optional VMware vSphere machine pool configuration parameters are described in the following table:

    Table 12. Optional VMware vSphere machine pool parameters
    Parameter | Description | Values

    platform.vsphere.clusterOSImage

    The location from which the installation program downloads the FCOS image. You must set this parameter to perform an installation in a restricted network.

    An HTTP or HTTPS URL, optionally with a SHA-256 checksum. For example, http://mirror.example.com/images/rhcos-43.81.201912131630.0-vmware.x86_64.ova?sha256=ffebbd68e8a1f2a245ca19522c16c86f67f9ac8e4e0c1f0a812b068b16f7265d.

    platform.vsphere.osDisk.diskSizeGB

    The size of the disk in gigabytes.

    Integer

    platform.vsphere.cpus

    The total number of virtual processor cores to assign a virtual machine. The value of platform.vsphere.cpus must be a multiple of platform.vsphere.coresPerSocket value.

    Integer

    platform.vsphere.coresPerSocket

    The number of cores per socket in a virtual machine. The number of virtual sockets on the virtual machine is platform.vsphere.cpus/platform.vsphere.coresPerSocket. The default value for control plane nodes and worker nodes is 4 and 2, respectively.

    Integer

    platform.vsphere.memoryMB

    The size of a virtual machine’s memory in megabytes.

    Integer

    Sample install-config.yaml file for an installer-provisioned VMware vSphere cluster

    You can customize the install-config.yaml file to specify more details about your OKD cluster’s platform or modify the values of the required parameters.

    apiVersion: v1
    baseDomain: example.com (1)
    compute: (2)
    - architecture: amd64
      hyperthreading: Enabled (3)
      name: <worker_node>
      platform: {}
      replicas: 3
    controlPlane: (2)
    - architecture: amd64
      hyperthreading: Enabled (3)
      name: <parent_node>
      platform: {}
      replicas: 3
    metadata:
      creationTimestamp: null
      name: test (4)
    platform:
      vsphere: (5)
        apiVIPs:
          - 10.0.0.1
        failureDomains: (6)
        - name: <failure_domain_name>
          region: <default_region_name>
          server: <fully_qualified_domain_name>
          topology:
            computeCluster: "/<datacenter>/host/<cluster>"
            datacenter: <datacenter>
            datastore: "/<datacenter>/datastore/<datastore>"
            networks:
            - <VM_Network_name>
            resourcePool: "/<datacenter>/host/<cluster>/Resources/<resourcePool>" (7)
            folder: "/<datacenter_name>/vm/<folder_name>/<subfolder_name>"
          zone: <default_zone_name>
        ingressVIPs:
        - 10.0.0.2
        vcenters:
        - datacenters:
          - <datacenter>
          password: <password>
          port: 443
          server: <fully_qualified_domain_name>
        diskType: thin (8)
        clusterOSImage: http://mirror.example.com/images/rhcos-47.83.202103221318-0-vmware.x86_64.ova (9)
    pullSecret: '{"auths":{"<local_registry>": {"auth": "<credentials>","email": "you@example.com"}}}' (10)
    sshKey: 'ssh-ed25519 AAAA...'
    additionalTrustBundle: | (11)
      -----BEGIN CERTIFICATE-----
      ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
      -----END CERTIFICATE-----
    imageContentSources: (12)
    - mirrors:
      - <local_registry>/<local_repository_name>/release
      source: quay.io/openshift-release-dev/ocp-release
    - mirrors:
      - <local_registry>/<local_repository_name>/release
      source: quay.io/openshift-release-dev/ocp-v4.0-art-dev

    In OKD 4.12 and later, the apiVIP and ingressVIP configuration settings are deprecated. Instead, use a list format to enter values in the apiVIPs and ingressVIPs configuration settings.

    Configuring the cluster-wide proxy during installation

    Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure a new OKD cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.

    Prerequisites

    • You have an existing install-config.yaml file.

    • You reviewed the sites that your cluster requires access to and determined whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to hosting cloud provider APIs. You added sites to the Proxy object’s spec.noProxy field to bypass the proxy if necessary.

      The Proxy object status.noProxy field is populated with the values of the networking.machineNetwork[].cidr, networking.clusterNetwork[].cidr, and networking.serviceNetwork[] fields from your installation configuration.

      For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and OpenStack, the Proxy object status.noProxy field is also populated with the instance metadata endpoint (169.254.169.254).

    Procedure

    1. Edit your install-config.yaml file and add the proxy settings. For example:

      apiVersion: v1
      baseDomain: my.domain.com
      proxy:
        httpProxy: http://<username>:<pswd>@<ip>:<port> (1)
        httpsProxy: https://<username>:<pswd>@<ip>:<port> (2)
        noProxy: example.com (3)
      additionalTrustBundle: | (4)
        -----BEGIN CERTIFICATE-----
        <MY_TRUSTED_CA_CERT>
        -----END CERTIFICATE-----
      additionalTrustBundlePolicy: <policy_to_add_additionalTrustBundle> (5)

      (1) A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http.
      (2) A proxy URL to use for creating HTTPS connections outside the cluster.
      (3) A comma-separated list of destination domain names, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass the proxy for all destinations. You must include vCenter’s IP address and the IP range that you use for its machines.
      (4) If provided, the installation program generates a config map that is named user-ca-bundle in the openshift-config namespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Fedora CoreOS (FCOS) trust bundle, and this config map is referenced in the trustedCA field of the Proxy object. The additionalTrustBundle field is required unless the proxy’s identity certificate is signed by an authority from the FCOS trust bundle.
      (5) Optional: The policy to determine the configuration of the Proxy object to reference the user-ca-bundle config map in the trustedCA field. The allowed values are Proxyonly and Always. Use Proxyonly to reference the user-ca-bundle config map only when http/https proxy is configured. Use Always to always reference the user-ca-bundle config map. The default value is Proxyonly.

      The installation program does not support the proxy readinessEndpoints field.

      If the installer times out, restart and then complete the deployment by using the wait-for command of the installer. For example:

      $ ./openshift-install wait-for install-complete --log-level debug
    2. Save the file and reference it when installing OKD.

    The installation program creates a cluster-wide proxy that is named cluster that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a cluster Proxy object is still created, but it will have a nil spec.

    Only the Proxy object named cluster is supported, and no additional proxies can be created.
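    The noProxy rules of callout 3 and the automatic population of status.noProxy described in the prerequisites, as an added example that is not installer or Cluster Network Operator code. A leading dot matches subdomains only, exactly as the callout states; the example additionally assumes that a bare name matches itself and its subdomains, which is how Go's httpproxy package used by the cluster components treats it. The proxy and network values in SAMPLE_CONFIG and the vCenter address are constructed.

```python
"""Model of the noProxy rules described in the proxy callouts above.

Added example, not installer or cluster-network-operator code. The leading
dot rule is the one the docs state (".y.com" matches x.y.com, not y.com);
a bare name is assumed to match itself and its subdomains, which is how
Go's httpproxy package treats it. Sample values are constructed.
"""
import ipaddress


def _entries(no_proxy: str) -> list:
    return [e.strip() for e in no_proxy.split(",") if e.strip()]


def bypasses_proxy(destination: str, no_proxy: str) -> bool:
    """Return True when `destination` (host name or IP) is excluded from proxying."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None
    dest = destination.lower().rstrip(".")
    for entry in _entries(no_proxy):
        if entry == "*":
            return True
        if addr is not None:
            # A literal IP destination can only match an IP or CIDR entry.
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass
            continue
        entry = entry.lower().rstrip(".")
        if entry.startswith("."):
            if dest.endswith(entry):  # subdomains only, never the bare domain
                return True
        elif dest == entry or dest.endswith("." + entry):
            return True
    return False


def auto_no_proxy(networking: dict) -> list:
    """The blocks the installer adds to the Proxy object's status.noProxy on
    its own: machineNetwork, clusterNetwork and serviceNetwork CIDRs."""
    blocks = [b["cidr"] for b in networking.get("machineNetwork", [])]
    blocks += [b["cidr"] for b in networking.get("clusterNetwork", [])]
    blocks += list(networking.get("serviceNetwork", []))
    return blocks


def check_vsphere_no_proxy(install_config: dict, vcenter_ip: str) -> list:
    """Report what callout 3 requires but spec.noProxy omits: the vCenter
    address and the whole machine network range."""
    spec = install_config.get("proxy", {}).get("noProxy", "")
    problems = []
    if not bypasses_proxy(vcenter_ip, spec):
        problems.append(f"vCenter {vcenter_ip} is not covered by noProxy")
    for block in install_config.get("networking", {}).get("machineNetwork", []):
        net = ipaddress.ip_network(block["cidr"])
        # Both ends of the range must bypass the proxy, not just one address.
        if not all(bypasses_proxy(str(a), spec) for a in (net[0], net[-1])):
            problems.append(f"machine network {block['cidr']} is not covered by noProxy")
    return problems


# Constructed sample: a vSphere install-config proxy section with the machine
# network and a vCenter address (192.0.2.10, documentation range) excluded.
SAMPLE_CONFIG = {
    "networking": {"machineNetwork": [{"cidr": "10.0.0.0/16"}],
                   "clusterNetwork": [{"cidr": "10.128.0.0/14", "hostPrefix": 23}],
                   "serviceNetwork": ["172.30.0.0/16"]},
    "proxy": {"httpProxy": "http://proxy.example.com:3128",
              "httpsProxy": "https://proxy.example.com:3128",
              "noProxy": ".example.com,10.0.0.0/16,192.0.2.10"},
}

if __name__ == "__main__":
    print(check_vsphere_no_proxy(SAMPLE_CONFIG, "192.0.2.10") or "noProxy covers vCenter and machines")
    print("status.noProxy additions:", auto_no_proxy(SAMPLE_CONFIG["networking"]))
```

    The matcher is useful for the reverse question too: a destination that should stay behind the proxy for egress control but is accidentally covered by a broad entry such as `*` or a short domain suffix shows up as a True result.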

    Configuring regions and zones for a VMware vCenter

    You can modify the default installation configuration file, so that you can deploy an OKD cluster to multiple vSphere datacenters that run in a single VMware vCenter.

    The default install-config.yaml file configuration from the previous release of OKD is deprecated. You can continue to use the deprecated default configuration, but the openshift-installer will prompt you with a warning message that indicates the use of deprecated fields in the configuration file.

    The example uses the govc command. The govc command is an open source command available from VMware; it is not available from Red Hat. The Red Hat support team does not maintain the govc command. Instructions for downloading and installing govc are found on the VMware documentation website.

    Prerequisites

    • You have an existing install-config.yaml installation configuration file.

      You must specify at least one failure domain for your OKD cluster, so that you can provision datacenter objects for your VMware vCenter server. Consider specifying multiple failure domains if you need to provision virtual machine nodes in different datacenters, clusters, datastores, and other components.

    Procedure

    1. Enter the following govc command-line tool commands to create the openshift-region and openshift-zone vCenter tag categories:

      If you specify different names for the openshift-region and openshift-zone vCenter tag categories, the installation of the OKD cluster fails.

      $ govc tags.category.create -d "OpenShift region" openshift-region
      $ govc tags.category.create -d "OpenShift zone" openshift-zone
    2. To create a region tag for each vSphere datacenter (region) where you want to deploy your cluster, enter the following command in your terminal:

      $ govc tags.create -c <region_tag_category> <region_tag>
    3. To create a zone tag for each vSphere cluster where you want to deploy your cluster, enter the following command:

      $ govc tags.create -c <zone_tag_category> <zone_tag>
    4. Attach region tags to each vCenter datacenter object by entering the following command:

      $ govc tags.attach -c <region_tag_category> <region_tag_1> /<datacenter_1>
    5. Attach the zone tags to each vCenter datacenter object by entering the following command:

      $ govc tags.attach -c <zone_tag_category> <zone_tag_1> /<datacenter_1>/host/vcs-mdcnc-workload-1
    6. Change to the directory that contains the installation program and initialize the cluster deployment according to your chosen installation requirements.

    Sample install-config.yaml file with multiple datacenters defined in a vSphere center

      ---
      compute:
      ---
        vsphere:
          zones:
            - "<machine_pool_zone_1>"
            - "<machine_pool_zone_2>"
      ---
      controlPlane:
      ---
        vsphere:
          zones:
            - "<machine_pool_zone_1>"
      ---
      platform:
        vsphere:
          vcenters:
      ---
          datacenters:
            - <datacenter1_name>
            - <datacenter2_name>
          failureDomains:
          - name: <machine_pool_zone_1>
            region: <region_tag_1>
            zone: <zone_tag_1>
            server: <fully_qualified_domain_name>
            topology:
              datacenter: <datacenter1>
              computeCluster: "/<datacenter1>/host/<cluster1>"
              networks:
              - <VM_Network1_name>
              datastore: "/<datacenter1>/datastore/<datastore1>"
              resourcePool: "/<datacenter1>/host/<cluster1>/Resources/<resourcePool1>"
              folder: "/<datacenter1>/vm/<folder1>"
          - name: <machine_pool_zone_2>
            region: <region_tag_2>
            zone: <zone_tag_2>
            server: <fully_qualified_domain_name>
            topology:
              datacenter: <datacenter2>
              computeCluster: "/<datacenter2>/host/<cluster2>"
              networks:
              - <VM_Network2_name>
              datastore: "/<datacenter2>/datastore/<datastore2>"
              resourcePool: "/<datacenter2>/host/<cluster2>/Resources/<resourcePool2>"
              folder: "/<datacenter2>/vm/<folder2>"
      ---
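As an added example (not installer or OKD project code), the following Python checks the failureDomains section of an install-config.yaml, loaded as a dict with yaml.safe_load(), against the template above and derives the govc tagging commands of steps 1 to 5 from it; every name in SAMPLE is constructed, and the vcenters/server fields of the template are left out of the checks.

```python
"""Checks and govc command generation for the failureDomains section of install-config.yaml.
Added example, not OKD installer code; it takes the dict that yaml.safe_load() returns."""
SAMPLE = {  # constructed stand-in for the page's two-datacenter template; all names hypothetical
    "compute": [{"platform": {"vsphere": {"zones": ["zone-a", "zone-b"]}}}],
    "controlPlane": {"platform": {"vsphere": {"zones": ["zone-a"]}}},
    "platform": {"vsphere": {"failureDomains": [
        {"name": "zone-a", "region": "east", "zone": "east-1",
         "topology": {"datacenter": "dc1", "computeCluster": "/dc1/host/cl1",
                      "datastore": "/dc1/datastore/ds1", "folder": "/dc1/vm/okd",
                      "resourcePool": "/dc1/host/cl1/Resources/rp1"}},
        {"name": "zone-b", "region": "east", "zone": "east-2",
         "topology": {"datacenter": "dc2", "computeCluster": "/dc2/host/cl2",
                      "datastore": "/dc1/datastore/ds2",  # wrong datacenter: gets flagged
                      "folder": "/dc2/vm/okd",
                      "resourcePool": "/dc2/host/cl2/Resources/rp2"}},
    ]}},
}


def check_failure_domains(config: dict) -> list[str]:
    """Return findings for the template rules; an empty list means the section is consistent."""
    findings, domains = [], config["platform"]["vsphere"]["failureDomains"]
    names = [fd["name"] for fd in domains]
    for fd in domains:
        topo, dc = fd["topology"], fd["topology"]["datacenter"]
        # Every inventory path of a failure domain must sit inside its own datacenter.
        for key in ("computeCluster", "datastore", "resourcePool", "folder"):
            if not topo[key].startswith(f"/{dc}/"):
                findings.append(f"{fd['name']}: {key} {topo[key]!r} is outside datacenter {dc!r}")
        if not topo["resourcePool"].startswith(topo["computeCluster"] + "/Resources/"):
            findings.append(f"{fd['name']}: resourcePool is not under its computeCluster")
    # Machine pools may only reference zones that are defined as failure domains.
    pools = [("controlPlane", config["controlPlane"])] + [("compute", p) for p in config["compute"]]
    for label, pool in pools:
        for zone in pool["platform"]["vsphere"]["zones"]:
            if zone not in names:
                findings.append(f"{label}: zone {zone!r} has no matching failureDomain")
    return findings


def govc_commands(config: dict) -> list[str]:
    """Steps 1 to 5 of the procedure above, derived from the failure domains (not executed)."""
    cmds = ['govc tags.category.create -d "OpenShift region" openshift-region',
            'govc tags.category.create -d "OpenShift zone" openshift-zone']
    seen = set()
    for fd in config["platform"]["vsphere"]["failureDomains"]:
        topo = fd["topology"]
        for cat, tag, target in (("openshift-region", fd["region"], "/" + topo["datacenter"]),
                                 ("openshift-zone", fd["zone"], topo["computeCluster"])):
            if (cat, tag) not in seen:  # create each tag once, then attach it to every object
                seen.add((cat, tag))
                cmds.append(f"govc tags.create -c {cat} {tag}")
            cmds.append(f"govc tags.attach -c {cat} {tag} {target}")
    return cmds
```

Run check_failure_domains() on your own config before invoking the generated commands; the category names are fixed because the installer fails with any other names.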

    Deploying the cluster

    You can install OKD on a compatible cloud platform.

    You can run the create cluster command of the installation program only once, during initial installation.

    Prerequisites

    • Obtain the OKD installation program and the pull secret for your cluster.

    • Verify the cloud provider account on your host has the correct permissions to deploy the cluster. An account with incorrect permissions causes the installation process to fail with an error message that displays the missing permissions.

    Procedure

    • Change to the directory that contains the installation program and initialize the cluster deployment:

      $ ./openshift-install create cluster --dir <installation_directory> \ (1)
          --log-level=info (2)

      (1) For <installation_directory>, specify the location of your customized ./install-config.yaml file.
      (2) To view different installation details, specify warn, debug, or error instead of info.

    Verification

    When the cluster deployment completes successfully:

    • The terminal displays directions for accessing your cluster, including a link to the web console and credentials for the kubeadmin user.

    • Credential information also outputs to <installation_directory>/.openshift_install.log.

    Do not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.

    Example output

      ...
      INFO Install complete!
      INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/home/myuser/install_dir/auth/kubeconfig'
      INFO Access the OpenShift web-console here: https://console-openshift-console.apps.mycluster.example.com
      INFO Login to the console with user: "kubeadmin", and password: "4vYBz-Ee6gm-ymBZj-Wt5AL"
      INFO Time elapsed: 36m22s
    • The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.

    • It is recommended that you use Ignition config files within 12 hours after they are generated because the 24-hour certificate rotates from 16 to 22 hours after the cluster is installed. By using the Ignition config files within 12 hours, you can avoid installation failure if the certificate update runs during installation.

    You can install the OpenShift CLI (oc) to interact with OKD from a command-line interface. You can install oc on Linux, Windows, or macOS.

    If you installed an earlier version of oc, you cannot use it to complete all of the commands in OKD 4.13. Download and install the new version of oc.

    Installing the OpenShift CLI on Linux

    You can install the OpenShift CLI (oc) binary on Linux by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Unpack the archive:

      $ tar xvf <file>
    4. Place the oc binary in a directory that is on your PATH.

      To check your PATH, execute the following command:

      $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

      $ oc <command>

    Installing the OpenShift CLI on Windows

    You can install the OpenShift CLI (oc) binary on Windows by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.zip.

    3. Unzip the archive with a ZIP program.

    4. Move the oc binary to a directory that is on your PATH.

      To check your PATH, open the command prompt and execute the following command:

      C:\> path

    After you install the OpenShift CLI, it is available using the oc command:

      C:\> oc <command>

    Installing the OpenShift CLI on macOS

    You can install the OpenShift CLI (oc) binary on macOS by using the following procedure.

    Procedure

    1. Navigate to https://mirror.openshift.com/pub/openshift-v4/clients/oc/latest/ and choose the folder for your operating system and architecture.

    2. Download oc.tar.gz.

    3. Unpack and unzip the archive.

    4. Move the oc binary to a directory on your PATH.

      To check your PATH, open a terminal and execute the following command:

      $ echo $PATH

    After you install the OpenShift CLI, it is available using the oc command:

      $ oc <command>

    Logging in to the cluster by using the CLI

    You can log in to your cluster as a default system user by exporting the cluster kubeconfig file. The kubeconfig file contains information about the cluster that is used by the CLI to connect a client to the correct cluster and API server. The file is specific to a cluster and is created during OKD installation.

    Prerequisites

    • You deployed an OKD cluster.

    • You installed the oc CLI.

    Procedure

    1. Export the kubeadmin credentials:

      $ export KUBECONFIG=<installation_directory>/auth/kubeconfig (1)

      (1) For <installation_directory>, specify the path to the directory that you stored the installation files in.
    2. Verify you can run oc commands successfully using the exported configuration:

      $ oc whoami

      Example output

      system:admin

    Disabling the default OperatorHub catalog sources

    Operator catalogs that source content provided by Red Hat and community projects are configured for OperatorHub by default during an OKD installation. In a restricted network environment, you must disable the default catalogs as a cluster administrator.

    Procedure

    • Disable the sources for the default catalogs by adding disableAllDefaultSources: true to the OperatorHub object:

      $ oc patch OperatorHub cluster --type json \
          -p '[{"op": "add", "path": "/spec/disableAllDefaultSources", "value": true}]'

    Alternatively, you can use the web console to manage catalog sources. From the Administration → Cluster Settings → Configuration → OperatorHub page, click the Sources tab, where you can create, delete, disable, and enable individual sources.

    Creating registry storage

    After you install the cluster, you must create storage for the Registry Operator.

    Image registry removed during installation

    On platforms that do not provide shareable object storage, the OpenShift Image Registry Operator bootstraps itself as Removed. This allows openshift-installer to complete installations on these platform types.

    After installation, you must edit the Image Registry Operator configuration to switch the managementState from Removed to Managed.

    The Prometheus console provides an ImageRegistryRemoved alert, for example:

    “Image Registry has been removed. ImageStreamTags, BuildConfigs and DeploymentConfigs which reference ImageStreamTags may not work as expected. Please configure storage and update the config to Managed state by editing configs.imageregistry.operator.openshift.io.”

    Image registry storage configuration

    The Image Registry Operator is not initially available for platforms that do not provide default storage. After installation, you must configure your registry to use storage so that the Registry Operator is made available.

    Instructions are shown for configuring a persistent volume, which is required for production clusters. Where applicable, instructions are shown for configuring an empty directory as the storage location, which is available for only non-production clusters.

    Additional instructions are provided for allowing the image registry to use block storage types by using the Recreate rollout strategy during upgrades.

    Configuring registry storage for VMware vSphere

    As a cluster administrator, following installation you must configure your registry to use storage.

    Prerequisites

    • Cluster administrator permissions.

    • A cluster on VMware vSphere.

    • Persistent storage provisioned for your cluster, such as Red Hat OpenShift Data Foundation.

      OKD supports ReadWriteOnce access for image registry storage when you have only one replica. ReadWriteOnce access also requires that the registry uses the Recreate rollout strategy. To deploy an image registry that supports high availability with two or more replicas, ReadWriteMany access is required.

    • Must have “100Gi” capacity.

    Testing shows issues with using the NFS server on RHEL as storage backend for core services. This includes the OpenShift Container Registry and Quay, Prometheus for monitoring storage, and Elasticsearch for logging storage. Therefore, using RHEL NFS to back PVs used by core services is not recommended.

    Other NFS implementations on the marketplace might not have these issues. Contact the individual NFS implementation vendor for more information on any testing that was possibly completed against these OKD core components.

    Procedure

    1. To configure your registry to use storage, change the spec.storage.pvc in the configs.imageregistry/cluster resource.

      When using shared storage, review your security settings to prevent outside access.

    2. Verify that you do not have a registry pod:

      $ oc get pod -n openshift-image-registry -l docker-registry=default

      Example output

      No resources found in openshift-image-registry namespace

      If you do have a registry pod in your output, you do not need to continue with this procedure.

    3. Check the registry configuration:

      $ oc edit configs.imageregistry.operator.openshift.io

      Example output

      storage:
        pvc:
          claim: (1)

      (1) Leave the claim field blank to allow the automatic creation of an image-registry-storage persistent volume claim (PVC). The PVC is generated based on the default storage class. However, be aware that the default storage class might provide ReadWriteOnce (RWO) volumes, such as a RADOS Block Device (RBD), which can cause issues when replicating to more than one replica.
    4. Check the clusteroperator status:

      $ oc get clusteroperator image-registry

      Example output

      NAME             VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
      image-registry   4.7       True        False         False      6h50m

    Additional resources

    • See for more information about the Telemetry service

    Configuring an external load balancer

    You can configure an OKD cluster to use an external load balancer in place of the default load balancer.

    You can also configure an OKD cluster to use an external load balancer that supports multiple subnets. If you use multiple subnets, you can explicitly list all the IP addresses in any networks that are used by your load balancer targets. This configuration can reduce maintenance overhead because you can create and destroy nodes within those networks without reconfiguring the load balancer targets.

    If you deploy your ingress pods by using a machine set on a smaller network, such as a /27 or /28, you can simplify your load balancer targets.

    You do not need to specify API and Ingress static addresses for your installation program. If you choose this configuration, you must take additional actions to define network targets that accept an IP address from each referenced vSphere subnet.

    Prerequisites

    • On your load balancer, TCP over ports 6443, 443, and 80 must be reachable by all users of your system that are located outside the cluster.

    • Load balance the application ports, 443 and 80, between all the compute nodes.

    • Load balance the API port, 6443, between each of the control plane nodes.

    • On your load balancer, port 22623, which is used to serve ignition startup configurations to nodes, is not exposed outside of the cluster.

    • Your load balancer can access the required ports on each node in your cluster. You can ensure this level of access by completing the following actions:

      • The API load balancer can access ports 22623 and 6443 on the control plane nodes.

      • The ingress load balancer can access ports 443 and 80 on the nodes where the ingress pods are located.
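The prerequisites above, checked against an HAProxy listen configuration, as an added example that is not part of the original page or of HAProxy: the constructed WEAK_CONFIG exposes port 22623 on every interface, and FIXED_CONFIG binds it only to a hypothetical cluster-internal address (10.0.0.5); the 192.0.2.x node addresses are constructed as well.

```python
"""Audit an HAProxy configuration against the load balancer prerequisites above. Added example,
not HAProxy or OKD code; addresses are constructed (10.0.0.5 = the LB's cluster-internal address)."""
WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}  # bind addresses that expose a port on every interface

# Constructed config in the page's style. Weak setting: 22623 (Ignition) is bound on all interfaces.
WEAK_CONFIG = """
listen my-cluster-api-6443
    bind 0.0.0.0:6443
    server master-0 192.0.2.1:6443 check
    server master-1 192.0.2.2:6443 check
listen my-cluster-machine-config-22623
    bind 0.0.0.0:22623
    server master-0 192.0.2.1:22623 check
    server master-1 192.0.2.2:22623 check
listen my-cluster-apps-443
    bind 0.0.0.0:443
    server worker-0 192.0.2.4:443 check
listen my-cluster-apps-80
    bind 0.0.0.0:80
    server worker-0 192.0.2.4:80 check
"""
# Corrected: identical, except the Ignition port listens only on the internal address.
FIXED_CONFIG = WEAK_CONFIG.replace("bind 0.0.0.0:22623", "bind 10.0.0.5:22623")


def parse_listens(text: str) -> dict[str, dict]:
    """Map each 'listen' section to its (address, port) binds and the set of backend IPs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("listen "):
            current = sections.setdefault(line.split()[1], {"binds": [], "servers": set()})
        elif current is None or not line:
            continue
        elif line.startswith("bind "):
            addr, _, port = line.split()[1].rpartition(":")
            current["binds"].append((addr, int(port)))
        elif line.startswith("server "):
            current["servers"].add(line.split()[2].rpartition(":")[0])
    return sections


def audit(text: str) -> list[str]:
    """Return findings for the prerequisite rules; an empty list means the config complies."""
    findings, backends = [], {}
    for name, sec in parse_listens(text).items():
        for addr, port in sec["binds"]:
            backends.setdefault(port, set()).update(sec["servers"])
            if port == 22623 and addr in WILDCARDS:
                findings.append(f"{name}: port 22623 (Ignition) is bound to {addr or '*'}; "
                                "it must not be exposed outside the cluster")
    for port in (6443, 443, 80, 22623):
        if port not in backends:
            findings.append(f"no listener for required port {port}")
    # 6443 and 22623 front the control plane; 443 and 80 front the nodes running ingress pods.
    for a, b, what in ((6443, 22623, "the control plane nodes"), (443, 80, "the same ingress nodes")):
        if backends.get(a) != backends.get(b):
            findings.append(f"ports {a} and {b} must both target {what}")
    return findings
```

The bind check is a static review only; a firewall rule in front of the load balancer can still expose or block a port, so pair it with the curl checks in the procedure that follows.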

    Procedure

    1. Enable access to the cluster from your load balancer on ports 6443, 443, and 80.

      As an example, note this HAProxy configuration:

      A section of a sample HAProxy configuration

      ...
      listen my-cluster-api-6443
          bind 0.0.0.0:6443
          mode tcp
          balance roundrobin
          server my-cluster-master-2 192.0.2.2:6443 check
          server my-cluster-master-0 192.0.2.3:6443 check
          server my-cluster-master-1 192.0.2.1:6443 check
      listen my-cluster-apps-443
          bind 0.0.0.0:443
          mode tcp
          balance roundrobin
          server my-cluster-worker-0 192.0.2.6:443 check
          server my-cluster-worker-1 192.0.2.5:443 check
          server my-cluster-worker-2 192.0.2.4:443 check
      listen my-cluster-apps-80
          bind 0.0.0.0:80
          mode tcp
          balance roundrobin
          server my-cluster-worker-0 192.0.2.7:80 check
          server my-cluster-worker-1 192.0.2.9:80 check
          server my-cluster-worker-2 192.0.2.8:80 check
    2. Add records to your DNS server for the cluster API and apps over the load balancer. For example:

      <load_balancer_ip_address> api.<cluster_name>.<base_domain>
      <load_balancer_ip_address> apps.<cluster_name>.<base_domain>
    3. From a command line, use curl to verify that the external load balancer and DNS configuration are operational.

      1. Verify that the cluster API is accessible:

        $ curl https://<loadbalancer_ip_address>:6443/version --insecure

        If the configuration is correct, you receive a JSON object in response:

        {
          "major": "1",
          "minor": "11+",
          "gitVersion": "v1.11.0+ad103ed",
          "gitCommit": "ad103ed",
          "gitTreeState": "clean",
          "buildDate": "2019-01-09T06:44:10Z",
          "goVersion": "go1.10.3",
          "compiler": "gc",
          "platform": "linux/amd64"
        }
      2. Verify that cluster applications are accessible:

        You can also verify application accessibility by opening the OKD console in a web browser.

        If the configuration is correct, you receive an HTTP response:

    Next steps