Configuring for Amazon Web Services (AWS)

Overview

OKD can be configured to access an AWS EC2 infrastructure, including using AWS volumes as persistent storage for application data. After you configure AWS, some additional configurations must be completed on the OKD hosts.

Configuring authorization for Amazon Web Services (AWS)

Permissions AWS instances require either IAM account with Programmatic Access using an access and secret key or IAM role assigned to instances at creation to be able to request and manage load balancers and storage in OKD.

The IAM account or IAM role must have the following policy permissions permissions to have full cloud provider functionality.

  1. {
  2.     "Version": "2012-10-17",
  3.     "Statement": [
  4.         {
  5.             "Action": [
  6.                 "ec2:DescribeVolume*",
  7.                 "ec2:CreateVolume",
  8.                 "ec2:CreateTags",
  9.                 "ec2:DescribeInstances",
  10.                 "ec2:AttachVolume",
  11.                 "ec2:DetachVolume",
  12.                 "ec2:DeleteVolume",
  13.                 "ec2:DescribeSubnets",
  14.                 "ec2:CreateSecurityGroup",
  15.                 "ec2:DescribeSecurityGroups",
  16.                 "ec2:DeleteSecurityGroup",
  17.                 "ec2:DescribeRouteTables",
  18.                 "ec2:AuthorizeSecurityGroupIngress",
  19.                 "ec2:RevokeSecurityGroupIngress",
  20.                 "elasticloadbalancing:DescribeTags",
  21.                 "elasticloadbalancing:CreateLoadBalancerListeners",
  22.                 "elasticloadbalancing:ConfigureHealthCheck",
  23.                 "elasticloadbalancing:DeleteLoadBalancerListeners",
  24.                 "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
  25.                 "elasticloadbalancing:DescribeLoadBalancers",
  26.                 "elasticloadbalancing:CreateLoadBalancer",
  27.                 "elasticloadbalancing:DeleteLoadBalancer",
  28.                 "elasticloadbalancing:ModifyLoadBalancerAttributes",
  29.                 "elasticloadbalancing:DescribeLoadBalancerAttributes"
  30.             ],
  31.             "Resource": "*",
  32.             "Effect": "Allow",
  33.             "Sid": "1"
  34.         }
  35.     ]
  36. }
  1. aws iam put-role-policy \
  2.   --role-name openshift-role \
  3.   --policy-name openshift-admin \
  4.   --policy-document file: //openshift_iam_policy
  1. aws iam put-user-policy \
  2.   --user-name openshift-admin \
  3.   --policy-name openshift-admin \
  4.   --policy-document file: //openshift_iam_policy
The OpenShift node instances only need the ec2:DescribeInstance permission but the installer only allows for a single AWS access key and secret to be defined. This can be bypassed using IAM roles and assigning the permissions above to the master instances and the ec2:DescribeInstance to nodes.

Configuring the OKD cloud provider at installation

Procedure

To configure the configure the Amazon Web Services cloud provider using an IAM account with an access and secret key add the following values to the inventory:

  1. [OSEv3:vars]
  2. openshift_cloudprovider_kind=aws
  3. openshift_clusterid=openshift (1)
  4. openshift_cloudprovider_aws_access_key=AKIAJ6VLBLISADPBUA (2)
  5. openshift_cloudprovider_aws_secret_key=g/8PmDNYHVSQn0BQE+xtsHzbaZaGYjGNzhbdgwjH (3)
1A tag assigned to all resources (instances, load balancers, vpc, etc) used for OpenShift.
2AWS access key used by the IAM account.
3AWS secret key used by the IAM account.

To configure the configure the Amazon Web Services cloud provider using an IAM role add the following values to the inventory:

  1. [source,yaml]
  2. ----
  3. [OSEv3:vars]
  4. openshift_cloudprovider_kind=aws
  5. openshift_clusterid=openshift (1)
  6. ----
  7. <1> A tag assigned to all resources (instances, load balancers, vpc, etc) used for OpenShift.
  1. NOTE: The IAM role takes the place of needing an access and secret key.

Configuring the OKD cloud provider after installation

In the event that the Amazon Web Services cloud provider values were not provided at installation time the configuration can be defined and created after the installation. Follow the steps to configure the configuration file and manually configuring the master and node Manually Configuring OKD Masters for AWS.

  • Every master host, node host, and subnet must have the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag.

  • One security group, preferably the one linked to the nodes, must have the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag.

    • Do not tag all security groups with the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag or the Elastic Load Balancing (ELB) will not be able to create a load balancer.

Configuring a Security Group

When installing OKD on AWS, ensure that you set up the appropriate security groups.

These are some ports that you must have in your security groups, without which the installation fails. You may need more depending on the cluster configuration you want to install. For more information and to adjust your security groups accordingly, see Required Ports for more information.

All OKD Hosts

  • tcp/22 from host running the installer/Ansible

etcd Security Group

  • tcp/2379 from masters

  • tcp/2380 from etcd hosts

Master Security Group

  • tcp/8443 from 0.0.0.0/0

  • tcp/53 from all OKD hosts for environments installed prior to or upgraded to 1.2

  • udp/53 from all OKD hosts for environments installed prior to or upgraded to 1.2

  • tcp/8053 from all OKD hosts for new environments installed with 1.2

  • udp/8053 from all OKD hosts for new environments installed with 1.2

Node Security Group

  • tcp/10250 from masters

  • udp/4789 from nodes

Infrastructure Nodes (ones that can host the OKD router)

  • tcp/443 from 0.0.0.0/0

  • tcp/80 from 0.0.0.0/0

CRI-O

If using CRIO, you must open tcp/10010 to allow oc exec and oc rsh operations.

If configuring external load-balancers (ELBs) for load balancing the masters and/or routers, you also need to configure Ingress and Egress security groups for the ELBs appropriately.

Overriding Detected IP Addresses and Host Names

In AWS, situations that require overriding the variables include:

VariableUsage

hostname

The user is installing in a VPC that is not configured for both DNS hostnames and DNS resolution.

ip

You have multiple network interfaces configured and want to use one other than the default.

public_hostname

  • A master instance where the VPC subnet is not configured for Auto-assign Public IP. For external access to this master, you need to have an ELB or other load balancer configured that would provide the external access needed, or you need to connect over a VPN connection to the internal name of the host.

  • A master instance where metadata is disabled.

  • This value is not actually used by the nodes.

public_ip

  • A master instance where the VPC subnet is not configured for Auto-assign Public IP.

  • A master instance where metadata is disabled.

  • This value is not actually used by the nodes.

For EC2 hosts in particular, they must be deployed in a VPC that has both **DNS host names** and **DNS resolution** enabled.

Configuring the OKD registry for Amazon Web Services (AWS)

Amazon Web Services (AWS) provides object cloud storage that OKD can use to store container images using the OKD container registry.

For more information, see Amazon S3.

Prerequisites

OKD uses S3 for image storage. A S3 bucket, IAM policy, and IAM user with Programmatic Access should be created to allow for the installer to configure the registry.

The example below uses awscli to create a bucket with the name of openshift-registry-storage in the region of us-east-1.

  1. # aws s3api create-bucket \
  2.      --bucket openshift-registry-storage \
  3.      --region us-east-1

The default policy

  1. {
  2.   "Version": "2012-10-17",
  3.   "Statement": [
  4.     {
  5.       "Effect": "Allow",
  6.       "Action": [
  7.         "s3:ListBucket",
  8.         "s3:GetBucketLocation",
  9.         "s3:ListBucketMultipartUploads"
  10.       ],
  11.       "Resource": "arn:aws:s3:::S3_BUCKET_NAME"
  12.     },
  13.     {
  14.       "Effect": "Allow",
  15.       "Action": [
  16.         "s3:PutObject",
  17.         "s3:GetObject",
  18.         "s3:DeleteObject",
  19.         "s3:ListMultipartUploadParts",
  20.         "s3:AbortMultipartUpload"
  21.       ],
  22.       "Resource": "arn:aws:s3:::S3_BUCKET_NAME/*"
  23.     }
  24.   ]
  25. }
Configuring the OKD inventory to use S3

Procedure

To configure the Ansible inventory for the registry to use the S3 bucket and IAM user:

  1. [OSEv3:vars]
  2. # AWS Registry Configuration
  3. openshift_hosted_manage_registry=true
  4. openshift_hosted_registry_storage_kind=object
  5. openshift_hosted_registry_storage_provider=s3
  6. openshift_hosted_registry_storage_s3_accesskey=AKIAJ6VLREDHATSPBUA (1)
  7. openshift_hosted_registry_storage_s3_secretkey=g/8PmTYDQVGssFWWFvfawHpDbZyGkjGNZhbWQpjH (2)
  8. openshift_hosted_registry_storage_s3_bucket=openshift-registry-storage (3)
  9. openshift_hosted_registry_storage_s3_region=us-east-1 (4)
  10. openshift_hosted_registry_storage_s3_chunksize=26214400
  11. openshift_hosted_registry_storage_s3_rootdirectory=/registry
  12. openshift_hosted_registry_storage_s3_encrypt=false
  13. openshift_hosted_registry_storage_s3_kmskeyid=aws_kms_key_id (5)
  14. openshift_hosted_registry_pullthrough=true
  15. openshift_hosted_registry_acceptschema2=true
  16. openshift_hosted_registry_enforcequota=true
  17. openshift_hosted_registry_replicas=3
1The access key for the IAM user. (Not required with IAM Roles in place)
2The secret key for the IAM user. (Not required with IAM Roles in place)
3The S3 storage bucket name.
4The region in which the bucket exists.
5The AWS Key Management Service (AWS KMS) key ID of the encryption key used to encrypt data in the cluster.
Manually configuring OKD registry to use S3

To use Amazon Web Services (AWS) S3 object storage, edit the registry’s configuration file and mount to the registry pod.

Procedure

  1. Export the current config.yml:

    1. $ oc get secret registry-config \
    2.     -o jsonpath='{.data.config\.yml}' -n default | base64 -d \
    3.   >> config.yml.old

  2. Create a new configuration file from the old config.yml:

    1. $ cp config.yml.old config.yml

  3. Edit the file to include the S3 parameters. Specify the accountname, accountkey, container, and realm in the storage section of a registry’s configuration file:

    1. storage:
    2.   delete:
    3.     enabled: true
    4.   cache:
    5.     blobdescriptor: inmemory
    6.   s3:
    7.     accesskey: AKIAJ6VLREDHATSPBUA (1)
    8.     secretkey: g/8PmTYDQVGssFWWFvfawHpDbZyGkjGNZhbWQpjH (2)
    9.     region: us-east-1 (3)
    10.     bucket: openshift-registry-storage (4)
    11.     encrypt: False
    12.     secure: true
    13.     v4auth: true
    14.     rootdirectory: /registry (5)
    15.     chunksize: "26214400"
    1Replace with an AWS access key that is authorized to access the S3 bucket.
    2The secret key that corresponds to the defined AWS access key.
    3The name of the S3 bucket to be used as the registry.
    4The location in which the registry will store images and metadata. (Default is /registry)

  4. Delete the registry-config secret:

    1. $ oc delete secret registry-config -n default

  5. Recreate the secret to reference the updated configuration file:

    1. $ oc create secret generic registry-config \
    2.     --from-file=config.yml -n default

  6. Redeploy the registry to read the updated configuration:

    1. $ oc rollout latest docker-registry -n default
Verify the registry is using S3 storage

To verify if the registry is using Amazon S3 storage:

Procedure

  1. After a successful registry deployment, the registry deploymentconfig describes registry-storage as emptydir instead of AWS S3 but the configuration for the AWS S3 bucket resides in the secret docker-config. The docker-config secret mounts to REGISTRY_CONFIGURATION_PATH which provides all of the paramaters when using AWS S3 for the registry object storage.

    1. $ oc describe dc docker-registry -n default
    2. ...
    3.     Environment:
    4.       REGISTRY_HTTP_ADDR:                    :5000
    5.       REGISTRY_HTTP_NET:                    tcp
    6.       REGISTRY_HTTP_SECRET:                    SPLR83SDsPaGbGuwSMDfnDwrDRvGf6YXl4h9JQrToQU=
    7.       REGISTRY_MIDDLEWARE_REPOSITORY_OPENSHIFT_ENFORCEQUOTA:    false
    8.       REGISTRY_HTTP_TLS_KEY:                    /etc/secrets/registry.key
    9.       OPENSHIFT_DEFAULT_REGISTRY:                docker-registry.default.svc:5000
    10.       REGISTRY_CONFIGURATION_PATH:                /etc/registry/config.yml
    11.       REGISTRY_OPENSHIFT_SERVER_ADDR:                docker-registry.default.svc:5000
    12.       REGISTRY_HTTP_TLS_CERTIFICATE:                /etc/secrets/registry.crt
    13.     Mounts:
    14.       /etc/registry from docker-config (rw)
    15.       /etc/secrets from registry-certificates (rw)
    16.       /registry from registry-storage (rw)
    17.   Volumes:
    18.    registry-storage:
    19.     Type:    EmptyDir (a temporary directory that shares a pod's lifetime) (1)
    20.     Medium:
    21.    registry-certificates:
    22.     Type:    Secret (a volume populated by a Secret)
    23.     SecretName:    registry-certificates
    24.     Optional:    false
    25.    docker-config:
    26.     Type:    Secret (a volume populated by a Secret)
    27.     SecretName:    registry-config
    28.     Optional:    false
    29. ....
    1The temporary directory that shares a pod’s lifetime.

  2. Ensure that the /registry mountpoint is empty:

    1. $ oc exec \
    2.     $(oc get pod -l deploymentconfig=docker-registry \
    3.     -o=jsonpath='{.items[0].metadata.name}')  -i -t -- ls -l /registry
    4. total 0

    If it is empty, it is because the S3 configuration is defined in the registry-config secret:

    1. $ oc describe secret registry-config
    2. Name:         registry-config
    3. Namespace:    default
    4. Labels:       <none>
    5. Annotations:  <none>
    7. Type:  Opaque
    9. Data
    10. ====
    11. config.yml:  398 bytes

  3. The installer creates a config.yml file with the desired configuration using the extended registry capabilities as seen in Storage in the installation documentation. To view the configuration file, including the storage section where the storage bucket configuration is stored:

    1. $ oc exec \
    2.     $(oc get pod -l deploymentconfig=docker-registry \
    3.       -o=jsonpath='{.items[0].metadata.name}') \
    4.   cat /etc/registry/config.yml
    6.   version: 0.1
    7.   log:
    8.     level: debug
    9.   http:
    10.     addr: :5000
    11.   storage:
    12.     delete:
    13.       enabled: true
    14.     cache:
    15.       blobdescriptor: inmemory
    16.     s3:
    17.       accesskey: AKIAJ6VLREDHATSPBUA
    18.       secretkey: g/8PmTYDQVGssFWWFvfawHpDbZyGkjGNZhbWQpjH
    19.       region: us-east-1
    20.       bucket: openshift-registry-storage
    21.       encrypt: False
    22.       secure: true
    23.       v4auth: true
    24.       rootdirectory: /registry
    25.       chunksize: "26214400"
    26.   auth:
    27.     openshift:
    28.       realm: openshift
    29.   middleware:
    30.     registry:
    31.     - name: openshift
    32.     repository:
    33.     - name: openshift
    34.       options:
    35.         pullthrough: true
    36.         acceptschema2: true
    37.         enforcequota: true
    38.     storage:
    39.     - name: openshift

    Alternatively, you can view the secret:

    1. $ oc get secret registry-config -o jsonpath='{.data.config\.yml}' | base64 -d
    2. version: 0.1
    3. log:
    4.   level: debug
    5. http:
    6.   addr: :5000
    7.   storage:
    8.     delete:
    9.       enabled: true
    10.     cache:
    11.       blobdescriptor: inmemory
    12.     s3:
    13.       accesskey: AKIAJ6VLREDHATSPBUA
    14.       secretkey: g/8PmTYDQVGssFWWFvfawHpDbZyGkjGNZhbWQpjH
    15.       region: us-east-1
    16.       bucket: openshift-registry-storage
    17.       encrypt: False
    18.       secure: true
    19.       v4auth: true
    20.       rootdirectory: /registry
    21.       chunksize: "26214400"
    22. auth:
    23.   openshift:
    24.     realm: openshift
    25. middleware:
    26.   registry:
    27.   - name: openshift
    28.   repository:
    29.   - name: openshift
    30.   options:
    31.     pullthrough: true
    32.     acceptschema2: true
    33.     enforcequota: true
    34.   storage:
    35.   - name: openshift

If using an emptyDir volume, the /registry mountpoint looks like the following:

  1. $ oc exec \
  2.     $(oc get pod -l deploymentconfig=docker-registry \
  3.     -o=jsonpath='{.items[0].metadata.name}')  -i -t -- df -h /registry
  4. Filesystem      Size  Used Avail Use% Mounted on
  5. /dev/sdc         100G  226M   30G   1% /registry
  8. $ oc exec \
  9.     $(oc get pod -l deploymentconfig=docker-registry \
  10.     -o=jsonpath='{.items[0].metadata.name}')  -i -t -- ls -l /registry
  11. total 0
  12. drwxr-sr-x. 3 1000000000 1000000000 22 Jun 19 12:24 docker

Configuring AWS Variables

To set the required AWS variables, create a /etc/origin/cloudprovider/aws.conf file with the following contents on all of your OKD hosts, both masters and nodes:

  1. [Global]
  2. Zone = us-east-1c (1)
1This is the Availability Zone of your AWS Instance and where your EBS Volume resides; this information is obtained from the AWS Management Console.

Configuring OKD for AWS

You can set the AWS configuration on OKD in two ways:

Configuring OKD for AWS with Ansible

During cluster installations, AWS can be configured using the openshift_cloudprovider_aws_access_key, openshift_cloudprovider_aws_secret_key, openshift_cloudprovider_kind, openshift_clusterid parameters, which are configurable in the inventory file.

Example AWS Configuration with Ansible

  1. # Cloud Provider Configuration
  2. #
  3. # Note: You may make use of environment variables rather than store
  4. # sensitive configuration within the ansible inventory.
  5. # For example:
  6. #openshift_cloudprovider_aws_access_key="{{ lookup('env','AWS_ACCESS_KEY_ID') }}"
  7. #openshift_cloudprovider_aws_secret_key="{{ lookup('env','AWS_SECRET_ACCESS_KEY') }}"
  8. #
  9. #openshift_clusterid=unique_identifier_per_availablility_zone
  10. #
  11. # AWS (Using API Credentials)
  12. #openshift_cloudprovider_kind=aws
  13. #openshift_cloudprovider_aws_access_key=aws_access_key_id
  14. #openshift_cloudprovider_aws_secret_key=aws_secret_access_key
  15. #
  16. # AWS (Using IAM Profiles)
  17. #openshift_cloudprovider_kind=aws
  18. # Note: IAM roles must exist before launching the instances.

When Ansible configures AWS, it automatically makes the necessary changes to the following files:

  • /etc/origin/cloudprovider/aws.conf

  • /etc/origin/master/master-config.yaml

  • /etc/origin/node/node-config.yaml

Manually Configuring OKD Masters for AWS

Edit or create the master configuration file on all masters (/etc/origin/master/master-config.yaml by default) and update the contents of the **apiServerArguments** and **controllerArguments** sections:

  1. kubernetesMasterConfig:
  2.   ...
  3.   apiServerArguments:
  4.     cloud-provider:
  5.       - "aws"
  6.     cloud-config:
  7.       - "/etc/origin/cloudprovider/aws.conf"
  8.   controllerArguments:
  9.     cloud-provider:
  10.       - "aws"
  11.     cloud-config:
  12.       - "/etc/origin/cloudprovider/aws.conf"

Currently, the nodeName must match the instance name in AWS in order for the cloud provider integration to work properly. The name must also be RFC1123 compliant.

When triggering a containerized installation, only the directories of /etc/origin and /var/lib/origin are mounted to the master and node container. Therefore, aws.conf should be in /etc/origin/ instead of /etc/.

Manually Configuring OKD Nodes for AWS

Edit the appropriate node configuration map and update the contents of the **kubeletArguments** section:

  1. kubeletArguments:
  2.   cloud-provider:
  3.     - "aws"
  4.   cloud-config:
  5.     - "/etc/origin/cloudprovider/aws.conf"

When triggering a containerized installation, only the directories of /etc/origin and /var/lib/origin are mounted to the master and node container. Therefore, aws.conf should be in /etc/origin/ instead of /etc/.

Manually Setting Key-Value Access Pairs

Make sure the following environment variables are set in the /etc/origin/master/master.env file on masters and the /etc/sysconfig/origin-node file on nodes:

  1. AWS_ACCESS_KEY_ID=<key_ID>
  2. AWS_SECRET_ACCESS_KEY=<secret_key>

Access keys are obtained when setting up your AWS IAM user.

Applying Configuration Changes

Start or restart OKD services on all master and node hosts to apply your configuration changes, see Restarting OKD services:

  1. # master-restart api
  2. # master-restart controllers
  3. # systemctl restart atomic-openshift-node

Kubernetes architecture expects reliable endpoints from cloud providers. When a cloud provider is down, the kubelet prevents OKD from restarting. If the underlying cloud provider endpoints are not reliable, do not install a cluster that uses the cloud provider integration. Install the cluster as if it is a bare metal environment. It is not recommended to toggle cloud provider integration on or off in an installed cluster. However, if that scenario is unavoidable, then complete the following process.

Switching from not using a cloud provider to using a cloud provider produces an error message. Adding the cloud provider tries to delete the node because the node switches from using the hostname as the **externalID** (which would have been the case when no cloud provider was being used) to using the cloud provider’s **instance-id** (which is what the cloud provider specifies). To resolve this issue:

  1. Log in to the CLI as a cluster administrator.

  2. Check and back up existing node labels:

    1. $ oc describe node <node_name> | grep -Poz '(?s)Labels.*\n.*(?=Taints)'

  3. Delete the nodes:

    1. $ oc delete node <node_name>

  4. On each node host, restart the OKD service.

    1. # systemctl restart origin-node

  5. Add back any labels on each node that you previously had.

Labeling Clusters for AWS

If you configure AWS provider credentials, you must also ensure that all hosts are labeled.

To correctly identify which resources are associated with a cluster, tag resources with the key kubernetes.io/cluster/<clusterid>, where:

  • <clusterid> is a unique name for the cluster.

Set the corresponding value to owned if the node belongs exclusively to the cluster or to shared if it is a resource shared with other systems.

Tagging all resources with the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag avoids potential issues with multiple zones or multiple clusters.

See Pods and Services to learn more about labeling and tagging in OKD.

Resources That Need Tags

There are four types of resources that need to be tagged:

  • Instances

  • Security Groups

  • Load Balancers

  • EBS Volumes

Tagging an Existing Cluster

A cluster uses the value of the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag to determine which resources belong to the AWS cluster. This means that all relevant resources must be labeled with the kubernetes.io/cluster/<clusterid>,Value=(owned|shared) tag using the same values for that key. These resources include:

  • All hosts.

  • All relevant load balancers to be used in the AWS instances.

  • All EBS volumes. The EBS Volumes that need to be tagged can found with:

    1. $ oc get pv -o json|jq '.items[].spec.awsElasticBlockStore.volumeID'

  • All relevant security groups to be used with the AWS instances.

    Do not tag all existing security groups with the kubernetes.io/cluster/<name>,Value=<clusterid> tag, or the Elastic Load Balancing (ELB) will not be able to create a load balancer.

After tagging any resources, restart the master services on the master and restart the node service on all nodes. See the Applying Configuration Section.

About Red Hat OpenShift Container Storage

Red Hat OpenShift Container Storage (RHOCS) is a provider of agnostic persistent storage for OKD either in-house or in hybrid clouds. As a Red Hat storage solution, RHOCS is completely integrated with OKD for deployment, management, and monitoring regardless if it is installed on OKD (converged) or with OKD (independent). OpenShift Container Storage is not limited to a single availability zone or node, which makes it likely to survive an outage. You can find complete instructions for using RHOCS in the RHOCS3.11 Deployment Guide.