openshift-docs/modules/rosa-create-objects.adoc

// Module included in the following assemblies:
//
// * rosa_cli/rosa-manage-objects-cli.adoc
:_mod-docs-content-type: REFERENCE
[id="rosa-create-objects_{context}"]
= Create objects
//Adding the following condition fpr pruning purposes. Once pruning complete, note should be removed from HCP docs and flag can be manually added to each create command (where applicable).
ifdef::openshift-rosa-hcp[]
[NOTE]
====
To create a {product-title} cluster, include the '--hosted-cp' flag where necessary.
====
endif::openshift-rosa-hcp[]
This section describes the `create` commands for clusters and resources.

[id="rosa-create-account-roles_{context}"]
== create account-roles

Create the required account-wide role and policy resources for your cluster.

.Syntax
[source,terminal]
----
$ rosa create account-roles [flags]
----

.Flags
[cols="30,70"]
|===
|Option |Definition

|--debug
|Enable debug mode.

|-i, --interactive
|Enable interactive mode.

|-m, --mode string
a|How to perform the operation. Valid options are:

`auto`:: Resource changes will be automatically applied using the current AWS account.
`manual`:: Commands necessary to modify AWS resources will be output to be run manually.

|--path string
|The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies.

|--permissions-boundary string
|The ARN of the policy that is used to set the permissions boundary for the account roles.

|--prefix string
|User-defined prefix for all generated AWS resources. The default is `ManagedOpenShift`.

|--profile string
|Use a specific AWS profile from your credential file.

|-y, --yes
|Automatically answer yes to confirm operations.

|===

[id="rosa-create-admin_{context}"]
== create admin

Create a cluster administrator with an automatically generated password that can log in to a cluster.

.Syntax
[source,terminal]
----
$ rosa create admin --cluster=<cluster_name>|<cluster_id>
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

a|--cluster <cluster_name>\|<cluster_id>
|Required. The name or ID (string) of the cluster to add to the identity provider (IDP).
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile string
|Specifies an AWS profile from your credentials file.
|===

.Example
Create a cluster administrator that can log in to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create admin --cluster=mycluster
----
ifdef::openshift-rosa-hcp[]
[id="rosa-create-break-glass-credential_{context}"]
== create break glass credential

Create a break glass credential for a {product-title} cluster with external authentication enabled.

.Syntax
[source,terminal]
----
$ rosa create break-glass-credential --cluster=<cluster_name> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

|--cluster <cluster_name>\|<cluster_id>
|Required. The name or ID of the cluster to which the break glass credential will be added.

|--expiration
|Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours.

|--username
|Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile (string) from your credentials file.

|--region
|Specifies an AWS region, overriding the `AWS_REGION` environment variable.

|--yes
|Automatically answers `yes` to confirm the operation.
|===

.Examples
Add a break glass credential to a cluster named `mycluster`.

.Syntax
[source,terminal]
----
$ rosa create break-glass-credential --cluster=mycluster
----

Add a break glass credential to a cluster named `mycluster` using the interactive mode.

.Syntax
[source,terminal]
----
$ rosa create break-glass-credential --cluster=mycluster -i
----
endif::openshift-rosa-hcp[]
[id="rosa-create-cluster-command_{context}"]
== create cluster

Create a new cluster.

.Syntax
[source,terminal]
----
$ rosa create cluster --cluster-name=<cluster_name> [arguments]
----
//Note to writers: The create cluster command specifically uses --cluster-name because a cluster ID does not exist yet. All other commands use --cluster because either the name or the ID can be used.

.Arguments
[cols="30,70"]
|===
|Option |Definition

|--additional-compute-security-group-ids <sec_group_id>
|The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements for _Security groups_ under _Additional resources_.

|--additional-infra-security-group-ids <sec_group_id>
|The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements for _Security groups_ under _Additional resources_.

|--additional-control-plane-security-group-ids <sec_group_id>
|The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for _Security groups_ under _Additional resources_.
ifdef::openshift-rosa-hcp[]
|--additional-allowed-principals <arn>
|A comma-separated list of additional allowed principal ARNs to be added to the hosted control plane's VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted.
endif::openshift-rosa-hcp[]
a|--cluster-name <cluster_name>
|Required. The name of the cluster. When used with the `create cluster` command, this argument is used to set the cluster name and can hold up to 54 characters. The value for this argument must be unique within your organization.

|--compute-machine-type <instance_type>
|The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, see _AWS Instance types_ in _ROSA service definition_.

|--controlplane-iam-role <arn>
|The ARN of the IAM role to attach to control plane instances.

|--create-cluster-admin
|Optional. As part of cluster creation, create a local administrator user (`cluster-admin`) for your cluster. This automatically configures an htpasswd identity provider for the `cluster-admin` user. Optionally, use the `--cluster-admin-user` and `--cluster-admin-password` options to specify the username and password for the administrator user. Omitting these options automatically generates the credentials and displays their values as terminal output.

|--cluster-admin-user
|Optional. Specifies the user name of the cluster administrator user created when used in conjunction with the `--create-cluster-admin` option.

|--cluster-admin-password
|Optional. Specifies the password of the cluster administrator user created when used in conjunction with the `--create-cluster-admin` option.

|--disable-scp-checks
|Indicates whether cloud permission checks are disabled when attempting to install a cluster.

|--dry-run
|Simulates creating the cluster.

|--domain-prefix
|Optional: When used with the `create cluster` command, this argument sets the subdomain for your cluster on `*.openshiftapps.com`. The value for this argument must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation.
If the argument is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is fewer than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.

|--ec2-metadata-http-tokens string
|Configures the use of IMDSv2 for EC2 instances. Valid values are `optional` (default) or `required`.

|--enable-autoscaling
|Enables autoscaling of compute nodes. By default, autoscaling is set to `2` nodes. To set non-default node limits, use this argument with the `--min-replicas` and `--max-replicas` arguments.

|--etcd-encryption
|Enables encryption of ETCD key-values on Red Hat OpenShift Service on AWS (classical architecture) clusters.

|--etcd-encryption-kms-arn
|Enables encryption of ETCD storage using the customer-managed key managed in AWS Key Management Service.

|--external-id <arn_string>
|An optional unique identifier that might be required when you assume a role in another account.

|--host-prefix <subnet>
|The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to `23`, then each node is assigned a `/23` subnet out of the given CIDR.

|--machine-cidr <address_block>
a|Block of IP addresses (ipNet) used by {product-title} while installing the cluster, for example, `10.0.0.0/16`.

[IMPORTANT]
====
OVN-Kubernetes, the default network provider in {product-title} 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
====

|--max-replicas <number_of_nodes>
|Specifies the maximum number of compute nodes when enabling autoscaling. Default: `2`

|--min-replicas <number_of_nodes>
|Specifies the minimum number of compute nodes when enabling autoscaling. Default: `2`

ifdef::openshift-rosa[]
//this is being deprecated and will eventually be removed entirely.
|--multi-az
|Deploys to multiple data centers.
endif::openshift-rosa[]

|--no-cni
|Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation.

|--operator-roles-prefix <string>
|Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one.

|--pod-cidr <address_block>
a|Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example, `10.128.0.0/14`.

[IMPORTANT]
====
OVN-Kubernetes, the default network provider in {product-title} 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
====

|--private
|Restricts primary API endpoint and application routes to direct, private connectivity.
//To be added when available for HCP only.
//ifdef::openshift-rosa-hcp[]
//To allow public subnets on a private API cluster, you can use both the `--private` and `--private-ingress=false` arguments.
//endif::openshift-rosa-hcp[]

ifdef::openshift-rosa[]
|--private-link
|Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The `--subnet-ids` argument is required when using `--private-link`.
endif::openshift-rosa[]

|--region <region_name>
|The name of the AWS region where your worker pool will be located, for example, `us-east-1`. This argument overrides the `AWS_REGION` environment variable.

|--replicas n
|The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default: `2` for single-zone clusters; `3` for multi-zone clusters.

|--role-arn <arn>
|The ARN of the installer role that {cluster-manager} uses to create the cluster. This is required if you have not already created account roles.

|--service-cidr <address_block>
a|Block of IP addresses (ipNet) for services, for example, `172.30.0.0/16`.

[IMPORTANT]
====
OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
====

ifdef::openshift-rosa[]
a|--sts \| --non-sts
|Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster.
endif::openshift-rosa[]

ifdef::openshift-rosa-hcp[]
|--sts
|Specifies the use of AWS Security Token Service (STS) credentials to deploy your cluster.
endif::openshift-rosa-hcp[]

ifdef::openshift-rosa[]
|--subnet-ids <aws_subnet_id>
|The AWS subnet IDs that are used when installing the cluster, for example, `subnet-01abc234d5678ef9a`. Subnet IDs must be in pairs with one private subnet ID and one public subnet ID per availability zone. Subnets are comma-delimited, for example, `--subnet-ids=subnet-1,subnet-2`. Leave the value empty for installer-provisioned subnet IDs.

When using `--private-link`, the `--subnet-ids` argument is required and only one private subnet is allowed per zone.
endif::openshift-rosa[]

ifdef::openshift-rosa-hcp[]
|--subnet-ids <aws_subnet_id>
|The AWS subnet IDs that are used when installing the cluster, for example, `subnet-01abc234d5678ef9a`. Subnet IDs must be in pairs with one private subnet ID and one public subnet ID per availability zone. Subnets are comma-delimited, for example, `--subnet-ids=subnet-1,subnet-2`. Leave the value empty for installer-provisioned subnet IDs.

When using `--private` for "private API", the `--subnet-ids` argument is required and only one private subnet is allowed per zone.

//To be added when available
//To allow public subnets on a private API cluster, you can use both the `--private` and `--private-ingress=false` arguments.
endif::openshift-rosa-hcp[]

|--support-role-arn string
|The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support.

|--tags
a|Tags that are used on resources created by {product-title} in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".
[IMPORTANT]
====
{product-title} only supports custom tags to Red{nbsp}Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited.
Tags that are added by Red{nbsp}Hat are required for clusters to stay in compliance with Red{nbsp}Hat production service level agreements (SLAs). These tags must not be removed.

{product-title} does not support adding additional tags outside of {product-title} cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
====

|--version string
|The version of {product-title} that will be used to install the cluster or cluster resources. For `cluster` use an `X.Y.Z` format, for example, `4.19.0`. For `account-role` use an `X.Y` format, for example, `4.19`.

|--worker-iam-role string
|The ARN of the IAM role that will be attached to compute instances.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile (string) from your credentials file.
|===

.Examples
Create a cluster named `mycluster`.

[source,terminal]
----
$ rosa create cluster --cluster-name=mycluster
----
//Note to writers: The create cluster command specifically uses --cluster-name because a cluster ID does not exist yet. All other commands use --cluster because either the name or the ID can be used.

Create a cluster with a specific AWS region.

[source,terminal]
----
$ rosa create cluster --cluster-name=mycluster --region=us-east-2
----

Create a cluster with autoscaling enabled on the default worker machine pool.

[source,terminal]
----
$ rosa create cluster --cluster-name=mycluster -region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5
----
ifdef::openshift-rosa-hcp[]
[id="rosa-create-external-auth-provider_{context}"]
== create external-auth-provider

Add an external identity provider instead of the {OCP-short} OAuth2 server.


.Syntax
[source,terminal]
----
$ rosa create external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

|--claim-mapping-groups-claim <string>
|Required. Describes rules on how to transform information from an ID token into a cluster identity.

|--claim-validation-rule <strings>
|Rules that are applied to validate token claims to authenticate users. The input will be in a `<claim>:<required_value>` format. To have multiple claim validation rules, you can separate the values by `,`. For example, `<claim>:<required_value>,<claim>:<required_value>`.

|--claim-mapping-username-claim <string>
|The name of the claim that should be used to construct user names for the cluster identity.

a|--cluster <cluster_name>\|<cluster_id>
|Required. The name or ID of the cluster to which the IDP will be added.

|--console-client-id <string>
|The identifier of the OIDC client from the OIDC provider for the {cluster-manager-url} web console.

|--console-client-secret <string>
|The secret that is associated with the console application registration.

|--issuer-audiences <strings>
|An array of audiences to check the incoming tokens against. Valid tokens must include at least one of these values in their audience claim.

|--issuer-ca-file <string>
|The path to the PEM-encoded certificate file to use when making requests to the server.

|--issuer-url <string>
|The serving URL of the token issuer.

|--name <string>
|A name that is used to refer to the external authentication provider.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile string from your credentials file.
|===

.Examples
Add a Microsoft Entra ID identity provider to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create external-auth-provider --cluster=mycluster --name <provider_name> --issuer-audiences <audience_id> --issuer-url <issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claim groups
----
endif::openshift-rosa-hcp[]
[id="rosa-create-idp_{context}"]
== create idp

Add an identity provider (IDP) to define how users log in to a cluster.

.Syntax
[source,terminal]
----
$ rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

a|--cluster <cluster_name>\|<cluster_id>
|Required. The name or ID of the cluster to which the IDP will be added.

|--ca <path_to_file>
|The path to the PEM-encoded certificate file to use when making requests to the server, for example, `/usr/share/cert.pem`.

|--client-id
|The client ID (string) from the registered application.

|--client-secret
|The client secret (string) from the registered application.

|--mapping-method
|Specifies how new identities (string) are mapped to users when they log in. Default: `claim`

|--name
|The name (string) for the identity provider.

|--type
|The type (string) of identity provider. Options: `github`, `gitlab`, `google`, `ldap`, `openid`
|===

.GitHub arguments
[cols="30,70"]
|===
|Option |Definition

|--hostname
|The optional domain (string) that are used with a hosted instance of GitHub Enterprise.

|--organizations
|Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in.

|--teams
|Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is `<org>/<team>`.
|===

.GitLab arguments
[cols="30,70"]
|===
|Option |Definition

|--host-url
|The host URL (string) of a GitLab provider. Default: `https://gitlab.com`
|===

.Google arguments
[cols="30,70"]
|===
|Option |Definition

|--hosted-domain
|Restricts users to a Google Apps domain (string).
|===

.LDAP arguments
[cols="30,70"]
|===
|Option |Definition

|--bind-dn
|The domain name (string) to bind with during the search phase.

|--bind-password
|The password (string) to bind with during the search phase.

|--email-attributes
|The list (string) of attributes whose values should be used as the email address.

|--id-attributes
|The list (string) of attributes whose values should be used as the user ID. Default: `dn`

|--insecure
|Does not make TLS connections to the server.

|--name-attributes
|The list (string) of attributes whose values should be used as the display name. Default: `cn`

|--url
|An RFC 2255 URL (string) which specifies the LDAP search parameters that are used.

|--username-attributes
|The list (string) of attributes whose values should be used as the preferred username. Default: `uid`
|===

.OpenID arguments
[cols="30,70"]
|===
|Option |Definition

|--email-claims
|The list (string) of claims that are used as the email address.

|--extra-scopes
|The list (string) of scopes to request, in addition to the `openid` scope, during the authorization token request.

|--issuer-url
|The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment.

|--name-claims
|The list (string) of claims that are used as the display name.

|--username-claims
|The list (string) of claims that are used as the preferred username when provisioning a user.

|--groups-claims
|The list (string) of claims that are used as the groups names.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile (string) from your credentials file.
|===

.Examples
Add a GitHub identity provider to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create idp --type=github --cluster=mycluster
----

Add an identity provider following interactive prompts.

[source,terminal]
----
$ rosa create idp --cluster=mycluster --interactive
----

[id="rosa-create-ingress_{context}"]
== create ingress

Add an ingress endpoint to enable API access to the cluster.

.Syntax
[source,terminal]
----
$ rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

a|--cluster <cluster_name>\|<cluster_id>
|Required: The name or ID of the cluster to which the ingress will be added.

|--label-match
|The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.

|--private
|Restricts application route to direct, private connectivity.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile (string) from your credentials file.
|===

.Examples
Add an internal ingress to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create ingress --private --cluster=mycluster
----

Add a public ingress to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create ingress --cluster=mycluster
----

Add an ingress with a route selector label match.

[source,terminal]
----
$ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz
----

[id="rosa-create-kubeletconfig_{context}"]
== create kubeletconfig

Create a custom `KubeletConfig` object to allow custom configuration of nodes in a
ifdef::temp-ifdef[]
cluster.
endif::[]
ifdef::temp-ifdef[]
machine pool.
endif::[]

.Syntax
[source,terminal]
----
$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]
----

.Flags
[cols="30,70"]
|===
|Option |Definition

|--pod-pids-limit <number>
a|Required. The maximum number of PIDs for each node in the
ifdef::temp-ifdef[]
cluster.
endif::[]
ifdef::temp-ifdef[]
machine pool associated with the `KubeletConfig` object.
endif::[]

a|-c, --cluster <cluster_name>\|<cluster_id>
|Required. The name or ID of the cluster in which to create the `KubeletConfig` object.

|--name
a|
ifdef::temp-ifdef[]
Optional.
endif::[]
ifdef::temp-ifdef[]
Required.
endif::[]
Specifies a name for the `KubeletConfig` object.

|-i, --interactive
|Enable interactive mode.

|-h, --help
|Shows help for this command.
|===

For more information about setting the PID limit for the cluster, see _Configuring PID limits_.

[id="rosa-create-machinepool_{context}"]
== create machinepool

Add a machine pool to an existing cluster.

ifdef::openshift-rosa-hcp[]
[TIP]
====
Machine pool is also referred to as node pool on {product-title} clusters.
====
endif::openshift-rosa-hcp[]

.Syntax
[source,terminal]
----
$ rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

// Note for writers: This command works the same way as rosa create --additional-compute-security-group-ids but all subsequent machinepools are compute only so we don't specify compute here yet; consistency across commands to come in OCM-3111.
|--additional-security-group-ids <sec_group_id>
|The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements for _Security groups_ under _Additional resources_.

a|--cluster <cluster_name>\|<cluster_id>
|Required: The name or ID of the cluster to which the machine pool will be added.

|--disk-size
|Set the disk volume size for the machine pool, in Gib or TiB. The default is 300 GiB.
ifdef::openshift-rosa[]
For {product-title} clusters version 4.13 or earlier, the minimum disk size is 128 GiB, and the maximum is 1 TiB. For cluster version 4.14 and later, the minimum is 128 GiB, and the maximum is 16 TiB.
endif::openshift-rosa[]
ifdef::openshift-rosa-hcp[]
For {product-title} clusters, the minimum disk size is 75 GiB, and the maximum is 16,384 GiB.
endif::openshift-rosa-hcp[]
|--enable-autoscaling
|Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the `--min-replicas` and `--max-replicas` arguments. To disable autoscaling, use `--enable-autoscaling=false` with the `--replicas` argument.

|--instance-type
|The instance type (string) that should be used. Default: `m5.xlarge`


ifdef::openshift-rosa-hcp[]
a|--kubelet-configs <kubeletconfig_name>
|The names of any `KubeletConfig` objects to apply to nodes in a machine pool.
endif::openshift-rosa-hcp[]

|--labels
|The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis.

|--max-replicas
|Specifies the maximum number of compute nodes when enabling autoscaling.

|--min-replicas
|Specifies the minimum number of compute nodes when enabling autoscaling.

ifdef::openshift-rosa-hcp[]
|--max-surge
a| The `max-surge` parameter defines the number of new nodes that can be provisioned in excess of the desired number of replicas for the machine pool, as configured using the `--replicas` parameter, or as determined by the autoscaler when autoscaling is enabled. This can be an absolute number (for example, `2`) or a percentage of the machine pool size (for example, `20%`), but must use the same unit as the `max-unavailable` parameter.

The default value is `1`, meaning that the maximum number of nodes in the machine pool during an upgrade is 1 plus the desired number of replicas for the machine pool. In this situation, one excess node can be provisioned before existing nodes need to be made unavailable. The number of nodes that can be provisioned simultaneously during an upgrade is `max-surge` plus `max-unavailable`.

|--max-unavailable
a|The `max-unavailable` parameter defines the number of nodes that can be made unavailable in a machine pool during an upgrade, before new nodes are provisioned. This can be an absolute number (for example, `2`) or a percentage of the current replica count in the machine pool (for example, `20%`), but must use the same unit as the `max-surge` parameter.

The default value is `0`, meaning that no outdated nodes are removed before new nodes are provisioned. The valid range for this value is from `0` to the current machine pool size, or from `0%` to `100%`. The total number of nodes that can be upgraded simultaneously during an upgrade is `max-surge` plus `max-unavailable`.

endif::openshift-rosa-hcp[]

|--name
|Required: The name (string) for the machine pool.

|--replicas
|Required when autoscaling is not configured. The number (integer) of machines for this machine pool.

|--tags
|Apply user defined tags to all resources created by {product-title} in AWS. Tags are comma separated, for example: `'key value, foo bar'`.

|--taints
|Taints for the machine pool. This string value should be formatted as a comma-separated list of `key=value:ScheduleType`. This list will overwrite any modifications made to Node taints on an ongoing basis.

|--autorepair
|AutoRepair setting for the machine pool represented as the boolean `true` or `false`.
|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile
|Specifies an AWS profile (string) from your credentials file.
|===

.Examples
Interactively add a machine pool to a cluster named `mycluster`.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --interactive
----

Add a machine pool that is named `mp-1` to a cluster with autoscaling enabled.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1
----

Add a machine pool that is named `mp-1` with 3 replicas of `m5.xlarge` to a cluster.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1
----

Add a machine pool (`mp-1`) to a {product-title} cluster, configuring 6 replicas and the following upgrade behavior:

* Allow up to 2 excess nodes to be provisioned during an upgrade.
* Ensure that no more than 3 nodes are unavailable during an upgrade.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --replicas=6 --name=mp-1 --max-surge=2 --max-unavailable=3
----

Add a machine pool with labels to a cluster.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1
----

Add a machine pool with tags to a cluster.

[source,terminal]
----
$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1
----
ifdef::openshift-rosa-hcp[]
[id="rosa-create-network_{context}"]
== create network

Create a network that creates any necessary AWS resources through AWS CloudFormation templates. This helper command is intended to help create and configure a VPC for use with {product-title}. This command also supports {egress-zero} clusters.

[IMPORTANT]
====
Running this command creates resources within your AWS account.
====

[NOTE]
====
For custom or advanced configurations, it is highly recommended to use the AWS CLI directly using the `aws cloudformation` command or create a new custom template with the required configurations. If you use a custom CloudFormation template with the ROSA CLI, the minimum required version is 1.2.47 or later.
====

.Syntax
[source,terminal]
----
$ rosa create network [flags]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

|<template-name>
|Allows you to use a custom template. Templates must be in the template folder, structured as `templates/<template-name>/cloudformation.yaml`. If no template name is provided, the command uses the default template. For binary builds, this template directory must be referenced manually after it is downloaded.

|===

.Default CloudFormation template
[source,yaml]
----
include::https://raw.githubusercontent.com/openshift/rosa/refs/heads/master/cmd/create/network/templates/rosa-quickstart-default-vpc/cloudformation.yaml[]
----

.Flags
[cols="30,70"]
|===
|Option |Definition

|--template-dir
|Allows you to specify the path to the template directory. Overrides the `OCM_TEMPLATE_DIR` environment variable. Required if not running the command inside the template directory.

|--param Name
|Define the name of your network. A required parameter when using a custom template file.

|--param Region
|Define the region of your network. A required parameter when using a custom template file.

|--param <various>
|Available parameters depend on the template. Use `--help` when in the template directory to find available parameters.
// TODO OSDOCS-11830 Suggest adding more parameters here, at least some related to setting up multiple AZs

|--mode=manual
|Provides AWS commands to create the network stack.

|===

.Example
Create a basic network with regular arguments and flags.

[source,terminal]
----
$ rosa create network rosa-quickstart-default-vpc --param Tags=key1=value1,key2=value2 --param Name=example-stack --param Region=us-west-2
----

* The full list of parameters is available in the default template.
+
.Example template
+
[source,yaml]
----
Parameters:
  AvailabilityZoneCount:
    Type: Number
    Description: "Number of Availability Zones to use"
    Default: 1
    MinValue: 1
    MaxValue: 3
  Region:
    Type: String
    Description: "AWS Region"
    Default: "us-west-2"
  Name:
    Type: String
    Description: "Name prefix for resources"
  VpcCidr:
    Type: String
    Description: CIDR block for the VPC
    Default: '10.0.0.0/16'
----
endif::openshift-rosa-hcp[]
[id="rosa-create-ocm-role_{context}"]
== create ocm-role

Create the required ocm-role resources for your cluster.

.Syntax
[source,terminal]
----
$ rosa create ocm-role [flags]
----

.Flags
[cols="30,70"]
|===
|Option |Definition

|--admin
|Enable admin capabilities for the role.

|--debug
|Enable debug mode.

|-i, --interactive
|Enable interactive mode.

|-m, --mode string
a|How to perform the operation. Valid options are:

* `auto`: Resource changes will be automatically applied using the current AWS account
* `manual`: Commands necessary to modify AWS resources will be output to be run manually

|--path string
|The ARN path for the OCM role and policies.

|--permissions-boundary string
|The ARN of the policy that is used to set the permissions boundary for the OCM role.

|--prefix string
|User-defined prefix for all generated AWS resources. The default is `ManagedOpenShift`.

|--profile string
|Use a specific AWS profile from your credential file.

|-y, --yes
|Automatically answer yes to confirm operation.

|===

For more information about the OCM role created with the `rosa create ocm-role` command, see _Account-wide IAM role and policy reference_.

[id="rosa-create-user-role_{context}"]
== create user-role

Create the required user-role resources for your cluster.

.Syntax
[source,terminal]
----
$ rosa create user-role [flags]
----

.Flags
[cols="30,70"]
|===
|Option |Definition

|--debug
|Enable debug mode.

|-i, --interactive
|Enable interactive mode.

|-m, --mode string
a|How to perform the operation. Valid options are:

* `auto`: Resource changes will be automatically applied using the current AWS account
* `manual`: Commands necessary to modify AWS resources will be output to be run manually

|--path string
|The ARN path for the user role and policies.

|--permissions-boundary string
|The ARN of the policy that is used to set the permissions boundary for the user role.

|--prefix string
|User-defined prefix for all generated AWS resources The default is `ManagedOpenShift`.

|--profile string
|Use a specific AWS profile from your credential file.

|-y, --yes
|Automatically answer yes to confirm operation.

|===

For more information about the user role created with the `rosa create user-role` command, see _Understanding AWS account association_.

[id="rosa-create-iamserviceaccount_{context}"]
== create iamserviceaccount

Create an AWS Identity and Access Management (IAM) role that can be assumed by a {product-title} service account using OpenID Connect (OIDC) identity federation.

.Syntax
[source,terminal]
----
$ rosa create iamserviceaccount --cluster=<cluster_name> | <cluster_id> --name=<service_account_name> [arguments]
----

.Arguments
[cols="30,70"]
|===
|Option |Definition

a|--cluster <cluster_name>\|<cluster_id>
|Required. The name or ID of the cluster for which to create the IAM service account role.

|--name <service_account_name>
|Required. The name of the {product-title} service account. This flag can be used multiple times to create a role for multiple service accounts.

|--namespace <namespace_name>
|The {product-title} namespace for the service account. Default: `default`

|--role-name <role_name>
|The name of the IAM role to create. If not specified, a name will be auto-generated using the pattern `{cluster-name}-{namespace}-{service-account-name}-role`.

|--attach-policy-arn <policy_arn>
|The ARN of an IAM policy to attach to the role. This flag can be used multiple times to attach multiple policies.

|--inline-policy <policy_document>
|An inline policy document in JSON format or a file path prefixed with `file://` (for example, `file://policy.json`).

|--permissions-boundary <boundary_arn>
|The ARN of an IAM policy to use as a permissions boundary for the role.

|--path <iam_path>
|The IAM path for the role. Default: `/`

a|-m, --mode string
a|How to perform the operation. Valid options are:

`auto`:: Resource changes will be automatically applied using the current AWS account.
`manual`:: Commands necessary to modify AWS resources will be output to be run manually.

|===

.Optional arguments inherited from parent commands
[cols="30,70"]
|===
|Option |Definition

|--help
|Shows help for this command.

|--debug
|Enables debug mode.

|--interactive
|Enables interactive mode.

|--profile string
|Specifies an AWS profile from your credentials file.

|--yes
|Automatically answers `yes` to confirm the operation.

|===

.Examples
Create an IAM role for a service account named `my-app` in the `default` namespace with S3 read-only access.

[source,terminal]
----
$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
----

Create an IAM role with a custom name and multiple policies.

[source,terminal]
----
$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --namespace=production --role-name=my-custom-role --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --attach-policy-arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
----

Create an IAM role with an inline policy from a file.

[source,terminal]
----
$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --inline-policy=file://my-policy.json
----