OSDOCS-770 AWS existing VPC

_topic_map.yml

@@ -97,6 +97,8 @@ Topics:
     File: installing-aws-customizations
   - Name: Installing a cluster on AWS with network customizations
     File: installing-aws-network-customizations
+  - Name: Installing a cluster on AWS to an existing VPC
+    File: installing-aws-vpc
   - Name: Uninstalling a cluster on AWS
     File: uninstalling-cluster-aws
 - Name: Installing on Azure

installing/installing_aws/installing-aws-vpc.adoc

@@ -0,0 +1,60 @@
+[id="installing-aws-vpc"]
+= Installing a cluster on AWS to an existing VPC
+include::modules/common-attributes.adoc[]
+:context: installing-aws-vpc
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster into an existing Amazon Virtual Private Cloud (VPC) on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify
+parameters in the `install-config.yaml` file before you install the cluster.
+
+.Prerequisites
+
+* Review details about the
+xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update]
+processes.
+* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account]
+to host the cluster.
++
+[IMPORTANT]
+====
+If you have an AWS profile stored on your computer, it must not use a temporary
+session token that you generated while using a multi-factor authentication
+device. The cluster continues to use your current AWS credentials to create
+AWS resources for the entire life of the cluster, so you must use long-lived
+credentials. To generate appropriate keys, see
+link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users]
+in the AWS documentation. You can supply the keys when you run the installation
+program.
+====
+* If you use a firewall, you must
+xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to.
+
+include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
+
+// Removing; Proxy not supported for AWS IPI for 4.2
+// include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+.Next steps
+
+* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

modules/cli-installing-cli.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc

modules/cluster-entitlements.adoc

@@ -5,6 +5,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc

modules/installation-aws-config-yaml.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :with-networking:
@@ -9,6 +10,10 @@ endif::[]
 ifeval::["{context}" != "installing-aws-network-customizations"]
 :without-networking:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:vpc:
+endif::[]
+
 
 [id="installation-aws-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for AWS
@@ -75,9 +80,21 @@ platform:
     userTags:
       adminContact: jdoe
       costCenter: 7536
-fips: false <6>
+ifdef::vpc[]
+    subnets: <6>
+    - subnet-1
+    - subnet-2
+    - subnet-3
+endif::vpc[]
 pullSecret: '{"auths": ...}' <1>
+ifdef::vpc[]
+fips: false <7>
+sshKey: ssh-ed25519 AAAA... <8>
+endif::vpc[]
+ifndef::vpc[]
+fips: false <6>
 sshKey: ssh-ed25519 AAAA... <7>
+endif::vpc[]
 ----
 <1> Required. The installation program prompts you for this value.
 <2> If you do not provide these parameters and values, the installation program
@@ -105,9 +122,17 @@ disable simultaneous multithreading.
 ====
 <5> To configure faster storage for etcd, especially for larger clusters, set the
 storage type as `io1` and set `iops` to `2000`.
+ifdef::vpc[]
+<6> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
+<7> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
+<8> You can optionally provide the `sshKey` value that you use to access the
+machines in your cluster.
+endif::vpc[]
+ifndef::vpc[]
 <6> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the FIPS validated cryptography modules that are provided with {op-system} instead.
 <7> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
+endif::vpc[]
 +
 [NOTE]
 ====
@@ -120,3 +145,6 @@ endif::[]
 ifeval::["{context}" != "installing-aws-network-customizations"]
 :!without-networking:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:!vpc:
+endif::[]

modules/installation-aws-permissions.adoc

@@ -7,30 +7,23 @@
 [id="installation-aws-permissions_{context}"]
 = Required AWS permissions
 
-When you attach the `AdministratorAccess` policy to the IAM user that you create,
-you grant that user all of the required permissions. To deploy an {product-title}
+When you attach the `AdministratorAccess` policy to the IAM user that you create in Amazon Web Services (AWS),
+you grant that user all of the required permissions. To deploy all components of an {product-title}
 cluster, the IAM user requires the following permissions:
 
 .Required EC2 permissions for installation
 * `ec2:AllocateAddress`
 * `ec2:AssociateAddress`
-* `ec2:AssociateDhcpOptions`
-* `ec2:AssociateRouteTable`
-* `ec2:AttachInternetGateway`
 * `ec2:AuthorizeSecurityGroupEgress`
 * `ec2:AuthorizeSecurityGroupIngress`
 * `ec2:CopyImage`
-* `ec2:CreateDhcpOptions`
-* `ec2:CreateInternetGateway`
-* `ec2:CreateNatGateway`
-* `ec2:CreateRoute`
-* `ec2:CreateRouteTable`
+* `ec2:CreateNetworkInterface`
 * `ec2:CreateSecurityGroup`
-* `ec2:CreateSubnet`
 * `ec2:CreateTags`
-* `ec2:CreateVpc`
-* `ec2:CreateVpcEndpoint`
 * `ec2:CreateVolume`
+* `ec2:DeleteSecurityGroup`
+* `ec2:DeleteSnapshot`
+* `ec2:DeregisterImage`
 * `ec2:DescribeAccountAttributes`
 * `ec2:DescribeAddresses`
 * `ec2:DescribeAvailabilityZones`
@@ -43,52 +36,72 @@ cluster, the IAM user requires the following permissions:
 * `ec2:DescribeKeyPairs`
 * `ec2:DescribeNatGateways`
 * `ec2:DescribeNetworkAcls`
+* `ec2:DescribeNetworkInterfaces`
 * `ec2:DescribePrefixLists`
 * `ec2:DescribeRegions`
 * `ec2:DescribeRouteTables`
 * `ec2:DescribeSecurityGroups`
 * `ec2:DescribeSubnets`
 * `ec2:DescribeTags`
-* `ec2:DescribeVpcEndpoints`
-* `ec2:DescribeVpcs`
-* `ec2:DescribeVpcAttribute`
 * `ec2:DescribeVolumes`
+* `ec2:DescribeVpcAttribute`
 * `ec2:DescribeVpcClassicLink`
 * `ec2:DescribeVpcClassicLinkDnsSupport`
+* `ec2:DescribeVpcEndpoints`
+* `ec2:DescribeVpcs`
 * `ec2:ModifyInstanceAttribute`
-* `ec2:ModifySubnetAttribute`
-* `ec2:ModifyVpcAttribute`
+* `ec2:ModifyNetworkInterfaceAttribute`
+* `ec2:ReleaseAddress`
 * `ec2:RevokeSecurityGroupEgress`
+* `ec2:RevokeSecurityGroupIngress`
 * `ec2:RunInstances`
 * `ec2:TerminateInstances`
-* `ec2:RevokeSecurityGroupIngress`
-* `ec2:ReplaceRouteTableAssociation`
-* `ec2:DescribeNetworkInterfaces`
-* `ec2:ModifyNetworkInterfaceAttribute`
+
+
+.Required permissions for creating network resources during installation
+* `ec2:AssociateDhcpOptions`
+* `ec2:AssociateRouteTable`
+* `ec2:AttachInternetGateway`
+* `ec2:CreateDhcpOptions`
+* `ec2:CreateInternetGateway`
+* `ec2:CreateNatGateway`
+* `ec2:CreateRoute`
+* `ec2:CreateRouteTable`
+* `ec2:CreateSubnet`
+* `ec2:CreateVpc`
+* `ec2:CreateVpcEndpoint`
+* `ec2:ModifySubnetAttribute`
+* `ec2:ModifyVpcAttribute`
+
+[NOTE]
+====
+If you use an existing VPC, your account does not require these permissions for creating network resources.
+====
 
 .Required Elasticloadbalancing permissions for installation
 * `elasticloadbalancing:AddTags`
 * `elasticloadbalancing:ApplySecurityGroupsToLoadBalancer`
 * `elasticloadbalancing:AttachLoadBalancerToSubnets`
+* `elasticloadbalancing:ConfigureHealthCheck`
 * `elasticloadbalancing:CreateListener`
 * `elasticloadbalancing:CreateLoadBalancer`
 * `elasticloadbalancing:CreateLoadBalancerListeners`
 * `elasticloadbalancing:CreateTargetGroup`
-* `elasticloadbalancing:ConfigureHealthCheck`
+* `elasticloadbalancing:DeleteLoadBalancer`
 * `elasticloadbalancing:DeregisterInstancesFromLoadBalancer`
 * `elasticloadbalancing:DeregisterTargets`
 * `elasticloadbalancing:DescribeInstanceHealth`
 * `elasticloadbalancing:DescribeListeners`
-* `elasticloadbalancing:DescribeLoadBalancers`
 * `elasticloadbalancing:DescribeLoadBalancerAttributes`
+* `elasticloadbalancing:DescribeLoadBalancers`
 * `elasticloadbalancing:DescribeTags`
 * `elasticloadbalancing:DescribeTargetGroupAttributes`
 * `elasticloadbalancing:DescribeTargetHealth`
 * `elasticloadbalancing:ModifyLoadBalancerAttributes`
 * `elasticloadbalancing:ModifyTargetGroup`
 * `elasticloadbalancing:ModifyTargetGroupAttributes`
-* `elasticloadbalancing:RegisterTargets`
 * `elasticloadbalancing:RegisterInstancesWithLoadBalancer`
+* `elasticloadbalancing:RegisterTargets`
 * `elasticloadbalancing:SetLoadBalancerPoliciesOfListener`
 
 .Required IAM permissions for installation
@@ -114,9 +127,10 @@ cluster, the IAM user requires the following permissions:
 .Required Route53 permissions for installation
 * `route53:ChangeResourceRecordSets`
 * `route53:ChangeTagsForResource`
+* `route53:CreateHostedZone`
+* `route53:DeleteHostedZone`
 * `route53:GetChange`
 * `route53:GetHostedZone`
-* `route53:CreateHostedZone`
 * `route53:ListHostedZones`
 * `route53:ListHostedZonesByName`
 * `route53:ListResourceRecordSets`
@@ -145,38 +159,41 @@ cluster, the IAM user requires the following permissions:
 * `s3:PutEncryptionConfiguration`
 
 .S3 permissions that cluster Operators require
-* `s3:PutObject`
-* `s3:PutObjectAcl`
-* `s3:PutObjectTagging`
+* `s3:DeleteObject`
 * `s3:GetObject`
 * `s3:GetObjectAcl`
 * `s3:GetObjectTagging`
 * `s3:GetObjectVersion`
-* `s3:DeleteObject`
+* `s3:PutObject`
+* `s3:PutObjectAcl`
+* `s3:PutObjectTagging`
 
-.All additional permissions that are required to uninstall a cluster
+.Required permissions to delete base cluster resources
 * `autoscaling:DescribeAutoScalingGroups`
-* `ec2:DeleteDhcpOptions`
-* `ec2:DeleteInternetGateway`
-* `ec2:DeleteNatGateway`
 * `ec2:DeleteNetworkInterface`
-* `ec2:DeleteRoute`
-* `ec2:DeleteRouteTable`
-* `ec2:DeleteSnapshot`
-* `ec2:DeleteSecurityGroup`
-* `ec2:DeleteSubnet`
 * `ec2:DeleteVolume`
-* `ec2:DeleteVpc`
-* `ec2:DeleteVpcEndpoints`
-* `ec2:DeregisterImage`
-* `ec2:DetachInternetGateway`
-* `ec2:DisassociateRouteTable`
-* `ec2:ReleaseAddress`
-* `elasticloadbalancing:DescribeTargetGroups`
 * `elasticloadbalancing:DeleteTargetGroup`
-* `elasticloadbalancing:DeleteLoadBalancer`
+* `elasticloadbalancing:DescribeTargetGroups`
 * `iam:ListInstanceProfiles`
 * `iam:ListRolePolicies`
 * `iam:ListUserPolicies`
-* `route53:DeleteHostedZone`
+* `s3:DeleteObject`
 * `tag:GetResources`
+
+.Required permissions to delete network resources
+* `ec2:DeleteDhcpOptions`
+* `ec2:DeleteInternetGateway`
+* `ec2:DeleteNatGateway`
+* `ec2:DeleteRoute`
+* `ec2:DeleteRouteTable`
+* `ec2:DeleteSubnet`
+* `ec2:DeleteVpc`
+* `ec2:DeleteVpcEndpoints`
+* `ec2:DetachInternetGateway`
+* `ec2:DisassociateRouteTable`
+* `ec2:ReplaceRouteTableAssociation`
+
+[NOTE]
+====
+If you use an existing VPC, your account does not require these permissions to delete network resources.
+====

modules/installation-aws-user-infra-requirements.adoc

@@ -3,8 +3,6 @@
 // * installing/installing_aws_user_infra/installing-aws-user-infra.adoc
 // * installing/installing_restricted_networks/installing-restricted-networks-aws.adoc
 
-
-
 [id="installation-aws-user-infra-requirements_{context}"]
 = Required AWS infrastructure components
 
@@ -214,7 +212,7 @@ and associate them with appropriate Ingress rules.
 * `AWS::EC2::NatGateway`
 * `AWS::EC2::EIP`
 2+|You must have a public internet gateway, with public routes, attached to the
-VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private-subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios.
+VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios.
 
 .7+|Network access control
 .7+| * `AWS::EC2::NetworkAcl`
@@ -243,7 +241,7 @@ h|Reason
 |* `AWS::EC2::Subnet`
 * `AWS::EC2::RouteTable`
 * `AWS::EC2::SubnetRouteTableAssociation`
-2+|Your VPC can have a private subnets. The provided CloudFormation templates
+2+|Your VPC can have private subnets. The provided CloudFormation templates
 can create private subnets for between 1 and 3 availability zones.
 If you use private subnets, you must provide appropriate routes and tables
 for them.

modules/installation-configuration-parameters.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
@@ -16,6 +17,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :azure:
 endif::[]
@@ -191,8 +195,7 @@ such as `io1`.
 such as `c5.9xlarge`.
 
 |`compute.platform.aws.zones`
-|The availability zones where the installation program creates machines for the
-compute MachinePool.
+|The availability zones where the installation program creates machines for the compute MachinePool. If you provide your own VPC, you must provide a subnet in that availability zone.
 |A list of valid AWS availability zones, such as `us-east-1c`, in a
 link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 
@@ -224,6 +227,11 @@ resources that it creates.
 For more information about AWS tags,
 see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html[Tagging Your Amazon EC2 Resources]
 in the AWS documentation.
+
+|`platform.aws.subnets`
+|If you provide the VPC instead of allowing the installation program to create the VPC for you, specify the subnets for the cluster to use. The subnets must be part of the same `machineCIDR` range that you specify. For a standard cluster, specify a public and a private subnet for each availability zone. For a private cluster, specify a private subnet for each availability zone.
+|Valid subnet range.
+
 |====
 endif::aws[]
 
@@ -350,6 +358,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :!azure:
 endif::[]

modules/installation-custom-aws-vpc.adoc

@@ -0,0 +1,136 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-vpc.adoc
+
+[id="installation-custom-aws-vpc_{context}"]
+= About using a custom VPC
+
+In {product-title} {product-version}, you can deploy a cluster into existing subnets in an existing Amazon Virtual Private Cloud (VPC) in Amazon Web Services (AWS). By deploying {product-title} into an existing AWS VPC, you might be able to avoid limit constraints in new accounts or more easily abide by the operational constraints that your company's guidelines set. If you cannot obtain the infrastructure creation permissions that are required to create the VPC yourself, use this installation option.
+
+Because the installation program cannot know what other components are also in your existing subnets, it cannot choose subnet CIDRs and so forth on your behalf. You must configure networking for the subnets that you install your cluster to yourself.
+
+[id="installation-custom-aws-vpc-requirements_{context}"]
+== Requirements for using your VPC
+
+The installation program no longer creates the following components:
+
+* Internet gateways
+* NAT gateways
+* Subnets
+* Route tables
+* VPCs
+* VPC DHCP options
+* VPC endpoints
+
+If you use a custom VPC, you must correctly configure it and its subnets for the installation program and the cluster to use. The installation program cannot subdivide network ranges for the cluster to use, set route tables for the subnets, or set VPC options like DHCP, so you must do so before you install the cluster.
+
+Your VPC must meet the following characteristics:
+
+* The VPC's CIDR block must contain the `Networking.MachineCIDR` range, which is the IP address pool for cluster machines.
+* The VPC must not use the `kubernetes.io/cluster/.*: owned` tag.
+* You must enable the `enableDnsSupport` and `enableDnsHostnames` attributes in your VPC so that the cluster can use the Route53 zones that are attached to the VPC to resolve cluster’s internal DNS records. See link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-support[DNS Support in Your VPC] in the AWS documentation.
+
+If you use a cluster with public access, you must create a public and a private subnet for each availability zone that your cluster uses. The installation program modifies your subnets to add the `kubernetes.io/cluster/.*: shared` tag, so your subnets must have at least one free tag slot available for it. Review the current link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions[Tag Restrictions] in the AWS documentation to ensure that the installation program can add a tag to each subnet that you specify.
+
+.Required VPC components
+
+You must provide a suitable VPC and subnets that allow communication to your
+machines.
+
+[cols="2a,7a,3a,3a",options="header"]
+|===
+
+|Component
+|AWS type
+2+|Description
+
+|VPC
+|* `AWS::EC2::VPC`
+* `AWS::EC2::VPCEndpoint`
+2+|You must provide a public VPC for the cluster to use. The VPC uses an
+endpoint that references the route tables for each subnet to improve communication with the registry that is hosted in S3.
+
+|Public subnets
+|* `AWS::EC2::Subnet`
+* `AWS::EC2::SubnetNetworkAclAssociation`
+2+|Your VPC must have public subnets for between 1 and 3 availability zones
+and associate them with appropriate Ingress rules.
+
+|Internet gateway
+|
+* `AWS::EC2::InternetGateway`
+* `AWS::EC2::VPCGatewayAttachment`
+* `AWS::EC2::RouteTable`
+* `AWS::EC2::Route`
+* `AWS::EC2::SubnetRouteTableAssociation`
+* `AWS::EC2::NatGateway`
+* `AWS::EC2::EIP`
+2+|You must have a public internet gateway, with public routes, attached to the
+VPC. In the provided templates, each public subnet has a NAT gateway with an EIP address. These NAT gateways allow cluster resources, like private subnet instances, to reach the internet and are not required for some restricted network or proxy scenarios.
+
+.7+|Network access control
+.7+| * `AWS::EC2::NetworkAcl`
+* `AWS::EC2::NetworkAclEntry`
+2+|You must allow the VPC to access the following ports:
+h|Port
+h|Reason
+
+|`80`
+|Inbound HTTP traffic
+
+|`443`
+|Inbound HTTPS traffic
+
+|`22`
+|Inbound SSH traffic
+
+|`1024` - `65535`
+|Inbound ephemeral traffic
+
+|`0` - `65535`
+|Outbound ephemeral traffic
+
+
+|Private subnets
+|* `AWS::EC2::Subnet`
+* `AWS::EC2::RouteTable`
+* `AWS::EC2::SubnetRouteTableAssociation`
+2+|Your VPC can have private subnets. The provided CloudFormation templates
+can create private subnets for between 1 and 3 availability zones.
+If you use private subnets, you must provide appropriate routes and tables
+for them.
+
+|===
+
+[id="installation-custom-aws-vpc-validation_{context}"]
+== VPC validation
+
+To ensure that the subnets that you provide to the installation program are suitable, it confirms the following data:
+
+* All the subnets that you specify exist.
+* You provide private subnets.
+* The subnet CIDRs belong to the machine CIDR that you specified.
+* You provide subnets for each availability zone. Each availability zone contains no more than one public and one private subnet. If you use a private cluster, provide only a private subnet for each availability zone. Otherwise, provide exactly one public and private subnet for each availability zone.
+* You provide a public subnet for each private subnet availability zone. Machines are not provisioned in availability zones that you do not provide private subnets for.
+
+If you destroy a cluster that uses an existing VPC, the VPC is not deleted. When you remove the {product-title} cluster from a VPC, the `kubernetes.io/cluster/.*: shared` tag is removed from the subnets that it used.
+
+[id="installation-about-custom-aws-permissions_{context}"]
+== Division of permissions
+
+Starting with {product-title} 4.3, you do not need all of the permissions that are required for an installation program-provisioned infrastructure cluster to deploy a cluster. This change mimics the division of permissions that you might have at your company: some individuals can create different resource in your clouds than others. For example, you might be able to create application-specific items, like instances, buckets, and load balancers, but not networking-related components such as VPCs, subnet, or ingress rules.
+
+The AWS credentials that you use when you create your cluster do not need the networking permissions that are required to make VPCs and networking core components within the VPC, such as subnets, routing tables, internet gateways, NAT, and VPN. You still need permission to make the application resources that the machines within the cluster require, such as ELBs, security groups, S3 buckets, and nodes.
+
+[id="installation-custom-aws-vpc-isolation_{context}"]
+== Isolation between clusters
+
+If you deploy {product-title} to an existing network, the isolation of cluster services is reduced in the following ways:
+
+* You can install multiple {product-title} clusters in the same VPC.
+* ICMP ingress is allowed from the entire network.
+* TCP 22 ingress (SSH) is allowed to the entire network.
+//You can restrict ingress to the control plane and compute security groups by either adding the security groups to an SSH bastion instance or altering rules to allow the bastion.
+* Control plane TCP 6443 ingress (Kubernetes API) is allowed to the entire network.
+* Control plane TCP 22623 ingress (MCS) is allowed to the entire network.
+//This should be restricted to the control plane and compute security groups, instead of the current by-VPC-CIDR logic to avoid leaking sensitive Ignition configs to non-cluster entities sharing the VPC.

modules/installation-initializing.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations
 // * installing/installing_azure/installing-azure-vnet.adoc
@@ -19,6 +20,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :azure:
 endif::[]
@@ -195,6 +199,9 @@ endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-azure-customizations"]
 :!azure:
 endif::[]

modules/installation-launching-installer.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
@@ -22,6 +23,10 @@ ifeval::["{context}" == "installing-aws-network-customizations"]
 :custom-config:
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:custom-config:
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-default"]
 :no-config:
 :aws:
@@ -237,6 +242,10 @@ ifeval::["{context}" == "installing-aws-network-customizations"]
 :!custom-config:
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-vpc"]
+:!custom-config:
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-default"]
 :!no-config:
 :!aws:

modules/installation-obtaining-installer.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc

modules/olm-operatorhub-architecture.adoc

@@ -49,7 +49,7 @@ spec:
   ]
 ----
 <1> `disableAllDefaultSources` is an override that controls availability of all
-default OperatorSources that are configured by default during a {product-title}
+default OperatorSources that are configured by default during an {product-title}
 installation.
 <2> Disable default OperatorSources individually by changing the `disabled`
 parameter value per source.

modules/ssh-agent-using.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
+// * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc