diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index f1b480c0aca4..195b96881eae 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -179,10 +179,12 @@ Topics: File: installing-aws-china - Name: Installing a cluster on AWS using CloudFormation templates File: installing-aws-user-infra - - Name: Installing a cluster on AWS with worker nodes on AWS Local Zones - File: installing-aws-localzone - Name: Installing a cluster on AWS in a restricted network with user-provisioned infrastructure File: installing-restricted-networks-aws + - Name: Installing a cluster on AWS with worker nodes on AWS Local Zones + File: installing-aws-localzone + - Name: Installing a cluster on AWS with worker nodes on AWS Wavelength Zones + File: installing-aws-wavelength-zone - Name: Installing a cluster on AWS with remote workers on AWS Outposts File: installing-aws-outposts-remote-workers - Name: Installing a three-node cluster on AWS @@ -589,7 +591,7 @@ Topics: - Name: Fedora CoreOS (FCOS) image layering File: coreos-layering Distros: openshift-origin -- Name: AWS Local Zone tasks +- Name: AWS Local Zone and Wavelength Zone tasks File: aws-compute-edge-tasks Distros: openshift-enterprise --- diff --git a/installing/installing_aws/installing-aws-localzone.adoc b/installing/installing_aws/installing-aws-localzone.adoc index d8b548391d35..23048d4eee4d 100644 --- a/installing/installing_aws/installing-aws-localzone.adoc +++ b/installing/installing_aws/installing-aws-localzone.adoc @@ -3,6 +3,7 @@ = Installing a cluster on AWS with worker nodes on AWS Local Zones include::_attributes/common-attributes.adoc[] :context: installing-aws-localzone +:zone-type: Local Zones toc::[] 
@@ -15,54 +16,34 @@ AWS Local Zones are a type of infrastructure that place Cloud Resources close to The steps for performing an installer-provisioned infrastructure installation are provided for example purposes only. Installing a cluster in an existing VPC requires that you have knowledge of the cloud provider and the installation process of {product-title}. You can use a CloudFormation template to assist you with completing these steps or to help model your own cluster installation. Instead of using the CloudFormation template to create resources, you can decide to use other methods for generating these resources. ==== -== Prerequisites +// Prerequisites +include::modules/aws-zones-prerequisites.adoc[leveloffset=+1] -* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. -* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. -* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. -+ -[IMPORTANT] -==== -If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program. -==== -* You noted the region and supported link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/locations[AWS Local Zones locations] to create the network resources in. 
-* You read the link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[Features] for each AWS Local Zones location. -* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX)] in the AWS documentation. -* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. -+ -[NOTE] -==== -Be sure to also review this site list if you are configuring a proxy. -==== -* Add permission for the user who creates the cluster to modify the Local Zone group with `ec2:ModifyAvailabilityZoneGroup`. For example: -+ -.An example of a permissive IAM policy to attach to a user or role -[source,yaml] ----- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ec2:ModifyAvailabilityZoneGroup" - ], - "Effect": "Allow", - "Resource": "*" - } - ] -} ----- - -// Cluster limitations in AWS Local Zones -include::modules/cluster-limitations-local-zone.adoc[leveloffset=+1] +== About AWS Local Zones and edge compute pool + +// Cluster limitations +include::modules/cluster-limitations-aws-zone.adoc[leveloffset=+1] + +// Edge compute pools and AWS Local Zones +include::modules/edge-machine-pools-aws-local-zones.adoc[leveloffset=+2] [role="_additional-resources"] .Additional resources +* xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[Changing the MTU for the cluster network] +* xref:../../networking/changing-cluster-network-mtu.adoc#nw-ovn-ipsec-enable_configuring-ipsec-ovn[Enabling IPsec encryption] +* xref:../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] * 
xref:../../storage/understanding-persistent-storage.adoc#pvc-storage-class_understanding-persistent-storage[Storage classes] - * xref:../../networking/ingress-sharding.html#nw-ingress-sharding_ingress-sharding[Ingress Controller sharding] + + + + + + + + // Internet access for OpenShift Container Platform include::modules/cluster-entitlements.adoc[leveloffset=+1] @@ -100,16 +81,6 @@ include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2] include::modules/installation-generate-aws-user-infra-install-config.adoc[leveloffset=+2] // Suggest to standarize edge-pool's specific files with same prefixes, like: machine-edge-pool-[...] or compute-edge-pool-[...] (which is more compatible with install-config.yaml/compute) -// Edge compute pools and AWS Local Zones -include::modules/edge-machine-pools-aws-local-zones.adoc[leveloffset=+2] - -[role="_additional-resources"] -.Additional resources - -* xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[Changing the MTU for the cluster network] -* xref:../../networking/changing-cluster-network-mtu.adoc#nw-ovn-ipsec-enable_configuring-ipsec-ovn[Enabling IPsec encryption] -* xref:../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] - //// // Revisit the need for the link to this section based on testing outcome of 4.15 Wavelenght Zone testing work that also assesses Manual STS, Manual long-term, and Mint routes. //Supertask: Configuring an AWS cluster to use short-term credentials diff --git a/installing/installing_aws/installing-aws-wavelength-zone.adoc b/installing/installing_aws/installing-aws-wavelength-zone.adoc new file mode 100644 index 000000000000..2d7b04f987aa --- /dev/null +++ b/installing/installing_aws/installing-aws-wavelength-zone.adoc 
@@ -0,0 +1,243 @@ +:_mod-docs-content-type: ASSEMBLY +[id="installing-aws-wavelength-zone"] += Installing a cluster on AWS with worker nodes on AWS Wavelength Zones +include::_attributes/common-attributes.adoc[] +:context: installing-aws-wavelength-zone +:zone-type: Wavelength Zones + +toc::[] + +You can quickly install an {product-title} cluster in Amazon Web Services (AWS) Wavelength Zones by setting the zone names in the edge compute pool of the `install-config.yaml` file, or install a cluster in an existing VPC that lists Wavelength Zone subnets. + +AWS Wavelength is a type of infrastructure that AWS configured for mobile edge computing (MEC) applications. + +A wavelength zone embeds AWS compute and storage services within a communication service provider's (CSP) 5G network. By placing application servers in a wavelength zone, the application traffic from your 5G devices does not need to leave the 5G network. Without such a configure, your device's application traffic would need to follow multiple network hops to reach the target server, which leads to latency issues. For more information, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-wavelength-zones[AWS Wavelength Zones Documentation]. 
+ +// Prerequisites +include::modules/aws-zones-prerequisites.adoc[leveloffset=+1] + +== About AWS Wavelength Zones and edge compute pool + +// Cluster limitations +include::modules/cluster-limitations-aws-zone.adoc[leveloffset=+1] + +// Edge compute pools and AWS Local Zones +include::modules/edge-machine-pools-aws-local-zones.adoc[leveloffset=+2] + + +[role="_additional-resources"] +.Additional resources + +* xref:../../networking/changing-cluster-network-mtu.adoc#mtu-value-selection_changing-cluster-network-mtu[Changing the MTU for the cluster network] +* xref:../../networking/changing-cluster-network-mtu.adoc#nw-ovn-ipsec-enable_configuring-ipsec-ovn[Enabling IPsec encryption] +* xref:../../nodes/scheduling/nodes-scheduler-taints-tolerations.adoc#nodes-scheduler-taints-tolerations-about_nodes-scheduler-taints-tolerations[Understanding taints and tolerations] +* xref:../../storage/understanding-persistent-storage.adoc#pvc-storage-class_understanding-persistent-storage[Storage classes] +* xref:../../networking/ingress-sharding.html#nw-ingress-sharding_ingress-sharding[Ingress Controller sharding] + + + + + + +// Internet access for OpenShift Container Platform +include::modules/cluster-entitlements.adoc[leveloffset=+1] + +// Obtaining an AWS Marketplace image +include::modules/installation-aws-marketplace-subscribe.adoc[leveloffset=+1] + +//Installing the OpenShift CLI by downloading the binary: Moved up to precede `ccoctl` steps, which require the use of `oc` +include::modules/cli-installing-cli.adoc[leveloffset=+1] + +== Preparing for the installation + +Before you extend nodes to local zones, you must prepare certain resources for the cluster installation environment. 
+ +// Obtaining the installation program +include::modules/installation-obtaining-installer.adoc[leveloffset=+2] + +// Generating a key pair for cluster node SSH access +include::modules/ssh-agent-using.adoc[leveloffset=+2] + +// Creating the installation files for AWS +include::modules/installation-user-infra-generate.adoc[leveloffset=+2] + +// Minimum resource requirements for cluster installation +include::modules/installation-minimum-resource-requirements.adoc[leveloffset=+2] + +// Tested instance types for AWS +include::modules/installation-aws-tested-machine-types.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* See link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[AWS Local Zones features] in the AWS documentation for more information about AWS Local Zones and the supported instances types and services. + +// Creating the installation configuration file +include::modules/installation-generate-aws-user-infra-install-config.adoc[leveloffset=+2] +// Suggest to standarize edge-pool's specific files with same prefixes, like: machine-edge-pool-[...] or compute-edge-pool-[...] (which is more compatible with install-config.yaml/compute) + +//// +// Revisit the need for the link to this section based on testing outcome of 4.15 Wavelenght Zone testing work that also assesses Manual STS, Manual long-term, and Mint routes. +//Supertask: Configuring an AWS cluster to use short-term credentials +[id="installing-aws-with-short-term-creds_{context}"] +== Optional: Configuring an AWS cluster to use short-term credentials + +To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster. + +[NOTE] +==== +To use the AWS STS, you must configure the Cloud Credential Operator (CCO) to run in manual mode. 
As part of the installation process, you set `credentialsMode` parameter to `Manual` after creating the `install-config.yaml` installation configuration file. +==== + +//Task part 1: Configuring the Cloud Credential Operator utility +include::modules/cco-ccoctl-configuring.adoc[leveloffset=+2] + +//Task part 2: Creating the required AWS resources +[id="sts-mode-create-aws-resources-ccoctl_{context}"] +=== Creating AWS resources with the Cloud Credential Operator utility + +You have the following options when creating AWS resources: + +* You can use the `ccoctl aws create-all` command to create the AWS resources automatically. This is the quickest way to create the resources. See xref:../../installing/installing_aws/installing-aws-localzone.adoc#cco-ccoctl-creating-at-once_installing-aws-localzone[Creating AWS resources with a single command]. + +* If you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See xref:../../installing/installing_aws/installing-aws-localzone.adoc#cco-ccoctl-creating-individually_installing-aws-localzone[Creating AWS resources individually]. 
+ +//Task part 2a: Creating the required AWS resources all at once +include::modules/cco-ccoctl-creating-at-once.adoc[leveloffset=+3] + +//Task part 2b: Creating the required AWS resources individually +include::modules/cco-ccoctl-creating-individually.adoc[leveloffset=+3] +//// + +// Opting in to AWS Local Zones +include::modules/installation-aws-add-local-zone-locations.adoc[leveloffset=+1] + +// Cluster installation options for an AWS Local Zone environment +include::modules/aws-cluster-installation-options-aws-lzs.adoc[leveloffset=+1] + +.Next steps + +Choose one of the following options to install an {product-title} cluster in an AWS Local Zones environment: + +* xref:../../installing/installing_aws/installing-aws-localzone.adoc#installation-cluster-quickly-extend-workers_installing-aws-localzone[Installing a cluster quickly in AWS Local Zones] +* xref:../../installing/installing_aws/installing-aws-localzone.adoc#creating-aws-local-zone-environment-existing_installing-aws-localzone[Installing a cluster in an existing VPC with defined Local Zone subnets] + +// Installing a cluster quickly in AWS Local Zones +include::modules/installation-cluster-quickly-extend-workers.adoc[leveloffset=+1] + +// Modifying an installation configuration to use AWS Local Zones +include::modules/install-creating-install-config-aws-local-zones.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* xref:../../installing/installing_aws/installing-aws-localzone.adoc#cluster-limitations-local-zone_installing-aws-localzone[Creating the installation configuration file] + +* xref:../../installing/installing_aws/installing-aws-localzone.adoc#cluster-limitations-local-zone_installing-aws-localzone[Cluster limitations in AWS Local Zones] + +.Next steps +* xref:../../installing/installing_aws/installing-aws-localzone.adoc#installation-launching-installer_installing-aws-localzone[Deploying the cluster] + +[id="creating-aws-local-zone-environment-existing_{context}"] 
+== Installing a cluster in an existing VPC that has Local Zone subnets + +You can install a cluster into an existing Amazon Virtual Private Cloud (VPC) on Amazon Web Services (AWS). The installation program provisions the rest of the required infrastructure, which you can further customize. To customize the installation, modify parameters in the `install-config.yaml` file before you install the cluster. + +Installing a cluster on AWS into an existing VPC requires extending workers to the edge of the Cloud Infrastructure by using AWS Local Zones. + +Local Zone subnets extend regular workers' nodes to edge networks. Each edge worker nodes runs a user workload. After you create an Amazon Web Service (AWS) Local Zone environment, and you deploy your cluster, you can use edge worker nodes to create user workloads in Local Zone subnets. + +You can use a provided CloudFormation template to create the VPC and public subnets. Additionally, you can modify a template to customize your infrastructure or use the information that they contain to create AWS objects according to your company's policies. + +[NOTE] +==== +If you want to create private subnets, you must either modify the provided CloudFormation template or create your own template. 
+==== + +// Creating a VPC in AWS +include::modules/installation-creating-aws-vpc-localzone.adoc[leveloffset=+2] +// Creating a subnet in AWS Local Zones +include::modules/installation-creating-aws-subnet-localzone.adoc[leveloffset=+2] +// CloudFormation template for the VPC +include::modules/installation-cloudformation-vpc-localzone.adoc[leveloffset=+2] +// AWS security groups +include::modules/installation-aws-security-groups.adoc[leveloffset=+2] +// CloududFormation template for the subnet that uses AWS Local Zones +include::modules/installation-cloudformation-subnet-localzone.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* You can view details about the CloudFormation stacks that you create by navigating to the link:https://console.aws.amazon.com/cloudformation/[AWS CloudFormation console]. + +// Modifying an installation configuration file to use AWS Local Zones subnets +include::modules/install-creating-install-config-aws-local-zones-subnets.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources + +* See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html[Configuration and credential file settings] in the AWS documentation for more information about AWS profile and credential configuration. + +//include::modules/installation-configure-proxy.adoc[leveloffset=+2] +//Put this back if QE validates it. + +// Verify removal due to automation. +// include::modules/installation-localzone-generate-k8s-manifest.adoc[leveloffset=+2] + +//// +// Revisit the need for the link to this section based on testing outcome of 4.15 Wavelenght Zone testing work that also assesses Manual STS, Manual long-term, and Mint routes. +[id="installing-aws-manual-modes_{context}"] +== Alternatives to storing administrator-level secrets in the kube-system project + +By default, administrator secrets are stored in the `kube-system` project. 
If you configured the `credentialsMode` parameter in the `install-config.yaml` file to `Manual`, you must use one of the following alternatives: + +* If you configured the CCO utility (`ccoctl`) to implement short-term credentials for individual components, follow the procedure in xref:../../installing/installing_aws/installing-aws-localzone.adoc#cco-ccoctl-install-creating-manifests_installing-aws-localzone[Incorporating the Cloud Credential Operator utility manifests]. + +* If you will manage cloud credentials manually, follow the procedure in xref:../../installing/installing_aws/installing-aws-localzone.adoc#manually-create-iam_installing-aws-localzone[Manually creating long-term credentials]. + +// Additional steps for the Cloud Credential Operator utility (`ccoctl`) +include::modules/cco-ccoctl-install-creating-manifests.adoc[leveloffset=+2] + +//Manually creating IAM +include::modules/manually-create-identity-access-management.adoc[leveloffset=+2] +//// + +// Deploying the cluster +include::modules/installation-launching-installer.adoc[leveloffset=+1] + +.Next steps +* xref:../../post_installation_configuration/cluster-tasks.adoc#installation-extend-edge-nodes-aws-local-zones_post-install-cluster-tasks[Creating user workloads in AWS Local Zones] + +// Logging in to the cluster by using the CLI +include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1] + +// Logging in to the cluster by using the web console +include::modules/logging-in-by-using-the-web-console.adoc[leveloffset=+1] + +[role="_additional-resources"] +.Additional resources + +* See xref:../../web_console/web-console.adoc#web-console[Accessing the web console] for more details about accessing and understanding the {product-title} web console. 
+ +// Verifying nodes that were created with edge compute pool +include::modules/machine-edge-pool-review-nodes.adoc[leveloffset=+1] + +// Telemetry access for OpenShift Container Platform +include::modules/cluster-telemetry.adoc[leveloffset=+1] + +[role="_additional-resources"] +.Additional resources + +* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service. + +[id="installing-aws-localzone-next-steps"] +== Next steps + +* xref:../../post_installation_configuration/cluster-tasks.adoc#installation-extend-edge-nodes-aws-local-zones_post-install-cluster-tasks[Creating user workloads in AWS Local Zones]. +* xref:../../installing/validating-an-installation.adoc#validating-an-installation[Validating an installation]. +* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster]. +* If necessary, you can xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting]. +//// +// Revisit the need for the link to this section based on testing outcome of 4.15 Wavelenght Zone testing work that also assesses Manual STS, Manual long-term, and Mint routes. +* If necessary, you can xref:../../post_installation_configuration/cluster-tasks.adoc#manually-removing-cloud-creds_post-install-cluster-tasks[remove cloud provider credentials]. +//// diff --git a/modules/aws-zones-prerequisites.adoc b/modules/aws-zones-prerequisites.adoc new file mode 100644 index 000000000000..3b71e3437ca6 --- /dev/null +++ b/modules/aws-zones-prerequisites.adoc 
@@ -0,0 +1,88 @@ +// Module included in the following assemblies: +// +// * installing/installing-aws-localzone.adoc (Installing a cluster on AWS with worker nodes on AWS Local Zones) +// * installing/installing-aws-wavelength.adoc (Installing a cluster on AWS with worker nodes on AWS Wavelength Zones) + +ifeval::["{context}" == "installing-aws-localzone"] +:local-zone: +endif::[] +ifeval::["{context}" == "installing-aws-wavelength"] +:wavelength-zone: +endif::[] + +:_mod-docs-content-type: CONCEPT +[id="aws-zones-prerequisites_{context}"] += Prerequisites + +* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes. +* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users]. +* You xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[configured an AWS account] to host the cluster. ++ +[IMPORTANT] +==== +If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multi-factor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use key-based, long-term credentials. To generate appropriate keys, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users] in the AWS documentation. You can supply the keys when you run the installation program. +==== +* You downloaded the AWS CLI and installed it on your computer. See link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer (Linux, macOS, or UNIX)] in the AWS documentation. 
+* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to. +ifdef::local-zone[] +* You noted the region and supported link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/locations[AWS Local Zones locations] to create the network resources in. +* You read the link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[AWS Local Zones features] in the AWS documentation. +* You added permissions for creating network resources that support AWS Local Zones to the Identity and Access Management (IAM) user or role. ++ +.Example of an additional IAM policy that attached the `ec2:ModifyAvailabilityZoneGroup` permission to a user or role for the purposes of creating network resources that support AWS Local Zones ++ +[source,yaml] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ec2:ModifyAvailabilityZoneGroup" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} +---- +endif::local-zone[] +ifdef::wavelength-zone[] +* You noted the region and supported link:https://aws.amazon.com/wavelength/locations[AWS Wavelength Zone locations] to create the network resources in. +* You read link:https://aws.amazon.com/about-aws/global-infrastructure/localzones/features/[AWS Wavelength features] in the AWS documentation. +* You read the link:https://docs.aws.amazon.com/wavelength/latest/developerguide/wavelength-quotas.html[Quotas and considerations for Wavelength Zones] in the AWS documentation. +* You added a permission for creating network resources that support AWS Local Zones to the Identity and Access Management (IAM) user or role. 
++ +.Example of an additional IAM policy that attached `ec2:ModifyAvailabilityZoneGroup`, `ec2:CreateCarrierGateway`, and `ec2:DeleteCarrierGateway` permissions to a user or role for the purposes of creating network resources that support AWS Wavelength Zones ++ +[source,yaml] +---- +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "ec2:DeleteCarrierGateway", + "ec2:CreateCarrierGateway" + ], + "Resource": "*" + }, + { + "Action": [ + "ec2:ModifyAvailabilityZoneGroup" + ], + "Effect": "Allow", + "Resource": "*" + } + ] +} +---- +endif::wavelength-zone[] + +ifeval::["{context}" == "installing-aws-localzone"] +:!local-zone: +endif::[] +ifeval::["{context}" == "installing-aws-wavelength"] +:!wavelength-zone: +endif::[] diff --git a/modules/cluster-limitations-aws-zone.adoc b/modules/cluster-limitations-aws-zone.adoc new file mode 100644 index 000000000000..33abcd979906 --- /dev/null +++ b/modules/cluster-limitations-aws-zone.adoc 
@@ -0,0 +1,43 @@ +// Module included in the following assemblies: +// +// * installing/installing-aws-localzone.adoc (Installing a cluster on AWS with worker nodes on AWS Local Zones) +// * installing/installing-aws-wavelength.adoc (Installing a cluster on AWS with worker nodes on AWS Wavelength Zones) + +ifeval::["{context}" == "installing-aws-localzone"] +:local-zone: +endif::[] +ifeval::["{context}" == "installing-aws-wavelength"] +:wavelength-zone: +endif::[] + +:_mod-docs-content-type: CONCEPT +[id="cluster-limitations-aws-zone_{context}"] +ifdef::local-zone[] += Cluster limitations in AWS Local Zones + +Some limitations exist when you attempt to deploy a cluster with a default installation configuration in Amazon Web Services (AWS) Local Zones environment. +endif:: local-zone[] + +ifdef::wavelength-zone[] += Cluster limitations in AWS Wavelength Zones + +Some limitations exist when you attempt to deploy a cluster with a default installation configuration in Amazon Web Services (AWS) Wavelength Zones environment. +endif:: wavelength-zone[] + +The following list details limitations when deploying a cluster in this AWS environment: + +- The Maximum Transmission Unit (MTU) between an Amazon EC2 instance in a zone and an Amazon EC2 instance in the Region is `1300`. This causes the cluster-wide network MTU to change according to the network plugin that is used on the deployment. +- Network resources such as Network Load Balancer (NLB), Classic Load Balancer, and Network Address Translation (NAT) Gateways are not globally supported. +- For an {product-title} cluster on AWS, the AWS Elastic Block Storage (EBS) `gp3` type volume is the default for node volumes and the default for the storage class. This volume type is not globally available on zone locations. By default, the nodes running in zones are deployed with the `gp2` EBS volume. The `gp2-csi` `StorageClass` must be set when creating workloads on zone nodes. 
+ +ifdef::local-zone[] +If you want the installation program to automatically create Local Zone subnets for your {product-title} cluster, specific configuration limitations apply with this method. +end::local-zone[] + +ifdef::wavelength-zone[] +If you want the installation program to automatically create Wavelength Zone subnets for your {product-title} cluster, specific configuration limitations apply with this method. +end::wavelength-zone[] + +The following configuration limitation applies when you set the installation program to automatically create subnets for your {product-title} cluster: + +- The private subnets for an AWS zone associate with the route table of the parent zone, so that each private subnet can route egress traffic to the internet. If this route table does not exist during cluster installation, the private subnet associates with the first available private route table in the Virtual Private Cloud (VPC). diff --git a/modules/cluster-limitations-local-zone.adoc b/modules/cluster-limitations-local-zone.adoc deleted file mode 100644 index 5ffaf02e8be2..000000000000 --- a/modules/cluster-limitations-local-zone.adoc +++ /dev/null 
@@ -1,28 +0,0 @@ -// Module included in the following assemblies: -// -// * installing/installing-aws-localzone.adoc - -:_mod-docs-content-type: CONCEPT - -[id="cluster-limitations-local-zone_{context}"] -= Cluster limitations in AWS Local Zones - -Some limitations exist when you attempt to deploy a cluster with a default installation configuration in Amazon Web Services (AWS) Local Zones. - -[IMPORTANT] -==== -The following list details limitations when deploying a cluster in AWS Local Zones: - -- The Maximum Transmission Unit (MTU) between an Amazon EC2 instance in a Local Zone and an Amazon EC2 instance in the Region is `1300`. This causes the cluster-wide network MTU to change according to the network plugin that is used on the deployment. -- Network resources such as Network Load Balancer (NLB), Classic Load Balancer, and Network Address Translation (NAT) Gateways are not globally supported in AWS Local Zones. -- For an {product-title} cluster on AWS, the AWS Elastic Block Storage (EBS) `gp3` type volume is the default for node volumes and the default for the storage class. This volume type is not globally available on Local Zone locations. By default, the nodes running in Local Zones are deployed with the `gp2` EBS volume. The `gp2-csi` `StorageClass` must be set when creating workloads on Local Zone nodes. -==== - -If you want the installation program to automatically create Local Zone subnets for your {product-title} cluster, specific configuration limitations apply with this method. - -[IMPORTANT] -==== -The following configuration limitation applies when you set the installation program to automatically create subnets for your {product-title} cluster: - -- The private subnets for an AWS Local Zone associate with the route table of the parent zone, so that each private subnet can route egress traffic to the internet. 
If this route table does not exist during cluster installation, the private subnet associates with the first available private route table in the Virtual Private Cloud (VPC). This approach is valid only for AWS Local Zones subnets in an {product-title} cluster. -==== diff --git a/modules/edge-machine-pools-aws-local-zones.adoc b/modules/edge-machine-pools-aws-local-zones.adoc index f11ac1c78fe9..d6e551f3862c 100644 --- a/modules/edge-machine-pools-aws-local-zones.adoc +++ b/modules/edge-machine-pools-aws-local-zones.adoc 
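Review bot: deleting `modules/cluster-limitations-local-zone.adoc` drops two limitations that do not reappear anywhere in this patch: the statement that Network Load Balancer, Classic Load Balancer and NAT Gateways are not globally supported in Local Zones, and the requirement that the `gp2-csi` `StorageClass` be set for workloads on Local Zone nodes (the MTU and default `gp2` volume points survive in `edge-machine-pools-aws-local-zones.adoc`). Please confirm these are carried into the replacement module or the assembly, and that `installing-aws-localzone.adoc` no longer includes the deleted file, since the visible change to that assembly only swaps the Prerequisites section.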
@@ -5,115 +5,64 @@ ifeval::["{context}" == "aws-compute-edge-tasks"] :edge: endif::[] +ifeval::["{context}" == "installing-aws-localzone"] +:local-zone: +endif::[] +ifeval::["{context}" == "installing-aws-wavelength"] +:wavelength-zone: +endif::[] :_mod-docs-content-type: CONCEPT [id="edge-machine-pools-aws-local-zones_{context}"] -= Edge compute pools and AWS Local Zones += Edge compute pools and AWS {zone-type} -Edge worker nodes are tainted worker nodes that run in AWS Local Zones locations. +Edge worker nodes are tainted worker nodes that run in AWS {zone-type} locations. -When deploying a cluster that uses Local Zones, consider the following points: +When deploying a cluster that uses {zone-type}, consider the following points: -* Amazon EC2 instances in the Local Zones are more expensive than Amazon EC2 instances in the Availability Zones. -* Latency between applications and end users is lower in Local Zones, and latency might vary by location. A latency impact exists for some workloads if, for example, ingress traffic is mixed between Local Zones and Availability Zones. +* Amazon EC2 instances in the {zone-type} are more expensive than Amazon EC2 instances in the Availability Zones. +* Latency between applications and end users is lower in {zone-type}, and latency might vary by location. A latency impact exists for some workloads if, for example, ingress traffic is mixed between {zone-type} and Availability Zones. [IMPORTANT] ==== -Generally, the maximum transmission unit (MTU) between an Amazon EC2 instance in a Local Zone and an Amazon EC2 instance in the Region is 1300. For more information, see link:https://docs.aws.amazon.com/local-zones/latest/ug/how-local-zones-work.html[How Local Zones work] in the AWS documentation. -The cluster network MTU must be always less than the EC2 MTU to account for the overhead. 
The specific overhead is determined by the network plugin, for example: +Generally, the maximum transmission unit (MTU) between an Amazon EC2 instance in a {zone-type} and an Amazon EC2 instance in the Region is 1300. The cluster network MTU must be always less than the EC2 MTU to account for the overhead. The specific overhead is determined by the network plugin, for example: - OVN-Kubernetes: `100 bytes` - OpenShift SDN: `50 bytes` -The network plugin can provide additional features, like IPsec, that also must be decreased the MTU. For additional information, see the documentation. +The network plugin can provide additional features, like IPsec, that also must be decreased the MTU. + +ifdef::local-zone[] +For more information, see link:https://docs.aws.amazon.com/local-zones/latest/ug/how-local-zones-work.html[How Local Zones work] in the AWS documentation. +endif::local-zones[] +ifdef::wavelength-zone[] +For more information, see link:https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html[How AWS Wavelength work] in the AWS documentation. +endif::wavelength-zone[] ==== -{product-title} 4.12 introduced a new compute pool, _edge_, that is designed for use in remote zones. The edge compute pool configuration is common between AWS Local Zones locations. Because of the type and size limitations of resources like EC2 and EBS on Local Zone resources, the default instance type can vary from the traditional worker pool. +{product-title} 4.12 introduced a new compute pool, _edge_, that is designed for use in remote zones. The edge compute pool configuration is common between AWS {zone-type} locations. Because of the type and size limitations of resources like EC2 and EBS on {zone-type} resources, the default instance type can vary from the traditional worker pool. -The default Elastic Block Store (EBS) for Local Zone locations is `gp2`, which differs from the regular worker pool. 
The instance type used for each Local Zone on edge compute pool also might differ from worker pools, depending on the instance offerings on the zone. +The default Elastic Block Store (EBS) for {zone-type} locations is `gp2`, which differs from the regular worker pool. The instance type used for each {zone-type} on edge compute pool also might differ from worker pools, depending on the instance offerings on the zone. -The edge compute pool creates new labels that developers can use to deploy applications onto AWS Local Zones nodes. The new labels are: +The edge compute pool creates new labels that developers can use to deploy applications onto AWS {zone-type} nodes. The new labels are: * `node-role.kubernetes.io/edge=''` +ifdef::local-zone[] * `machine.openshift.io/zone-type=local-zone` +endif::local-zone[] +ifdef::wavelength-zone[] +* `machine.openshift.io/zone-type=wavelength-zone` +endif::wavelength-zone[] * `machine.openshift.io/zone-group=$ZONE_GROUP_NAME` -//// -By default, the system creates the edge compute pool manifests only if users add AWS Local Zones subnet IDs to the list `platform.aws.subnets`. -//// - -By default, the machine sets for the edge compute pool defines the taint of `NoSchedule` to prevent regular workloads from spreading on Local Zone instances. Users can only run user workloads if they define tolerations in the pod specification. - -ifndef::edge[] -The following examples show `install-config.yaml` files that use the edge machine pool. - -.Configuration that uses an edge pool with a custom instance type -[source,yaml] ----- -apiVersion: v1 -baseDomain: devcluster.openshift.com -metadata: - name: ipi-localzone -compute: -- name: edge - platform: - aws: - type: m5.4xlarge -platform: - aws: - region: us-west-2 -pullSecret: '{"auths": ...}' -sshKey: ssh-ed25519 AAAA... ----- - -Instance types differ between locations. To verify availability in the Local Zone in which the cluster runs, see the AWS documentation. 
- -.Configuration that uses an edge pool with a custom EBS type -[source,yaml] ----- -apiVersion: v1 -baseDomain: devcluster.openshift.com -metadata: - name: ipi-localzone -compute: -- name: edge - platform: - aws: - rootVolume: - type: gp3 - size: 120 -platform: - aws: - region: us-west-2 -pullSecret: '{"auths": ...}' -sshKey: ssh-ed25519 AAAA... ----- - -EBS types differ between locations. Check the AWS documentation to verify availability in the Local Zone in which the cluster runs. - -.Configuration that uses an edge pool with custom security groups -[source,yaml] ----- -apiVersion: v1 -baseDomain: devcluster.openshift.com -metadata: - name: ipi-localzone -compute: -- name: edge - platform: - aws: - additionalSecurityGroupIDs: - - sg-1 <1> - - sg-2 -platform: - aws: - region: us-west-2 -pullSecret: '{"auths": ...}' -sshKey: ssh-ed25519 AAAA... ----- -<1> Specify the name of the security group as it appears in the Amazon EC2 console, including the `sg` prefix. -endif::edge[] +By default, the machine sets for the edge compute pool defines the taint of `NoSchedule` to prevent regular workloads from spreading on {zone-type} instances. Users can only run user workloads if they define tolerations in the pod specification. ifeval::["{context}" == "aws-compute-edge-tasks"] :!edge: endif::[] +ifeval::["{context}" == "installing-aws-localzone"] +:!local-zone: +endif::[] +ifeval::["{context}" == "installing-aws-wavelength"] +:!wavelength-zone: +endif::[] diff --git a/post_installation_configuration/aws-compute-edge-tasks.adoc b/post_installation_configuration/aws-compute-edge-tasks.adoc index 45fd4a0a68b3..f70833993623 100644 --- a/post_installation_configuration/aws-compute-edge-tasks.adoc +++ b/post_installation_configuration/aws-compute-edge-tasks.adoc 
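Review bot: the new guard `ifeval::["{context}" == "installing-aws-wavelength"]` will not match if the Wavelength assembly follows the same naming as the Local Zones one (file `installing-aws-wavelength-zone`, and `installing-aws-localzone.adoc` sets `:context: installing-aws-localzone`, identical to its file name); in that case `:wavelength-zone:` is never set, so the `machine.openshift.io/zone-type=wavelength-zone` label and the Wavelength link never render. Check the actual `:context:` value in the new assembly and use it in both the opening and the trailing `:!wavelength-zone:` block. Three smaller points in the same hunk: `endif::local-zones[]` does not match `ifdef::local-zone[]` and Asciidoctor logs a mismatched preprocessor directive for it; `:zone-type:` is defined as the plural `Local Zones`, so `in a {zone-type}` and `each {zone-type}` render as "in a Local Zones", which needs either a singular attribute or rewording; and the link text "How AWS Wavelength work" should read "works". Finally, the three `install-config.yaml` examples (custom instance type, custom `rootVolume`, `additionalSecurityGroupIDs`) are removed from the `ifndef::edge[]` block without a visible replacement; if they are meant to move to a shared module, that module should be part of this change.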
@@ -1,6 +1,6 @@ :_mod-docs-content-type: ASSEMBLY [id="aws-compute-edge-tasks"] -= AWS Local Zone tasks += AWS Local Zone and Wavelength Zone tasks include::_attributes/common-attributes.adoc[] :context: aws-compute-edge-tasks
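Review bot: renaming this assembly to cover Wavelength Zones is not enough on its own, because the module it includes now depends on attributes this assembly does not set. With `:context: aws-compute-edge-tasks`, the `ifeval` blocks in `edge-machine-pools-aws-local-zones.adoc` set only `:edge:`, so neither `machine.openshift.io/zone-type=...` label nor either AWS "How ... work" link renders on this page, and `{zone-type}` is undefined here (this patch defines it only in `installing-aws-localzone.adoc`), so the heading comes out as the literal "Edge compute pools and AWS {zone-type}". Suggest adding `:zone-type: Local Zones and Wavelength Zones` (or similar) below `:context:` and giving the module an `edge` branch that lists both labels and both links.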