openstack privileges documented

openshift · Oct 7, 2020 · fa06c6e · fa06c6e
1 parent c5352b9
commit fa06c6e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/docs/user/openstack/README.md b/docs/user/openstack/README.md
@@ -38,6 +38,7 @@ In addition, it covers the installation with the default CNI (OpenShiftSDN), as
 
 ## Reference Documents
 
+- [Privileges](privileges.md)
 - [Known Issues and Workarounds](known-issues.md)
 - [Using the OSP 4 installer with Kuryr](kuryr.md)
 - [Troubleshooting your cluster](troubleshooting.md)
@@ -71,6 +72,8 @@ You may need to increase the security group related quotas from their default va
 openstack quota set --secgroups 8 --secgroup-rules 100 <project>`
 ```
 
+Once you configure the quota for your tenant, please ensure that the user for the installer has the proper [privileges](privileges.md).
+
 ### Master Nodes
 
 The default deployment stands up 3 master nodes, which is the minimum amount required for a cluster. For each master node you stand up, you will need 1 instance, and 1 port available in your quota. They should be assigned a flavor with at least 16 GB RAM, 4 vCPUs, and 25 GB Disk. It is theoretically possible to run with a smaller flavor, but be aware that if it takes too long to stand up services, or certain essential services crash, the installer could time out, leading to a failed install.

diff --git a/docs/user/openstack/privileges.md b/docs/user/openstack/privileges.md
@@ -0,0 +1,11 @@
+# Required Privileges
+
+In order to succesfully deploy an OpenShift cluster on OpenStack, the user passed to the installer needs a particular set of permissions in a given project. Our recommendation is to create a user in the project that you intend to install your cluster onto with the role *member*. In the event that you want to customize the permissions for a more restricted install, the following use cases can accomodate them.
+
+## Bring Your Own Networks
+
+Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you use already prepared networking infrastructure. This would mean that an installation using this feature will only need permissions to read Private Networks, Subnets, and Routers. The user will still need to be able to create ports and tags on these interfaces though.
+
+## Floating IP Free Installs
+
+By leaving the `externalNetwork`, `ingressFloatingIP`, and `appsFloatingIP` fields empty, you can run the installer without creating, deleting, or modifying any floating IPs. Running the installer this way does not require you to have any Floating IP Privileges.