Expanding a cluster with on-premise bare metal nodes
You can expand an OKD cluster deployed on AWS by adding bare-metal nodes to the cluster. By default, a cluster deployed on AWS with OKD 4.11 or earlier has the Baremetal Operator (BMO) disabled. In OKD 4.12 and later releases, the BMO is enabled to support a hybrid cloud consisting of AWS control plane nodes and worker nodes with additional on-premise bare-metal worker nodes.
Expanding an OKD cluster deployed on AWS requires using virtual media with bare-metal nodes that meet the node requirements and firmware requirements for installing with virtual media. A provisioning
network is not required, and if present, should be disabled.
Connecting the VPC to the on-premise network
To expand the OKD cluster deployed on AWS with on-premise bare metal nodes, you must establish network connectivity between them. You will need to configure the networking using a virtual private network or AWS Direct Connect between the AWS VPC and your on-premise network. This allows traffic to flow between the on-premise nodes and the AWS nodes.
Additionally, you need to ensure secure access to the Baseboard Management Controllers (BMCs) of the bare metal nodes. When expanding the cluster with the Baremetal Operator, access to the BMCs is required for remotely managing and monitoring the hardware of your on-premise nodes.
To securely access the BMCs, you can create a separate, secure network segment or use a dedicated VPN connection specifically for BMC access. This way, you can isolate the BMC traffic from other network traffic, reducing the risk of unauthorized access or potential vulnerabilities.
Misconfiguration of the network connection between the AWS and on-premise environments can expose the on-premise network and bare-metal nodes to the internet. That is a significant security risk, which might result in an attacker having full access to the exposed machines, and through them to the private network in these environments. |
Additional resources
Creating firewall rules for port 6183
Port 6183
is open by default on the control plane. However, you must create a firewall rule for the VPC connection and for the on-premise network for the bare metal nodes to allow inbound and outbound traffic on that port.
Procedure
Modify the AWS VPC security group to open port
6183
:Navigate to the Amazon VPC console in the AWS Management Console.
In the left navigation pane, click on Security Groups.
Find and select the security group associated with the OKD cluster.
In the Inbound rules tab, click Edit inbound rules.
Click Add rule and select Custom TCP Rule as the rule type.
In the Port range field, enter
6183
.In the Source field, specify the CIDR block for the on-premise network or the security group ID of the peered VPC (if you have VPC peering) to allow traffic only from the desired sources.
Click Save rules.
Modify the AWS VPC network access control lists to open port
6183
:In the Amazon VPC console, click on Network ACLs in the left navigation pane.
Find and select the network ACL associated with your OKD cluster’s VPC.
In the Inbound rules tab, click Edit inbound rules.
Click Add rule and enter a rule number in the Rule # field. Choose a number that doesn’t conflict with existing rules.
Select
TCP
as the protocol.In the Port range field, enter
6183
.In the Source field, specify the CIDR block for the on-premise network to allow traffic only from the desired sources.
Click Save to save the new rule.
Repeat the same process for the Outbound rules tab to allow outbound traffic on port
6183
.
Modify the on-premise network to allow traffic on port
6183
:Execute the following command to identify the zone you want to modify:
$ sudo firewall-cmd --list-all-zones
To open port
6183
for TCP traffic in the desired zone execute the following command:$ sudo firewall-cmd --zone=<zone> --add-port=6183/tcp --permanent
Replace
<zone>
with the appropriate zone name.Reload
firewalld
to apply the new rule:$ sudo firewall-cmd --reload
After you have the networking configured, you can proceed with expanding the cluster.