openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/installation-about-restricted-network.adoc
Alisha Prabhu 8a053e3a3b OCP 4.19 IPI in a disconnected environment
2025-05-29 14:14:18 +00:00

170 lines
7.3 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-restricted-networks-aws.adoc
// * installing/installing_aws/installing-restricted-networks-aws-installer-provisioned.adoc
// * installing/installing_bare_metal/upi/installing-restricted-networks-bare-metal.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp-installer-provisioned.adoc
// * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
// * installing/installing_vsphere/installing-restricted-networks-installer-provisioned-vsphere.adoc
// * installing/installing_openstack/installing-openstack-installer-restricted.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_power/installing-restricted-networks-ibm-power.adoc
// * installing/installing_ibm_powervs/installing-restricted-networks-ibm-power-vs.adoc
// * installing/installing-restricted-networks-nutanix-installer-provisioned.adoc
// * installing/installing-restricted-networks-azure-installer-provisioned.adoc
// * installing/installing_ibm_cloud/installing-ibm-cloud-restricted.adoc
ifeval::["{context}" == "installing-ibm-power"]
:ibm-power:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
:ibm-power:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
:ibm-cloud:
:ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
:ipi:
:ipi-powervs:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
:ipi:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-restricted"]
:ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
:ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
:ipi:
endif::[]
:_mod-docs-content-type: CONCEPT
[id="installation-about-restricted-networks_{context}"]
= About installations in restricted networks
In {product-title} {product-version}, you can perform an installation that does not
require an active connection to the internet to obtain software components. Restricted network installations can be completed using installer-provisioned infrastructure or user-provisioned infrastructure, depending on the cloud platform to which you are installing the cluster.
ifndef::ibm-power,ibm-cloud[]
If you choose to perform a restricted network installation on a cloud platform, you
still require access to its cloud APIs. Some cloud functions, like
Amazon Web Service's Route 53 DNS and IAM services, require internet access.
//behind a proxy
Depending on your network, you might require less internet
access for an installation on bare metal hardware, Nutanix, or on VMware vSphere.
endif::ibm-power,ibm-cloud[]
ifndef::ibm-cloud[]
To complete a restricted network installation, you must create a registry that
mirrors the contents of the {product-registry} and contains the
installation media. You can create this registry on a mirror host, which can
access both the internet and your closed network, or by using other methods
that meet your restrictions.
endif::ibm-cloud[]
ifndef::ipi[]
[IMPORTANT]
====
Because of the complexity of the configuration for user-provisioned installations, consider completing a standard user-provisioned infrastructure installation before you attempt a restricted network installation using user-provisioned infrastructure. Completing this test installation might make it easier to isolate and troubleshoot any issues that might arise during your installation in a restricted network.
====
endif::ipi[]
ifdef::ibm-cloud[]
[id="required-internet-access-and-an-installation-host_{context}"]
== Required internet access and an installation host
You complete the installation using a bastion host or portable device that can access both the internet and your closed network. You must use a host with internet access to:
* Download the installation program, the OpenShift CLI (`oc`), and the CCO utility (`ccoctl`).
* Use the installation program to locate the {op-system-first} image and create the installation configuration file.
* Use `oc` to extract `ccoctl` from the CCO container image.
* Use `oc` and `ccoctl` to configure IAM for {ibm-cloud-name}.
[id="access-to-a-mirror-registry_{context}"]
== Access to a mirror registry
To complete a restricted network installation, you must create a registry that
mirrors the contents of the {product-registry} and contains the installation media.
You can create this registry on a mirror host, which can access both the internet and your restricted network, or by using other methods that meet your organization's security restrictions.
For more information on mirroring images for a disconnected installation, see "Additional resources".
[id="access-to-ibm-service-endpoints_{context}"]
== Access to IBM service endpoints
The installation program requires access to the following {ibm-cloud-name} service endpoints:
* Cloud Object Storage
* DNS Services
* Global Search
* Global Tagging
* Identity Services
* Resource Controller
* Resource Manager
* VPC
[NOTE]
====
If you are specifying an {ibm-name} Key Protect for {ibm-cloud-name} root key as part of the installation process, the service endpoint for Key Protect is also required.
====
By default, the public endpoint is used to access the service. If network restrictions limit access to public service endpoints, you can override the default behavior.
Before deploying the cluster, you can update the installation configuration file (`install-config.yaml`) to specify the URI of an alternate service endpoint. For more information on usage, see "Additional resources".
endif::ibm-cloud[]
[id="installation-restricted-network-limits_{context}"]
== Additional limits
Clusters in restricted networks have the following additional limitations and restrictions:
* The `ClusterVersion` status includes an `Unable to retrieve available updates`
error.
//* The authentication Operator might randomly fail.
* By default, you cannot use the contents of the Developer Catalog because
you cannot access the required image stream tags.
//* The `TelemeterClientDown` and `Watchdog` alerts from the monitoring Operator always display.
ifeval::["{context}" == "installing-ibm-power"]
:!ibm-power:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
:!ibm-power:
endif::[]
ifeval::["{context}" == "installing-ibm-cloud-restricted"]
:!ibm-cloud:
:!ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power-vs"]
:!ipi:
:!ipi-powervs:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp-installer-provisioned"]
:!ipi:
endif::[]
ifeval::["{context}" == "installing-openstack-installer-restricted"]
:!ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-installer-provisioned-vsphere"]
:!ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-aws-installer-provisioned"]
:!ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-nutanix-installer-provisioned"]
:!ipi:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-installer-provisioned"]
:!ipi:
endif::[]
View Git Blame Copy Permalink