In {product-title} version {product-version}, you can install a cluster on Microsoft Azure in a restricted network by creating an internal mirror of the installation release content on an existing Azure Virtual Network (VNet).
10
+
11
+
[IMPORTANT]
12
+
====
13
+
You can install an {product-title} cluster by using mirrored installation release content, but your cluster requires internet access to use the Azure APIs.
* You reviewed details about the xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update] processes.
20
+
* You read the documentation on xref:../../installing/installing-preparing.adoc#installing-preparing[selecting a cluster installation method and preparing it for users].
21
+
* You xref:../../installing/installing_azure/installing-azure-account.adoc#installing-azure-account[configured an Azure account] to host the cluster and determined the tested and validated region to deploy the cluster.
22
+
* You xref:../../installing/disconnected_install/installing-mirroring-installation-images.adoc#installation-about-mirror-registry_installing-mirroring-installation-images[mirrored the images for a disconnected installation] to your registry and obtained the `imageContentSources` data for your version of {product-title}.
23
+
+
24
+
[IMPORTANT]
25
+
====
26
+
Because the installation media is on the mirror host, you can use that computer to complete all installation steps.
27
+
====
28
+
* You have an existing VNet in Azure. While installing a cluster in a restricted network that uses installer-provisioned infrastructure, you cannot use the installer-provisioned VNet. You must use a user-provisioned VNet that satisfies one of the following requirements:
29
+
** The VNet contains the mirror registry
30
+
** The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere
31
+
* If you use a firewall, you xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configured it to allow the sites] that your cluster requires access to.
32
+
* If the cloud identity and access management (IAM) APIs are not accessible in your environment, or if you do not want to store an administrator-level credential secret in the kube-system namespace, you can xref:../../installing/installing_azure/manually-creating-iam-azure.adoc#manually-creating-iam-azure[manually create and maintain IAM credentials].
33
+
* If you use customer-managed encryption keys, you xref:../../installing/installing_azure/enabling-user-managed-encryption-azure.adoc#enabling-user-managed-encryption-azure[prepared your Azure environment for encryption].
* See xref:../../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] for more information about the Telemetry service
73
+
74
+
== Next steps
75
+
76
+
* xref:../../post_installation_configuration/cluster-tasks.adoc#available_cluster_customizations[Customize your cluster].
77
+
* If necessary, you can
78
+
xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].
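Review bot: the IMPORTANT admonition "your cluster requires internet access to use the Azure APIs" reads as contradicting the network security group rows this same change adds later, which deny the `Internet` service tag and allow only the `AzureCloud` tag. Suggest rewording to say the cluster needs outbound reachability to the Azure API endpoints (the `AzureCloud` service tag, or the equivalent Azure Firewall rule) rather than general internet access, so readers do not open an unrestricted egress path to satisfy the sentence. The mirror registry prerequisite "The VNet has firewall rules or a peering connection to access the mirror registry hosted elsewhere" should also state that the registry must be reachable from the subnets the cluster machines use (the control plane and compute subnets named in callouts `<12>` and `<13>` below), not merely from somewhere in the VNet. Minor: the "About remote health monitoring" bullet is missing its terminal period.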
@@ -103,16 +108,34 @@ The network security group rules must be in place before you install the cluster
103
108
|Allows internal communication to the machine config server for provisioning machines
104
109
|x
105
110
|
111
+
112
+
ifdef::restricted[]
113
+
|`*`
114
+
a|Allows connections to Azure APIs. You must set a Destination Service Tag to `AzureCloud`. ^[1]^
115
+
|x
116
+
|x
117
+
118
+
|`*`
119
+
a|Denies connections to the internet. You must set a Destination Service Tag to `Internet`. ^[1]^
120
+
|x
121
+
|x
122
+
endif::restricted[]
106
123
|===
124
+
[.small]
125
+
--
126
+
1. If you are using Azure Firewall to restrict the internet access, then xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[you can configure Azure Firewall to allow the Azure APIs]. A network security group rule is not needed.
127
+
--
107
128
108
129
include::snippets/mcs-endpoint-limitation.adoc[]
109
130
110
131
Because cluster components do not modify the user-provided network security groups, which the Kubernetes controllers update, a pseudo-network security group is created for the Kubernetes controller to modify without impacting the rest of the environment.
111
132
133
+
[role="_additional-resources"]
112
134
.Additional resources
113
135
114
136
* xref:../../networking/openshift_sdn/about-openshift-sdn.adoc#about-openshift-sdn[About the OpenShift SDN network plugin]
115
137
138
+
* xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[Configuring your firewall]
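Review bot: the two rows added under `ifdef::restricted[]` are outbound rules (they key on a Destination Service Tag), but the table they extend lists inbound rules such as the machine config server row, and neither the rows nor the surrounding text state the direction or the relative priority. Azure evaluates network security group rules in priority order and applies the first match, so the `Internet` deny rule must have a lower priority (a higher priority number) than the `AzureCloud` allow rule, otherwise Azure API traffic is blocked. Suggest marking the direction in the rule text ("Outbound: Allows connections to Azure APIs ...") and adding one sentence on ordering, for example "Give the deny rule a higher priority number than the allow rule." Footnote 1 should also make clear that the deny rule can be dropped only when user-defined routing sends all egress through Azure Firewall, which is the condition callout `<14>` in this change imposes; with default outbound routing the firewall is bypassed and the rule is still needed.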
@@ -195,18 +220,21 @@ If you disable simultaneous multithreading, ensure that your capacity planning a
195
220
<7> The cluster network plugin to install. The supported values are `OVNKubernetes` and `OpenShiftSDN`. The default value is `OVNKubernetes`.
196
221
<8> Specify the name of the resource group that contains the DNS zone for your base domain.
197
222
<9> Specify the name of an already existing resource group to install your cluster to. If undefined, a new resource group is created for the cluster.
198
-
ifdef::vnet,private,gov[]
223
+
ifdef::vnet,private,gov,restricted[]
199
224
<10> If you use an existing VNet, specify the name of the resource group that contains it.
200
225
<11> If you use an existing VNet, specify its name.
201
226
<12> If you use an existing VNet, specify the name of the subnet to host the control plane machines.
202
227
<13> If you use an existing VNet, specify the name of the subnet to host the compute machines.
203
-
endif::vnet,private,gov[]
228
+
endif::vnet,private,gov,restricted[]
204
229
ifdef::private,gov[]
205
230
<14> You can customize your own outbound routing. Configuring user-defined routing prevents exposing external endpoints in your cluster. User-defined routing for egress requires deploying your cluster to an existing VNet.
206
231
endif::private,gov[]
207
232
ifdef::gov[]
208
233
<15> Specify the name of the Azure cloud environment to deploy your cluster to. Set `AzureUSGovernmentCloud` to deploy to a Microsoft Azure Government (MAG) region. The default value is `AzurePublicCloud`.
209
234
endif::gov[]
235
+
ifdef::restricted[]
236
+
<14> When using Azure Firewall to restrict Internet access, you must configure outbound routing to send traffic through the Firewall. Configuring user-defined routing prevents exposing external endpoints in your cluster.
237
+
endif::restricted[]
210
238
ifdef::vnet[]
211
239
ifndef::openshift-origin[]
212
240
<14> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
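Review bot: callout `<14>` is now defined three times in separate conditional blocks (`private,gov`, `restricted`, and `vnet`). If the restricted assembly also sets the `vnet` attribute, which the widened `ifdef::vnet,private,gov,restricted[]` condition makes plausible, the rendered list shows two `<14>` entries with different meanings. Please confirm the attribute sets are disjoint, or renumber the restricted callout. The new `<14>` text also tells the reader to "configure outbound routing to send traffic through the Firewall" without naming the `install-config.yaml` parameter and value to set, unlike the neighbouring callouts, which name their keys; suggest naming the parameter the callout points at and stating what the reader should do when Azure Firewall is not in use.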
@@ -268,6 +296,11 @@ endif::vnet,private,gov[]
268
296
====
269
297
For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
270
298
====
299
+
ifdef::restricted[]
300
+
<17> Provide the contents of the certificate file that you used for your mirror registry.
301
+
<18> Provide the `imageContentSources` section from the output of the command to mirror the repository.
302
+
<19> How to publish the user-facing endpoints of your cluster. When using Azure Firewall to restrict Internet access, set `publish` to `Internal` to deploy a private cluster. The user-facing endpoints then cannot be accessed from the internet. The default value is `External`.
303
+
endif::restricted[]
271
304
ifdef::private[]
272
305
ifndef::openshift-origin[]
273
306
<17> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
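Review bot: `<17>` "Provide the contents of the certificate file that you used for your mirror registry" is ambiguous about which certificate is meant; it should say this is the CA certificate (PEM) that signed the mirror registry's serving certificate, since a leaf certificate alone does not establish trust in the registry. `<18>` should tell the reader to paste the `imageContentSources` block from the mirroring command output unchanged, because edited repository paths cause pulls to fall through to the upstream source registry, which the deny rule added in this change blocks. `<19>` repeats the `private` callout `<17>` wording nearly verbatim; consider a single shared conditional instead of two copies to maintain.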