In {product-title} {product-version}, you can install a cluster on Google Cloud Platform (GCP) in a restricted network by creating an internal mirror of the installation release content on an existing Google Virtual Private Cloud (VPC).
Important: You can install an {product-title} cluster by using mirrored installation release content, but your cluster still requires internet access to use the GCP APIs.
- You reviewed details about the {product-title} installation and update processes.
- You read the documentation on selecting a cluster installation method and preparing it for users.
- You configured a GCP project to host the cluster.
- You mirrored the images for a disconnected installation to your registry and obtained the imageContentSources data for your version of {product-title}. Important: Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
- You have an existing VPC in GCP. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VPC. You must use a user-provisioned VPC that satisfies one of the following requirements:
  - Contains the mirror registry
  - Has firewall rules or a peering connection to access the mirror registry hosted elsewhere
- If you use a firewall, you configured it to allow the sites that your cluster requires access to. While you might need to grant access to more sites, you must grant access to *.googleapis.com and accounts.google.com.
By default, administrator secrets are stored in the kube-system project. If you configured the credentialsMode parameter in the install-config.yaml file to Manual, you must use one of the following alternatives:
- To manage long-term cloud credentials manually, follow the procedure in Manually creating long-term credentials.
- To implement short-term credentials that are managed outside the cluster for individual components, follow the procedures in Configuring a GCP cluster to use short-term credentials. To install a cluster that is configured to use GCP Workload Identity, you must configure the CCO utility and create the required GCP resources for your cluster.
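The following install-config.yaml is an added illustration of how the prerequisites above fit together; it is not taken from the original page or from the installer's own documentation. It points the installer at an existing VPC and subnets, sets credentialsMode to Manual, carries the imageContentSources stanza produced by the mirroring step, and trusts the CA that signed the mirror registry certificate. Every concrete value (project ID, region, VPC and subnet names, mirror registry host, base domain, certificate and key material) is a placeholder that you replace with your own; the publish: Internal setting is an assumption that the cluster is private, which is not stated on this page.

```yaml
# Added example install-config.yaml for a restricted-network GCP install
# into an existing VPC. All names, hosts and secrets below are assumed
# placeholders, not values from the original page.
apiVersion: v1
baseDomain: example.com                 # assumed base domain
metadata:
  name: restricted-gcp                  # assumed cluster name
platform:
  gcp:
    projectID: my-gcp-project           # assumed GCP project ID
    region: us-central1                 # assumed region
    # User-provisioned VPC and subnets. The installer must not create its
    # own VPC in a restricted network; the existing VPC either hosts the
    # mirror registry or can reach it through firewall rules or peering.
    network: restricted-vpc
    controlPlaneSubnet: restricted-vpc-control-plane
    computeSubnet: restricted-vpc-compute
# Assumption: API and Ingress endpoints stay internal to the VPC.
publish: Internal
# Manual mode: the installer does not store administrator credentials in
# kube-system for components. You must create long-term credentials
# manually or configure short-term (Workload Identity) credentials.
credentialsMode: Manual
# Pull secret containing the mirror registry credentials (assumed host).
pullSecret: '{"auths":{"mirror.example.com:5000":{"auth":"<base64 user:password>"}}}'
sshKey: 'ssh-ed25519 AAAA<assumed public key> admin@bastion'
# CA that signed the mirror registry certificate, so nodes trust the
# mirror during installation. Insert the real PEM certificate here.
additionalTrustBundle: |
  -----BEGIN CERTIFICATE-----
  <mirror registry CA certificate, PEM encoded>
  -----END CERTIFICATE-----
# imageContentSources data obtained from the mirroring step. Release
# payload and operator images are pulled from the mirror, not quay.io.
imageContentSources:
- mirrors:
  - mirror.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-release
- mirrors:
  - mirror.example.com:5000/ocp4/openshift4
  source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
```

The additionalTrustBundle and imageContentSources stanzas must match what your mirror host actually serves: if the bundle does not include the CA that signed the registry certificate, nodes fail image pulls at first boot, and if the source/mirror pairs differ from the output of your mirroring step, the installer falls back to quay.io, which the restricted network blocks. Keep the firewall or proxy allowlist for *.googleapis.com and accounts.google.com in place, because credentialsMode: Manual changes who creates the cloud credentials, not whether the cluster needs the GCP APIs.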
- See About remote health monitoring for more information about the Telemetry service.
- Configure image streams for the Cluster Samples Operator and the must-gather tool.
- Learn how to use Operator Lifecycle Manager in disconnected environments.
- If the mirror registry that you used to install your cluster has a trusted CA, add it to the cluster by configuring additional trust stores.
- If necessary, you can opt out of remote health reporting.
- If necessary, see Registering your disconnected cluster.