Menu Close

13.5.4. Restricting the API server to private

After you deploy a cluster to Amazon Web Services (AWS) or Microsoft Azure, you can reconfigure the API server to use only the private zone.

Prerequisites

  • Install the OpenShift CLI (oc).
  • Have access to the web console as a user with admin privileges.

Procedure

  1. In the web portal or console for AWS or Azure, take the following actions:

    1. Locate and delete appropriate load balancer component.

      • For AWS, delete the external load balancer. The API DNS entry in the private zone already points to the internal load balancer, which uses an identical configuration, so you do not need to modify the internal load balancer.
      • For Azure, delete the api-internal rule for the load balancer.
    2. Delete the api.$clustername.$yourdomain DNS entry in the public zone.
  2. From your terminal, list the cluster machines:

    $ oc get machine -n openshift-machine-api

    Example output

    NAME                            STATE     TYPE        REGION      ZONE         AGE
    lk4pj-master-0                  running   m4.xlarge   us-east-1   us-east-1a   17m
    lk4pj-master-1                  running   m4.xlarge   us-east-1   us-east-1b   17m
    lk4pj-master-2                  running   m4.xlarge   us-east-1   us-east-1a   17m
    lk4pj-worker-us-east-1a-5fzfj   running   m4.xlarge   us-east-1   us-east-1a   15m
    lk4pj-worker-us-east-1a-vbghs   running   m4.xlarge   us-east-1   us-east-1a   15m
    lk4pj-worker-us-east-1b-zgpzg   running   m4.xlarge   us-east-1   us-east-1b   15m

    You modify the control plane machines, which contain master in the name, in the following step.

  3. Remove the external load balancer from each control plane machine.

    1. Edit a control plane Machine object to remove the reference to the external load balancer.

      $ oc edit machines -n openshift-machine-api <master_name> 1
      1
      Specify the name of the control plane, or master, Machine object to modify.
    2. Remove the lines that describe the external load balancer, which are marked in the following example, and save and exit the object specification:

      ...
      spec:
        providerSpec:
          value:
          ...
            loadBalancers:
            - name: lk4pj-ext 1
              type: network 2
            - name: lk4pj-int
              type: network
      1 2
      Delete this line.
    3. Repeat this process for each of the machines that contains master in the name.