VRRP
×
vSphere installation requirements
Before you begin an installation using installer-provisioned infrastructure, be sure that your vSphere environment meets the following installation requirements.
VMware vSphere infrastructure requirements
You must install an OpenShift Container Platform cluster on one of the following versions of a VMware vSphere instance that meets the requirements for the components that you use:
-
Version 7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later
-
Version 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later
Both of these releases support Container Storage Interface (CSI) migration, which is enabled by default on OpenShift Container Platform 4.15.
You can host the VMware vSphere infrastructure on-premise or on a VMware Cloud Verified provider that meets the requirements outlined in the following tables:
| Virtual environment product | Required version |
|---|---|
VMware virtual hardware |
15 or later |
vSphere ESXi hosts |
7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later |
vCenter host |
7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later |
|
You must ensure that the time on your ESXi hosts is synchronized before you install OpenShift Container Platform. See Edit Time Configuration for a Host in the VMware documentation. |
| Component | Minimum supported versions | Description |
|---|---|---|
Hypervisor |
vSphere 7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; vSphere 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later with virtual hardware version 15 |
This hypervisor version is the minimum version that Red Hat Enterprise Linux CoreOS (RHCOS) supports. For more information about supported hardware on the latest version of Red Hat Enterprise Linux (RHEL) that is compatible with RHCOS, see Hardware on the Red Hat Customer Portal. |
Optional: Networking (NSX-T) |
vSphere 7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; vSphere 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later |
For more information about the compatibility of NSX and OpenShift Container Platform, see the Release Notes section of VMware’s NSX container plugin documentation. |
CPU micro-architecture |
x86-64-v2 or higher |
OpenShift 4.13 and later are based on RHEL 9.2 host operating system which raised the microarchitecture requirements to x86-64-v2. See the RHEL Microarchitecture requirements documentation. You can verify compatibility by following the procedures outlined in this KCS article. |
|
To ensure the best performance conditions for your cluster workloads that operate on Oracle® Cloud Infrastructure (OCI) and on the Oracle® Cloud VMware Solution (OCVS) service, ensure volume performance units (VPUs) for your block volume are sized for your workloads. The following list provides some guidance in selecting the VPUs needed for specific performance needs:
Consider allocating additional VPUs to give enough capacity for updates and scaling activities. See Block Volume Performance Levels (Oracle documentation). |
Network connectivity requirements
You must configure the network connectivity between machines to allow OpenShift Container Platform cluster components to communicate.
Review the following details about the required network ports.
| Protocol | Port | Description |
|---|---|---|
N/A |
Required for keepalived |
|
ICMP |
N/A |
Network reachability tests |
TCP |
|
Metrics |
|
Host level services, including the node exporter on ports |
|
|
The default ports that Kubernetes reserves |
|
|
openshift-sdn |
|
UDP |
|
virtual extensible LAN (VXLAN) |
|
Geneve |
|
|
Host level services, including the node exporter on ports |
|
|
IPsec IKE packets |
|
|
IPsec NAT-T packets |
|
TCP/UDP |
|
Kubernetes node port |
ESP |
N/A |
IPsec Encapsulating Security Payload (ESP) |
| Protocol | Port | Description |
|---|---|---|
TCP |
|
Kubernetes API |
| Protocol | Port | Description |
|---|---|---|
TCP |
|
etcd server and peer ports |
VMware vSphere CSI Driver Operator requirements
To install the vSphere Container Storage Interface (CSI) Driver Operator, the following requirements must be met:
-
VMware vSphere version: 7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later
-
vCenter version: 7.0 Update 2 or later, or VMware Cloud Foundation 4.3 or later; 8.0 Update 1 or later, or VMware Cloud Foundation 5.0 or later
-
Virtual machines of hardware version 15 or later
-
No third-party vSphere CSI driver already installed in the cluster
If a third-party vSphere CSI driver is present in the cluster, OpenShift Container Platform does not overwrite it. The presence of a third-party vSphere CSI driver prevents OpenShift Container Platform from updating to OpenShift Container Platform 4.13 or later.
|
The VMware vSphere CSI Driver Operator is supported only on clusters deployed with |
You can create a custom role for the Container Storage Interface (CSI) driver, the vSphere CSI Driver Operator, and the vSphere Problem Detector Operator. The custom role can include privilege sets that assign a minimum set of permissions to each vSphere object. This means that the CSI driver, the vSphere CSI Driver Operator, and the vSphere Problem Detector Operator can establish a basic interaction with these objects.
|
Installing an OpenShift Container Platform cluster in a vCenter is tested against a full list of privileges as described in the "Required vCenter account privileges" section. By adhering to the full list of privileges, you can reduce the possibility of unexpected and unsupported behaviors that might occur when creating a custom role with a set of restricted privileges. |
Additional resources
-
To remove a third-party vSphere CSI driver, see Removing a third-party vSphere CSI Driver.
-
To update the hardware version for your vSphere nodes, see Updating hardware on nodes running in vSphere.
vCenter requirements
Before you install an OpenShift Container Platform cluster on your vCenter that uses infrastructure that the installer provisions, you must prepare your environment.
Required vCenter account privileges
To install an OpenShift Container Platform cluster in a vCenter, the installation program requires access to an account with privileges to read and create the required resources. Using an account that has global administrative privileges is the simplest way to access all of the necessary permissions.
If you cannot use an account with global administrative privileges, you must create roles to grant the privileges necessary for OpenShift Container Platform cluster installation. While most of the privileges are always required, some are required only if you plan for the installation program to provision a folder to contain the OpenShift Container Platform cluster on your vCenter instance, which is the default behavior. You must create or amend vSphere roles for the specified objects to grant the required privileges.
An additional role is required if the installation program is to create a vSphere virtual machine folder.
Roles and privileges required for installation in vSphere API
| vSphere object for role | When required | Required privileges in vSphere API |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If VMs will be created in the cluster root |
|
vSphere vCenter Resource Pool |
If an existing resource pool is provided |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Roles and privileges required for installation in vCenter graphical user interface (GUI)
| vSphere object for role | When required | Required privileges in vCenter GUI |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If VMs will be created in the cluster root |
|
vSphere vCenter Resource Pool |
If an existing resource pool is provided |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Additionally, the user requires some ReadOnly permissions, and some of the roles require permission to propogate the permissions to child objects. These settings vary depending on whether or not you install the cluster into an existing folder.
Required permissions and propagation settings
| vSphere object | When required | Propagate to children | Permissions required |
|---|---|---|---|
vSphere vCenter |
Always |
False |
Listed required privileges |
vSphere vCenter Datacenter |
Existing folder |
False |
|
Installation program creates the folder |
True |
Listed required privileges |
|
vSphere vCenter Cluster |
Existing resource pool |
False |
|
VMs in cluster root |
True |
Listed required privileges |
|
vSphere vCenter Datastore |
Always |
False |
Listed required privileges |
vSphere Switch |
Always |
False |
|
vSphere Port Group |
Always |
False |
Listed required privileges |
vSphere vCenter Virtual Machine Folder |
Existing folder |
True |
Listed required privileges |
vSphere vCenter Resource Pool |
Existing resource pool |
True |
Listed required privileges |
For more information about creating an account with only the required privileges, see vSphere Permissions and User Management Tasks in the vSphere documentation.
Minimum required vCenter account privileges
After you create a custom role and assign privileges to it, you can create permissions by selecting specific vSphere objects and then assigning the custom role to a user or group for each object.
Before you create permissions or request for the creation of permissions for a vSphere object, determine what minimum permissions apply to the vSphere object. By doing this task, you can ensure a basic interaction exists between a vSphere object and OpenShift Container Platform architecture.
|
If you create a custom role and you do not assign privileges to it, the vSphere Server by default assigns a |
Consider creating a custom role when an account with global administrative privileges does not meet your needs.
|
Accounts that are not configured with the required privileges are unsupported. Installing an OpenShift Container Platform cluster in a vCenter is tested against a full list of privileges as described in the "Required vCenter account privileges" section. By adhering to the full list of privileges, you can reduce the possibility of unexpected behaviors that might occur when creating a custom role with a restricted set of privileges. |
The following tables list the minimum permissions for a vSphere object that interacts with specific OpenShift Container Platform architecture.
Minimum permissions on installer-provisioned infrastructure
| vSphere object for role | When required | Required privileges |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If you intend to create VMs in the cluster root |
|
vSphere vCenter Resource Pool |
If you provide an existing resource pool in the |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Minimum permissions for post-installation management of components
| vSphere object for role | When required | Required privileges |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If you intend to create VMs in the cluster root |
|
vSphere vCenter Resource Pool |
If you provide an existing resource pool in the |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Minimum permissions for the storage components
| vSphere object for role | When required | Required privileges |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If you intend to create VMs in the cluster root |
|
vSphere vCenter Resource Pool |
If you provide an existing resource pool in the |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Minimum permissions for the Machine API
| vSphere object for role | When required | Required privileges |
|---|---|---|
vSphere vCenter |
Always |
|
vSphere vCenter Cluster |
If you intend to create VMs in the cluster root |
|
vSphere vCenter Resource Pool |
If you provide an existing resource pool in the |
|
vSphere Datastore |
Always |
|
vSphere Port Group |
Always |
|
Virtual Machine Folder |
Always |
|
vSphere vCenter Datacenter |
If the installation program creates the virtual machine folder. For user-provisioned infrastructure, |
|
Using OpenShift Container Platform with vMotion
If you intend on using vMotion in your vSphere environment, consider the following before installing an OpenShift Container Platform cluster.
-
Using Storage vMotion can cause issues and is not supported.
-
Using VMware compute vMotion to migrate the workloads for both OpenShift Container Platform compute machines and control plane machines is generally supported, where generally implies that you meet all VMware best practices for vMotion.
To help ensure the uptime of your compute and control plane nodes, ensure that you follow the VMware best practices for vMotion, and use VMware anti-affinity rules to improve the availability of OpenShift Container Platform during maintenance or hardware issues.
For more information about vMotion and anti-affinity rules, see the VMware vSphere documentation for vMotion networking requirements and VM anti-affinity rules.
-
If you are using VMware vSphere volumes in your pods, migrating a VM across datastores, either manually or through Storage vMotion, causes invalid references within OpenShift Container Platform persistent volume (PV) objects that can result in data loss.
-
OpenShift Container Platform does not support selective migration of VMDKs across datastores, using datastore clusters for VM provisioning or for dynamic or static provisioning of PVs, or using a datastore that is part of a datastore cluster for dynamic or static provisioning of PVs.
You can specify the path of any datastore that exists in a datastore cluster. By default, Storage Distributed Resource Scheduler (SDRS), which uses Storage vMotion, is automatically enabled for a datastore cluster. Red Hat does not support Storage vMotion, so you must disable Storage DRS to avoid data loss issues for your OpenShift Container Platform cluster.
If you must specify VMs across multiple datastores, use a
datastoreobject to specify a failure domain in your cluster’sinstall-config.yamlconfiguration file. For more information, see "VMware vSphere region and zone enablement".
Cluster resources
When you deploy an OpenShift Container Platform cluster that uses installer-provisioned infrastructure, the installation program must be able to create several resources in your vCenter instance.
A standard OpenShift Container Platform installation creates the following vCenter resources:
-
1 Folder
-
1 Tag category
-
1 Tag
-
Virtual machines:
-
1 template
-
1 temporary bootstrap node
-
3 control plane nodes
-
3 compute machines
-
Although these resources use 856 GB of storage, the bootstrap node is destroyed during the cluster installation process. A minimum of 800 GB of storage is required to use a standard cluster.
If you deploy more compute machines, the OpenShift Container Platform cluster will use more storage.
Cluster limits
Available resources vary between clusters. The number of possible clusters within a vCenter is limited primarily by available storage space and any limitations on the number of required resources. Be sure to consider both limitations to the vCenter resources that the cluster creates and the resources that you require to deploy a cluster, such as IP addresses and networks.
Networking requirements
You can use Dynamic Host Configuration Protocol (DHCP) for the network and configure the DHCP server to set persistent IP addresses to machines in your cluster. In the DHCP lease, you must configure the DHCP to use the default gateway.
|
You do not need to use the DHCP for the network if you want to provision nodes with static IP addresses. |
If you are installing to a restricted environment, the VM in your restricted network must have access to vCenter so that it can provision and manage nodes, persistent volume claims (PVCs), and other resources.
|
Ensure that each OpenShift Container Platform node in the cluster has access to a Network Time Protocol (NTP) server that is discoverable by DHCP. Installation is possible without an NTP server. However, asynchronous server clocks can cause errors, which the NTP server prevents. |
Additionally, you must create the following networking resources before you install the OpenShift Container Platform cluster:
Required IP Addresses
For a network that uses DHCP, an installer-provisioned vSphere installation requires two static IP addresses:
-
The API address is used to access the cluster API.
-
The Ingress address is used for cluster ingress traffic.
You must provide these IP addresses to the installation program when you install the OpenShift Container Platform cluster.
DNS records
You must create DNS records for two static IP addresses in the appropriate DNS server for the vCenter instance that hosts your OpenShift Container Platform cluster. In each record, <cluster_name> is the cluster name and <base_domain> is the cluster base domain that you specify when you install the cluster. A complete DNS record takes the form: <component>.<cluster_name>.<base_domain>..
| Component | Record | Description |
|---|---|---|
API VIP |
|
This DNS A/AAAA or CNAME (Canonical Name) record must point to the load balancer for the control plane machines. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
Ingress VIP |
|
A wildcard DNS A/AAAA or CNAME record that points to the load balancer that targets the machines that run the Ingress router pods, which are the worker nodes by default. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
Static IP addresses for vSphere nodes
You can provision bootstrap, control plane, and compute nodes to be configured with static IP addresses in environments where Dynamic Host Configuration Protocol (DHCP) does not exist. To configure this environment, you must provide values to the platform.vsphere.hosts.role parameter in the install-config.yaml file.
|
Static IP addresses for vSphere nodes is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope. |
By default, the installation program is configured to use the DHCP for the network, but this network has limited configurable capabilities.
After you define one or more machine pools in your install-config.yaml file, you can define network definitions for nodes on your network. Ensure that the number of network definitions matches the number of machine pools that you configured for your cluster.
Example network configuration that specifies different roles
# ...
platform:
vsphere:
hosts:
- role: bootstrap (1)
networkDevice:
ipAddrs:
- 192.168.204.10/24 (2)
gateway: 192.168.204.1 (3)
nameservers: (4)
- 192.168.204.1
- role: control-plane
networkDevice:
ipAddrs:
- 192.168.204.11/24
gateway: 192.168.204.1
nameservers:
- 192.168.204.1
- role: control-plane
networkDevice:
ipAddrs:
- 192.168.204.12/24
gateway: 192.168.204.1
nameservers:
- 192.168.204.1
- role: control-plane
networkDevice:
ipAddrs:
- 192.168.204.13/24
gateway: 192.168.204.1
nameservers:
- 192.168.204.1
- role: compute
networkDevice:
ipAddrs:
- 192.168.204.14/24
gateway: 192.168.204.1
nameservers:
- 192.168.204.1
# ...| 1 | Valid network definition values include bootstrap, control-plane, and compute. You must list at least one bootstrap network definition in your install-config.yaml configuration file. |
||
| 2 | Lists IPv4, IPv6, or both IP addresses that the installation program passes to the network interface. The machine API controller assigns all configured IP addresses to the default network interface. | ||
| 3 | The default gateway for the network interface. | ||
| 4 | Lists up to 3 DNS nameservers.
|
After you deployed your cluster to run nodes with static IP addresses, you can scale a machine to use one of these static IP addresses. Additionally, you can use a machine set to configure a machine to use one of the configured static IP addresses.