Installing a cluster on AWS into a Secret or Top Secret Region

In {product-title} version {product-version}, you can install a cluster on Amazon Web Services (AWS) into the following secret regions:

Secret Commercial Cloud Services (SC2S)
Commercial Cloud Services (C2S)

To configure a cluster in either region, you change parameters in the install config.yaml file before you install the cluster.

Warning

In {product-title} {product-version}, the installation program uses Cluster API instead of Terraform to provision cluster infrastructure during installations on AWS. Installing a cluster on AWS into a secret or top-secret region by using the Cluster API implementation has not been tested as of the release of {product-title} {product-version}. This document will be updated when installation into a secret region has been tested.

There is a known issue with Network Load Balancers' support for security groups in secret or top secret regions that causes installations in these regions to fail. For more information, see OCPBUGS-33311.

Prerequisites

You reviewed details about the {product-title} installation and update processes.
You read the documentation on selecting a cluster installation method and preparing it for users.

You configured an AWS account to host the cluster.

Important

If you have an AWS profile stored on your computer, it must not use a temporary session token that you generated while using a multifactor authentication device. The cluster continues to use your current AWS credentials to create AWS resources for the entire life of the cluster, so you must use long-term credentials. To generate appropriate keys, see Managing Access Keys for IAM Users in the AWS documentation. You can supply the keys when you run the installation program.

If you use a firewall, you configured it to allow the sites that your cluster requires access to.

modules/installation-aws-about-government-region.adoc

modules/installation-aws-regions-with-no-ami.adoc

modules/private-clusters-default.adoc modules/private-clusters-about-aws.adoc

modules/installation-custom-aws-vpc.adoc modules/installation-aws-security-groups.adoc

modules/installation-aws-upload-custom-rhcos-ami.adoc

modules/installation-initializing-manual.adoc

Additional resources

Installation configuration parameters for AWS

modules/installation-aws-tested-machine-types.adoc modules/installation-aws-config-yaml.adoc modules/installation-configure-proxy.adoc modules/installation-applying-aws-security-groups.adoc

Alternatives to storing administrator-level secrets in the kube-system project

By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:

To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring an AWS cluster to use short-term credentials.

modules/manually-create-identity-access-management.adoc

Configuring an AWS cluster to use short-term credentials

To install a cluster that is configured to use the AWS Security Token Service (STS), you must configure the CCO utility and create the required AWS resources for your cluster.

modules/cco-ccoctl-configuring.adoc

Creating AWS resources with the Cloud Credential Operator utility

You have the following options when creating AWS resources:

You can use the ccoctl aws create-all command to create the AWS resources automatically. This is the quickest way to create the resources. See Creating AWS resources with a single command.
If you need to review the JSON files that the ccoctl tool creates before modifying AWS resources, or if the process the ccoctl tool uses to create AWS resources automatically does not meet the requirements of your organization, you can create the AWS resources individually. See Creating AWS resources individually.