osdocs-774 private Azure

2026-02-05 12:46:18 +01:00 · 2019-11-22 08:24:58 -05:00
parent 05ceb8bb2b
commit d4a188cc7f
15 changed files with 108 additions and 2 deletions
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -119,6 +119,8 @@ Topics:
    File: installing-azure-network-customizations
  - Name: Installing a cluster on Azure into an existing VNet
    File: installing-azure-vnet
+  - Name: Installing a private cluster on Azure
+    File: installing-azure-private
  - Name: Uninstalling a cluster on Azure
    File: uninstalling-cluster-azure
 - Name: Installing on GCP
--- a/installing/installing_azure/installing-azure-private.adoc
+++ b/installing/installing_azure/installing-azure-private.adoc
@@ -0,0 +1,50 @@
+[id="installing-azure-private"]
+= Installing a private cluster on Azure
+include::modules/common-attributes.adoc[]
+:context: installing-azure-private
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a private cluster into an existing Azure Virtual Network (VNet) on Microsoft Azure. The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, you modify parameters in the `install-config.yaml` file before you install the cluster.
+
+.Prerequisites
+
+* Review details about the
+xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update]
+processes.
+* xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[Configure an Azure account] to host the cluster and determine the tested and validated region to deploy the cluster to.
+* If you use a firewall, you must
+xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to.
+
+include::modules/private-clusters-default.adoc[leveloffset=+1]
+
+include::modules/private-clusters-about-azure.adoc[leveloffset=+2]
+
+include::modules/installation-about-custom-azure-vnet.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-initializing.adoc[leveloffset=+1]
+
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+
+include::modules/installation-azure-config-yaml.adoc[leveloffset=+2]
+
+// Removing; Proxy not supported for Azure IPI for 4.2
+// include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+.Next steps
+
+* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
--- a/modules/cli-installing-cli.adoc
+++ b/modules/cli-installing-cli.adoc
@@ -9,6 +9,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
--- a/modules/cli-logging-in-kubeadmin.adoc
+++ b/modules/cli-logging-in-kubeadmin.adoc
@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
--- a/modules/cluster-entitlements.adoc
+++ b/modules/cluster-entitlements.adoc
@@ -9,6 +9,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
--- a/modules/installation-about-custom-azure-vnet.adoc
+++ b/modules/installation-about-custom-azure-vnet.adoc
@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc

 [id="installation-about-custom-azure-vnet_{context}"]
--- a/modules/installation-azure-config-yaml.adoc
+++ b/modules/installation-azure-config-yaml.adoc
@@ -13,6 +13,10 @@ endif::[]
 ifeval::["{context}" == "installing-azure-vnet"]
 :vnet:
 endif::[]
+ifeval::["{context}" == "installing-azure-private"]
+:vnet:
+:private:
+endif::[]

 [id="installation-azure-config-yaml_{context}"]
 = Sample customized `install-config.yaml` file for Azure
@@ -84,7 +88,9 @@ ifndef::vnet[]
 fips: false <8>
 sshKey: ssh-ed25519 AAAA... <9>
 endif::vnet[]
-
+ifdef::private[]
+publish: Internal <14>
+endif::private[]
 ----
 <1> Required. The installation program prompts you for this value.
 <2> If you do not provide these parameters and values, the installation program provides the default value.
@@ -117,7 +123,9 @@ endif::vnet[]
 ====
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery on, specify an SSH key that your `ssh-agent` process uses.
 ====
-
+ifdef::private[]
+<14> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
+endif::private[]

 ifeval::["{context}" == "installing-azure-network-customizations"]
 :!with-networking:
--- a/modules/installation-configuration-parameters.adoc
+++ b/modules/installation-configuration-parameters.adoc
@@ -6,6 +6,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
--- a/modules/installation-initializing.adoc
+++ b/modules/installation-initializing.adoc
@@ -6,6 +6,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-network-customizations
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
 // * installing/installing_gcp/installing-gcp-network-customizations.adoc
--- a/modules/installation-launching-installer.adoc
+++ b/modules/installation-launching-installer.adoc
@@ -7,6 +7,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
 // * installing/installing_gcp/installing-gcp-default.adoc
--- a/modules/installation-obtaining-installer.adoc
+++ b/modules/installation-obtaining-installer.adoc
@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc
--- a/modules/installation-vsphere-config-yaml.adoc
+++ b/modules/installation-vsphere-config-yaml.adoc
@@ -40,6 +40,7 @@ fips: false <12>
 pullSecret: '{"auths": ...}' <13>
 endif::restricted[]
 ifdef::restricted[]
+fips: false <12>
 pullSecret: '{"auths":{"<bastion_host_name>:5000": {"auth": "<credentials>","email": "you@example.com"}}}' <13>
 endif::restricted[]
 sshKey: 'ssh-ed25519 AAAA...' <14>
--- a/modules/private-clusters-about-azure.adoc
+++ b/modules/private-clusters-about-azure.adoc
@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * installing/
+
+[id="private-clusters-about-azure_{context}"]
+= Private clusters in Azure
+
+To create a private cluster on Microsoft Azure, you must provide an existing private VNet and subnets to host the cluster. The installation program must also be able to resolve the DNS records that the cluster requires. The installation program configures the Ingress Operator and API server for only internal traffic.
+
+Depending how your network connects to the private VNET, you might need to use a DNS forwarder in order to resolve the cluster's private DNS records. The cluster's machines use `168.63.129.16` internally for DNS resolution. For more information, see link:https://docs.microsoft.com/en-us/azure/dns/private-dns-overview[What is Azure Private DNS?] and link:https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16[What is IP address 168.63.129.16?] in the Azure documentation.
+
+The cluster still requires access to Internet to access the Azure APIs.
+
+The following items are not required or created when you install a private cluster:
+
+* A `BaseDomainResourceGroup`, since the cluster does not create public records
+* Public IP addresses
+* Public DNS records
+* Public endpoints
+
+ The cluster is configured so that the Operators do not create public records for the cluster and all cluster machines are placed in the private subnets that you specify.
+
+[id="private-clusters-limitations-azure_{context}"]
+== Limitations
+
+Private clusters on Azure are subject to only the limitations that are associated with the use of an existing VNet
+
+
+////
+Is this also valid in Azure?
+
+The ability to add public functionality to a private cluster is limited.
+
+* You cannot make the Kubernetes API endpoints public after installation without taking additional actions, including creating public subnets in the VNet for each availablity zone in use, creating a public load balancer, and configuring the control plane security groups to allow traffic from Internet on 6443 (Kubernetes API port).
+////
--- a/modules/private-clusters-default.adoc
+++ b/modules/private-clusters-default.adoc
@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_gcp/installing-gcp-private.adoc
+// * installing/installing_azure/installing-azure-private.adoc

 [id="private-clusters-default_{context}"]
 = Private clusters
--- a/modules/ssh-agent-using.adoc
+++ b/modules/ssh-agent-using.adoc
@@ -8,6 +8,7 @@
 // * installing/installing_aws/installing-aws-vpc.adoc
 // * installing/installing_azure/installing-azure-customizations.adoc
 // * installing/installing_azure/installing-azure-default.adoc
+// * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-vnet.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_gcp/installing-gcp-customizations.adoc