Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select a subscription type. For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.

      Note

      The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.

   2. Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own.
   3. Click Next.
4. Select Run on Amazon Web Services.
5. After selecting your cloud provider, review and complete the listed Prerequisites. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.

6. Provide your AWS account details:

   1. Enter your AWS account ID.

   2. Enter your AWS access key ID and AWS secret access key for your AWS IAM user account.

      Note

      Revoking these credentials in AWS results in a loss of access to any cluster created with these credentials.

   3. Optional: You can select Bypass AWS service control policy (SCP) checks to disable the SCP checks.

      Note

      Some AWS SCPs can cause the installation to fail, even if you have the required permissions. Disabling the SCP checks allows an installation to proceed. The SCP is still enforced even if the checks are bypassed.

7. Click Next to validate your cloud provider account and go to the Cluster details page.

8. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.
   5. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

   6. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   7. Optional: Select Encrypt persistent volumes with customer keys if you want to provide your own AWS Key Management Service (KMS) key Amazon Resource Name (ARN). The key is used for encrypting all control plane, infrastructure, worker node root volumes, and persistent volumes in your cluster.

      Important

      Only persistent volumes (PVs) created from the default storage class are encrypted with this specific key.

      PVs created by using any other storage class are still encrypted, but the PVs are not encrypted with this key unless the storage class is specifically configured to use this key.

   8. Click Next.

9. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

   Note

   After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

10. Choose your preference for the Instance Metadata Service (IMDS) type, either using both IMDSv1 and IMDSv2 types or requiring your EC2 instances to use only IMDSv2. You can access instance metadata from a running instance in two ways:

    • Instance Metadata Service Version 1 (IMDSv1) - a request/response method

    • Instance Metadata Service Version 2 (IMDSv2) - a session-oriented method

      Important

      The Instance Metadata Service settings cannot be changed after your cluster is created.

      Note

      IMDSv2 uses session-oriented requests. With session-oriented requests, you create a session token that defines the session duration, which can range from a minimum of one second to a maximum of six hours. During the specified duration, you can use the same session token for subsequent requests. After the specified duration expires, you must create a new session token to use for future requests.

      For more information regarding IMDS, see Instance metadata and user data in the AWS documentation.

11. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.

12. On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.

    Important

    If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.

13. Optional: To install the cluster in an existing AWS Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.

    2. If you are installing into an existing VPC and opted to use private API endpoints, you can select Use a PrivateLink. This option enables connections to the cluster by Red Hat Site Reliability Engineering (SRE) using only AWS PrivateLink endpoints.

       Note

       The Use a PrivateLink option cannot be changed after a cluster is created.

    3. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
14. Click Next.

15. If you opted to install the cluster in an existing AWS VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.

    Note

    You must ensure that your VPC is configured with a public and a private subnet for each availability zone that you want the cluster installed into. If you opted to use PrivateLink, only private subnets are required.

    1. Optional: Expand Additional security groups and select additional custom security groups to apply to nodes in the machine pools that are created by default. You must have already created the security groups and associated them with the VPC that you selected for this cluster. You cannot add or edit security groups to the default machine pools after you create the cluster.

       By default, the security groups you specify are added for all node types. Clear the Apply the same security groups to all node types checkbox to apply different security groups for each node type.

       For more information, see the requirements for Security groups under Additional resources.

16. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

       • Specify a valid HTTP proxy URL.
       • Specify a valid HTTPS proxy URL.

       • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle.

         If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.

         Note

         If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.

    2. Click Next.

    For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.

17. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Note

    If you are installing into a VPC, the Machine CIDR range must match the VPC subnets.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

18. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

19. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

    Verification

    • You can monitor the progress of the installation in the Overview page for your cluster. You can view the installation logs on the same page. Your cluster is ready when the Status in the Details section of the page is listed as Ready.

Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select the Annual subscription type. Only the Annual subscription type is available when you deploy a cluster using a Red Hat cloud account.

      For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.

      Note

      You must have the required resource quota for the Annual subscription type to be available. For more information, contact your sales representative or Red Hat support.

   2. Select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
   3. Click Next.
4. Select Run on Amazon Web Services and click Next.

5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.
   5. Select a Persistent storage capacity for the cluster. For more information, see the Storage section in the OpenShift Dedicated service definition.
   6. Specify the number of Load balancers that you require for your cluster. For more information, see the Load balancers section in the OpenShift Dedicated service definition.
   7. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

   8. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   9. Click Next.

6. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

   Note

   After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a machine pool. For clusters that use the CCS model, you can add machine pools after installation that use a different instance type. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

7. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
8. In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.
9. Click Next.

10. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

    If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider.

11. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

12. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. On the Create an OpenShift cluster page, select Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select a subscription type. For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.

      Note

      The subscription types that are available to you depend on your OpenShift Dedicated subscriptions and resource quotas. For more information, contact your sales representative or Red Hat support.

   2. Select the Customer Cloud Subscription infrastructure type to deploy OpenShift Dedicated in an existing cloud provider account that you own.
   3. Click Next.
4. Select Run on Google Cloud Platform.
5. After selecting your cloud provider, review and complete the listed Prerequisites. Select the checkbox to acknowledge that you have read and completed all of the prerequisites.
6. Provide your GCP service account private key in JSON format. You can either click Browse to locate and attach a JSON file or add the details in the Service account JSON field.
7. Click Next to validate your cloud provider account and go to the Cluster details page.

8. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.

   5. Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.

      Important

      To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint constraints/compute.requireShieldedVm enabled. For more information regarding GCP organizational policy constraints, see Organization policy constraints.

   6. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

9. Optional: Expand Advanced Encryption to make changes to encryption settings.

   1. Select Use Custom KMS keys to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting Use default KMS Keys.

      Important

      To use custom KMS keys, the IAM service account osd-ccs-admin must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role. For more information about granting roles on a resource, see Granting roles on a resource.

      With Use Custom KMS keys selected:

      1. Select a key ring location from the Key ring location drop-down menu.
      2. Select a key ring from the Key ring drop-down menu.
      3. Select a key name from the Key name drop-down menu.
      4. Provide the KMS Service Account.

   2. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   3. Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
   4. Click Next.

10. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

    Note

    After your cluster is created, you can change the number of compute nodes in your cluster, but you cannot change the compute node instance type in a machine pool. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

11. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.

12. On the Network configuration page, select Public or Private to use either public or private API endpoints and application routes for your cluster.

    Important

    If you are using private API endpoints, you cannot access your cluster until you update the network settings in your cloud provider account.

13. Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.
    2. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
14. Click Next.

15. Optional: To install the cluster into a GCP Shared VPC:

    Important

    To install a cluster into a Shared VPC, you must use OpenShift Dedicated version 4.13.15 or above. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see Enable a host project.

    1. Select Install into GCP Shared VPC.

    2. Specify the Host project ID. If the specified host project ID is incorrect, cluster creation fails.

       Important

       Once you complete the steps within the cluster configuration wizard and click Create Cluster, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails. For information about Shared VPC permissions, see Provision Shared VPC.

16. If you opted to install the cluster in an existing GCP VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.

    Note

    If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.

17. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

       • Specify a valid HTTP proxy URL.
       • Specify a valid HTTPS proxy URL.

       • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle.

         If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.

         Note

         If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.

    2. Click Next.

    For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.

18. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Note

    If you are installing into a VPC, the Machine CIDR range must match the VPC subnets.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

19. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

20. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

    Note

    If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.

Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select the On-Demand subscription type.
   2. From the drop-down menu, select Google Cloud Marketplace.
   3. Select the Customer Cloud Subscription infrastructure type.
   4. Click Next.

4. On the Cloud provider page, read the provided prerequisites and the Google terms and conditions. Add your service account key.

   1. Click the Review Google Terms and Agreements link.
   2. To continue creating the cluster, click the checkbox indicating that you agree to the Google terms and agreements.

   3. Add your service account key.

      Note

      For more information about service account keys, click the information icon located next to Service account key.

   4. Click Next to validate your cloud provider account and go to the Cluster details page.

5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.

   5. Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.

      Important

      To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint constraints/compute.requireShieldedVm enabled. For more information regarding GCP organizational policy constraints, see Organization policy constraints.

   6. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

6. Optional: Expand Advanced Encryption to make changes to encryption settings.

   1. Select Use Custom KMS keys to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting Use default KMS Keys.

      Important

      To use custom KMS keys, the IAM service account osd-ccs-admin must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role. For more information about granting roles on a resource, see Granting roles on a resource.

      With Use Custom KMS keys selected:

      1. Select a key ring location from the Key ring location drop-down menu.
      2. Select a key ring from the Key ring drop-down menu.
      3. Select a key name from the Key name drop-down menu.
      4. Provide the KMS Service Account.

   2. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   3. Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
7. Click Next.

8. On the Machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

   Note

   After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a created machine pool. You can add machine pools after installation that use a customized instance type. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

9. Optional: Expand Add node labels to add labels to your nodes. Click Add additional label to add more node labels.
10. Click Next.
11. In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.

12. Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.
    2. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
13. Click Next.

14. Optional: To install the cluster into a GCP Shared VPC:

    Important

    To install a cluster into a Shared VPC, you must use OpenShift Dedicated version 4.13.15 or above. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see Enable a host project.

    1. Select Install into GCP Shared VPC.

    2. Specify the Host project ID. If the specified host project ID is incorrect, cluster creation fails.

       Important

       Once you complete the steps within the cluster configuration wizard and click Create Cluster, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails. For information about Shared VPC permissions, see Provision Shared VPC.

15. If you opted to install the cluster in an existing GCP VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.

    Note

    If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.

16. Click Next.

17. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

       • Specify a valid HTTP proxy URL.
       • Specify a valid HTTPS proxy URL.

       • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle.

         If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.

         Note

         If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.

    2. Click Next.

    For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.

18. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

    If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider.

19. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

20. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select the Annual subscription type. Only the Annual subscription type is available when you deploy a cluster using a Red Hat cloud account.

      For information about OpenShift Dedicated subscription options, see Cluster subscriptions and registration in the OpenShift Cluster Manager documentation.

      Note

      You must have the required resource quota for the Annual subscription type to be available. For more information, contact your sales representative or Red Hat support.

   2. Select the Red Hat cloud account infrastructure type to deploy OpenShift Dedicated in a cloud provider account that is owned by Red Hat.
   3. Click Next.
4. Select Run on Google Cloud Platform and click Next.

5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.

   5. Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.

      Important

      To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint constraints/compute.requireShieldedVm enabled. For more information regarding GCP organizational policy constraints, see Organization policy constraints.

   6. Select a Persistent storage capacity for the cluster. For more information, see the Storage section in the OpenShift Dedicated service definition.
   7. Specify the number of Load balancers that you require for your cluster. For more information, see the Load balancers section in the OpenShift Dedicated service definition.
   8. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

   9. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you will incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   10. Click Next.

6. On the Default machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

   Note

   After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a machine pool. For clusters that use the CCS model, you can add machine pools after installation that use a different instance type. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

7. Optional: Expand Edit node labels to add labels to your nodes. Click Add label to add more node labels and select Next.
8. In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.
9. Click Next.

10. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

    If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider.

11. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

12. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

Procedure

1. Log in to OpenShift Cluster Manager and click Create cluster.
2. In the Cloud tab, click Create cluster in the Red Hat OpenShift Dedicated row.

3. Under Billing model, configure the subscription type and infrastructure type:

   1. Select the On-Demand subscription type.
   2. From the drop-down menu, select Red Hat Marketplace.
   3. Click Next.

4. On the Cloud provider page:

   1. Select Google Cloud as your cloud provider.
   2. Click the checkbox indicating that you have read and completed all the prerequisites necessary to continue creating your cluster.

   3. Add your service account key.

      Note

      For more information about service account keys, click the information icon located next to Service account key.

   4. Click Next to validate your cloud provider account and go to the Cluster details page.

5. On the Cluster details page, provide a name for your cluster and specify the cluster details:

   1. Add a Cluster name.
   2. Select a cluster version from the Version drop-down menu.
   3. Select a cloud provider region from the Region drop-down menu.
   4. Select a Single zone or Multi-zone configuration.

   5. Optional: Select Enable Secure Boot for Shielded VMs to use Shielded VMs when installing your cluster. For more information, see Shielded VMs.

      Important

      To successfully create a cluster, you must select Enable Secure Boot support for Shielded VMs if your organization has the policy constraint constraints/compute.requireShieldedVm enabled. For more information regarding GCP organizational policy constraints, see Organization policy constraints.

   6. Leave Enable user workload monitoring selected to monitor your own projects in isolation from Red Hat Site Reliability Engineer (SRE) platform metrics. This option is enabled by default.

6. Optional: Expand Advanced Encryption to make changes to encryption settings.

   1. Select Use Custom KMS keys to use custom KMS keys. If you prefer not to use custom KMS keys, leave the default setting Use default KMS Keys.

      Important

      To use custom KMS keys, the IAM service account osd-ccs-admin must be granted the Cloud KMS CryptoKey Encrypter/Decrypter role. For more information about granting roles on a resource, see Granting roles on a resource.

      With Use Custom KMS keys selected:

      1. Select a key ring location from the Key ring location drop-down menu.
      2. Select a key ring from the Key ring drop-down menu.
      3. Select a key name from the Key name drop-down menu.
      4. Provide the KMS Service Account.

   2. Optional: Select Enable additional etcd encryption if you require etcd key value encryption. With this option, the etcd key values are encrypted, but not the keys. This option is in addition to the control plane storage encryption that encrypts the etcd volumes in OpenShift Dedicated clusters by default.

      Note

      By enabling etcd encryption for the key values in etcd, you incur a performance overhead of approximately 20%. The overhead is a result of introducing this second layer of encryption, in addition to the default control plane storage encryption that encrypts the etcd volumes. Consider enabling etcd encryption only if you specifically require it for your use case.

   3. Optional: Select Enable FIPS cryptography if you require your cluster to be FIPS validated.
7. Click Next.

8. On the Machine pool page, select a Compute node instance type and a Compute node count. The number and types of nodes that are available depend on your OpenShift Dedicated subscription. If you are using multiple availability zones, the compute node count is per zone.

   Note

   After your cluster is created, you can change the number of compute nodes, but you cannot change the compute node instance type in a created machine pool. You can add machine pools after installation that use a customized instance type. The number and types of nodes available to you depend on your OpenShift Dedicated subscription.

9. Optional: Expand Add node labels to add labels to your nodes. Click Add additional label to add more node labels.
10. Click Next.
11. In the Cluster privacy dialog, select Public or Private to use either public or private API endpoints and application routes for your cluster.

12. Optional: To install the cluster in an existing GCP Virtual Private Cloud (VPC):

    1. Select Install into an existing VPC.
    2. If you are installing into an existing VPC and you want to enable an HTTP or HTTPS proxy for your cluster, select Configure a cluster-wide proxy.
13. Click Next.

14. Optional: To install the cluster into a GCP Shared VPC:

    Important

    To install a cluster into a Shared VPC, you must use OpenShift Dedicated version 4.13.15 or above. Additionally, the VPC owner of the host project must enable a project as a host project in their Google Cloud console. For more information, see Enable a host project.

    1. Select Install into GCP Shared VPC.

    2. Specify the Host project ID. If the specified host project ID is incorrect, cluster creation fails.

       Important

       Once you complete the steps within the cluster configuration wizard and click Create Cluster, the cluster will go into the "Installation Waiting" state. At this point, you must contact the VPC owner of the host project, who must assign the dynamically-generated service account the following roles: Computer Network Administrator, Compute Security Administrator, and DNS Administrator. The VPC owner of the host project has 30 days to grant the listed permissions before the cluster creation fails. For information about Shared VPC permissions, see Provision Shared VPC.

15. If you opted to install the cluster in an existing GCP VPC, provide your Virtual Private Cloud (VPC) subnet settings and select Next. You must have created the Cloud network address translation (NAT) and a Cloud router. See the "Additional resources" section for information about Cloud NATs and Google VPCs.

    Note

    If you are installing a cluster into a Shared VPC, the VPC name and subnets are shared from the host project.

16. Click Next.

17. If you opted to configure a cluster-wide proxy, provide your proxy configuration details on the Cluster-wide proxy page:

    1. Enter a value in at least one of the following fields:

       • Specify a valid HTTP proxy URL.
       • Specify a valid HTTPS proxy URL.

       • In the Additional trust bundle field, provide a PEM encoded X.509 certificate bundle. The bundle is added to the trusted certificate store for the cluster nodes. An additional trust bundle file is required unless the identity certificate for the proxy is signed by an authority from the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle.

         If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional certificate authorities (CAs), you must provide the MITM CA certificate.

         Note

         If you upload an additional trust bundle file without specifying an HTTP or HTTPS proxy URL, the bundle is set on the cluster but is not configured to be used with the proxy.

    2. Click Next.

    For more information about configuring a proxy with OpenShift Dedicated, see Configuring a cluster-wide proxy.

18. In the CIDR ranges dialog, configure custom classless inter-domain routing (CIDR) ranges or use the defaults that are provided.

    Important

    CIDR configurations cannot be changed later. Confirm your selections with your network administrator before proceeding.

    If the cluster privacy is set to Private, you cannot access your cluster until you configure private connections in your cloud provider.

19. On the Cluster update strategy page, configure your update preferences:

    1. Choose a cluster update method:

       • Select Individual updates if you want to schedule each update individually. This is the default option.

       • Select Recurring updates to update your cluster on your preferred day and start time, when updates are available.

         Note

         You can review the end-of-life dates in the update lifecycle documentation for OpenShift Dedicated. For more information, see OpenShift Dedicated update life cycle.

    2. Provide administrator approval based on your cluster update method:

       • Individual updates: If you select an update version that requires approval, provide an administrator’s acknowledgment and click Approve and continue.

       • Recurring updates: If you selected recurring updates for your cluster, provide an administrator’s acknowledgment and click Approve and continue. OpenShift Cluster Manager does not start scheduled y-stream updates for minor versions without receiving an administrator’s acknowledgment.

         For information about administrator acknowledgment, see Administrator acknowledgment when upgrading to OpenShift 4.9.

    3. If you opted for recurring updates, select a preferred day of the week and upgrade start time in UTC from the drop-down menus.
    4. Optional: You can set a grace period for Node draining during cluster upgrades. A 1 hour grace period is set by default.

    5. Click Next.

       Note

       In the event of critical security concerns that significantly impact the security or stability of a cluster, Red Hat Site Reliability Engineering (SRE) might schedule automatic updates to the latest z-stream version that is not impacted. The updates are applied within 48 hours after customer notifications are provided. For a description of the critical impact security rating, see Understanding Red Hat security ratings.

20. Review the summary of your selections and click Create cluster to start the cluster installation. The installation takes approximately 30-40 minutes to complete.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select the cluster that you need to configure identity providers for.
2. Click the Access control tab.

3. Click Add identity provider.

   Note

   You can also click the Add Oauth configuration link in the warning message displayed after cluster creation to configure your identity providers.

4. Select GitHub from the drop-down menu.

5. Enter a unique name for the identity provider. This name cannot be changed later.

   • An OAuth callback URL is automatically generated in the provided field. You will use this to register the GitHub application.

     https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>

     For example:

     https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/github

6. Register an application on GitHub.
7. Return to OpenShift Dedicated and select a mapping method from the drop-down menu. Claim is recommended in most cases.
8. Enter the Client ID and Client secret provided by GitHub.
9. Enter a hostname. A hostname must be entered when using a hosted instance of GitHub Enterprise.
10. Optional: You can use a certificate authority (CA) file to validate server certificates for the configured GitHub Enterprise URL. Click Browse to locate and attach a CA file to the identity provider.
11. Select Use organizations or Use teams to restrict access to a particular GitHub organization or a GitHub team.
12. Enter the name of the organization or team you would like to restrict access to. Click Add more to specify multiple organizations or teams that users can be a member of.
13. Click Confirm.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select the cluster that you need to configure identity providers for.
2. Click the Access control tab.

3. Click Add identity provider.

   Note

   You can also click the Add Oauth configuration link in the warning message displayed after cluster creation to configure your identity providers.

4. Select GitLab from the drop-down menu.

5. Enter a unique name for the identity provider. This name cannot be changed later.

   • An OAuth callback URL is automatically generated in the provided field. You will provide this URL to GitLab.

     https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>

     For example:

     https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/gitlab

6. Add a new application in GitLab.
7. Return to OpenShift Dedicated and select a mapping method from the drop-down menu. Claim is recommended in most cases.
8. Enter the Client ID and Client secret provided by GitLab.
9. Enter the URL of your GitLab provider.
10. Optional: You can use a certificate authority (CA) file to validate server certificates for the configured GitLab URL. Click Browse to locate and attach a CA file to the identity provider.
11. Click Confirm.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select the cluster that you need to configure identity providers for.
2. Click the Access control tab.

3. Click Add identity provider.

   Note

   You can also click the Add Oauth configuration link in the warning message displayed after cluster creation to configure your identity providers.

4. Select Google from the drop-down menu.

5. Enter a unique name for the identity provider. This name cannot be changed later.

   • An OAuth callback URL is automatically generated in the provided field. You will provide this URL to Google.

     https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>

     For example:

     https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/google

6. Configure a Google identity provider using Google’s OpenID Connect integration.
7. Return to OpenShift Dedicated and select a mapping method from the drop-down menu. Claim is recommended in most cases.
8. Enter the Client ID of a registered Google project and the Client secret issued by Google.
9. Enter a hosted domain to restrict users to a Google Apps domain.
10. Click Confirm.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select the cluster that you need to configure identity providers for.
2. Click the Access control tab.

3. Click Add identity provider.

   Note

   You can also click the Add Oauth configuration link in the warning message displayed after cluster creation to configure your identity providers.

4. Select LDAP from the drop-down menu.
5. Enter a unique name for the identity provider. This name cannot be changed later.
6. Select a mapping method from the drop-down menu. Claim is recommended in most cases.
7. Enter a LDAP URL to specify the LDAP search parameters to use.
8. Optional: Enter a Bind DN and Bind password.

9. Enter the attributes that will map LDAP attributes to identities.

   • Enter an ID attribute whose value should be used as the user ID. Click Add more to add multiple ID attributes.
   • Optional: Enter a Preferred username attribute whose value should be used as the display name. Click Add more to add multiple preferred username attributes.
   • Optional: Enter an Email attribute whose value should be used as the email address. Click Add more to add multiple email attributes.
10. Optional: Click Show advanced Options to add a certificate authority (CA) file to your LDAP identity provider to validate server certificates for the configured URL. Click Browse to locate and attach a CA file to the identity provider.

11. Optional: Under the advanced options, you can choose to make the LDAP provider Insecure. If you select this option, a CA file cannot be used.

    Important

    If you are using an insecure LDAP connection (ldap:// or port 389), then you must check the Insecure option in the configuration wizard.

12. Click Confirm.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select the cluster that you need to configure identity providers for.
2. Click the Access control tab.

3. Click Add identity provider.

   Note

   You can also click the Add Oauth configuration link in the warning message displayed after cluster creation to configure your identity providers.

4. Select OpenID from the drop-down menu.

5. Enter a unique name for the identity provider. This name cannot be changed later.

   • An OAuth callback URL is automatically generated in the provided field.

     https://oauth-openshift.apps.<cluster_name>.<cluster_domain>/oauth2callback/<idp_provider_name>

     For example:

     https://oauth-openshift.apps.openshift-cluster.example.com/oauth2callback/openid

6. Register a new OpenID Connect client in the OpenID identity provider by following the steps to create an authorization request.
7. Return to OpenShift Dedicated and select a mapping method from the drop-down menu. Claim is recommended in most cases.
8. Enter a Client ID and Client secret provided from OpenID.
9. Enter an Issuer URL. This is the URL that the OpenID provider asserts as the Issuer Identifier. It must use the https scheme with no URL query parameters or fragments.
10. Enter an Email attribute whose value should be used as the email address. Click Add more to add multiple email attributes.
11. Enter a Name attribute whose value should be used as the preferred username. Click Add more to add multiple preferred usernames.
12. Enter a Preferred username attribute whose value should be used as the display name. Click Add more to add multiple display names.
13. Optional: Click Show advanced Options to add a certificate authority (CA) file to your OpenID identity provider.
14. Optional: Under the advanced options, you can add Additional scopes. By default, the OpenID scope is requested.
15. Click Confirm.

Procedure

1. From OpenShift Cluster Manager, navigate to the Clusters page and select your cluster.
2. Select Access control → Identity providers.
3. Click Add identity provider.
4. Select HTPasswd from the Identity Provider drop-down menu.
5. Add a unique name in the Name field for the identity provider.

6. Use the suggested username and password for the static user, or create your own.

   Note

   The credentials defined in this step are not visible after you select Add in the following step. If you lose the credentials, you must recreate the identity provider and define the credentials again.

7. Select Add to create the htpasswd identity provider and the single, static user.

8. Grant the static user permission to manage the cluster:

   1. Under Access control → Cluster Roles and Access, select Add user.
   2. Enter the User ID of the static user that you created in the preceding step.

   3. Select a Group.

      • If you are installing OpenShift Dedicated using the Customer Cloud Subscription (CCS) infrastructure type, choose either the dedicated-admins or cluster-admins group. Users in the dedicated-admins group have standard administrative privileges for OpenShift Dedicated. Users in the cluster-admins group have full administrative access to the cluster.
      • If you are installing OpenShift Dedicated using the Red Hat cloud account infrastructure type, the dedicated-admins group is automatically selected.
   4. Select Add user to grant the administration privileges to the user.

Procedure

1. From OpenShift Cluster Manager, click on the cluster you want to access.
2. Click Open Console.
3. Click on your identity provider and provide your credentials to log into the cluster.
4. Click Open console to open the web console for your cluster.
5. Click on your identity provider and provide your credentials to log in to the cluster. Complete any authorization requests that are presented by your provider.

Procedure

1. Navigate to OpenShift Cluster Manager and select your cluster.
2. Click the Access control tab.
3. In the Cluster Roles and Access tab, select next to a user and click Delete.

Procedure

1. Navigate to github.com and log in to your GitHub account.

2. Remove the user from your GitHub organization or team:

   • If your identity provider configuration uses a GitHub organization, follow the steps in Removing a member from your organization in the GitHub documentation.
   • If your identity provider configuration uses a team within a GitHub organization, follow the steps in Removing organization members from a team in the GitHub documentation.

Procedure

1. From OpenShift Cluster Manager, click on the cluster you want to delete.
2. Select Delete cluster from the Actions drop-down menu.

3. Type the name of the cluster highlighted in bold, then click Delete. Cluster deletion occurs automatically.

   Note

   If you delete a cluster that was installed into a GCP Shared VPC, inform the VPC owner of the host project to remove the IAM policy roles granted to the service account that was referenced during cluster creation.