This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on Jun 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 4.12, which is the latest version currently available.
You can create a Red Hat OpenShift on AWS (ROSA) cluster in two ways:
By using command-line tools
By using the Red Hat Hybrid Cloud Console
The command-line method uses command-line interface (CLI) tools that you must install on an internet-enabled workstation:
aws: You use the aws command to log in to your Amazon Web Services (AWS) account and to select the AWS region in which you plan to create your cluster.
rosa: You use the rosa command to log in to your Red Hat account and to prepare AWS Identity and Access Management (IAM) roles and resources.
You also use that command to initiate the cluster creation from the terminal and to manage your cluster after creation.
Both command-line tools are available for Linux, macOS, and Microsoft Windows systems.
The Hybrid Cloud Console is a web application that Red Hat hosts on the internet. The Hybrid Cloud Console offers a collection of services. One of them, the Red Hat OpenShift Cluster Manager, provides a web interface to create and manage your clusters.
However, the OpenShift Cluster Manager cannot perform all the steps needed to create a ROSA cluster from its web interface.
For a few tasks, it directs you to the rosa command.
This course does not detail the Hybrid Cloud Console method. Instead, it presents creating ROSA clusters by using the command-line tools.
When the ROSA cluster creation process creates your cluster, it creates AWS resources in your AWS account. For example, it creates Amazon Elastic Compute Cloud (EC2) instances for the OpenShift cluster nodes and Amazon Elastic Block Store (EBS) volumes for OpenShift persistent volumes.
After creation, some OpenShift operators also create and manage AWS resources. For example, when the cluster load increases, the cluster autoscaler instructs the OpenShift Machine API Operator to create a new compute node. The OpenShift Machine API Operator uses the AWS API to deploy an additional EC2 instance for that new compute node.
ROSA supports two modes to grant access to AWS resources:
By using an IAM user that has administrator access to the AWS account. In this mode, the user has full permissions to create and manage any AWS resources in the account.
Red Hat discourages the use of this method because it grants some unnecessary privileges to OpenShift. Also, the OpenShift Cluster Manager web service does not work in that mode.
By using the AWS Security Token Service (STS). In this mode, STS provides restricted, temporary access to AWS resources. For that purpose, the ROSA cluster creation process creates IAM roles and policies that grant only the rights that the OpenShift cluster operators need.
Red Hat recommends that you use STS for ROSA.
When you use the default options, the ROSA cluster creation process creates an OpenShift cluster accessible from the internet.
The ROSA cluster creation process creates an internet-facing AWS Elastic Load Balancing (ELB) resource to route the customer traffic to the applications running on OpenShift.
For API access, which the oc and kubectl commands use for example, the ROSA cluster creation process creates another ELB load balancer to dispatch the OpenShift API traffic to the control plane nodes.
The Red Hat site reliability engineering (SRE) experts also use these public access points to manage your cluster.
Alternatively, you can create a PrivateLink cluster, which is a private cluster that is not accessible from the internet by default.
For PrivateLink clusters, you can create an AWS Direct Connect network connection to provide access to the cluster from within your organization.
For the SRE experts to manage the cluster, the ROSA cluster creation process creates an AWS Virtual Private Cloud (VPC) endpoint service that connects the SRE AWS account to the private network. That network traffic uses the AWS infrastructure and does not go through the internet.
When you run it without options, the rosa command creates the cluster by using default values for every setting.
You can run the command in interactive mode to have more control over the creation options.
In that mode you can customize items such as:
The OpenShift version
The AWS Region
Whether to use multiple AWS availability zones for higher resiliency
Whether to create a PrivateLink cluster
The EC2 instance type for the OpenShift nodes
Whether to use autoscaling so that OpenShift automatically instantiates new compute nodes as the load increases
The number of OpenShift compute nodes (two by default)
The private network addresses
Before you can create your first ROSA cluster, you need an AWS account with an IAM user. Because you subscribe to ROSA through the AWS Marketplace, your IAM user must have AWS Marketplace permissions. If you do not have these permissions, then contact your AWS account administrator to grant you access. Review the documentation in the reference section for more details on how to troubleshoot ROSA enablement errors.
Your AWS account must have sufficient AWS service quotas to create ROSA clusters.
You can use the rosa command to verify these quotas.
Review the documentation in the reference section for a list of required quotas.
You also need a Red Hat account to download the rosa CLI and to access the Hybrid Cloud Console.
The cluster creation process links your Red Hat account with the AWS account so that you can manage your ROSA clusters from the OpenShift Cluster Manager web interface.
If you do not have an account, then navigate to https://console.redhat.com/openshift and follow the instructions to create a personal account.
To subscribe to ROSA through the AWS Marketplace, log in to the AWS Management Console at https://console.aws.amazon.com/, open the ROSA console, and then enable the service.
Before you create a cluster, you must perform some initial configuration:
Install the aws command on your system.
The tool is available at https://aws.amazon.com/cli/.
Run the aws configure command to provide your IAM user credentials and to select your AWS region.
You use AWS access keys to provide your credentials.
If you do not have access keys, then refer to the Managing Access Keys for IAM Users document at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html to create them.
$ aws configure
AWS Access Key ID [None]: AKIAXBPATO4UQQERVA6I
AWS Secret Access Key [None]: j8X/hphaBCOK0J5Ry64PZBRYcT0AV9gn7TWdXxw4
Default region name [None]: us-east-1
Default output format [None]: <Enter>
The key values shown are sample values. Access keys are long-lived credentials: aws configure stores them in plain text in ~/.aws/credentials, so protect that file and rotate or delete the keys when you no longer need them.
Install the rosa command on your system.
The tool is available at https://console.redhat.com/openshift/downloads.
Run the rosa login command to log in to your Red Hat account.
The command instructs you to generate an access token.
$ rosa login
To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
? Copy the token and paste it here:
Before creating a cluster, confirm that your AWS account meets all the following requirements:
The service-linked IAM role for the ELB service exists in your AWS account. This role allows the ELB service to create and manage load balancers in your AWS account. The ROSA cluster creation process creates such load balancers.
Because the rosa command does not provide an option to verify that requirement, use the aws command instead:
$ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
{
    "Role": {
        "Path": "/aws-service-role/elasticloadbalancing.amazonaws.com/",
        "RoleName": "AWSServiceRoleForElasticLoadBalancing",
...output omitted...
    }
}
Your AWS account quotas have enough resources available to create a ROSA cluster.
The rosa command performs that validation for you.
$ rosa verify quota
I: Validating AWS quota...
I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
If the command reports insufficient quotas, then review the Requesting a Quota Increase documentation at https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html to adjust your quotas.
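The preflight checks above, gathered into one script as an added example (this is not code from the course): it refuses to run as the AWS account root user, verifies that the ELB service-linked role exists and creates it with aws iam create-service-linked-role only when IAM reports NoSuchEntity, and then runs rosa verify quota. It assumes the aws and rosa CLIs are installed and that aws configure and rosa login have already been run. The function names, the run argument, and the sample ARNs and error strings are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the course: preflight checks to run before
# creating a ROSA cluster. Assumes the aws and rosa CLIs are installed and
# configured. Real AWS and rosa calls run only when the script is invoked
# with "run" as its first argument, so the helper functions can be
# exercised without an account.
set -eu

ELB_ROLE="AWSServiceRoleForElasticLoadBalancing"
ELB_SERVICE="elasticloadbalancing.amazonaws.com"

# Classify the stderr of "aws iam get-role": the role is "missing" only when
# IAM answers NoSuchEntity. Anything else (expired keys, AccessDenied, no
# network) is "error" and must stop the run instead of triggering creation.
classify_get_role_error() {
  case "$1" in
    *NoSuchEntity*) echo "missing" ;;
    *)              echo "error" ;;
  esac
}

# True when a caller identity ARN belongs to the account root user. Cluster
# setup should run as an IAM user with access keys, never as root.
is_root_arn() {
  case "$1" in
    arn:*:iam::*:root) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Extract the 12-digit account ID (fifth colon-separated field) from an ARN.
account_id_from_arn() {
  printf '%s\n' "$1" | cut -d: -f5
}

check_identity() {
  arn=$(aws sts get-caller-identity --query Arn --output text)
  if is_root_arn "$arn"; then
    echo "refusing to continue as the account root user ($arn)" >&2
    exit 1
  fi
  echo "ok: running as $arn in account $(account_id_from_arn "$arn")"
}

ensure_elb_role() {
  # Capture stderr only; the role document on stdout is not needed here.
  if err=$(aws iam get-role --role-name "$ELB_ROLE" 2>&1 >/dev/null); then
    echo "ok: $ELB_ROLE exists"
    return 0
  fi
  case "$(classify_get_role_error "$err")" in
    missing)
      echo "creating $ELB_ROLE"
      aws iam create-service-linked-role --aws-service-name "$ELB_SERVICE" >/dev/null
      ;;
    *)
      echo "aws iam get-role failed: $err" >&2
      exit 1
      ;;
  esac
}

preflight() {
  check_identity
  ensure_elb_role
  # Quota check from the course; a non-zero exit means request an increase first.
  rosa verify quota
}

if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Run it as ./rosa-preflight.sh run after aws configure and rosa login. The role check deliberately treats only NoSuchEntity as "missing": an AccessDenied or expired-credential error must abort, because creating the role blindly would mask a broken or over-privileged setup.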
A following section shows how to create a ROSA cluster on your AWS account.
For more information about AWS STS, refer to the Credential Modes section in the Understanding ROSA chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-understanding-credential-modes_rosa-understanding
For more information about the architecture options, refer to the Architecture Models section in the ROSA Architecture chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-architecture-models
For more information about the supported AWS regions, refer to the Regions and Availability Zones section in the Policies and Service Definition chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-sdpolicy-regions-az_rosa-service-definition
For more information about quotas, refer to the Required AWS Service Quotas chapter in the Red Hat OpenShift Service on AWS 4 Prepare your Environment documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/prepare_your_environment/index#rosa-sts-required-aws-service-quotas
For more information about preparing for cluster creation, refer to the Setting up the Environment section in the Red Hat OpenShift Service on AWS Quickstart Guide chapter in the Red Hat OpenShift Service on AWS 4 Getting Started documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/getting_started/index#rosa-getting-started-environment-setup_rosa-quickstart-guide-ui
AWS — Getting started with ROSA using AWS PrivateLink
AWS — Troubleshoot ROSA enablement errors in the AWS ROSA console