installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc

:_mod-docs-content-type: ASSEMBLY
include::_attributes/common-attributes.adoc[]
[id="installing-restricted-networks-gcp-installer-provisioned"]
= Installing a cluster on {gcp-short} in a disconnected environment
:context: installing-restricted-networks-gcp-installer-provisioned

toc::[]

[role="_abstract"]
In {product-title} {product-version}, you can install a cluster on {gcp-first} in a restricted network by creating an internal mirror of the installation release content on an existing Google Virtual Private Cloud (VPC).

[IMPORTANT]
====
You can install an {product-title} cluster by using mirrored installation release content, but your cluster will require internet access to use the {gcp-short} APIs.
====

[id="prerequisites_installing-restricted-networks-gcp-installer-provisioned"]
== Prerequisites

* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
* You read the documentation on xref:../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
* You xref:../../installing/installing_gcp/installing-gcp-account.adoc#installing-gcp-account[configured a {gcp-short} project] to host the cluster.
* You xref:../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
+
[IMPORTANT]
====
Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
====
* You have an existing VPC in {gcp-short}. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
** Contains the mirror registry
** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. While you might need to grant access to more sites, you must grant access to `*.googleapis.com` and `accounts.google.com`.
* If you are installing using a link:https://cloud.google.com/vpc/docs/private-service-connect[Private Service Connect (PSC) endpoint], you must configure the endpoint in the same Virtual Private Cloud (VPC) where you install the cluster, specified in the `install-config.yaml` file, as described in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#installing-gcp-vpc[Installing a cluster on {gcp-short} into an existing VPC].

include::modules/installation-about-restricted-network.adoc[leveloffset=+1]

include::modules/cluster-entitlements.adoc[leveloffset=+1]

include::modules/ssh-agent-using.adoc[leveloffset=+1]

include::modules/installation-initializing.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-config-parameters-gcp[Installation configuration parameters for {gcp-short}]

include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources

* xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]

include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]

include::modules/installation-gcp-tested-machine-types-arm.adoc[leveloffset=+2]

include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]

include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]

include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-configuration-parameters-additional-gcp_installation-config-parameters-gcp[Additional {gcp-first} configuration parameters]

include::modules/installation-gcp-managing-dns-solution.adoc[leveloffset=+2]

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-config-parameters-gcp[Installation configuration parameters for {gcp-first}]

include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]

include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset=+2]

include::modules/installation-configure-proxy.adoc[leveloffset=+2]

// Installing the OpenShift CLI on Linux
include::modules/cli-installing-cli-linux.adoc[leveloffset=+1]

// Installing the OpenShift CLI on Windows
include::modules/cli-installing-cli-windows.adoc[leveloffset=+1]

// Installing the OpenShift CLI on macOS
include::modules/cli-installing-cli-macos.adoc[leveloffset=+1]

[id="installing-gcp-manual-modes_{context}"]
== Alternatives to storing administrator-level secrets in the kube-system project

By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-gcp-installer-provisioned[Manually creating long-term credentials].

* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-gcp-with-short-term-creds_installing-restricted-networks-gcp-installer-provisioned[Configuring a {gcp-short} cluster to use short-term credentials].

//Manually creating long-term credentials
include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]

//Supertask: Configuring a GCP cluster to use short-term credentials
[id="installing-gcp-with-short-term-creds_{context}"]
=== Configuring a {gcp-short} cluster to use short-term credentials

To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the CCO utility and create the required {gcp-short} resources for your cluster.

//Task part 1: Configuring the Cloud Credential Operator utility
include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]

//Task part 2: Creating the required GCP resources
include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]

//Restricting service account impersonation to the compute nodes service account
include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]

//Task part 3: Incorporating the Cloud Credential Operator utility manifests
include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]

include::modules/installation-launching-installer.adoc[leveloffset=+1]

include::modules/installation-gcp-provisioning-dns-records.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-configuration-parameters-additional-gcp_installation-config-parameters-gcp[Additional {gcp-first} configuration parameters]

include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]

include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+1]

include::modules/cluster-telemetry.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources

* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service

[id="next-steps_installing-restricted-networks-gcp-installer-provisioned"]
== Next steps

* xref:../../installing/validation_and_troubleshooting/validating-an-installation.adoc#validating-an-installation[Validate an installation].
* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-must-gather-disconnected[Configure image streams] for the Cluster Samples Operator and the `must-gather` tool.
* Learn how to xref:../../disconnected/using-olm.adoc#olm-restricted-networks[use Operator Lifecycle Manager in disconnected environments].
* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].
* If necessary, you can xref:../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].
* If necessary, see xref:../../support/remote_health_monitoring/remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_remote-health-reporting[Registering your disconnected cluster]
[enterprise-4.14] changing content type attribute 2023-10-30 10:13:25 -04:00			`:_mod-docs-content-type: ASSEMBLY`
moving attribute files 2022-02-16 11:35:56 -05:00			`include::_attributes/common-attributes.adoc[]`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`[id="installing-restricted-networks-gcp-installer-provisioned"]`
			`= Installing a cluster on {gcp-short} in a disconnected environment`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`:context: installing-restricted-networks-gcp-installer-provisioned`

			`toc::[]`

OSDOCS-13784_2:adding GCP endpoints access 1 2026-01-12 16:35:49 +00:00			`[role="_abstract"]`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`In {product-title} {product-version}, you can install a cluster on {gcp-first} in a restricted network by creating an internal mirror of the installation release content on an existing Google Virtual Private Cloud (VPC).`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00
			`[IMPORTANT]`
			`====`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`You can install an {product-title} cluster by using mirrored installation release content, but your cluster will require internet access to use the {gcp-short} APIs.`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`====`

			`[id="prerequisites_installing-restricted-networks-gcp-installer-provisioned"]`
			`== Prerequisites`

Adding decision tree to installation assembly prerequisite sections 2021-06-21 10:40:22 +01:00			`* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.`
moving install files 2024-07-26 10:14:24 -04:00			`* You read the documentation on xref:../../installing/overview/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`* You xref:../../installing/installing_gcp/installing-gcp-account.adoc#installing-gcp-account[configured a {gcp-short} project] to host the cluster.`
[enterprise-4.20] OSDOCS#16276: Flattened oc-mirror levels 2025-10-07 12:24:45 +05:30			* You xref:../../disconnected/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`+`
			`[IMPORTANT]`
			`====`
OSDOCS-2131 relocating the disconnected mirror assembly 2021-05-25 11:45:06 -04:00			`Because the installation media is on the mirror host, you can use that computer to complete all installation steps.`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`====`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`* You have an existing VPC in {gcp-short}. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`** Contains the mirror registry`
			`** Has firewall rules or a peering connection to access the mirror registry hosted elsewhere`
Adding decision tree to installation assembly prerequisite sections 2021-06-21 10:40:22 +01:00			* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. While you might need to grant access to more sites, you must grant access to `*.googleapis.com` and `accounts.google.com`.
OSDOCS-13784_2:adding GCP endpoints access 1 2026-01-12 16:35:49 +00:00			* If you are installing using a link:https://cloud.google.com/vpc/docs/private-service-connect[Private Service Connect (PSC) endpoint], you must configure the endpoint in the same Virtual Private Cloud (VPC) where you install the cluster, specified in the `install-config.yaml` file, as described in xref:../../installing/installing_gcp/installing-gcp-vpc.adoc#installing-gcp-vpc[Installing a cluster on {gcp-short} into an existing VPC].
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00
			`include::modules/installation-about-restricted-network.adoc[leveloffset=+1]`

			`include::modules/cluster-entitlements.adoc[leveloffset=+1]`

			`include::modules/ssh-agent-using.adoc[leveloffset=+1]`

			`include::modules/installation-initializing.adoc[leveloffset=+1]`

OSDOCS#6499: GCP - move install config parameters out of assemblies 2023-06-26 14:28:51 -04:00			`[role="_additional-resources"]`
			`.Additional resources`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-config-parameters-gcp[Installation configuration parameters for {gcp-short}]`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00
Modularize current UPI machine requirements info and add min resources table to IPI install assemblies 2021-09-22 13:22:41 -04:00			`include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2]`

OSDOCS#4515: Adding xref to Optimizing storage 2023-09-15 10:31:47 -04:00			`[role="_additional-resources"]`
			`.Additional resources`

			`* xref:../../scalability_and_performance/optimization/optimizing-storage.adoc#optimizing-storage[Optimizing storage]`

OCPBUGS#752 Changed 'supported' to 'tested' and added instance type lists to AWS, Azure, GCP 2022-02-11 14:05:18 -05:00			`include::modules/installation-gcp-tested-machine-types.adoc[leveloffset=+2]`

OSDOCS-6319: ARM support for GCP 2023-07-11 11:37:03 -04:00			`include::modules/installation-gcp-tested-machine-types-arm.adoc[leveloffset=+2]`

OSDOCS-4151: Adding section on using custom machine types 2022-09-27 14:30:05 -04:00			`include::modules/installation-using-gcp-custom-machine-types.adoc[leveloffset=+2]`

OSDOCS-5152 Add support for confidential compute 2023-03-04 21:09:06 -05:00			`include::modules/installation-gcp-enabling-shielded-vms.adoc[leveloffset=+2]`

			`include::modules/installation-gcp-enabling-confidential-vms.adoc[leveloffset=+2]`

OSDOCS-16352: AMD-SEV deprecation notice 2025-10-02 12:43:36 -04:00			`[role="_additional-resources"]`
			`.Additional resources`
			`* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-configuration-parameters-additional-gcp_installation-config-parameters-gcp[Additional {gcp-first} configuration parameters]`

OSDOCS-13735:adding new DNS module 2025-04-24 11:48:35 +01:00			`include::modules/installation-gcp-managing-dns-solution.adoc[leveloffset=+2]`

			`[role="_additional-resources"]`
			`.Additional resources`
			`* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-config-parameters-gcp[Installation configuration parameters for {gcp-first}]`

Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`include::modules/installation-gcp-config-yaml.adoc[leveloffset=+2]`

OSDOCS1834: Adding Ingress Global Access config topic to UPI/IPI GCP Install docs 2021-06-17 16:48:39 -04:00			`include::modules/nw-gcp-installing-global-access-configuration.adoc[leveloffset=+2]`

Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`include::modules/installation-configure-proxy.adoc[leveloffset=+2]`

OSDOCS-17013-bm-upi: CQA2.0 complete for BM UPI doc 2025-12-09 11:08:56 +00:00			`// Installing the OpenShift CLI on Linux`
			`include::modules/cli-installing-cli-linux.adoc[leveloffset=+1]`

			`// Installing the OpenShift CLI on Windows`
			`include::modules/cli-installing-cli-windows.adoc[leveloffset=+1]`

			`// Installing the OpenShift CLI on macOS`
			`include::modules/cli-installing-cli-macos.adoc[leveloffset=+1]`
Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00
Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00			`[id="installing-gcp-manual-modes_{context}"]`
			`== Alternatives to storing administrator-level secrets in the kube-system project`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00
Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00			By default, administrator secrets are stored in the `kube-system` project. If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives:

Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00			`* To manage long-term cloud credentials manually, follow the procedure in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#manually-create-iam_installing-restricted-networks-gcp-installer-provisioned[Manually creating long-term credentials].`
Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00
gcp-first replacement 2025-10-23 16:18:55 -04:00			`* To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in xref:../../installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc#installing-gcp-with-short-term-creds_installing-restricted-networks-gcp-installer-provisioned[Configuring a {gcp-short} cluster to use short-term credentials].`
Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00
Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00			`//Manually creating long-term credentials`
Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00			`include::modules/manually-create-identity-access-management.adoc[leveloffset=+2]`

Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00			`//Supertask: Configuring a GCP cluster to use short-term credentials`
			`[id="installing-gcp-with-short-term-creds_{context}"]`
gcp-first replacement 2025-10-23 16:18:55 -04:00			`=== Configuring a {gcp-short} cluster to use short-term credentials`
Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00
gcp-first replacement 2025-10-23 16:18:55 -04:00			`To install a cluster that is configured to use {gcp-short} Workload Identity, you must configure the CCO utility and create the required {gcp-short} resources for your cluster.`
Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00
			`//Task part 1: Configuring the Cloud Credential Operator utility`
			`include::modules/cco-ccoctl-configuring.adoc[leveloffset=+3]`

			`//Task part 2: Creating the required GCP resources`
			`include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3]`

OSDOCS-17996: reduce scope of mapi controller perms for gcp 2026-01-26 18:15:07 -05:00			`//Restricting service account impersonation to the compute nodes service account`
			`include::modules/restricting-sa-impersonation-compute-sa-gcp.adoc[leveloffset=+3]`

Unify ccoctl install step order across providers 2023-09-22 13:20:59 -04:00			`//Task part 3: Incorporating the Cloud Credential Operator utility manifests`
			`include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+3]`

Moving AWS & GCP short term creds install procs 2023-05-18 16:22:42 -04:00			`include::modules/installation-launching-installer.adoc[leveloffset=+1]`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00
OSDOCS-13735:adding new DNS module 2025-04-24 11:48:35 +01:00			`include::modules/installation-gcp-provisioning-dns-records.adoc[leveloffset=+1]`

			`[role="_additional-resources"]`
			`.Additional resources`
			`* xref:../../installing/installing_gcp/installation-config-parameters-gcp.adoc#installation-configuration-parameters-additional-gcp_installation-config-parameters-gcp[Additional {gcp-first} configuration parameters]`

Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]`

BZ1923767: adding module to disable OperatorHub in restricted installs 2021-06-15 13:33:34 -04:00			`include::modules/olm-restricted-networks-configuring-operatorhub.adoc[leveloffset=+1]`

BZ1854206: moving telemetry module in installation assemblies 2021-08-02 16:26:54 -04:00			`include::modules/cluster-telemetry.adoc[leveloffset=+1]`

adding additional resources tags 2022-02-17 13:08:23 -05:00			`[role="_additional-resources"]`
BZ1854206: moving telemetry module in installation assemblies 2021-08-02 16:26:54 -04:00			`.Additional resources`

			`* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service`

Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`[id="next-steps_installing-restricted-networks-gcp-installer-provisioned"]`
			`== Next steps`

moving install files 2024-07-26 10:14:24 -04:00			`* xref:../../installing/validation_and_troubleshooting/validating-an-installation.adoc#validating-an-installation[Validate an installation].`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].`
BZ1923772: clarifying must-gather image stream for disconnected 2021-06-24 16:07:12 -04:00			* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-must-gather-disconnected[Configure image streams] for the Cluster Samples Operator and the `must-gather` tool.
OSDOCS-11850: migrating disconnected OLM content 2024-10-02 09:58:16 -04:00			`* Learn how to xref:../../disconnected/using-olm.adoc#olm-restricted-networks[use Operator Lifecycle Manager in disconnected environments].`
Installing a cluster on GCP in a restricted network 2021-05-11 09:13:26 -04:00			`* If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by xref:../../openshift_images/image-configuration.adoc#images-configuration-cas_image-configuration[configuring additional trust stores].`
OCPBUGS-60988: Added update secret step to insights-operator-new-pull-secret 2025-09-02 15:33:22 +01:00			`* If necessary, you can xref:../../support/remote_health_monitoring/remote-health-reporting.adoc#remote-health-reporting[Remote health reporting].`
			`* If necessary, see xref:../../support/remote_health_monitoring/remote-health-reporting.adoc#insights-operator-register-disconnected-cluster_remote-health-reporting[Registering your disconnected cluster]`