diff --git a/modules/create-wif-cluster-ocm.adoc b/modules/create-wif-cluster-ocm.adoc index 7f0a2e3460..87f62884fc 100644 --- a/modules/create-wif-cluster-ocm.adoc +++ b/modules/create-wif-cluster-ocm.adoc @@ -55,14 +55,18 @@ Workload Identity Federation (WIF) is only supported on {product-title} version .. Select a cloud provider region from the *Region* drop-down menu. .. Select a *Single zone* or *Multi-zone* configuration. + -.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. +.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. + [IMPORTANT] ==== To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints]. ==== + - +[IMPORTANT] +==== +*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation. +==== ++ .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default. . Optional: Expand *Advanced Encryption* to make changes to encryption settings. 
diff --git a/modules/creating-a-machine-pool-ocm.adoc b/modules/creating-a-machine-pool-ocm.adoc index e09afc5044..750da08786 100644 --- a/modules/creating-a-machine-pool-ocm.adoc +++ b/modules/creating-a-machine-pool-ocm.adoc @@ -146,8 +146,22 @@ Your Amazon EC2 Spot Instances might be interrupted at any time. Use Amazon EC2 ==== If you select *Use Amazon EC2 Spot Instances* for a machine pool, you cannot disable the option after the machine pool is created. ==== ++ endif::openshift-rosa-hcp[] - +ifdef::openshift-dedicated[] +. Optional: By default, {product-title} on {GCP} instances in the machine pools inherit the Shielded VM settings at the cluster level. You can override the cluster level Shielded VM settings at the machine pool level by selecting or clearing the *Enable Secure Boot support for Shielded VMs* checkbox. ++ +[IMPORTANT] +==== +Once a machine pool is created, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. +==== ++ +[IMPORTANT] +==== +*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation. +==== +endif::openshift-dedicated[] ++ . Click *Add machine pool* to create the machine pool. .Verification diff --git a/modules/osd-create-cluster-ccs.adoc b/modules/osd-create-cluster-ccs.adoc index 0fea9e810d..e229ab8c41 100644 --- a/modules/osd-create-cluster-ccs.adoc +++ b/modules/osd-create-cluster-ccs.adoc 
@@ -59,14 +59,23 @@ Clusters configured with Private Service Connect (PSC) are only supported on Ope .. Select a *Single zone* or *Multi-zone* configuration. + -.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. +.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. + [IMPORTANT] ==== To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints]. ==== +// + +// [IMPORTANT] +// ==== +// Once a machine pool is saved, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. +// ==== ++ +[IMPORTANT] +==== +*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation. +==== + - .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default. . Optional: Expand *Advanced Encryption* to make changes to encryption settings. diff --git a/modules/osd-create-cluster-red-hat-account.adoc b/modules/osd-create-cluster-red-hat-account.adoc index 0d8ab4e5a7..cdf9595453 100644 
--- a/modules/osd-create-cluster-red-hat-account.adoc +++ b/modules/osd-create-cluster-red-hat-account.adoc 
@@ -39,13 +39,18 @@ To customize the subdomain, select the *Create custom domain prefix* checkbox, a .. Select a *Persistent storage* capacity for the cluster. For more information, see the _Storage_ section in the {product-title} service definition. .. Specify the number of *Load balancers* that you require for your cluster. For more information, see the _Load balancers_ section in the {product-title} service definition. + -.. Optional: Select *Enable Secure Boot for Shielded VMs* to use Shielded VMs when installing your cluster. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. +.. Optional: Select *Enable Secure Boot support for Shielded VMs* to use Shielded VMs when installing your cluster. Once you create your cluster, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed. For more information, see link:https://cloud.google.com/security/products/shielded-vm[Shielded VMs]. + [IMPORTANT] ==== To successfully create a cluster, you must select *Enable Secure Boot support for Shielded VMs* if your organization has the policy constraint `constraints/compute.requireShieldedVm` enabled. For more information regarding GCP organizational policy constraints, see link:https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints[Organization policy constraints]. ==== + +[IMPORTANT] +==== +*Enable Secure Boot support for Shielded VMs* is not supported for {product-title} on {GCP} clusters created using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation. +==== ++ .. Leave *Enable user workload monitoring* selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default. . Optional: Expand *Advanced Encryption* to make changes to encryption settings. + 
diff --git a/osd_whats_new/osd-whats-new.adoc b/osd_whats_new/osd-whats-new.adoc index 4de02b726c..f945db11ce 100644 --- a/osd_whats_new/osd-whats-new.adoc +++ b/osd_whats_new/osd-whats-new.adoc @@ -22,6 +22,10 @@ With its foundation in Kubernetes, {product-title} is a complete {OCP} cluster p // re-add once upgrade to 4.19 is available // For more information about upgrading to this latest version, see xref:../upgrading/osd-upgrades.adoc#osd-upgrades[Red Hat OpenShift Dedicated cluster upgrades]. +* **Support for enabling and disabling Secure Boot for Shielded VMs on a per machine basis.** +{product-title} on {GCP} users can now enable or disable Secure Boot for Shielded VMs on a per machine basis. For more information, see xref:../osd_cluster_admin/osd_nodes/osd-managing-worker-nodes.adoc#osd-managing-worker-nodes[Managing compute nodes]. + + [id="osd-q1-2025_{context}"] === Q1 2025 diff --git a/snippets/shieldedvm-baremetal-support.adoc b/snippets/shieldedvm-baremetal-support.adoc new file mode 100644 index 0000000000..ea9e6b92a2 --- /dev/null +++ b/snippets/shieldedvm-baremetal-support.adoc @@ -0,0 +1,18 @@ +// Text snippet included in the following assemblies: (1) +// +// * rosa_cluster_admin/rosa-configuring-pid-limits.adoc +// +// Text snippet included in the following modules: (2) +// +// * modules/setting-higher-pid-limit-on-existing-cluster.adoc + +:_mod-docs-content-type: SNIPPET + +// Snippet that notifies user that Shielded VM is not supported for clusters created using bare metal instance types. + +[IMPORTANT] +==== +[subs="attributes+"] +Shielded VM is not supported for {product-title} on {GCP} clusters using bare-metal instance types. For more information, see link:https://cloud.google.com/compute/shielded-vm/docs/shielded-vm#limitations[Limitations] in the Google Cloud documentation. +==== +// Undefine {FeatureName} attribute, so that any mistakes are easily spotted
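Review bot: In the modules/create-wif-cluster-ocm.adoc hunk (@@ -55,14 +55,18 @@), the new sentence "Once you create your cluster, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed" reads as if Secure Boot is fixed for the life of the cluster, but the modules/creating-a-machine-pool-ocm.adoc hunk in this same patch says machine pools can override the cluster-level setting. Suggest qualifying the sentence so the two modules do not contradict each other, e.g. "Once you create your cluster, the cluster-level *Enable Secure Boot support for Shielded VMs* setting cannot be changed; you can override it for individual machine pools when you create them." The same sentence is added in the osd-create-cluster-ccs.adoc and osd-create-cluster-red-hat-account.adoc hunks and should get the same qualification.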
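Review bot: In the modules/creating-a-machine-pool-ocm.adoc hunk (@@ -146,8 +146,22 @@), the new step lets a user clear *Enable Secure Boot support for Shielded VMs* for a machine pool, but unlike the three cluster-creation modules in this patch it carries no warning that the option must stay selected when the organization enforces `constraints/compute.requireShieldedVm`; clearing it on a pool in such an organization would weaken the cluster's posture and, per the cluster-creation text, is what the policy is meant to block. Suggest adding the same [IMPORTANT] block about the organization policy constraint here, ahead of the bare-metal note. Two smaller points in the same hunk: the bare-metal note is copied verbatim from the cluster-creation modules and talks about "clusters created using bare-metal instance types", whereas at this step the relevant condition is the instance type chosen for the machine pool, so the wording should say that; and the `+` continuation line added before `endif::openshift-rosa-hcp[]` plus the `+` added after `endif::openshift-dedicated[]` end up as two adjacent `+` lines with nothing between them in builds where `openshift-dedicated` is not set, so drop one of them or move the continuation inside the conditional blocks and check the rendered ROSA HCP output.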
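Review bot: In the modules/osd-create-cluster-ccs.adoc hunk (@@ -59,14 +59,23 @@), the rewritten step still names the checkbox "*Enable Secure Boot for Shielded VMs*" while both [IMPORTANT] blocks directly below it name it "*Enable Secure Boot support for Shielded VMs*"; the osd-create-cluster-red-hat-account.adoc hunk in this patch changes the step to the "support" form, so do the same here (or confirm against the OCM UI which label is correct and use it in all four modules). Also, the commented-out lines `// [IMPORTANT]`, `// Once a machine pool is saved, the *Enable Secure Boot support for Shielded VMs* setting cannot be changed.` and the `// +` continuation are dead text in a cluster-creation module; the machine-pool variant of this note now lives in creating-a-machine-pool-ocm.adoc, so delete the commented block rather than leaving it behind.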
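Review bot: In the osd_whats_new/osd-whats-new.adoc hunk (@@ -22,6 +22,10 @@), the new entry says Secure Boot can be enabled or disabled "on a per machine basis", but the procedure added in modules/creating-a-machine-pool-ocm.adoc applies the setting to a whole machine pool and states it cannot be changed once the pool is created. Suggest "on a per machine pool basis" in both the bold title and the sentence, and pointing the xref at the machine pool creation procedure rather than the top of the "Managing compute nodes" assembly so readers land on the step that has the checkbox. The two trailing added blank lines before `[id="osd-q1-2025_{context}"]` leave a double blank; one is enough.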
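Review bot: In the new snippets/shieldedvm-baremetal-support.adoc file, nothing in this patch includes the snippet, while the same bare-metal [IMPORTANT] text is pasted inline into four modules (create-wif-cluster-ocm.adoc, creating-a-machine-pool-ocm.adoc, osd-create-cluster-ccs.adoc, osd-create-cluster-red-hat-account.adoc); either replace the inline copies with `include::snippets/shieldedvm-baremetal-support.adoc[]` (in whatever relative form the repository uses for snippet includes) so the wording cannot drift, or drop the snippet. The wording has already drifted: the snippet says "Shielded VM is not supported" while the inline copies say "*Enable Secure Boot support for Shielded VMs* is not supported", so pick one. The header comments listing `rosa_cluster_admin/rosa-configuring-pid-limits.adoc` and `modules/setting-higher-pid-limit-on-existing-cluster.adoc` as the including files are carried over from a PID-limit snippet and do not apply here; update them to the actual includers. The trailing `// Undefine {FeatureName} attribute, so that any mistakes are easily spotted` comment refers to an attribute this snippet never defines or undefines, so remove it, and `[subs="attributes+"]` on a plain paragraph is redundant because attribute substitution already applies there.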