IBM Cloud Pak Playbook

Prerequisites - OpenShift 4

Prerequisites

OpenShift 4 Compute Requirements:

| Machine | Operating System | vCPU | RAM | Storage |
| --- | --- | --- | --- | --- |
| Bootstrap | RHCOS | 4 | 16 GB | 120 GB |
| Control Plane | RHCOS | 4 | 16 GB | 120 GB |
| Compute | RHCOS or RHEL 7.6 | 2 | 8 GB | 120 GB |

OpenShift 4 Network Requirements

DHCP

Required for VMs to obtain initial ignition config from bootstrap host

DNS

The following DNS entries are required to be in place prior to deployment:

| Component | Record | Description |
| --- | --- | --- |
| Kubernetes API | api.<cluster_name>.<base_domain> | This DNS record must point to the load balancer for the control plane machines. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
| Kubernetes API | api-int.<cluster_name>.<base_domain> | This DNS record must point to the load balancer for the control plane machines. This record must be resolvable from all the nodes within the cluster. |
| Routes | *.apps.<cluster_name>.<base_domain> | A wildcard DNS record that points to the load balancer that targets the machines that run the Ingress router pods, which are the worker nodes by default. This record must be resolvable by both clients external to the cluster and from all the nodes within the cluster. |
| etcd | etcd-<index>.<cluster_name>.<base_domain> | OpenShift Container Platform requires DNS records for each etcd instance to point to the control plane machines that host the instances. The etcd instances are differentiated by <index> values, which start with 0 and end with n-1, where n is the number of control plane machines in the cluster. The DNS record must resolve to a unicast IPv4 address for the control plane machine, and the records must be resolvable from all the nodes in the cluster. |
| etcd | _etcd-server-ssl._tcp.<cluster_name>.<base_domain> | For each control plane machine, OpenShift Container Platform also requires a SRV DNS record for etcd server on that machine with priority 0, weight 10 and port 2380. A cluster that uses three control plane machines requires the following records: |

_etcd-server-ssl._tcp.<cluster_name>.<base_domain> 86400 IN SRV 0 10 2380 etcd-0.<cluster_name>.<base_domain>.
_etcd-server-ssl._tcp.<cluster_name>.<base_domain> 86400 IN SRV 0 10 2380 etcd-1.<cluster_name>.<base_domain>.
_etcd-server-ssl._tcp.<cluster_name>.<base_domain> 86400 IN SRV 0 10 2380 etcd-2.<cluster_name>.<base_domain>.
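
The DNS prerequisites above can be verified before deployment by comparing exported zone data against the required records. The following Python check is an added example, not part of the original playbook; the cluster name ocp4, the base domain example.com, the addresses and all function names are assumptions chosen for illustration.

```python
import ipaddress

def required_records(cluster, base, masters=3):
    """Rows of the DNS table as (name, type, rdata); rdata None = any unicast IPv4."""
    zone = f"{cluster}.{base}.".lower()
    req = [(f"{host}.{zone}", "A", None) for host in ("api", "api-int", "*.apps")]
    for i in range(masters):  # etcd indexes run from 0 to n-1
        req.append((f"etcd-{i}.{zone}", "A", None))
        req.append((f"_etcd-server-ssl._tcp.{zone}", "SRV", f"0 10 2380 etcd-{i}.{zone}"))
    return req

def parse_zone(text):
    """Parse 'name [ttl] IN type rdata' lines with fully qualified names."""
    records = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "IN" not in fields or len(fields) < fields.index("IN") + 3:
            continue
        i = fields.index("IN")
        name = fields[0].lower().rstrip(".") + "."
        records.add((name, fields[i + 1].upper(), " ".join(fields[i + 2:]).lower()))
    return records

def is_unicast_ipv4(value):
    """True for a valid IPv4 address that is neither multicast nor 0.0.0.0."""
    try:
        addr = ipaddress.IPv4Address(value)
        return not (addr.is_multicast or addr.is_unspecified)
    except ipaddress.AddressValueError:
        return False

def missing_records(zone_text, cluster, base, masters=3):
    """Return the required records that the zone data does not satisfy."""
    have = parse_zone(zone_text)
    def satisfied(name, rtype, rdata):
        if rdata is not None:
            return (name, rtype, rdata) in have
        return any(n == name and t == "A" and is_unicast_ipv4(d) for n, t, d in have)
    return [r for r in required_records(cluster, base, masters) if not satisfied(*r)]

# Constructed sample: no api-int, wrong SRV port for etcd-1, etcd-2 multicast with no SRV.
SAMPLE_ZONE = """\
api.ocp4.example.com.     86400 IN A 192.0.2.10 ; control plane load balancer
*.apps.ocp4.example.com.  86400 IN A 192.0.2.11 ; ingress load balancer
etcd-0.ocp4.example.com.  86400 IN A 192.0.2.20
etcd-1.ocp4.example.com.  86400 IN A 192.0.2.21
etcd-2.ocp4.example.com.  86400 IN A 224.0.0.5
_etcd-server-ssl._tcp.ocp4.example.com. 86400 IN SRV 0 10 2380 etcd-0.ocp4.example.com.
_etcd-server-ssl._tcp.ocp4.example.com. 86400 IN SRV 0 10 2379 etcd-1.ocp4.example.com.
"""
```

Calling missing_records(SAMPLE_ZONE, "ocp4", "example.com") lists the unmet rows. The check covers record presence and values only; resolvability from external clients and from every cluster node still has to be tested from those vantage points.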

Firewall (From all machines to all machines)

| Protocol | Port | Description |
| --- | --- | --- |
| TCP | 2379-2380 | etcd server, peer, and metrics ports |
| TCP | 6443 | Kubernetes API |
| TCP | 9000-9999 | Host level services, including the node exporter on ports 9100-9101 and the Cluster Version Operator on port 9099. |
| TCP | 10249-10259 | The default ports that Kubernetes reserves |
| TCP | 10256 | openshift-sdn |
| UDP | 4789 | VXLAN and GENEVE |
| UDP | 6081 | VXLAN and GENEVE |
| UDP | 9000-9999 | Host level services, including the node exporter on ports 9100-9101. |
| UDP | 30000-32767 | Kubernetes NodePort |

Firewall (LoadBalancer)

| Port | Machines | Internal | External | Description |
| --- | --- | --- | --- | --- |
| 6443 | Bootstrap and control plane. You remove the bootstrap machine from the load balancer after the bootstrap machine initializes the cluster control plane. | x | x | Kubernetes API server |
| 22623 | Bootstrap and control plane. You remove the bootstrap machine from the load balancer after the bootstrap machine initializes the cluster control plane. | x | | Machine Config server |
| 443 | The machines that run the Ingress router pods, compute, or worker, by default. | x | x | HTTPS traffic |
| 80 | The machines that run the Ingress router pods, compute, or worker by default. | x | x | HTTP traffic |