You can create a Red Hat OpenShift on AWS (ROSA) cluster in two ways:
By using command-line tools
By using the Red Hat Hybrid Cloud Console
This method uses command-line interface (CLI) tools that you must install on an internet-enabled workstation:
aws: You use the aws command to log in to your Amazon Web Services (AWS) account and to select the AWS Region in which you plan to create your cluster.
rosa: You use the rosa command to log in to your Red Hat account and to prepare AWS Identity and Access Management (IAM) roles and resources.
You also use that command to initiate the cluster creation from the terminal and to manage your cluster after creation.
Both command-line tools are available for Linux, macOS, and Microsoft Windows systems.
The Hybrid Cloud Console is a web application that Red Hat hosts on the internet, and that offers a collection of services. One service, the Red Hat OpenShift Cluster Manager, provides a web interface to create and manage your clusters.
However, the OpenShift Cluster Manager cannot perform all the needed steps to create a ROSA cluster from its web interface.
For a few tasks, it directs you to the rosa command.
The current course does not explain this creation method. Instead, the course presents creating ROSA clusters by using the command-line tools.
When the ROSA cluster creation process creates your cluster, it creates AWS resources in your AWS account. For example, it creates Amazon Elastic Compute Cloud (EC2) instances for the OpenShift cluster nodes, and Amazon Elastic Block Store (EBS) volumes for OpenShift persistent volumes.
After creation, some OpenShift operators also create and manage AWS resources. For example, when the cluster load increases, the cluster autoscaler instructs the OpenShift Machine API Operator to create a compute node. The OpenShift Machine API Operator uses the AWS API to deploy an additional EC2 instance for that new compute node.
ROSA supports two modes to grant access to AWS resources:
By using an IAM user with administrator access to the AWS account. In this mode, the user has full permissions to create and manage any AWS resources in the account.
Red Hat discourages the use of this method, because it grants some unnecessary privileges to OpenShift. Also, the OpenShift Cluster Manager web service does not work in that mode.
By using the AWS Security Token Service (STS). In this mode, STS provides restricted, temporary access to AWS resources. For that purpose, the ROSA cluster creation process creates IAM roles and policies that grant only the rights that the OpenShift cluster operators need.
Red Hat recommends that you use STS for ROSA.
When you use the default options, the ROSA cluster creation process creates an OpenShift cluster that is accessible from the internet.
The ROSA cluster creation process creates an internet-facing Amazon Elastic Load Balancing (ELB) resource to route the customer traffic to the applications that are running on OpenShift.
For API access, for example by the oc and kubectl commands, the ROSA cluster creation process creates a second ELB load balancer that dispatches the OpenShift API traffic to the control plane nodes.
The Red Hat Site Reliability Engineering (SRE) experts also use these public access points for managing your cluster.
Alternatively, you can create a PrivateLink private cluster, which is not accessible from the internet by default.
For PrivateLink clusters, you can create an AWS Direct Connect network connection to provide access to the cluster from within your organization.
For the SRE experts to manage the cluster, the ROSA cluster creation process creates an AWS Virtual Private Cloud (VPC) endpoint service that connects the SRE AWS account to the private network. That network traffic uses the AWS infrastructure and does not go through the internet.
When you run the rosa command without additional options, it creates the cluster by using default values.
You can run the command in interactive mode for more control over the creation options.
In that mode, you can customize items such as the following:
The OpenShift version
The AWS Region
Whether to use multiple AWS availability zones for higher resilience
Whether to create a PrivateLink cluster
The EC2 instance type for the OpenShift nodes
Whether to use autoscaling so that OpenShift automatically instantiates new compute nodes as the load increases
The number of OpenShift compute nodes (two by default)
The private network addresses
Before you can create your first ROSA cluster, you need an AWS account with an IAM user. Because you subscribe to ROSA through the AWS Marketplace, your IAM user must have AWS Marketplace permissions. If you do not have these permissions, then contact your AWS account administrator to grant you access. Review the documentation in the reference section for more details about how to troubleshoot ROSA enablement errors.
Your AWS account must have enough AWS service quotas to create ROSA clusters.
You can use the rosa command to verify these quotas.
Review the documentation in the reference section for a list of required quotas.
You also need a Red Hat account to access the Hybrid Cloud Console. The cluster creation process links your Red Hat account with the AWS account so that you can manage your ROSA clusters from the OpenShift Cluster Manager web interface.
If you do not have an account, then navigate to https://console.redhat.com/openshift, click , and then follow the instructions to create a personal account.
To subscribe to ROSA through the AWS Marketplace, log in to the AWS Management Console at https://console.aws.amazon.com/, and then enable ROSA:
Navigate to → → .
Click to access the page.
If the checkmark is displayed, then you are already subscribed to ROSA.
Otherwise, select and then click .
The page also verifies the quotas and role prerequisites. If the service quotas do not meet the requirements, then review the Requesting a Quota Increase documentation at https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html to adjust your quotas.
Before you create a cluster, you must perform some initial configuration:
Install the aws command on your system.
The tool is available at https://aws.amazon.com/cli/.
Run the aws configure command to provide your IAM user credentials and to select your AWS Region.
You use AWS access keys to provide your credentials.
If you do not have access keys, then refer to the Managing Access Keys for IAM Users document at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html to create them.
$ aws configure
AWS Access Key ID [None]: AKIAXBPATO4UQQERVA6I
AWS Secret Access Key [None]: j8X/hphaBCOK0J5Ry64PZBRYcT0AV9gn7TWdXxw4
Default region name [None]: us-east-1
Default output format [None]: <Enter>
Install the rosa command on your system.
The tool is available at https://console.redhat.com/openshift/downloads.
Run the rosa login command to log in to your Red Hat account.
The command instructs you to generate an access token.
$ rosa login
To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
? Copy the token and paste it here:
A following section shows how to create a ROSA cluster on your AWS account.
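As an added example that is not part of the course, the following shell script runs a preflight check after aws configure and rosa login: it confirms that the configured access keys do not belong to the account root user, that a default AWS Region is set, that rosa is logged in, and that the service quotas in that Region are sufficient (the quota check the text refers to). AWS_BIN and ROSA_BIN are assumed helper variables that default to the real tools and exist only so the checks can be exercised against stub commands.

```shell
#!/usr/bin/env bash
# Added example, not part of the course: preflight checks to run after
# `aws configure` and `rosa login`, before creating a ROSA cluster.
# AWS_BIN and ROSA_BIN are hypothetical variables that let the checks be
# exercised against stub commands; they default to the real tools.
AWS_BIN=${AWS_BIN:-aws}
ROSA_BIN=${ROSA_BIN:-rosa}

# Print the caller ARN of the configured access keys. Fail if they belong to
# the account root user: the course expects an IAM user, and root keys
# should never be stored in ~/.aws/credentials.
check_aws_identity() {
  local arn
  arn=$("$AWS_BIN" sts get-caller-identity --query Arn --output text) || return 1
  case "$arn" in
    *:root) echo "root credentials in use: $arn" >&2; return 1 ;;
    arn:aws:iam::*:user/*) echo "$arn" ;;
    arn:aws:sts::*:assumed-role/*) echo "$arn" ;;
    *) echo "unexpected principal: $arn" >&2; return 1 ;;
  esac
}

# Print the Region that `aws configure` stored; fail when none is set, so
# that quotas are verified in the Region where the cluster will be created.
check_region() {
  local region
  region=$("$AWS_BIN" configure get region) || return 1
  [ -n "$region" ] || { echo "no default Region configured" >&2; return 1; }
  echo "$region"
}

# Confirm that rosa login succeeded and that the AWS service quotas in the
# given Region are sufficient (rosa verify quota fails when they are not).
check_rosa() {
  local region=$1
  "$ROSA_BIN" whoami >/dev/null || { echo "run rosa login first" >&2; return 1; }
  "$ROSA_BIN" verify quota --region "$region" >/dev/null || return 1
}
# Run all checks; a non-zero status means the workstation is not ready.
preflight() {
  local arn region
  arn=$(check_aws_identity) || return 1
  region=$(check_region) || return 1
  check_rosa "$region" || return 1
  echo "ready: $arn in $region"
}

# Invoke as `bash preflight.sh run`; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then preflight; fi
```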
For more information about AWS STS, refer to the Credential Modes section in the Understanding ROSA chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-understanding-credential-modes_rosa-understanding
For more information about the architecture options, refer to the Architecture Models section in the ROSA Architecture chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-architecture-models
For more information about the supported AWS Regions, refer to the Regions and Availability Zones section in the Policies and Service Definition chapter in the Red Hat OpenShift Service on AWS 4 Introduction to ROSA documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/introduction_to_rosa/index#rosa-sdpolicy-regions-az_rosa-service-definition
For more information about quotas, refer to the Required AWS Service Quotas chapter in the Red Hat OpenShift Service on AWS 4 Prepare your Environment documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/prepare_your_environment/index#rosa-sts-required-aws-service-quotas
For more information about preparing for cluster creation, refer to the Setting up the Environment section in the Red Hat OpenShift Service on AWS Quickstart Guide chapter in the Red Hat OpenShift Service on AWS 4 Getting Started documentation at https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws/4/html-single/getting_started/index#rosa-getting-started-environment-setup_rosa-quickstart-guide-ui
AWS - Getting Started with ROSA Using AWS PrivateLink
AWS - Troubleshoot ROSA Enablement Errors in the AWS ROSA Console