mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * installing/installing_azure/installing-azure-user-infra.adoc
// * installing/installing_azure_stack_hub/installing-azure-stack-hub-user-infra.adoc
// * installing/installing_bare_metal/upi/installing-bare-metal.adoc
// * installing/installing_bare_metal/upi/installing-bare-metal-network-customizations.adoc
// * installing/installing_bare_metal/upi/installing-restricted-networks-bare-metal.adoc
// * installing/installing_gcp/installing-gcp-user-infra.adoc
// * installing/installing_gcp/installing-gcp-user-infra-vpc.adoc
// * installing/installing_gcp/installing-restricted-networks-gcp.adoc
// * installing/installing_platform_agnostic/installing-platform-agnostic.adoc
// * installing/installing_ibm_z/installing-ibm-z.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z.adoc
// * installing/installing_ibm_z/installing-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-kvm.adoc
// * installing/installing_ibm_z/installing-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-z-lpar.adoc
// * installing/installing_ibm_z/installing-ibm-power.adoc
// * installing/installing_ibm_z/installing-restricted-networks-ibm-power.adoc
// * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc
// * installing/installing_vsphere/upi/upi-vsphere-installation-reqs.adoc

ifeval::["{context}" == "installing-ibm-z"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:ibm-z-restricted:
:restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
:restricted:
endif::[]
ifeval::["{context}" == "installing-ibm-z-lpar"]
:ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
:ibm-z-restricted:
:restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
:restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:restricted:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:azure:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-user-infra"]
:azure:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:gcp:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:gcp:
:restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-user-provisioned"]
:azure:
endif::[]
ifeval::["{context}" == "upi-vsphere-installation-reqs"]
:vsphere:
endif::[]

:_mod-docs-content-type: CONCEPT
[id="installation-network-user-infra_{context}"]
= Networking requirements for user-provisioned infrastructure

[role="_abstract"]
You must configure networking for all the {op-system-first} machines in `initramfs` during boot, so that they can fetch their Ignition config files.

[IMPORTANT]
====
If your cluster machines are VMware vSphere virtual machines, ensure you enable the `disk.EnableUUID` parameter on all of them, so that the guest operating system can identify its disks by a stable UUID.
====

ifndef::azure,gcp[]
ifdef::ibm-z[]
During the initial boot, the machines require a network connection to an HTTP or HTTPS server so that they can download their Ignition config files.

The machines are configured with static IP addresses. No DHCP server is required. Ensure that the machines have persistent IP addresses and hostnames.
endif::ibm-z[]
ifndef::ibm-z[]
During the initial boot, the machines require an IP address configuration that is set either through a DHCP server or statically by providing the required boot options. After a network connection is established, the machines download their Ignition config files from an HTTP or HTTPS server. The Ignition config files are then used to set the exact state of each machine. The Machine Config Operator completes more changes to the machines, such as the application of new certificates or keys, after installation.

Because the Ignition config files, and the bootstrap file in particular, carry cluster credentials, restrict access to the server that hosts them to the installation network and serve them over HTTPS where your environment allows it.

[NOTE]
====
* Consider using a DHCP server for long-term management of the cluster machines. Ensure that the DHCP server is configured to provide persistent IP addresses, DNS server information, and hostnames to the cluster machines.

* If a DHCP service is not available for your user-provisioned infrastructure, you can instead provide the IP networking configuration and the address of the DNS server to the nodes at {op-system} install time. These can be passed as boot arguments if you are installing from an ISO image. See the _Installing {op-system} and starting the {product-title} bootstrap process_ section for more information about static IP provisioning and advanced networking options.
====
endif::ibm-z[]

The Kubernetes API server must be able to resolve the node names of the cluster machines. If the API servers and worker nodes are in different zones, you can configure a default DNS search zone to allow the API server to resolve the node names. Another supported approach is to always refer to hosts by their fully-qualified domain names in both the node objects and all DNS requests.
endif::azure,gcp[]

ifndef::ibm-z,azure[]
[id="installation-host-names-dhcp-user-infra_{context}"]
== Setting the cluster node hostnames through DHCP

On {op-system-first} machines, the hostname is set through NetworkManager. By default, the machines obtain their hostname through DHCP. If the hostname is not provided by DHCP, set statically through kernel arguments, or set by another method, it is obtained through a reverse DNS lookup. Reverse DNS lookup occurs after the network has been initialized on a node and can take time to resolve. Other system services can start before this and detect the hostname as `localhost` or similar. You can avoid this by using DHCP to provide the hostname for each cluster node.

Additionally, setting the hostnames through DHCP can bypass any manual DNS record name configuration errors in environments that have a DNS split-horizon implementation.
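The two provisioning styles described earlier in this section (DHCP with persistent addresses, DNS server information and hostnames, or a static configuration passed as boot arguments) and the hostname-through-DHCP guidance above both come down to giving every node one consistent identity. The following shell script is an added example, not part of the OpenShift documentation or the installer: from a constructed inventory it emits a dnsmasq DHCP reservation per node plus the DHCP options for the DNS server, NTP server and search domain, and the equivalent `ip=` and `nameserver=` dracut boot arguments for the static case. The addresses, MACs, hostnames, the interface name `enp1s0`, the domain `ocp4.example.com` and the function names are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the OpenShift documentation or installer.
# From one constructed inventory, emit the two forms of per-node network
# identity this section discusses:
#   1. a dnsmasq DHCP reservation that hands out a persistent IP address and
#      the short hostname (DHCP option 12), plus DHCP options for the DNS
#      server, NTP server and search domain, and
#   2. the equivalent dracut `ip=` and `nameserver=` boot arguments for a
#      static configuration when no DHCP service exists.
# Every address, MAC, hostname and the interface name are assumed sample values.

DNS_SERVER=192.0.2.2      # assumed: resolver that knows the cluster records
NTP_SERVER=192.0.2.3      # assumed: local NTP server advertised over DHCP
GATEWAY=192.0.2.1
NETMASK=255.255.255.0
IFACE=enp1s0              # assumed NIC name on the RHCOS hosts
CLUSTER_DOMAIN=ocp4.example.com

# Constructed inventory, one node per line: role  mac  ip  fqdn
INVENTORY='
bootstrap 52:54:00:aa:bb:00 192.0.2.10 bootstrap.ocp4.example.com
master    52:54:00:aa:bb:01 192.0.2.11 master0.ocp4.example.com
worker    52:54:00:aa:bb:11 192.0.2.21 worker0.ocp4.example.com
'

# is_ipv4 ADDR: four dotted octets, each 0-255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])$'
}

# is_fqdn NAME: two or more DNS labels. The API server must resolve node names,
# so a bare short name is rejected rather than silently accepted.
is_fqdn() {
  printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# ip_karg IP FQDN: static network boot arguments for an RHCOS machine, in the
# dracut form ip=<client>:<peer>:<gateway>:<netmask>:<hostname>:<iface>:<autoconf>.
ip_karg() {
  is_ipv4 "$1" && is_fqdn "$2" || return 1
  printf 'ip=%s::%s:%s:%s:%s:none nameserver=%s\n' \
    "$1" "$GATEWAY" "$NETMASK" "$2" "$IFACE" "$DNS_SERVER"
}

# dhcp_reservation MAC IP FQDN: dnsmasq static lease. dnsmasq takes the short
# host name here and appends the domain from the domain-name option below.
dhcp_reservation() {
  is_ipv4 "$2" && is_fqdn "$3" || return 1
  printf 'dhcp-host=%s,%s,%s\n' "$1" "$2" "${3%%.*}"
}

# dnsmasq_options DOMAIN: options every lease carries (DNS, NTP, search domain).
dnsmasq_options() {
  printf 'dhcp-option=option:dns-server,%s\n' "$DNS_SERVER"
  printf 'dhcp-option=option:ntp-server,%s\n' "$NTP_SERVER"
  printf 'dhcp-option=option:domain-name,%s\n' "$1"
  printf 'dhcp-option=option:domain-search,%s\n' "$1"
}

# render_all: print both artifacts for every inventory entry; return 1 on any
# malformed entry so a typo in the inventory is caught before a node boots.
render_all() {
  rc=0
  echo "# --- dnsmasq.conf fragment ---"
  dnsmasq_options "$CLUSTER_DOMAIN"
  printf '%s\n' "$INVENTORY" | while read -r role mac ip fqdn; do
    [ -n "$role" ] || continue
    dhcp_reservation "$mac" "$ip" "$fqdn" || { echo "bad entry: $role" >&2; exit 1; }
  done || rc=1
  echo "# --- static boot arguments (no DHCP) ---"
  printf '%s\n' "$INVENTORY" | while read -r role mac ip fqdn; do
    [ -n "$role" ] || continue
    printf '%s: ' "$role"
    ip_karg "$ip" "$fqdn" || { echo "bad entry: $role" >&2; exit 1; }
  done || rc=1
  return $rc
}

render_all
```

Keep the inventory as the single source for both outputs: a node whose DHCP reservation and fallback boot arguments disagree on address or hostname is exactly the kind of drift that later shows up as a node registering under `localhost` or an unresolvable name.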

endif::ibm-z,azure[]

[id="installation-network-connectivity-user-infra_{context}"]
== Network connectivity requirements

You must configure the network connectivity between machines to allow {product-title} cluster components to communicate. Each machine must be able to resolve the hostnames of all other machines in the cluster.

This section provides details about the ports that are required.

ifndef::restricted,origin[]
[IMPORTANT]
====
In connected {product-title} environments, all nodes are required to have internet access to pull images for platform containers and provide telemetry data to Red Hat.
====

endif::restricted,origin[]

ifdef::ibm-z[]
[NOTE]
====
In a {op-system-base} KVM environment the host must be configured to use bridged networking in libvirt or MacVTap to connect the network to the virtual machines. The virtual machines must have access to the network, which is attached to the {op-system-base} KVM host. Virtual Networks, for example network address translation (NAT), within KVM are not a supported configuration.
====
endif::ibm-z[]

.Ports used for all-machine to all-machine communications
[cols="2a,2a,5a",options="header"]
|===

|Protocol
|Port
|Description

|ICMP
|N/A
|Network reachability tests

.4+|TCP
|`1936`
|Metrics

|`9000`-`9999`
|Host level services, including the node exporter on ports `9100`-`9101` and the Cluster Version Operator on port `9099`.

|`10250`-`10259`
|The default ports that Kubernetes reserves

|`22623`
|Machine Config Server. Nodes fetch their machine configs from this port on the control plane machines. Keep it reachable only from within the cluster.

.5+|UDP
|`6081`
|Geneve

|`9000`-`9999`
|Host level services, including the node exporter on ports `9100`-`9101`.

|`500`
|IPsec IKE packets

|`4500`
|IPsec NAT-T packets

|`123`
|Network Time Protocol (NTP). If an external NTP time server is configured, you must also open UDP port `123` from the nodes to that server.

|TCP/UDP
|`30000`-`32767`
|Kubernetes node port

|ESP
|N/A
|IPsec Encapsulating Security Payload (ESP)

|===

.Ports used for all-machine to control plane communications
[cols="2a,2a,5a",options="header"]
|===

|Protocol
|Port
|Description

|TCP
|`6443`
|Kubernetes API

|===

.Ports used for control plane machine to control plane machine communications
[cols="2a,2a,5a",options="header"]
|===

|Protocol
|Port
|Description

|TCP
|`2379`-`2380`
|etcd server and peer ports

|===
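As an added example that is not from the documentation or from any OpenShift tool, the following script turns the three tables above into a pre-flight check that you can run from a freshly booted machine before you start the bootstrap. It probes the TCP rows against the peers you list and classifies each result as `open`, `closed` or `filtered`. Only `filtered` (a connect that times out) points at a missing firewall or security-group rule, because a `closed` answer shows that the path itself is not blocked and simply nothing is listening yet. UDP and ESP rows cannot be verified from the client side and are printed for manual confirmation. The peer addresses, the `PEERS`, `CONTROL_PLANE`, `IGNITION_HOST` and `IGNITION_PORT` variables and the representative ports chosen inside each range are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the OpenShift documentation or any OpenShift tool.
# Pre-flight check of the port requirements in the tables above, to run from a
# booted machine before you start the bootstrap. Only TCP rows can be probed
# from the client side; UDP and ESP rows are printed for manual verification.
# The addresses and the variable names are assumptions.

PEERS="${PEERS:-192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.21}"        # every cluster machine
CONTROL_PLANE="${CONTROL_PLANE:-192.0.2.11 192.0.2.12 192.0.2.13}"   # control plane machines
IGNITION_HOST="${IGNITION_HOST:-192.0.2.5}"                          # HTTP(S) server for *.ign
IGNITION_PORT="${IGNITION_PORT:-8080}"

# Rows transcribed from the tables above. Columns: scope|proto|ports|probe|description.
# "probe" holds representative ports to test inside a range; "-" means not probeable.
PORT_SPEC='
all|tcp|1936|1936|Metrics
all|tcp|9000-9999|9099 9100|Host level services (node exporter 9100-9101, CVO 9099)
all|tcp|10250-10259|10250|Kubernetes reserved ports
all|tcp|22623|22623|Machine Config Server (listens on control plane machines only)
all|udp|6081|-|Geneve
all|udp|9000-9999|-|Host level services
all|udp|500|-|IPsec IKE
all|udp|4500|-|IPsec NAT-T
all|udp|123|-|NTP
all|tcp|30000-32767|30000|Kubernetes node port
all|udp|30000-32767|-|Kubernetes node port
all|esp|-|-|IPsec ESP
cp|tcp|6443|6443|Kubernetes API
cp-cp|tcp|2379-2380|2379 2380|etcd server and peer (control plane to control plane)
'

# probe HOST PORT: classify one TCP connect.
#   open     - something accepted the connection
#   closed   - immediate error (connection refused, no route): the path answered
#   filtered - connect timed out: the usual signature of a firewall drop
probe() {
  rc=0
  if command -v timeout >/dev/null 2>&1; then
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || rc=$?
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || rc=$?
  fi
  case $rc in
    0)   echo open ;;
    124) echo filtered ;;
    *)   echo closed ;;
  esac
}

# check_scope SCOPE HOST...: probe every row of SCOPE against each HOST.
# Prints one line per result; returns 1 if any probe came back filtered.
check_scope() {
  scope=$1; shift
  printf '%s\n' "$PORT_SPEC" | {
    failed=0
    while IFS='|' read -r sc proto ports reps desc; do
      [ "$sc" = "$scope" ] || continue
      if [ "$proto" != tcp ] || [ "$reps" = - ]; then
        echo "MANUAL   $proto $ports ($desc): confirm on the firewall, not probed"
        continue
      fi
      for h in "$@"; do
        for p in $reps; do
          r=$(probe "$h" "$p")
          printf '%-8s %s:%s (%s)\n' "$r" "$h" "$p" "$desc"
          [ "$r" = filtered ] && failed=1
        done
      done
    done
    exit $failed
  }
}

# Run the full set only when given an argument, so that sourcing this file for
# its functions does not start probing.
if [ "$#" -gt 0 ]; then
  echo "== Ignition config source =="
  printf '%-8s %s:%s\n' "$(probe "$IGNITION_HOST" "$IGNITION_PORT")" "$IGNITION_HOST" "$IGNITION_PORT"
  echo "== all-machine to all-machine =="
  check_scope all $PEERS
  echo "== all-machine to control plane =="
  check_scope cp $CONTROL_PLANE
  echo "== control plane to control plane (run this on a control plane machine) =="
  check_scope cp-cp $CONTROL_PLANE
fi
```

Run it as `PEERS="..." CONTROL_PLANE="..." bash preflight.sh run` on each node role; a `filtered` line on `22623` or `2379` from a worker is expected to be absent only because those listeners live on the control plane, so read the result together with the node you ran it from.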

ifndef::azure,gcp[]

== NTP configuration for user-provisioned infrastructure

{product-title} clusters are configured to use a public Network Time Protocol (NTP) server by default. If you want to use a local enterprise NTP server, or if your cluster is being deployed in a disconnected network, you can configure the cluster to use a specific time server. For more information, see the documentation for _Configuring chrony time service_.

ifndef::ibm-z,ibm-z-restricted[]
If a DHCP server provides NTP server information, the chrony time service on the {op-system-first} machines reads the information and can sync the clock with the NTP servers.
endif::ibm-z,ibm-z-restricted[]
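The _Configuring chrony time service_ procedure referenced above builds the configuration with Butane. As an added example that is not the documentation's own procedure, the following shell script writes the resulting `MachineConfig` directly, so that you can see what the Machine Config Operator places at `/etc/chrony.conf` on each node of a role, and decodes it back for review before you apply it with `oc apply -f`. The server names, the `99-<role>-chrony` naming and the Ignition `3.2.0` spec version are assumptions; match the spec version to the release of your cluster.

```bash
#!/usr/bin/env bash
# Added example, not the documentation's own procedure (which uses Butane).
# Builds the MachineConfig that points the chrony time service of one node
# role at specific NTP servers, and decodes it back for review. The server
# names, the 99-<role>-chrony name and the Ignition 3.2.0 spec version are
# assumptions; match the spec version to your cluster's release.

# chrony_conf SERVER...: minimal /etc/chrony.conf using only the given servers
# (no public pool), as a disconnected or enterprise-NTP deployment needs.
chrony_conf() {
  for s in "$@"; do
    printf 'server %s iburst\n' "$s"
  done
  cat <<'EOF'
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
logdir /var/log/chrony
EOF
}

# b64: base64 without line wrapping (portable across GNU and BSD base64).
b64() {
  base64 | tr -d '\n'
}

# chrony_machineconfig ROLE SERVER...: MachineConfig manifest for ROLE whose
# Ignition storage section writes /etc/chrony.conf (mode 0644 = decimal 420).
chrony_machineconfig() {
  role=$1; shift
  encoded=$(chrony_conf "$@" | b64)
  cat <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: ${role}
  name: 99-${role}-chrony
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
      - path: /etc/chrony.conf
        mode: 420
        overwrite: true
        contents:
          source: data:text/plain;charset=utf-8;base64,${encoded}
EOF
}

# decode_chrony MANIFEST: recover the chrony.conf text from a manifest, so the
# file that will land on every node can be reviewed before `oc apply -f`.
decode_chrony() {
  printf '%s\n' "$1" | sed -n 's/.*;base64,//p' | base64 -d
}

chrony_machineconfig worker ntp1.example.com ntp2.example.com
```

Generate one manifest per role (`master` and `worker`) and keep the decoded output under review: the `source` data URL is what ends up on disk, and an unreviewed blob is where an unintended public `pool` line or a typo in a server name survives unnoticed.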
endif::azure,gcp[]

ifeval::["{context}" == "installing-ibm-z"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-ibm-z-kvm"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z"]
:!ibm-z-restricted:
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-kvm"]
:!restricted:
endif::[]
ifeval::["{context}" == "installing-ibm-z-lpar"]
:!ibm-z:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-z-lpar"]
:!ibm-z-restricted:
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-ibm-power"]
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
:!restricted:
endif::[]
ifeval::["{context}" == "installing-azure-user-infra"]
:!azure:
endif::[]
ifeval::["{context}" == "installing-azure-stack-hub-user-infra"]
:!azure:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-gcp-user-infra-vpc"]
:!gcp:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-gcp"]
:!gcp:
:!restricted:
endif::[]
ifeval::["{context}" == "installing-restricted-networks-azure-user-provisioned"]
:!azure:
endif::[]
ifeval::["{context}" == "upi-vsphere-installation-reqs"]
:!vsphere:
endif::[]