openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/private-clusters-setting-api-private.adoc
Jeana Routh e2b6870d3e OSDOCS-17046: MACH-6 CQA split CPMS config assemblies
2025-12-15 16:13:14 +00:00

167 lines
5.6 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * post_installation_configuration/configuring-private-cluster.adoc
// * machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-aws.adoc
// * machine_management/control_plane_machine_management/cpmso_provider_configurations/cpmso-config-options-azure.adoc
ifeval::["{context}" == "configuring-private-cluster"]
:post-install:
endif::[]
ifeval::["{context}" == "cpmso-supported-features-aws"]
:cpmso-using-aws:
endif::[]
ifeval::["{context}" == "cpmso-supported-features-azure"]
:cpmso-using-azure:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="private-clusters-setting-api-private_{context}"]
= Restricting the API server to private
After you deploy a cluster to
ifdef::cpmso-using-aws[Amazon Web Services (AWS),]
ifdef::post-install[Amazon Web Services (AWS) or]
ifndef::cpmso-using-aws[Microsoft Azure,]
you can reconfigure the API server to use only the private zone.
.Prerequisites
* Install the {oc-first}.
* Have access to the web console as a user with `admin` privileges.
.Procedure
. In the web portal or console for your cloud provider, take the following actions:
.. Locate and delete the appropriate load balancer component:
ifndef::cpmso-using-azure[]
*** {aws-short} clusters: Delete the external load balancer. The API DNS entry in the private zone already points to the internal load balancer, which uses an identical configuration, so you do not need to modify the internal load balancer.
endif::cpmso-using-azure[]
ifndef::cpmso-using-aws[]
*** {azure-short}: Delete the following resources:
** The `api-v4` rule for the public load balancer.
** The `frontendIPConfiguration` parameter that is associated with the `api-v4` rule for the public load balancer.
** The public IP that is specified in the `frontendIPConfiguration` parameter.
.. {azure-short} clusters: Configure the Ingress Controller endpoint publishing scope to `Internal`.
For more information, see "Configuring the Ingress Controller endpoint publishing scope to Internal".
endif::cpmso-using-aws[]
.. Delete the
ifdef::cpmso-using-aws[`api.$clustername.$yourdomain`]
ifdef::post-install[`api.$clustername.$yourdomain` or]
ifndef::cpmso-using-aws[`api.$clustername`]
DNS entry in the public zone.
ifdef::cpmso-using-aws[]
. Remove the external load balancers by deleting the following indicated lines in the control plane machine set custom resource:
+
[source,yaml]
----
# ...
providerSpec:
value:
# ...
loadBalancers:
- name: lk4pj-ext # <1>
type: network # <2>
- name: lk4pj-int
type: network
# ...
----
<1> Delete the `name` value for the external load balancer, which ends in `-ext`.
<2> Delete the `type` value for the external load balancer.
endif::cpmso-using-aws[]
ifdef::post-install[]
. {aws-short} clusters: Remove the external load balancers:
+
[IMPORTANT]
====
You can run the following steps only for an installer-provisioned infrastructure (IPI) cluster. For a user-provisioned infrastructure (UPI) cluster, you must manually remove or disable the external load balancers.
====
** If your cluster uses a control plane machine set, delete the lines in the control plane machine set custom resource that configure your public or external load balancer:
+
[source,yaml]
----
# ...
providerSpec:
value:
# ...
loadBalancers:
- name: lk4pj-ext # <1>
type: network # <2>
- name: lk4pj-int
type: network
# ...
----
<1> Delete the `name` value for the external load balancer, which ends in `-ext`.
<2> Delete the `type` value for the external load balancer.
** If your cluster does not use a control plane machine set, you must delete the external load balancers from each control plane machine.
... From your terminal, list the cluster machines by running the following command:
+
[source,terminal]
----
$ oc get machine -n openshift-machine-api
----
+
.Example output
[source,terminal]
----
NAME STATE TYPE REGION ZONE AGE
lk4pj-master-0 running m4.xlarge us-east-1 us-east-1a 17m
lk4pj-master-1 running m4.xlarge us-east-1 us-east-1b 17m
lk4pj-master-2 running m4.xlarge us-east-1 us-east-1a 17m
lk4pj-worker-us-east-1a-5fzfj running m4.xlarge us-east-1 us-east-1a 15m
lk4pj-worker-us-east-1a-vbghs running m4.xlarge us-east-1 us-east-1a 15m
lk4pj-worker-us-east-1b-zgpzg running m4.xlarge us-east-1 us-east-1b 15m
----
+
The control plane machines contain `master` in the name.
... Remove the external load balancer from each control plane machine:
.... Edit a control plane machine object to by running the following command:
+
[source,terminal]
----
$ oc edit machines -n openshift-machine-api <control_plane_name> <1>
----
<1> Specify the name of the control plane machine object to modify.
.... Remove the lines that describe the external load balancer, which are marked in the following example:
+
[source,yaml]
----
# ...
providerSpec:
value:
# ...
loadBalancers:
- name: lk4pj-ext # <1>
type: network # <2>
- name: lk4pj-int
type: network
# ...
----
<1> Delete the `name` value for the external load balancer, which ends in `-ext`.
<2> Delete the `type` value for the external load balancer.
.... Save your changes and exit the object specification.
.... Repeat this process for each of the control plane machines.
endif::post-install[]
ifeval::["{context}" == "configuring-private-cluster"]
:!post-install:
endif::[]
ifeval::["{context}" == "cpmso-using-aws"]
:!cpmso-using-aws:
endif::[]
ifeval::["{context}" == "cpmso-using-azure"]
:!cpmso-using-azure:
endif::[]
View Git Blame Copy Permalink