openstack privileges documented #4214

Merged
3 changes: 3 additions & 0 deletions docs/user/openstack/README.md
Expand Up @@ -38,6 +38,7 @@ In addition, it covers the installation with the default CNI (OpenShiftSDN), as

## Reference Documents

- [Privileges](privileges.md)
- [Known Issues and Workarounds](known-issues.md)
- [Using the OSP 4 installer with Kuryr](kuryr.md)
- [Troubleshooting your cluster](troubleshooting.md)
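
Review bot: The new entry in the Reference Documents list is labelled only "Privileges", while the page it links to is titled "Required Privileges". Consider `- [Required Privileges](privileges.md)` so the link text matches the target heading and signals that this is a prerequisite for the installer's user rather than optional background.
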
Expand Down Expand Up @@ -71,6 +72,8 @@ You may need to increase the security group related quotas from their default va
openstack quota set --secgroups 8 --secgroup-rules 100 <project>`
```

Once you configure the quota for your project, please ensure that the user for the installer has the proper [privileges](privileges.md).

### Master Nodes

The default deployment stands up 3 master nodes, which is the minimum amount required for a cluster. For each master node you stand up, you will need 1 instance, and 1 port available in your quota. They should be assigned a flavor with at least 16 GB RAM, 4 vCPUs, and 25 GB Disk. It is theoretically possible to run with a smaller flavor, but be aware that if it takes too long to stand up services, or certain essential services crash, the installer could time out, leading to a failed install.
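
Review bot: The added sentence after the `openstack quota set` example sits at the very end of the security group quota text, immediately before "### Master Nodes", so a reader who does not need to raise quotas can skip that paragraph and never see the privileges requirement. Consider giving it its own short paragraph or subsection, and replacing "the proper privileges" with the concrete default that privileges.md recommends (a user with the *member* role in the target project). Separately, the context line above it ends with a stray backtick after `<project>` inside the code fence; it predates this change, but it is worth fixing in the same pass because a copy-pasted command would leave the shell waiting on an unterminated command substitution.
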
11 changes: 11 additions & 0 deletions docs/user/openstack/privileges.md
@@ -0,0 +1,11 @@
# Required Privileges

In order to succesfully deploy an OpenShift cluster on OpenStack, the user passed to the installer needs a particular set of permissions in a given project. Our recommendation is to create a user in the project that you intend to install your cluster onto with the role *member*. In the event that you want to customize the permissions for a more restricted install, the following use cases can accomodate them.

## Bring Your Own Networks

Using the [bring your own networks feature](https://github.com/openshift/installer/blob/master/docs/user/openstack/customization.md#custom-subnets) will allow you to use already prepared networking infrastructure. As long as you are not using Kuryr, using this feature enables the user to not need permission to create/delete networks, subnets, routers, and router interfaces. However, it will still need to be able to read them, tag them, and create/read/modify/delete ports on a given network and subnet. Note that if you are using Kuryr, you will still need the full set of permissions of the *member* role.

## Floating IP Free Installs

By leaving the `externalNetwork`, `ingressFloatingIP`, and `appsFloatingIP` fields empty, you can run the installer without creating, deleting, or modifying any floating IPs. Running the installer this way does not require you to have any Floating IP Privileges. Once again, this does not apply for Kuryr, and if you are using it you will need the full set of permissions of a typical *member* role.
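
Review bot: In "Bring Your Own Networks" and "Floating IP Free Installs" the reduced permission set is described only in prose ("read them, tag them, and create/read/modify/delete ports"), with no indication of how an operator grants exactly that set when the only role the page names is *member*. Someone following the least-privilege path cannot build or audit a restricted user from this description alone; consider a per-resource list of the operations the installer performs (networks, subnets, routers, router interfaces, ports, floating IPs) for each scenario, or state explicitly that a custom role or policy is required. Smaller points: "succesfully" and "accomodate" are misspelled in the intro paragraph, "it will still need" has no clear antecedent (presumably the user), and the customization.md link is an absolute URL to master where the README links to sibling docs by relative path.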