Azure: document custom VNets & cluster isolation #2573

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

openshift-merge-robot merged 1 commit into openshift:master from patrickdillon:azure-cluster-isolation-cors-1209

Oct 29, 2019

docs/user/azure/customization.md

-Original file line number
+Diff line change
@@ Expand Up / @@ -9,6 +9,10 @@ The following options are available when using Azure: @@
     * `region` (required string): The Azure region where the cluster will be created.
     * `baseDomainResourceGroupName` (required string): The resource group where the Azure DNS zone for the base domain is found.
     * `defaultMachinePlatform` (optional object): Default [Azure-specific machine pool properties](#machine-pools) which applies to [machine pools](../customization.md#machine-pools) that do not define their own Azure-specific properties.
+    * `networkResourceGroupName` (optional string): The resource group where the Azure VNet is found.
+    * `virtualNetwork` (optional string): The name of an existing VNet where the cluster infrastructure should be provisioned.
+    * `controlPlaneSubnet` (optional string): An existing subnet which should be used for the cluster control plane.
+    * `computeSubnet` (optional string): An existing subnet which should be used by cluster nodes.
     ## Machine pools
@@ Expand All / @@ -17,6 +21,15 @@ The following options are available when using Azure: @@
     * `type` (optional string): The Azure instance type.
     * `zones` (optional string slice): List of Azure availability zones that can be used (for example, `["1", "2", "3"]`).
+    ## Installing to Existing Networks & Subnetworks
+    The installer can use an existing VNet and subnets when provisioning an OpenShift cluster. If one of `networkResourceGroupName`, `virtualNetwork`, `controlPlaneSubnet`, or `computeSubnet`is specified, all must be specified [(see example below)](#existing-vnet). The installer will use these existing networks when creating infrastructure such as virtual machines, load balancers, and DNS zones.
+    ### Cluster Isolation
+    When pre-existing subnets are provided, the installer will not create a network security group (NSG) or alter an existing one attached to the subnet. This restriction means that no security rules are created. If multiple clusters are installed to the same VNet and isolation is desired, it must be enforced through an administrative task after the cluster is installed.
     ## Examples
     Some example `install-config.yaml` are shown below.
@@ Expand Down Expand Up / @@ -75,3 +88,23 @@ platform: @@
     pullSecret: '{"auths": ...}'
     sshKey: ssh-ed25519 AAAA...
     ```
+    ### Existing VNet
+    An example Azure install config to use a pre-existing VNet and subnets:
+    ```yaml
+    apiVersion: v1
+    baseDomain: example.com
+    metadata:
+      name: test-cluster
+    platform:
+      azure:
+        region: centralus
+        baseDomainResourceGroupName: os4-common
+        networkResourceGroupName: example_vnet_rg
+        virtualNetwork: example_vnet
+        controlPlaneSubnet: example_master_subnet
+        computeSubnet: example_worker_subnet
+    pullSecret: '{"auths": ...}'
+    sshKey: ssh-ed25519 AAAA...
+    ```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Azure: document custom VNets & cluster isolation #2573

Uh oh!

Diff view

Diff view

There are no files selected for viewing

abhinavdahiya Oct 28, 2019

Uh oh!

patrickdillon Oct 29, 2019

Uh oh!

Azure: document custom VNets & cluster isolation #2573

Uh oh!

Azure: document custom VNets & cluster isolation #2573

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing

abhinavdahiya Oct 28, 2019

Choose a reason for hiding this comment

Uh oh!

patrickdillon Oct 29, 2019

Choose a reason for hiding this comment

Uh oh!