mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

OSDOCS-16989_2:updating CQAs

Brendan Daly
2025-12-02 09:25:41 +00:00
committed by openshift-cherrypick-robot
parent ad471d0314
commit 7709fa2278
23 changed files with 227 additions and 181 deletions

View File

@@ -1,13 +1,15 @@
:_mod-docs-content-type: ASSEMBLY
[id="installing-aws-account"]
= Configuring an AWS account
include::_attributes/common-attributes.adoc[]
[id="installing-aws-account"]
= Configuring an {aws-short} account
:context: installing-aws-account
toc::[]
[role="_abstract"]
Before you can install {product-title}, you must configure an
Amazon Web Services (AWS) account.
{aws-first} account.
include::modules/installation-aws-route53.adoc[leveloffset=+1]
@@ -35,9 +37,8 @@ include::modules/installation-aws-marketplace.adoc[leveloffset=+1]
include::modules/installation-aws-regions.adoc[leveloffset=+1]
== Next steps
* Install an {product-title} cluster:
** xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Quickly install a cluster] with default options on installer-provisioned infrastructure
** xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure]
** xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates]
[role="_additional-resources"]
.Additional resources
* xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Quickly install a cluster]
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Install a cluster with cloud customizations on installer-provisioned infrastructure]
* xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates]

View File

@@ -1,22 +1,25 @@
:_mod-docs-content-type: ASSEMBLY
[id="installing-aws-three-node"]
= Installing a three-node cluster on AWS
include::_attributes/common-attributes.adoc[]
[id="installing-aws-three-node"]
= Installing a three-node cluster on {aws-short}
:context: installing-aws-three-node
toc::[]
In {product-title} version {product-version}, you can install a three-node cluster on Amazon Web Services (AWS). A three-node cluster consists of three control plane machines, which also act as compute machines. This type of cluster provides a smaller, more resource efficient cluster, for cluster administrators and developers to use for testing, development, and production.
[role="_abstract"]
In {product-title} version {product-version}, you can install a three-node cluster on {aws-first}. A three-node cluster consists of three control plane machines, which also act as compute machines.
This type of cluster provides a smaller, more resource efficient cluster, for cluster administrators and developers to use for testing, development, and production.
You can install a three-node cluster using either installer-provisioned or user-provisioned infrastructure.
[NOTE]
====
Deploying a three-node cluster using an AWS Marketplace image is not supported.
Deploying a three-node cluster using an {aws-short} Marketplace image is not supported.
====
include::modules/installation-three-node-cluster-cloud-provider.adoc[leveloffset=+1]
== Next steps
== Additional resources
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a cluster on AWS with customizations]
* xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on user-provisioned infrastructure in AWS by using CloudFormation templates]
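Review bot: the new `== Additional resources` heading in this hunk has no `[role="_additional-resources"]` attribute above it, while the other assemblies in this commit keep that attribute on their Additional resources sections; add it for consistency. In the retained abstract sentence "This type of cluster provides a smaller, more resource efficient cluster", hyphenate "resource-efficient".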

View File

@@ -6,11 +6,16 @@ include::_attributes/common-attributes.adoc[]
toc::[]
You prepare to install an {product-title} cluster on AWS by completing the following steps:
[role="_abstract"]
To install an {product-title} cluster on {aws-first}, you must verify your internet connectivity, download the installation program, install the {oc-first}, and generate an SSH key pair.
If required, you also need to manually create long-term credentials for {aws-short} or configure an {aws-short} cluster to use short-term credentials with Amazon Web Services Security Token Service ({aws-short} STS).
The following list outlines in detail the steps to prepare to install an {product-title} cluster on {aws-short}:
* Verifying internet connectivity for your cluster.
* xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configuring an AWS account].
* xref:../../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configuring an aws-short} account].
* Downloading the installation program.
+
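Review bot: the new xref text `[Configuring an aws-short} account]` is missing the opening brace, so the attribute will not be substituted and the link text renders literally as "aws-short}"; change it to `[Configuring an {aws-short} account]`.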
@@ -26,7 +31,7 @@ If you are installing in a disconnected environment, install `oc` to the mirror
====
* Generating an SSH key pair. You can use this key pair to authenticate into the {product-title} cluster's nodes after it is deployed.
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually creating long-term credentials for AWS] or xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[configuring an AWS cluster to use short-term credentials] with Amazon Web Services Security Token Service (AWS STS).
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the `kube-system` namespace, xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#manually-create-iam_installing-aws-customizations[manually creating long-term credentials for {aws-short}] or xref:../../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-with-short-term-creds_installing-aws-customizations[configuring an {aws-short} cluster to use short-term credentials] with ({aws-short} STS).
include::modules/cluster-entitlements.adoc[leveloffset=+1]
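Review bot: removing the spelled-out service name left the bullet ending in `with ({aws-short} STS).`, an orphaned parenthesis. Either drop the parentheses (`with {aws-short} STS.`) or keep the first-use form, `with Amazon Web Services Security Token Service ({aws-short} STS)`, which is how the new abstract paragraph earlier in this file introduces it.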

View File

@@ -1,45 +1,36 @@
:_mod-docs-content-type: ASSEMBLY
[id="preparing-to-install-on-aws"]
[id="installing-methods-aws"]
= Installation methods
include::_attributes/common-attributes.adoc[]
:context: preparing-to-install-on-aws
toc::[]
You can install {product-title} on Amazon Web Services (AWS) using installer-provisioned or user-provisioned infrastructure. The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster. You can also install {product-title} on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself. You can also install {product-title} on a single node, which is a specialized installation method that is ideal for edge computing environments.
[role="_abstract"]
You can install {product-title} on {aws-full} using installer-provisioned, user-provisioned infrastructure, or on a single node, depending on the needs of your use case.
[id="choosing-an-method-to-install-ocp-on-aws-installer-provisioned"]
== Installing a cluster on installer-provisioned infrastructure
The default installation type uses installer-provisioned infrastructure, where the installation program provisions the underlying infrastructure for the cluster.
You can install a cluster on AWS infrastructure that is provisioned by the {product-title} installation program, by using one of the following methods:
You can also install {product-title} on infrastructure that you provision. If you do not use infrastructure that the installation program provisions, you must manage and maintain the cluster resources yourself.
* **xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Installing a cluster quickly on AWS]**: You can install {product-title} on AWS infrastructure that is provisioned by the {product-title} installation program. You can install a cluster quickly by using the default configuration options.
You can also install {product-title} on a single node, which is a specialized installation method that is ideal for edge computing environments.
* **xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS]**: You can install a customized cluster on AWS infrastructure that the installation program provisions. You can also customize your {product-title} network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[post-installation].
include::modules/installing-aws-ipi.adoc[leveloffset=+1]
* **xref:../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[Installing a cluster on AWS in a restricted network]**: You can install {product-title} on AWS on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components.
include::modules/installing-aws-upi.adoc[leveloffset=+1]
* **xref:../../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[Installing a cluster on an existing Virtual Private Cloud]**: You can install {product-title} on an existing AWS Virtual Private Cloud (VPC). You can use this installation method if you have constraints set by the guidelines of your company, such as limits when creating new accounts or infrastructure.
* **xref:../../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[Installing a private cluster on an existing VPC]**: You can install a private cluster on an existing AWS VPC. You can use this method to deploy {product-title} on an internal network that is not visible to the internet.
* **xref:../../installing/installing_aws/ipi/installing-aws-specialized-region.adoc#installing-aws-specialized-region[Installing a cluster on AWS into a government or secret region]**: {product-title} can be deployed into AWS regions that are specifically designed for US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that must run sensitive workloads in the cloud.
[id="choosing-an-method-to-install-ocp-on-aws-user-provisioned"]
== Installing a cluster on user-provisioned infrastructure
You can install a cluster on AWS infrastructure that you provision, by using one of the following methods:
* **xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on AWS infrastructure that you provide]**: You can install {product-title} on AWS infrastructure that you provide. You can use the provided CloudFormation templates to create stacks of AWS resources that represent each of the components required for an {product-title} installation.
* **xref:../../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[Installing a cluster on AWS in a restricted network with user-provisioned infrastructure]**: You can install {product-title} on AWS infrastructure that you provide by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components. You can also use this installation method to ensure that your clusters only use container images that satisfy your organizational controls on external content. While you can install {product-title} by using the mirrored content, your cluster still requires internet access to use the AWS APIs.
[id="choosing-an-method-to-install-ocp-on-aws-single-node"]
== Installing a cluster on a single node
Installing {product-title} on a single node alleviates some of the requirements for high availability and large scale clusters. However, you must address the xref:../../installing/installing_sno/install-sno-preparing-to-install-sno.adoc#install-sno-requirements-for-installing-on-a-single-node_install-sno-preparing[requirements for installing on a single node], and the xref:../../installing/installing_sno/install-sno-installing-sno.adoc#additional-requirements-for-installing-sno-on-a-cloud-provider_install-sno-installing-sno-with-the-assisted-installer[additional requirements for installing {sno} on a cloud provider]. After addressing the requirements for single node installation, use the xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS] procedure to install the cluster. The xref:../../installing/installing_sno/install-sno-installing-sno.adoc#install-sno-installing-sno-manually[installing single-node OpenShift manually] section contains an exemplary `install-config.yaml` file when installing an {product-title} cluster on a single node.
include::modules/installing-aws-single-node.adoc[leveloffset=+1]
[role="_additional-resources"]
[id="preparing-to-install-on-aws-additional-resources"]
[id="installing-methods-aws-ipi-additional-resources"]
== Additional resources
* xref:../../installing/installing_aws/ipi/installing-aws-default.adoc#installing-aws-default[Installing a cluster quickly on AWS]
* xref:../../installing/installing_aws/ipi/installing-aws-customizations.adoc#installing-aws-customizations[Installing a customized cluster on AWS]
* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-cluster-tasks[Post-installation]
* xref:../../installing/installing_aws/ipi/installing-restricted-networks-aws-installer-provisioned.adoc#installing-restricted-networks-aws-installer-provisioned[Installing a cluster on AWS in a restricted network]
* xref:../../installing/installing_aws/ipi/installing-aws-vpc.adoc#installing-aws-vpc[Installing a cluster on an existing Virtual Private Cloud]
* xref:../../installing/installing_aws/ipi/installing-aws-private.adoc#installing-aws-private[Installing a private cluster on an existing VPC]
* xref:../../installing/installing_aws/ipi/installing-aws-specialized-region.adoc#installing-aws-specialized-region[Installing a cluster on AWS into a government or secret region]
* xref:../../installing/installing_aws/upi/installing-aws-user-infra.adoc#installing-aws-user-infra[Installing a cluster on AWS infrastructure that you provide]
* xref:../../installing/installing_aws/upi/installing-restricted-networks-aws.adoc#installing-restricted-networks-aws[Installing a cluster on AWS in a restricted network with user-provisioned infrastructure]
* xref:../../architecture/architecture-installation.adoc#installation-process_architecture-installation[Installation process]
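Review bot: the assembly id changes from `preparing-to-install-on-aws` to `installing-methods-aws`, but the unchanged `:context: preparing-to-install-on-aws` line still carries the old name, and any xref elsewhere in the docs that targets `#preparing-to-install-on-aws` will now break; update the context attribute to match and search for xrefs to the old anchor. Two smaller points: `[id="installing-methods-aws-ipi-additional-resources"]` says "ipi" although the list under it also includes user-provisioned and single-node links, and the new abstract "using installer-provisioned, user-provisioned infrastructure, or on a single node" is not parallel ("on installer-provisioned infrastructure, on user-provisioned infrastructure, or on a single node" reads cleanly). The abstract also uses `{aws-full}` where the rest of this commit uses `{aws-first}` for a first mention.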

View File

@@ -1,12 +1,13 @@
:_mod-docs-content-type: ASSEMBLY
[id="uninstalling-cluster-aws"]
= Uninstalling a cluster on AWS
include::_attributes/common-attributes.adoc[]
[id="uninstalling-cluster-aws"]
= Uninstalling a cluster on {aws-short}
:context: uninstall-cluster-aws
toc::[]
You can remove a cluster that you deployed to Amazon Web Services (AWS).
[role="_abstract"]
You can remove a cluster that you deployed to {aws-first}.
include::modules/installation-uninstall-clouds.adoc[leveloffset=+1]
@@ -16,9 +17,9 @@ include::modules/installation-aws-delete-cluster.adoc[leveloffset=+1]
[role="_additional-resources"]
[id="installing-localzone-additional-resources"]
.Additional resources
== Additional resources
* See link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks] in the AWS documentation for more information about AWS CloudFormation stacks.
* link:https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacks.html[Working with stacks]
* link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#opt-in-local-zone[Opt into AWS Local Zones]
* link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/locations[AWS Local Zones available locations]
* link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features[AWS Local Zones features]
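Review bot: this hunk converts `.Additional resources` to a `== Additional resources` section heading, whereas the AWS account assembly hunk earlier in this commit goes the other way and introduces `.Additional resources` as a block title under `[role="_additional-resources"]`; pick one convention for the commit. Dropping "in the AWS documentation for more information about AWS CloudFormation stacks" from the first bullet makes it consistent with the bare links that follow, but it also removes the only text that tells the reader why the stacks page is listed; a short qualifier on the link title would preserve that.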

View File

@@ -27,6 +27,7 @@ endif::[]
[id="cco-ccoctl-deleting-sts-resources_{context}"]
= Deleting {cp-first} resources with the Cloud Credential Operator utility
[role="_abstract"]
After uninstalling an {product-title} cluster that uses short-term credentials managed outside the cluster, you can use the CCO utility (`ccoctl`) to remove the {cp-first} resources that `ccoctl` created during installation.
.Prerequisites
@@ -51,11 +52,14 @@ $ RELEASE_IMAGE=$(./openshift-install version | awk '/release image/ {print $3}'
$ oc adm release extract \
--from=$RELEASE_IMAGE \
--credentials-requests \
--included \// <1>
--to=<path_to_directory_for_credentials_requests> <2>
--included \
--to=<path_to_directory_for_credentials_requests>
----
<1> The `--included` parameter includes only the manifests that your specific cluster configuration requires.
<2> Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
+
where:
`--included`:: The parameter includes only the manifests that your specific cluster configuration requires.
`<path_to_directory_for_credentials_requests>':: Specify the path to the directory where you want to store the `CredentialsRequest` objects. If the specified directory does not exist, this command creates it.
. Delete the {cp} resources that `ccoctl` created by running the following command:
endif::gcp-workload-id[]
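Review bot: the second term in the new `where:` list, `<path_to_directory_for_credentials_requests>'::, is closed with an apostrophe (') where a backtick (`) is needed, so the monospace span is never closed and the `::` description-list term will not parse; change the closing character to a backtick. The `--included` description now starts "The parameter includes only the manifests..."; "Includes only the manifests that your specific cluster configuration requires." matches the style of the other term descriptions and avoids the dangling "The parameter".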
@@ -66,27 +70,30 @@ endif::aws-sts,azure-workload-id[]
[source,terminal,subs="attributes+"]
----
$ ccoctl {cp-name} delete \
--name=<name> \// <1>
ifdef::aws-sts[ --region=<{cp-name}_region> <2>]
--name=<name> \
ifdef::aws-sts
[ --region=<{cp-name}_region>]
ifdef::gcp-workload-id[]
--project=<{cp-name}_project_id> \// <2>
--project=<{cp-name}_project_id> \
--credentials-requests-dir=<path_to_credentials_requests_directory> \
--force-delete-custom-roles <3>
--force-delete-custom-roles
endif::gcp-workload-id[]
ifdef::azure-workload-id[]
--region=<{cp-name}_region> \// <2>
--subscription-id=<{cp-name}_subscription_id> \// <3>
--region=<{cp-name}_region> \
--subscription-id=<{cp-name}_subscription_id> \
--delete-oidc-resource-group
endif::azure-workload-id[]
----
+
<1> `<name>` matches the name that was originally used to create and tag the cloud resources.
ifdef::aws-sts,azure-workload-id[<2> `<{cp-name}_region>` is the {cp} region in which to delete cloud resources.]
where:
`<name>`:: Matches the name that was originally used to create and tag the cloud resources.
ifdef::aws-sts,azure-workload-id[`<{cp-name}_region>`:: is the {cp} region in which to delete cloud resources.]
ifdef::gcp-workload-id[]
<2> `<{cp-name}_project_id>` is the {cp} project ID in which to delete cloud resources.
<3> Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. {gcp-short} does not permanently delete custom roles immediately. For more information, see {gcp-short} documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role].
`<{cp-name}_project_id>`:: The {cp} project ID in which to delete cloud resources.
`force-delete-custom-roles`:: Optional: This parameter deletes the custom roles that the `ccoctl` utility creates during installation. {gcp-short} does not permanently delete custom roles immediately. For more information, see {gcp-short} documentation about link:https://cloud.google.com/iam/docs/creating-custom-roles#deleting-custom-role[deleting a custom role].
endif::gcp-workload-id[]
ifdef::azure-workload-id[<3> `<{cp-name}_subscription_id>` is the {cp} subscription ID for which to delete cloud resources.]
ifdef::azure-workload-id[`<{cp-name}_subscription_id>`:: is the {cp} subscription ID for which to delete cloud resources.]
ifdef::aws-sts[]
+
.Example output
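Review bot: in the new command block `ifdef::aws-sts` and `[ --region=<{cp-name}_region>]` are on separate lines, which breaks the single-line conditional: the first line is no longer a valid ifdef macro and both lines render verbatim inside the source block. Keep it on one line, as the removed line was: `ifdef::aws-sts[ --region=<{cp-name}_region>]`. In the `where:` list, the term `force-delete-custom-roles` is missing its leading `--` (the flag in the command is `--force-delete-custom-roles`), and the two `ifdef` entries describe their terms as "is the {cp} region..." and "is the {cp} subscription ID..." while the other entries use a capitalised sentence ("Matches...", "The {cp} project ID..."); start them with "The" for consistency.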

View File

@@ -2,6 +2,9 @@
[id="create-custom-permissions-for-iam-instance-profiles_{context}"]
= Using AWS IAM Analyzer to create policy templates
[role="_abstract"]
To reduce security risk, you can use AWS IAM Access Analyzer and CloudTrail to generate and apply minimal, fine-grained IAM policies for cluster control plane and compute instance profiles.
The minimal set of permissions that the control plane and compute instance profiles require depends on how the cluster is configured for its daily operation.
One way to determine which permissions the cluster instances require is to use the AWS Identity and Access Management Access Analyzer (IAM Access Analyzer) to create a policy template:
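Review bot: the new abstract writes "AWS IAM Access Analyzer" with a literal "AWS" while the rest of this commit replaces literal "AWS" with `{aws-short}`, and the heading and the following paragraph call the same tool "AWS IAM Analyzer" and "AWS Identity and Access Management Access Analyzer (IAM Access Analyzer)", so three different names appear within a few lines. Use `{aws-short}` in the abstract and the single defined short form, "IAM Access Analyzer", after the first mention.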
@@ -10,9 +13,6 @@ One way to determine which permissions the cluster instances require is to use t
* You can then use the template to create policies with fine-grained permissions.
.Procedure
The overall process could be:
. Ensure that CloudTrail is enabled. CloudTrail records all of the actions and events in your AWS account, including the API calls that are required to create a policy template. For more information, see the AWS documentation for https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html[working with CloudTrail].
. Create an instance profile for control plane instances and an instance profile for compute instances. Be sure to assign each role a permissive policy, such as PowerUserAccess. For more information, see the AWS documentation for
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html[creating instance profile roles].
@@ -22,7 +22,7 @@ https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.ht
. Create and add a fine-grained policy to each instance profile.
. Remove the permissive policy from each instance profile.
. Deploy a production cluster using the existing instance profiles with the new policies.
+
[NOTE]
====
You can add https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html[IAM Conditions] to your policy to make it more restrictive and compliant with your organization security requirements.
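Review bot: the added `+` attaches the NOTE about IAM Conditions to the final step, "Deploy a production cluster using the existing instance profiles with the new policies.", but the note is about making the policy more restrictive, which belongs with the earlier "Create and add a fine-grained policy to each instance profile." step. Either move the note under that step or leave it unattached after the list so it reads as a note on the procedure as a whole.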

View File

@@ -6,6 +6,7 @@
[id="specify-an-existing-iam-role_{context}"]
= Specifying an existing IAM role
[role="_abstract"]
Instead of allowing the installation program to create IAM instance profiles with the default permissions, you can use the `install-config.yaml` file to specify an existing IAM role for control plane and compute instances.
.Prerequisites
@@ -38,8 +39,10 @@ controlPlane:
aws:
iamRole: ExampleRole
----
. Save the file and reference it when installing the {product-title} cluster.
+
[NOTE]
====
To change or update an IAM account after the cluster has been installed, see link:https://access.redhat.com/solutions/4284011[RHOCP 4 AWS cloud-credentials access key is expired] (Red{nbsp}Hat Knowledgebase).

View File

@@ -4,9 +4,10 @@
:_mod-docs-content-type: PROCEDURE
[id="installation-aws-delete-cluster"]
= Deleting a cluster with a configured AWS Local Zone infrastructure
= Deleting a cluster with a configured {aws-short} Local Zone infrastructure
After you install a cluster on Amazon Web Services (AWS) into an existing Virtual Private Cloud (VPC), and you set subnets for each Local Zone location, you can delete the cluster and any AWS resources associated with it.
[role="_abstract"]
After you install a cluster on {aws-first} into an existing Virtual Private Cloud (VPC), and you set subnets for each Local Zone location, you can delete the cluster and any {aws-short} resources associated with it.
The example in the procedure assumes that you created a VPC and its subnets by using a CloudFormation template.
@@ -22,11 +23,14 @@ The example in the procedure assumes that you created a VPC and its subnets by u
+
[source,terminal]
----
$ ./openshift-install destroy cluster --dir <installation_directory> \//<1>
--log-level=debug <2>
$ ./openshift-install destroy cluster --dir <installation_directory> \
--log-level=debug
----
<1> For `<installation_directory>`, specify the directory that stored any files created by the installation program.
<2> To view different log details, specify `error`, `info`, or `warn` instead of `debug`.
+
where:
`<installation_directory>`:: Specify the directory that stored any files created by the installation program.
`--log-level=debug`:: To view different log details, specify `error`, `info`, or `warn` instead of `debug`.
. Delete the CloudFormation stack for the Local Zone subnet:
+
@@ -44,7 +48,7 @@ $ aws cloudformation delete-stack --stack-name <vpc_stack_name>
.Verification
* Check that you removed the stack resources by issuing the following commands in the AWS CLI. The AWS CLI outputs that no template component exists.
* Check that you removed the stack resources by issuing the following commands in the {aws-short} CLI. The AWS CLI outputs that no template component exists.
+
[source,terminal]
----
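Review bot: the verification bullet converts the first "AWS CLI" to "{aws-short} CLI" but leaves the second sentence on the same line as "The AWS CLI outputs that no template component exists."; convert it too so the line is consistent with itself.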

View File

@@ -4,9 +4,10 @@
:_mod-docs-content-type: CONCEPT
[id="iam-policies-and-aws-authentication_{context}"]
= IAM Policies and AWS authentication
= IAM Policies and {aws-short} authentication
By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate.
[role="_abstract"]
You can specify your own IAM roles if required. By default, the installation program creates instance profiles for the bootstrap, control plane, and compute instances with the necessary permissions for the cluster to operate.
[NOTE]
====
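Review bot: the abstract now opens with "You can specify your own IAM roles if required." before stating the default behaviour, and the retained text a few lines down ("However, you can create your own IAM roles and specify them as part of the installation...") makes the same point again. Lead the abstract with the default ("By default, the installation program creates instance profiles...") and let the existing sentence carry the option, or drop the duplicate.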
@@ -21,4 +22,4 @@ However, you can create your own IAM roles and specify them as part of the insta
If you choose to specify your own IAM roles, you can take the following steps:
* Begin with the default policies and adapt as required. For more information, see "Default permissions for IAM instance profiles".
* To create a policy template that is based on the cluster's activity, see "Using AWS IAM Analyzer to create policy templates".
* To create a policy template that is based on the cluster's activity, see "Using {aws-short} IAM Analyzer to create policy templates".

View File

@@ -6,33 +6,29 @@
[id="installation-aws-iam-user_{context}"]
= Creating an IAM user
Each Amazon Web Services (AWS) account contains a root user account that is based on the email address you used to create the account.
[role="_abstract"]
Before you install {product-title}, you must create a secondary IAM administrative user and assign permissions to create the cluster.
Each {aws-first} account contains a root user account that is based on the email address you used to create the account.
[IMPORTANT]
====
This is a highly-privileged account, and it is recommended to use it for only initial account and billing configuration, creating an initial set of users, and securing the account.
====
Before you install {product-title}, create a secondary IAM
administrative user. As you complete the
As you complete the
link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html[Creating an IAM User in Your AWS Account]
procedure in the AWS documentation, set the following options:
procedure in the {aws-first} documentation, set the following options:
.Procedure
. Specify the IAM user name and select `Programmatic access`.
. Attach the `AdministratorAccess` policy to ensure that the account has
sufficient permission to create the cluster. This policy provides the cluster
with the ability to grant credentials to each {product-title} component. The
cluster grants the components only the credentials that they require.
. Attach the `AdministratorAccess` policy to ensure that the account has sufficient permission to create the cluster. This policy provides the cluster with the ability to grant credentials to each {product-title} component. The cluster grants the components only the credentials that they require.
+
[NOTE]
====
While it is possible to create a policy that grants the all of the required
AWS permissions and attach it to the user, this is not the preferred option.
The cluster will not have the ability to grant additional credentials to
individual components, so the same credentials are used by all components.
While it is possible to create a policy that grants the all of the required AWS permissions and attach it to the user, this is not the preferred option. The cluster will not have the ability to grant additional credentials to individual components, so the same credentials are used by all components.
====
. Optional: Add metadata to the user by attaching tags.
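Review bot: `{aws-first}` is used twice in this module, in the retained "Each {aws-first} account contains a root user account..." sentence and again in "procedure in the {aws-first} documentation", so the expanded first-use form with its parenthetical abbreviation will appear twice a few lines apart; the second should be `{aws-short}`. The reflowed NOTE also keeps the pre-existing typo "grants the all of the required AWS permissions" ("grants all of the required") and a literal "AWS" that the rest of the commit converts to `{aws-short}`; since the line is rewritten anyway, fix both.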
@@ -40,14 +36,8 @@ individual components, so the same credentials are used by all components.
. Confirm that the user name that you specified is granted the
`AdministratorAccess` policy.
. Record the access key ID and secret access key values. You must use these
values when you configure your local machine to run the installation program.
. Record the access key ID and secret access key values. You must use these values when you configure your local machine to run the installation program.
+
[IMPORTANT]
====
You cannot use a temporary session token that you generated while using a
multi-factor authentication device to authenticate to AWS when you deploy a
cluster. The cluster continues to use your current AWS credentials to
create AWS resources for the entire life of the cluster, so you must
You cannot use a temporary session token that you generated while using a multi-factor authentication device to authenticate to {aws-short} when you deploy a cluster. The cluster continues to use your current {aws-short} credentials to create {aws-short} resources for the entire life of the cluster, so you must
use key-based, long-term credentials.
====

View File

@@ -4,22 +4,21 @@
:_mod-docs-content-type: CONCEPT
[id="installation-aws-limits_{context}"]
= AWS account limits
= {aws-short} account limits
The {product-title} cluster uses a number of Amazon Web Services (AWS)
[role="_abstract"]
The {product-title} cluster uses several {aws-first}
components, and the default
link:https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html[Service Limits]
affect your ability to install {product-title} clusters. If you use certain
cluster configurations, deploy your cluster in certain AWS regions, or
run multiple clusters from your account, you might need
to request additional resources for your AWS account.
link:https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html[Service Limits] affect your ability to install {product-title} clusters.
The following table summarizes the AWS components whose limits can impact your
ability to install and run {product-title} clusters.
If you use certain cluster configurations, deploy your cluster in certain {aws-short} regions, or run multiple clusters from your account, you might need
to request additional resources for your {aws-short} account.
The following table summarizes the {aws-short} components whose limits can impact your ability to install and run {product-title} clusters.
[cols="2a,3a,3a,8a",options="header"]
|===
|Component |Number of clusters available by default| Default AWS limit |Description
|Component |Number of clusters available by default| Default {aws-short} limit |Description
|Instance Limits
|Varies
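Review bot: the pair "you might need" / "to request additional resources for your {aws-short} account." is still wrapped mid-sentence even though the rest of this hunk moves to one sentence per line; join them. The new abstract sentence also ends at "uses several {aws-first}" and continues on the unchanged "components, and the default" line into the Service Limits link, so the `[role="_abstract"]` paragraph is spread over three lines; keep that single sentence on one line so the abstract is easy to read and diff.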
@@ -30,15 +29,10 @@ ability to install and run {product-title} clusters.
* Three control plane nodes
* Three worker nodes
These instance type counts are within a new account's default limit. To deploy
more worker nodes, enable autoscaling, deploy large workloads, or use a
different instance type, review your account limits to ensure that your cluster
can deploy the machines that you need.
These instance type counts are within a new account's default limit. To deploy more worker nodes, enable autoscaling, deploy large workloads, or use a different instance type, review your account limits to ensure that your cluster can deploy the machines that you need.
In most regions, the worker machines use an `m6i.large` instance
and the bootstrap and control plane machines use `m6i.xlarge` instances. In some regions, including
all regions that do not support these instance types, `m5.large` and `m5.xlarge`
instances are used instead.
and the bootstrap and control plane machines use `m6i.xlarge` instances. In some regions, including all regions that do not support these instance types, `m5.large` and `m5.xlarge` instances are used instead.
|Elastic IPs (EIPs)
|0 to 1
@@ -52,10 +46,7 @@ and each NAT gateway requires a separate
link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html[elastic IP].
Review the
link:https://aws.amazon.com/about-aws/global-infrastructure/[AWS region map] to
determine how many availability zones are in each region. To take advantage of
the default high availability, install the cluster in a region with at least
three availability zones. To install a cluster in a region with more than five
availability zones, you must increase the EIP limit.
determine how many availability zones are in each region. To take advantage of the default high availability, install the cluster in a region with at least three availability zones. To install a cluster in a region with more than five availability zones, you must increase the EIP limit.
[IMPORTANT]
====
To use the `us-east-1` region, you must increase the EIP limit for your account.
@@ -70,8 +61,7 @@ To use the `us-east-1` region, you must increase the EIP limit for your account.
|3
|20 per region
|By default, each cluster creates internal and external network load balancers for the master
API server and a single Classic Load Balancer for the router. Deploying
more Kubernetes `Service` objects with type `LoadBalancer` will create additional
API server and a single Classic Load Balancer for the router. Deploying more Kubernetes `Service` objects with type `LoadBalancer` will create additional
link:https://aws.amazon.com/elasticloadbalancing/[load balancers].
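Review bot: while this sentence is being reflowed, "load balancers for the master API server" should become "control plane API server"; the same table already says "Three control plane nodes", and "master" is the term the rest of the file has moved away from. "will create additional load balancers" can also drop to "create" to match the present tense used in the other rows.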
@@ -84,13 +74,11 @@ link:https://aws.amazon.com/elasticloadbalancing/[load balancers].
|At least 12
|350 per region
|The default installation creates 21 ENIs and an ENI for each availability zone
in your region. For example, the `us-east-1` region contains six availability
zones, so a cluster that is deployed in that zone uses 27 ENIs. Review the
in your region. For example, the `us-east-1` region contains six availability zones, so a cluster that is deployed in that zone uses 27 ENIs. Review the
link:https://aws.amazon.com/about-aws/global-infrastructure/[AWS region map] to
determine how many availability zones are in each region.
Additional ENIs are created for additional machines and ELB load balancers
that are created by cluster usage and deployed workloads.
Additional ENIs are created for additional machines and ELB load balancers that are created by cluster usage and deployed workloads.
|VPC Gateway
|20
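Review bot: "a cluster that is deployed in that zone uses 27 ENIs" should read "in that region"; `us-east-1` is the region, and the sentence is counting its six availability zones (21 + 6 = 27). The "AWS region map" link text on the following line also keeps a literal "AWS" while the surrounding prose now uses `{aws-short}`; decide whether link text is exempt from the attribute swap and apply the rule consistently, since the same link appears in the EIP row above.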
@@ -101,9 +89,7 @@ that are created by cluster usage and deployed workloads.
|S3 buckets
|99
|100 buckets per account
|Because the installation process creates a temporary bucket and the registry
component in each cluster creates a bucket, you can create only 99
{product-title} clusters per AWS account.
|Because the installation process creates a temporary bucket and the registry component in each cluster creates a bucket, you can create only 99 {product-title} clusters per {aws-short} account.
|Security Groups
|250

@@ -4,9 +4,10 @@
:_mod-docs-content-type: CONCEPT
[id="installation-aws-marketplace_{context}"]
= Supported AWS Marketplace regions
= Supported {aws-short} Marketplace regions
Installing an {product-title} cluster using an AWS Marketplace image is available to customers who purchase the offer in North America.
[role="_abstract"]
Installing an {product-title} cluster using an {aws-short} Marketplace image is available to customers who purchase the offer in North America.
While the offer must be purchased in North America, you can deploy the cluster to any of the following supported paritions:
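Review bot: the unchanged context line "any of the following supported paritions" has a typo ("partitions"); since this file is already being touched for the `{aws-short}` swap, fix it in the same change.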
@@ -15,5 +16,5 @@ While the offer must be purchased in North America, you can deploy the cluster t
[NOTE]
====
Deploying a {product-title} cluster using an AWS Marketplace image is not supported for the AWS secret regions or China regions.
Deploying a {product-title} cluster using an {aws-short} Marketplace image is not supported for the {aws-short} secret regions or China regions.
====

@@ -6,6 +6,7 @@
[id="installation-aws-permissions-iam-roles_{context}"]
= Default permissions for IAM instance profiles
[role="_abstract"]
By default, the installation program creates IAM instance profiles for the bootstrap, control plane and worker instances with the necessary permissions for the cluster to operate.
The following lists specify the default permissions for control plane and compute machines:
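Review bot: the new abstract says "bootstrap, control plane and worker instances" while the unchanged next line says "control plane and compute machines"; pick one pair (worker/instances or compute/machines) so the two sentences use the same terms for the same roles.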

@@ -6,15 +6,17 @@
:_mod-docs-content-type: REFERENCE
[id="installation-aws-permissions_{context}"]
= Required AWS permissions for the IAM user
= Required {aws-short} permissions for the IAM user
[role="_abstract"]
To deploy all components of an {product-title} cluster, you must grant the all the required permissions to the IAM user that you create in {aws-first}.
[NOTE]
====
Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the AWS API requirement, the {product-title} installation program performs various actions in this region.
Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the {aws-short} API requirement, the {product-title} installation program performs various actions in this region.
====
When you attach the `AdministratorAccess` policy to the IAM user that you create in Amazon Web Services (AWS),
you grant that user all of the required permissions. To deploy all components of an {product-title}
When you attach the `AdministratorAccess` policy to the IAM user that you create in {aws-first}, you grant that user all of the required permissions. To deploy all components of an {product-title}
cluster, the IAM user requires the following permissions:
.Required EC2 permissions for installation
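Review bot: the new abstract has a grammar slip, "grant the all the required permissions" (drop the first "the"), and it uses `{aws-first}` while the rewritten sentence below ("When you attach the `AdministratorAccess` policy ... in {aws-first}") expands it a second time; the second occurrence should be `{aws-short}`. The abstract also duplicates "To deploy all components of an {product-title} cluster, the IAM user requires the following permissions", which still ends the hunk split across two lines ("...of an {product-title}" / "cluster, the IAM user requires..."); keep one of the two and put it on a single line.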
@@ -158,7 +160,7 @@ If you use an existing Virtual Private Cloud (VPC), your account does not requir
=====
* If you specify an existing IAM role in the `install-config.yaml` file, the following IAM permissions are not required: `iam:CreateRole`,`iam:DeleteRole`, `iam:DeleteRolePolicy`, and `iam:PutRolePolicy`.
* If you have not created a load balancer in your AWS account, the IAM user also requires the `iam:CreateServiceLinkedRole` permission.
* If you have not created a load balancer in your {aws-short} account, the IAM user also requires the `iam:CreateServiceLinkedRole` permission.
=====
====
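Review bot: the unchanged line listing the optional IAM permissions is missing a space after the first comma ("`iam:CreateRole`,`iam:DeleteRole`"); worth fixing while the adjacent `iam:CreateServiceLinkedRole` line is edited.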

@@ -4,19 +4,20 @@
:_mod-docs-content-type: REFERENCE
[id="installation-aws-regions_{context}"]
= Supported AWS regions
= Supported {aws-short} regions
[role="_abstract"]
You can deploy an {product-title} cluster to the following regions.
[NOTE]
====
Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the AWS API requirement, the {product-title} installation program performs various actions in this region.
Your IAM user must have the permission `tag:GetResources` in the region `us-east-1` to delete the base cluster resources. As part of the {aws-short} API requirement, the {product-title} installation program performs various actions in this region.
====
[id="installation-aws-public_{context}"]
== AWS public regions
== {aws-short} public regions
The following AWS public regions are supported:
The following {aws-short} public regions are supported:
* `af-south-1` (Cape Town)
* `ap-east-1` (Hong Kong)
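Review bot: the NOTE about `tag:GetResources` in `us-east-1` is now maintained word for word in two modules (here in the regions reference and in the required-permissions reference earlier in this commit), and the identical `{aws-short}` edit had to be made in both places; that is the usual sign the admonition should live in one snippet that both modules include, so the next wording change does not have to be made twice.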
@@ -53,25 +54,25 @@ The following AWS public regions are supported:
* `us-west-2` (Oregon)
[id="installation-aws-govcloud_{context}"]
== AWS GovCloud regions
== {aws-short} GovCloud regions
The following AWS GovCloud regions are supported:
The following {aws-short} GovCloud regions are supported:
* `us-gov-west-1`
* `us-gov-east-1`
[id="installation-aws-c2s_{context}"]
== AWS SC2S and C2S secret regions
== {aws-short} SC2S and C2S secret regions
The following AWS secret regions are supported:
The following {aws-short} secret regions are supported:
* `us-isob-east-1` Secret Commercial Cloud Services (SC2S)
* `us-iso-east-1` Commercial Cloud Services (C2S)
[id="installation-aws-china_{context}"]
== AWS China regions
== {aws-short} China regions
The following AWS China regions are supported:
The following {aws-short} China regions are supported:
* `cn-north-1` (Beijing)
* `cn-northwest-1` (Ningxia)

@@ -6,43 +6,38 @@
[id="installation-aws-route53_{context}"]
= Configuring Route 53
To install {product-title}, the Amazon Web Services (AWS) account you use must
have a dedicated public hosted zone in your Route 53 service. This zone must be
authoritative for the domain. The Route 53 service provides
cluster DNS resolution and name lookup for external connections to the cluster.
[role="_abstract"]
To install {product-title}, the {aws-first} account you use must have a dedicated public hosted zone in your Route 53 service. This zone must be
authoritative for the domain. The Route 53 service provides cluster DNS resolution and name lookup for external connections to the cluster.
.Procedure
. Identify your domain, or subdomain, and registrar. You can transfer an existing domain and
registrar or obtain a new one through AWS or another source.
registrar or obtain a new one through {aws-short} or another source.
+
[NOTE]
====
If you purchase a new domain through AWS, it takes time for the relevant DNS
changes to propagate. For more information about purchasing domains
through AWS, see
If you purchase a new domain through {aws-short}, it takes time for the relevant DNS changes to propagate. For more information about purchasing domains
through {aws-short}, see
link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/registrar.html[Registering Domain Names Using Amazon Route 53]
in the AWS documentation.
in the {aws-short} documentation.
====
. If you are using an existing domain and registrar, migrate its DNS to AWS. See
. If you are using an existing domain and registrar, migrate its DNS to {aws-short}. See
link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/MigratingDNS.html[Making Amazon Route 53 the DNS Service for an Existing Domain]
in the AWS documentation.
in the {aws-short} documentation.
. Create a public hosted zone for your domain or subdomain. See
link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[Creating a Public Hosted Zone]
in the AWS documentation.
in the {aws-short} documentation.
+
Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain,
such as `clusters.openshiftcorp.com`.
Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain, such as `clusters.openshiftcorp.com`.
. Extract the new authoritative name servers from the hosted zone records. See
link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/GetInfoAboutHostedZone.html[Getting the Name Servers for a Public Hosted Zone]
in the AWS documentation.
in the {aws-short} documentation.
. Update the registrar records for the AWS Route 53 name servers that your domain
uses. For example, if you registered your domain to a Route 53 service in a
different accounts, see the following topic in the AWS documentation:
. Update the registrar records for the {aws-short} Route 53 name servers that your domain uses. For example, if you registered your domain to a Route 53 service in a different accounts, see the following topic in the {aws-short} documentation:
link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-name-servers-glue-records.html#domain-name-servers-glue-records-procedure[Adding or Changing Name Servers or Glue Records].
. If you are using a subdomain, add its delegation records to the parent domain. This gives Amazon Route 53 responsibility for the subdomain. Follow the delegation procedure outlined by the DNS provider of the parent domain. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html[Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain] in the AWS documentation for an example high level procedure.
. If you are using a subdomain, add its delegation records to the parent domain. This gives Amazon Route 53 responsibility for the subdomain. Follow the delegation procedure outlined by the DNS provider of the parent domain. See link:https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingNewSubdomain.html[Creating a subdomain that uses Amazon Route 53 as the DNS service without migrating the parent domain] in the {aws-short} documentation for an example high level procedure.
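Review bot: the rewritten step "if you registered your domain to a Route 53 service in a different accounts" carries the old grammar error onto the new line ("a different account"), and "an example high level procedure" in the last step should be "high-level". Several lines are also still wrapped mid-sentence ("This zone must be" / "authoritative for the domain", "registrar or obtain...", "For more information about purchasing domains" / "through {aws-short}, see"), so the hunk mixes both line styles; pick one. Keep the abstract's requirement intact as written: the public hosted zone must be authoritative for the domain, because the cluster's external DNS resolution depends on it.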

@@ -27,7 +27,10 @@ endif::[]
[id="installation-three-node-cluster_{context}"]
= Configuring a three-node cluster
You configure a three-node cluster by setting the number of worker nodes to `0` in the `install-config.yaml` file before deploying the cluster. Setting the number of worker nodes to `0` ensures that the control plane machines are schedulable. This allows application workloads to be scheduled to run from the control plane nodes.
[role="_abstract"]
To configure a three-node cluster, set the number of worker nodes to `0` in the `install-config.yaml` file before you deploy the cluster.
Setting the number of worker nodes to `0` ensures that the control plane machines are schedulable. This allows application workloads to be scheduled to run from the control plane nodes.
[NOTE]
====
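Review bot: `[role="_abstract"]` applies only to the paragraph that immediately follows it, so if "Setting the number of worker nodes to `0` ensures that the control plane machines are schedulable..." is meant to be part of the abstract it must stay in the same paragraph as "To configure a three-node cluster, set the number of worker nodes to `0`..."; if the move onto its own line introduces a blank line, only the first sentence becomes the abstract. Confirm which is intended.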
@@ -40,13 +43,14 @@ Because application workloads run from control plane nodes, additional subscript
.Procedure
ifndef::nutanix,openstack[]
. Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza:
endif::nutanix,openstack[]
ifdef::nutanix,openstack[]
* Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza:
endif::nutanix,openstack[]
ifndef::nutanix,openstack[]
. Set the number of compute replicas to `0` in your `install-config.yaml` file, as shown in the following `compute` stanza:
endif::nutanix,openstack[]
+
.Example `install-config.yaml` file for a three-node cluster
[source,yaml]
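Review bot: swapping the `ifndef::nutanix,openstack[]` and `ifdef::nutanix,openstack[]` blocks is a pure reorder, and both branches carry the identical sentence "Set the number of compute replicas to `0` in your `install-config.yaml` file..." differing only in the list marker (`.` versus `*`); the conditional could be reduced to just the marker. If the order matters for the `+` continuation that follows, a one-line comment explaining that would keep the next editor from swapping them back.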
@@ -59,6 +63,7 @@ compute:
replicas: 0
# ...
----
ifndef::vsphere,nutanix,openstack[]
. If you are deploying a cluster with user-provisioned infrastructure:
** After you create the Kubernetes manifest files, make sure that the `spec.mastersSchedulable` parameter is set to `true` in `cluster-scheduler-02-config.yml` file. You can locate this file in `<installation_directory>/manifests`.
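Review bot: the new `ifndef::vsphere,nutanix,openstack[]` placed before ". If you are deploying a cluster with user-provisioned infrastructure:" has no matching `endif::[]` visible in this diff, and the next hunk shows an `ifdef::vsphere[]` block closing with `endif::vsphere[]` in between; if that vSphere-only block sits inside the new `ifndef::vsphere,...` region it can never render. Please show where the `endif` lands and make sure the vSphere block is outside it.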
@@ -84,6 +89,7 @@ endif::vsphere[]
** Do not create additional worker nodes.
endif::vsphere[]
ifndef::nutanix,openstack[]
.Example `cluster-scheduler-02-config.yml` file for a three-node cluster
[source,yaml]
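Review bot: same concern as the previous hunk: `ifndef::nutanix,openstack[]` is opened in front of ".Example `cluster-scheduler-02-config.yml` file for a three-node cluster" but the corresponding `endif::[]` is not in the diff; the caption, the `[source,yaml]` attribute and the listing must all be inside the conditional, otherwise the YAML listing renders for Nutanix and OpenStack without its caption.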

@@ -31,6 +31,7 @@ endif::[]
[id="installation-uninstall-clouds_{context}"]
= Removing a cluster that uses installer-provisioned infrastructure
[role="_abstract"]
You can remove a cluster that uses installer-provisioned infrastructure that you provisioned from your cloud platform.
ifdef::aws[]
@@ -119,11 +120,13 @@ endif::ibm-cloud,ibm-power-vs[]
[source,terminal]
----
$ ./openshift-install destroy cluster \
--dir <installation_directory> --log-level info <1> <2>
--dir <installation_directory> --log-level info
----
<1> For `<installation_directory>`, specify the path to the directory that you
stored the installation files in.
<2> To view different details, specify `warn`, `debug`, or `error` instead of `info`.
+
where:
<installation_directory>:: Specify the path to the directory that you stored the installation files in.
--log-level info:: To view different details, specify `warn`, `debug`, or `error` instead of `info`.
ifndef::ibm-power-vs[]
+
[NOTE]
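Review bot: the replacement "where:" list is inconsistent with the same pattern later in this commit (the Route 53 example wraps its terms in backticks; here `<installation_directory>::` and `--log-level info::` are bare). Keying the second term on the whole `--log-level info` pair also reads oddly when the description tells the reader to substitute other values; `--log-level::` with "specify `info`, `warn`, `debug`, or `error`" is clearer. The `+` before "where:" is needed to keep the list attached to the step; good.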

@@ -0,0 +1,19 @@
:_mod-docs-content-type: CONCEPT
[id="choosing-an-method-to-install-ocp-on-aws-installer-provisioned_{context}"]
= Installing a cluster on installer-provisioned infrastructure
:context: installing-aws-ipi
[role="_abstract"]
You can install a cluster on {aws-short} infrastructure that is provisioned by the {product-title} installation program, by using one of the following methods:
You can install {product-title} on {aws-short} infrastructure that is provisioned by the {product-title} installation program. You can install a cluster quickly by using the default configuration options.
You can install a customized cluster on {aws-short} infrastructure that the installation program provisions. You can also customize your {product-title} network configuration during installation, so that your cluster can coexist with your existing IP address allocations and adhere to your network requirements. The installation program allows for some customization to be applied at the installation stage. Many other customization options are available post-installation.
You can install {product-title} on {aws-short} on installer-provisioned infrastructure by using an internal mirror of the installation release content. You can use this method to install a cluster that does not require an active internet connection to obtain the software components.
You can install {product-title} on an existing {aws-short} Virtual Private Cloud (VPC). You can use this installation method if you have constraints set by the guidelines of your company, such as limits when creating new accounts or infrastructure.
You can install a private cluster on an existing {aws-short} VPC. You can use this method to deploy {product-title} on an internal network that is not visible to the internet.
{product-title} can be deployed into {aws-short} regions that are specifically designed for US government agencies at the federal, state, and local level, as well as contractors, educational institutions, and other US customers that must run sensitive workloads in the cloud.
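Review bot: the abstract "You can install a cluster on {aws-short} infrastructure ... by using one of the following methods:" ends with a colon that promises a list, but what follows is six unbulleted paragraphs; either make them a bulleted list (one item per method, ideally with the xref to each procedure) or end the abstract with a full stop. The anchor id `choosing-an-method-to-install-ocp-on-aws-installer-provisioned` has "an-method" ("a-method"), and setting `:context: installing-aws-ipi` inside a CONCEPT module after the title is unusual; the assembly normally owns `:context:`, and the `{context}` in the id line above it is resolved before this attribute takes effect.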

@@ -0,0 +1,11 @@
:_mod-docs-content-type: CONCEPT
[id="choosing-an-method-to-install-ocp-on-aws-single-node"_{context}"]
= Installing a cluster on a single node
:context: installing-single-node-aws
[role="_abstract"]
Installing {product-title} on a single node alleviates some of the requirements for high availability and large scale clusters. However, you must address requirements for installing on a single node, and the additional requirements for installing {sno} on a cloud provider.
After addressing the requirements for single node installation, use the installing a customized cluster on AWS procedure to install the cluster. The installing single-node OpenShift manually section contains an exemplary `install-config.yaml` file when installing an {product-title} cluster on a single node.
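Review bot: the id line `[id="choosing-an-method-to-install-ocp-on-aws-single-node"_{context}"]` has a stray double quote after `single-node`, so the attribute value ends there and `_{context}"` is left dangling; it should be `...-single-node_{context}"`. It also repeats the "an-method" typo from the previous new module. In the body, "the installing a customized cluster on AWS procedure" keeps a literal "AWS" in a commit that is swapping to `{aws-short}`, and "an exemplary `install-config.yaml` file" should be "an example `install-config.yaml` file".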

@@ -0,0 +1,11 @@
:_mod-docs-content-type: CONCEPT
[id="choosing-an-method-to-install-ocp-on-aws-user-provisioned-provisioned_{context}"]
= Installing a cluster on user-provisioned infrastructure
:context: installing-upi-aws
[role="_abstract"]
You can install a cluster on {aws-short} in one of two ways: on infrastructure that you provide or infrastructure that you provide by using an internal mirror of the installation release content.
To install {product-title} on {aws-short} infrastructure that you provide, you can use the provided CloudFormation templates to create stacks of {aws-short} resources that represent each of the components required for an {product-title} installation.
To install a cluster that does not require an active internet connection to obtain the software components, install {product-title} on {aws-short} infrastructure that you provide by using an internal mirror of the installation release content. You can also use this installation method to ensure that your clusters only use container images that satisfy your organizational controls on external content. While you can install {product-title} by using the mirrored content, your cluster still requires internet access to use the {aws-short} APIs.
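Review bot: the id `choosing-an-method-to-install-ocp-on-aws-user-provisioned-provisioned` repeats "provisioned" (and has the same "an-method" typo); ids are painful to rename once cross-referenced, so fix it before this lands. In the abstract, "on infrastructure that you provide or infrastructure that you provide by using an internal mirror" is awkward; the distinction is a connected install versus a disconnected (mirrored) one, which the last paragraph states more clearly, including the useful caveat that a mirrored cluster still needs internet access to reach the {aws-short} APIs.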

@@ -4,9 +4,10 @@
:_mod-docs-content-type: REFERENCE
[id="nw-endpoint-route53_{context}"]
= Ingress Operator endpoint configuration for AWS Route 53
= Ingress Operator endpoint configuration for {aws-short} Route 53
If you install in either Amazon Web Services (AWS) GovCloud (US) US-West or US-East region, the Ingress Operator uses `us-gov-west-1` region for Route53 and tagging API clients.
[role="_abstract"]
If you install in either {aws-first} GovCloud (US) US-West or US-East region, the Ingress Operator uses `us-gov-west-1` region for Route53 and tagging API clients.
The Ingress Operator uses `https://tagging.us-gov-west-1.amazonaws.com` as the tagging API endpoint if a tagging custom endpoint is configured that includes the string 'us-gov-east-1'.
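Review bot: "Route53 and tagging API clients" in the rewritten abstract should be "Route 53" to match the heading "Ingress Operator endpoint configuration for {aws-short} Route 53" two lines above, and "If you install in either ... US-West or US-East region" needs "the" before "US-West" and "the `us-gov-west-1` region" in the second half. The unchanged line about the tagging custom endpoint uses straight single quotes around 'us-gov-east-1' where the rest of the file uses backticks.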
@@ -14,7 +15,7 @@ For more information on AWS GovCloud (US) endpoints, see the link:https://docs.a
[IMPORTANT]
====
Private, disconnected installations are not supported for AWS GovCloud when you install in the `us-gov-east-1` region.
Private, disconnected installations are not supported for {aws-short} GovCloud when you install in the `us-gov-east-1` region.
====
.Example Route 53 configuration
@@ -29,9 +30,12 @@ platform:
- name: elasticloadbalancing
url: https://elasticloadbalancing.us-gov-west-1.amazonaws.com
- name: route53
url: https://route53.us-gov.amazonaws.com <1>
url: https://route53.us-gov.amazonaws.com
- name: tagging
url: https://tagging.us-gov-west-1.amazonaws.com <2>
url: https://tagging.us-gov-west-1.amazonaws.com
----
<1> Route 53 defaults to `https://route53.us-gov.amazonaws.com` for both AWS GovCloud (US) regions.
<2> Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region.
+
where:
`https://route53.us-gov.amazonaws.com`:: Defaults to `https://route53.us-gov.amazonaws.com` for both {aws-short} GovCloud (US) regions.
`https://tagging.us-gov-west-1.amazonaws.com`:: Only the US-West region has endpoints for tagging. Omit this parameter if your cluster is in another region.
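Review bot: the two "where:" terms are the URLs themselves, so the first entry reads "`https://route53.us-gov.amazonaws.com`:: Defaults to `https://route53.us-gov.amazonaws.com`...", which is circular; the callouts being removed were attached to the `route53` and `tagging` service names in the listing, so key the description list on `route53::` and `tagging::` instead. "Omit this parameter" in the second entry should also say which entry to omit (the `tagging` service endpoint) now that no numbered callout points at it.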