Menu Close

4.3.5. Deploying the cluster

You can install OpenShift Container Platform on a compatible cloud platform.


You can run the create cluster command of the installation program only once, during initial installation.


  • Configure an account with the cloud platform that hosts your cluster.
  • Obtain the OpenShift Container Platform installation program and the pull secret for your cluster.


  1. Remove any existing GCP credentials that do not use the service account key for the GCP account that you configured for your cluster and that are stored in the following locations:

    • The ~/.gcp/osServiceAccount.json file
    • The gcloud cli default credentials
  2. Run the installation program:

    $ ./openshift-install create cluster --dir=<installation_directory> \ 1
        --log-level=info 2
    For <installation_directory>, specify the directory name to store the files that the installation program creates.
    To view different installation details, specify warn, debug, or error instead of info.

    Specify an empty directory. Some installation assets, like bootstrap X.509 certificates have short expiration intervals, so you must not reuse an installation directory. If you want to reuse individual files from another cluster installation, you can copy them into your directory. However, the file names for the installation assets might change between releases. Use caution when copying installation files from an earlier OpenShift Container Platform version.

    Provide values at the prompts:

    1. Optional: Select an SSH key to use to access your cluster machines.


      For production OpenShift Container Platform clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your ssh-agent process uses.

    2. Select gcp as the platform to target.
    3. If you have not configured the service account key for your GCP account on your computer, you must obtain it from GCP and paste the contents of the file or enter the absolute path to the file.
    4. Select the project ID to provision the cluster in. The default value is specified by the service account that you configured.
    5. Select the region to deploy the cluster to.
    6. Select the base domain to deploy the cluster to. The base domain corresponds to the public DNS zone that you created for your cluster.
    7. Enter a descriptive name for your cluster. If you provide a name that is longer than 6 characters, only the first 6 characters will be used in the infrastructure ID that is generated from the cluster name.
    8. Paste the pull secret that you obtained from the Pull Secret page on the Red Hat OpenShift Cluster Manager site.

    If the cloud provider account that you configured on your host does not have sufficient permissions to deploy the cluster, the installation process stops, and the missing permissions are displayed.

    When the cluster deployment completes, directions for accessing your cluster, including a link to its web console and credentials for the kubeadmin user, display in your terminal.


    The Ignition config files that the installation program generates contain certificates that expire after 24 hours, which are then renewed at that time. If the cluster is shut down before renewing the certificates and the cluster is later restarted after the 24 hours have elapsed, the cluster automatically recovers the expired certificates. The exception is that you must manually approve the pending node-bootstrapper certificate signing requests (CSRs) to recover kubelet certificates. See the documentation for Recovering from expired control plane certificates for more information.


    You must not delete the installation program or the files that the installation program creates. Both are required to delete the cluster.

  3. Optional: You can reduce the number of permissions for the service account that you used to install the cluster.

    • If you assigned the Owner role to your service account, you can remove that role and replace it with the Viewer role.
    • If you included the Service Account Key Admin role, you can remove it.