문제 해결

Red Hat OpenShift Service on AWS 4

AWS의 Red Hat OpenShift Service 지원 이해

Red Hat OpenShift Documentation Team

초록

이 문서에서는 ROSA(Red Hat OpenShift Service on AWS)에 대한 지원을 얻는 방법에 대해 설명합니다.

1장. 클러스터에 연결하여 원격 상태 모니터링

1.1. 원격 상태 모니터링으로 수집된 데이터 표시

관리자는 Telemetry 및 Insights Operator에서 수집한 메트릭을 검토할 수 있습니다.

1.1.1. Telemetry로 수집한 데이터 표시

Telemetry에서 캡처한 클러스터 및 구성 요소 시계열 데이터를 볼 수 있습니다.

사전 요구 사항

  • OpenShift Container Platform CLI(oc)를 설치했습니다.
  • cluster-admin 역할 또는 cluster-monitoring-view 역할의 사용자로 클러스터에 액세스할 수 있습니다.

절차

  1. 클러스터에 로그인합니다.
  2. 다음 명령을 실행하여 클러스터의 Prometheus 서비스를 쿼리하고 Telemetry에서 캡처한 전체 시계열 데이터 세트를 반환합니다.

    $ curl -G -k -H "Authorization: Bearer $(oc whoami -t)" \
    https://$(oc get route prometheus-k8s-federate -n \
    openshift-monitoring -o jsonpath="{.spec.host}")/federate \
    --data-urlencode 'match[]={__name__=~"cluster:usage:.*"}' \
    --data-urlencode 'match[]={__name__="count:up0"}' \
    --data-urlencode 'match[]={__name__="count:up1"}' \
    --data-urlencode 'match[]={__name__="cluster_version"}' \
    --data-urlencode 'match[]={__name__="cluster_version_available_updates"}' \
    --data-urlencode 'match[]={__name__="cluster_version_capability"}' \
    --data-urlencode 'match[]={__name__="cluster_operator_up"}' \
    --data-urlencode 'match[]={__name__="cluster_operator_conditions"}' \
    --data-urlencode 'match[]={__name__="cluster_version_payload"}' \
    --data-urlencode 'match[]={__name__="cluster_installer"}' \
    --data-urlencode 'match[]={__name__="cluster_infrastructure_provider"}' \
    --data-urlencode 'match[]={__name__="cluster_feature_set"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_object_counts:sum"}' \
    --data-urlencode 'match[]={__name__="ALERTS",alertstate="firing"}' \
    --data-urlencode 'match[]={__name__="code:apiserver_request_total:rate:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:capacity_cpu_cores:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:capacity_memory_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:cpu_usage_cores:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:memory_usage_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="openshift:cpu_usage_cores:sum"}' \
    --data-urlencode 'match[]={__name__="openshift:memory_usage_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="workload:cpu_usage_cores:sum"}' \
    --data-urlencode 'match[]={__name__="workload:memory_usage_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:virt_platform_nodes:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:node_instance_type_count:sum"}' \
    --data-urlencode 'match[]={__name__="cnv:vmi_status_running:count"}' \
    --data-urlencode 'match[]={__name__="cluster:vmi_request_cpu_cores:sum"}' \
    --data-urlencode 'match[]={__name__="node_role_os_version_machine:cpu_capacity_cores:sum"}' \
    --data-urlencode 'match[]={__name__="node_role_os_version_machine:cpu_capacity_sockets:sum"}' \
    --data-urlencode 'match[]={__name__="subscription_sync_total"}' \
    --data-urlencode 'match[]={__name__="olm_resolution_duration_seconds"}' \
    --data-urlencode 'match[]={__name__="csv_succeeded"}' \
    --data-urlencode 'match[]={__name__="csv_abnormal"}' \
    --data-urlencode 'match[]={__name__="cluster:kube_persistentvolumeclaim_resource_requests_storage_bytes:provisioner:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:kubelet_volume_stats_used_bytes:provisioner:sum"}' \
    --data-urlencode 'match[]={__name__="ceph_cluster_total_bytes"}' \
    --data-urlencode 'match[]={__name__="ceph_cluster_total_used_raw_bytes"}' \
    --data-urlencode 'match[]={__name__="ceph_health_status"}' \
    --data-urlencode 'match[]={__name__="odf_system_raw_capacity_total_bytes"}' \
    --data-urlencode 'match[]={__name__="odf_system_raw_capacity_used_bytes"}' \
    --data-urlencode 'match[]={__name__="odf_system_health_status"}' \
    --data-urlencode 'match[]={__name__="job:ceph_osd_metadata:count"}' \
    --data-urlencode 'match[]={__name__="job:kube_pv:count"}' \
    --data-urlencode 'match[]={__name__="job:odf_system_pvs:count"}' \
    --data-urlencode 'match[]={__name__="job:ceph_pools_iops:total"}' \
    --data-urlencode 'match[]={__name__="job:ceph_pools_iops_bytes:total"}' \
    --data-urlencode 'match[]={__name__="job:ceph_versions_running:count"}' \
    --data-urlencode 'match[]={__name__="job:noobaa_total_unhealthy_buckets:sum"}' \
    --data-urlencode 'match[]={__name__="job:noobaa_bucket_count:sum"}' \
    --data-urlencode 'match[]={__name__="job:noobaa_total_object_count:sum"}' \
    --data-urlencode 'match[]={__name__="odf_system_bucket_count", system_type="OCS", system_vendor="Red Hat"}' \
    --data-urlencode 'match[]={__name__="odf_system_objects_total", system_type="OCS", system_vendor="Red Hat"}' \
    --data-urlencode 'match[]={__name__="noobaa_accounts_num"}' \
    --data-urlencode 'match[]={__name__="noobaa_total_usage"}' \
    --data-urlencode 'match[]={__name__="console_url"}' \
    --data-urlencode 'match[]={__name__="cluster:ovnkube_master_egress_routing_via_host:max"}' \
    --data-urlencode 'match[]={__name__="cluster:network_attachment_definition_instances:max"}' \
    --data-urlencode 'match[]={__name__="cluster:network_attachment_definition_enabled_instance_up:max"}' \
    --data-urlencode 'match[]={__name__="cluster:ingress_controller_aws_nlb_active:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:route_metrics_controller_routes_per_shard:min"}' \
    --data-urlencode 'match[]={__name__="cluster:route_metrics_controller_routes_per_shard:max"}' \
    --data-urlencode 'match[]={__name__="cluster:route_metrics_controller_routes_per_shard:avg"}' \
    --data-urlencode 'match[]={__name__="cluster:route_metrics_controller_routes_per_shard:median"}' \
    --data-urlencode 'match[]={__name__="cluster:openshift_route_info:tls_termination:sum"}' \
    --data-urlencode 'match[]={__name__="insightsclient_request_send_total"}' \
    --data-urlencode 'match[]={__name__="cam_app_workload_migrations"}' \
    --data-urlencode 'match[]={__name__="cluster:apiserver_current_inflight_requests:sum:max_over_time:2m"}' \
    --data-urlencode 'match[]={__name__="cluster:alertmanager_integrations:max"}' \
    --data-urlencode 'match[]={__name__="cluster:telemetry_selected_series:count"}' \
    --data-urlencode 'match[]={__name__="openshift:prometheus_tsdb_head_series:sum"}' \
    --data-urlencode 'match[]={__name__="openshift:prometheus_tsdb_head_samples_appended_total:sum"}' \
    --data-urlencode 'match[]={__name__="monitoring:container_memory_working_set_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="namespace_job:scrape_series_added:topk3_sum1h"}' \
    --data-urlencode 'match[]={__name__="namespace_job:scrape_samples_post_metric_relabeling:topk3"}' \
    --data-urlencode 'match[]={__name__="monitoring:haproxy_server_http_responses_total:sum"}' \
    --data-urlencode 'match[]={__name__="rhmi_status"}' \
    --data-urlencode 'match[]={__name__="status:upgrading:version:rhoam_state:max"}' \
    --data-urlencode 'match[]={__name__="state:rhoam_critical_alerts:max"}' \
    --data-urlencode 'match[]={__name__="state:rhoam_warning_alerts:max"}' \
    --data-urlencode 'match[]={__name__="rhoam_7d_slo_percentile:max"}' \
    --data-urlencode 'match[]={__name__="rhoam_7d_slo_remaining_error_budget:max"}' \
    --data-urlencode 'match[]={__name__="cluster_legacy_scheduler_policy"}' \
    --data-urlencode 'match[]={__name__="cluster_master_schedulable"}' \
    --data-urlencode 'match[]={__name__="che_workspace_status"}' \
    --data-urlencode 'match[]={__name__="che_workspace_started_total"}' \
    --data-urlencode 'match[]={__name__="che_workspace_failure_total"}' \
    --data-urlencode 'match[]={__name__="che_workspace_start_time_seconds_sum"}' \
    --data-urlencode 'match[]={__name__="che_workspace_start_time_seconds_count"}' \
    --data-urlencode 'match[]={__name__="cco_credentials_mode"}' \
    --data-urlencode 'match[]={__name__="cluster:kube_persistentvolume_plugin_type_counts:sum"}' \
    --data-urlencode 'match[]={__name__="visual_web_terminal_sessions_total"}' \
    --data-urlencode 'match[]={__name__="acm_managed_cluster_info"}' \
    --data-urlencode 'match[]={__name__="cluster:vsphere_vcenter_info:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:vsphere_esxi_version_total:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:vsphere_node_hw_version_total:sum"}' \
    --data-urlencode 'match[]={__name__="openshift:build_by_strategy:sum"}' \
    --data-urlencode 'match[]={__name__="rhods_aggregate_availability"}' \
    --data-urlencode 'match[]={__name__="rhods_total_users"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_disk_wal_fsync_duration_seconds:histogram_quantile",quantile="0.99"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_mvcc_db_total_size_in_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_network_peer_round_trip_time_seconds:histogram_quantile",quantile="0.99"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_mvcc_db_total_size_in_use_in_bytes:sum"}' \
    --data-urlencode 'match[]={__name__="instance:etcd_disk_backend_commit_duration_seconds:histogram_quantile",quantile="0.99"}' \
    --data-urlencode 'match[]={__name__="jaeger_operator_instances_storage_types"}' \
    --data-urlencode 'match[]={__name__="jaeger_operator_instances_strategies"}' \
    --data-urlencode 'match[]={__name__="jaeger_operator_instances_agent_strategies"}' \
    --data-urlencode 'match[]={__name__="appsvcs:cores_by_product:sum"}' \
    --data-urlencode 'match[]={__name__="nto_custom_profiles:count"}' \
    --data-urlencode 'match[]={__name__="openshift_csi_share_configmap"}' \
    --data-urlencode 'match[]={__name__="openshift_csi_share_secret"}' \
    --data-urlencode 'match[]={__name__="openshift_csi_share_mount_failures_total"}' \
    --data-urlencode 'match[]={__name__="openshift_csi_share_mount_requests_total"}' \
    --data-urlencode 'match[]={__name__="cluster:velero_backup_total:max"}' \
    --data-urlencode 'match[]={__name__="cluster:velero_restore_total:max"}' \
    --data-urlencode 'match[]={__name__="eo_es_storage_info"}' \
    --data-urlencode 'match[]={__name__="eo_es_redundancy_policy_info"}' \
    --data-urlencode 'match[]={__name__="eo_es_defined_delete_namespaces_total"}' \
    --data-urlencode 'match[]={__name__="eo_es_misconfigured_memory_resources_info"}' \
    --data-urlencode 'match[]={__name__="cluster:eo_es_data_nodes_total:max"}' \
    --data-urlencode 'match[]={__name__="cluster:eo_es_documents_created_total:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:eo_es_documents_deleted_total:sum"}' \
    --data-urlencode 'match[]={__name__="pod:eo_es_shards_total:max"}' \
    --data-urlencode 'match[]={__name__="eo_es_cluster_management_state_info"}' \
    --data-urlencode 'match[]={__name__="imageregistry:imagestreamtags_count:sum"}' \
    --data-urlencode 'match[]={__name__="imageregistry:operations_count:sum"}' \
    --data-urlencode 'match[]={__name__="log_logging_info"}' \
    --data-urlencode 'match[]={__name__="log_collector_error_count_total"}' \
    --data-urlencode 'match[]={__name__="log_forwarder_pipeline_info"}' \
    --data-urlencode 'match[]={__name__="log_forwarder_input_info"}' \
    --data-urlencode 'match[]={__name__="log_forwarder_output_info"}' \
    --data-urlencode 'match[]={__name__="cluster:log_collected_bytes_total:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:log_logged_bytes_total:sum"}' \
    --data-urlencode 'match[]={__name__="cluster:kata_monitor_running_shim_count:sum"}' \
    --data-urlencode 'match[]={__name__="platform:hypershift_hostedclusters:max"}' \
    --data-urlencode 'match[]={__name__="platform:hypershift_nodepools:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_unhealthy_bucket_claims:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_buckets_claims:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_unhealthy_namespace_resources:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_namespace_resources:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_unhealthy_namespace_buckets:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_namespace_buckets:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_accounts:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_usage:max"}' \
    --data-urlencode 'match[]={__name__="namespace:noobaa_system_health_status:max"}' \
    --data-urlencode 'match[]={__name__="ocs_advanced_feature_usage"}' \
    --data-urlencode 'match[]={__name__="os_image_url_override:sum"}'

1.1.2. Insights Operator에 의해 수집된 데이터의 표시

Insights Operator가 수집한 데이터를 검토할 수 있습니다.

사전 요구 사항

  • cluster-admin 역할의 사용자로 클러스터에 액세스할 수 있어야 합니다.

절차

  1. Insights Operator에 대해 현재 실행 중인 Pod의 이름을 검색합니다.

    $ INSIGHTS_OPERATOR_POD=$(oc get pods --namespace=openshift-insights -o custom-columns=:metadata.name --no-headers  --field-selector=status.phase=Running)
  2. Insights Operator가 수집한 최근 데이터 아카이브를 복사합니다.

    $ oc cp openshift-insights/$INSIGHTS_OPERATOR_POD:/var/lib/insights-operator ./insights-data

최신 Insights Operator 아카이브는 이제 insights-data 디렉토리에서 사용할 수 있습니다.

2장. 만료된 토큰 문제 해결

2.1. 만료된 오프라인 액세스 토큰 문제 해결

rosa CLI를 사용하고 api.openshift.com 오프라인 액세스 토큰이 만료된 경우 오류 메시지가 표시됩니다. 이는 sso.redhat.com에서 토큰을 무효화할 때 발생합니다.

출력 예

Can't get tokens ....
Can't get access tokens ....

절차

  • 다음 URL에서 새 오프라인 액세스 토큰을 생성합니다. URL을 방문할 때마다 새로운 오프라인 액세스 토큰이 생성됩니다.

3장. 설치 문제 해결

3.1. 설치 문제 해결

3.1.1. 설치 또는 설치 제거 로그 검사

설치 로그를 표시하려면 다음을 수행합니다.

  • 다음 명령을 실행하여 < cluster_name& gt;을 클러스터 이름으로 교체합니다.

    $ rosa logs install --cluster=<cluster_name>
  • 로그를 조사하려면 --watch 플래그를 포함합니다.

    $ rosa logs install --cluster=<cluster_name> --watch

설치 제거 로그를 표시하려면 다음을 수행합니다.

  • 다음 명령을 실행하여 < cluster_name& gt;을 클러스터 이름으로 교체합니다.

    $ rosa logs uninstall --cluster=<cluster_name>
  • 로그를 조사하려면 --watch 플래그를 포함합니다.

    $ rosa logs uninstall --cluster=<cluster_name> --watch

3.1.2. STS 없이 클러스터에 대한 AWS 계정 권한 확인

다음 명령을 실행하여 AWS 계정에 올바른 권한이 있는지 확인합니다. 이 명령은 AWS STS(보안 토큰 서비스)를 사용하지 않는 클러스터에 대해서만 권한을 확인합니다.

$ rosa verify permissions

오류가 발생하면 AWS 계정에 SCP 가 적용되지 않는 것보다 두 번 확인하십시오. SCP를 사용해야 하는 경우 필요한 최소 SCP에 대한 자세한 내용은 고객 클라우드 서브스크립션에 대한 Red Hat 요구 사항을 참조하십시오.

3.1.3. AWS 계정 및 할당량 확인

다음 명령을 실행하여 AWS 계정에서 사용 가능한 할당량이 있는지 확인합니다.

$ rosa verify quota

AWS 할당량은 리전에 따라 변경됩니다. 올바른 AWS 리전에 대한 할당량을 확인하고 있는지 확인합니다. 할당량을 늘려야 하는 경우 AWS 콘솔 로 이동하여 실패한 서비스에 대한 할당량 증가를 요청합니다.

3.1.4. AWS 알림 이메일

클러스터를 생성할 때 AWS의 Red Hat OpenShift Service는 지원되는 모든 리전에 소규모 인스턴스를 생성합니다. 이 점검을 통해 사용 중인 AWS 계정이 지원되는 각 리전에 배포할 수 있습니다.

지원되는 모든 리전을 사용하지 않는 AWS 계정의 경우 AWS는 " your your request for accessing AWS Resources Has Been Validated"라는 이메일을 하나 이상 보낼 수 있습니다. 일반적으로 이 이메일의 발신자는 aws-verification@amazon.com 입니다.

이는 AWS의 Red Hat OpenShift Service가 AWS 계정 구성을 검증하므로 예상되는 동작입니다.

4장. IAM 역할 문제 해결

4.1. ocm-roles 및 사용자 역할 IAM 리소스 문제 해결

rosa CLI를 사용하여 클러스터를 생성하려고 할 때 오류가 발생할 수 있습니다.

샘플 출력

E: Failed to create cluster: The sts_user_role is not linked to account '1oNl'. Please create a user role and link it to the account.

이 오류는 user-role IAM 역할이 AWS 계정에 연결되어 있지 않음을 의미합니다. 이 오류의 가장 큰 원인은 Red Hat 조직의 다른 사용자가 ocm-role IAM 역할을 생성했기 때문입니다. 사용자 역할 IAM 역할을 생성해야 합니다.

참고

사용자가 Red Hat 계정에 연결된 ocm-role IAM 리소스를 설정한 후 Red Hat 조직에 클러스터를 생성하려는 모든 후속 사용자에게 클러스터를 프로비저닝하기 위한 사용자 역할 IAM 역할이 있어야 합니다.

절차

  • 다음 명령을 사용하여 ocm-role사용자 역할 IAM 역할의 상태를 평가합니다.

    $ rosa list ocm-role

    샘플 출력

    I: Fetching ocm roles
    ROLE NAME                           ROLE ARN                                          LINKED  ADMIN
    ManagedOpenShift-OCM-Role-1158  arn:aws:iam::2066:role/ManagedOpenShift-OCM-Role-1158   No      No

    $ rosa list user-role

    샘플 출력

    I: Fetching user roles
    ROLE NAME                                   ROLE ARN                                        LINKED
    ManagedOpenShift-User.osdocs-Role  arn:aws:iam::2066:role/ManagedOpenShift-User.osdocs-Role  Yes

이러한 명령의 결과를 통해 누락된 IAM 리소스를 생성하고 연결할 수 있습니다.

4.1.1. OpenShift Cluster Manager IAM 역할 생성

CLI(명령줄 인터페이스)를 사용하여 OpenShift Cluster Manager IAM 역할을 생성합니다.

사전 요구 사항

  • AWS 계정이 있습니다.
  • OpenShift Cluster Manager 조직에 Red Hat 조직 관리자 권한이 있어야 합니다.
  • AWS 계정 전체 역할을 설치하는 데 필요한 권한이 있습니다.
  • 설치 호스트에 최신 AWS(aws) 및 ROSA(rosa) CLI를 설치하고 구성했습니다.

절차

  • 기본 권한으로 ocm-role IAM 역할을 생성하려면 다음 명령을 실행합니다.

    $ rosa create ocm-role
  • admin 권한으로 ocm-role IAM 역할을 생성하려면 다음 명령을 실행합니다.

    $ rosa create ocm-role --admin

    이 명령을 사용하면 특정 특성을 지정하여 역할을 생성할 수 있습니다. 다음 예제 출력에서는 로사 CLI에서 Operator 역할 및 정책을 생성할 있는 "자동 모드"를 보여줍니다. 자세한 내용은 추가 리소스의 " account-wide 역할 생성 방법"을 참조하십시오.

출력 예

I: Creating ocm role
? Role prefix: ManagedOpenShift 1
? Enable admin capabilities for the OCM role (optional): No 2
? Permissions boundary ARN (optional):  3
? Role creation mode: auto 4
I: Creating role using 'arn:aws:iam::<ARN>:user/<UserName>'
? Create the 'ManagedOpenShift-OCM-Role-182' role? Yes 5
I: Created role 'ManagedOpenShift-OCM-Role-182' with ARN  'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182'
I: Linking OCM role
? OCM Role ARN: arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182 6
? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182' role with organization '<AWS ARN'? Yes 7
I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182' with organization account '<AWS ARN>'

1
생성된 모든 AWS 리소스의 접두사 값입니다. 이 예제에서 ManagedOpenShift 는 모든 AWS 리소스 앞에 추가합니다.
2
이 역할에 추가 관리자 권한이 필요한 경우 선택합니다.
참고

--admin 옵션을 사용한 경우 이 프롬프트가 표시되지 않습니다.

3
권한 경계를 설정하는 정책의 Amazon 리소스 이름(ARN)입니다.
4
AWS 역할을 생성하는 방법을 선택합니다. auto 를 사용하면 rosa CLI 툴이 역할 및 정책을 생성하고 연결합니다. 자동 모드에서는 AWS 역할을 생성하는 몇 가지 다른 프롬프트가 표시됩니다.
5
auto 방법은 접두사를 사용하여 특정 ocm-role 을 생성할지 여부를 요청합니다.
6
IAM 역할을 OpenShift Cluster Manager와 연결할지 확인합니다.
7
생성된 역할을 AWS 조직과 연결합니다.

4.1.2. 사용자 역할 IAM 역할 생성

CLI(명령줄 인터페이스)를 사용하여 OpenShift Cluster Manager IAM 역할을 생성할 수 있습니다.

사전 요구 사항

  • AWS 계정이 있습니다.
  • 설치 호스트에 최신 AWS(aws) 및 ROSA(rosa) CLI를 설치하고 구성했습니다.

절차

  • 기본 권한으로 ocm-role IAM 역할을 생성하려면 다음 명령을 실행합니다.

    $ rosa create user-role

    이 명령을 사용하면 특정 특성을 지정하여 역할을 생성할 수 있습니다. 다음 예제 출력에서는 로사 CLI에서 Operator 역할 및 정책을 생성할 있는 "자동 모드"를 보여줍니다. 자세한 내용은 추가 리소스의 "자동 및 수동 배포 모드 이해"를 참조하십시오.

출력 예

I: Creating User role
? Role prefix: ManagedOpenShift 1
? Permissions boundary ARN (optional): 2
? Role creation mode: auto 3
I: Creating ocm user role using 'arn:aws:iam::2066:user'
? Create the 'ManagedOpenShift-User.osdocs-Role' role? Yes 4
I: Created role 'ManagedOpenShift-User.osdocs-Role' with ARN 'arn:aws:iam::2066:role/ManagedOpenShift-User.osdocs-Role'
I: Linking User role
? User Role ARN: arn:aws:iam::2066:role/ManagedOpenShift-User.osdocs-Role
? Link the 'arn:aws:iam::2066:role/ManagedOpenShift-User.osdocs-Role' role with account '1AGE'? Yes 5
I: Successfully linked role ARN 'arn:aws:iam::2066:role/ManagedOpenShift-User.osdocs-Role' with account '1AGE'

1
생성된 모든 AWS 리소스의 접두사 값입니다. 이 예제에서 ManagedOpenShift 는 모든 AWS 리소스 앞에 추가합니다.
2
권한 경계를 설정하는 정책의 Amazon 리소스 이름(ARN)입니다.
3
AWS 역할을 생성하는 방법을 선택합니다. auto 를 사용하여 rosa CLI 툴에서 역할을 생성하고 AWS 계정에 연결합니다. 자동 모드에서는 AWS 역할을 생성하는 몇 가지 다른 프롬프트가 표시됩니다.
4
auto 방법은 접두사를 사용하여 특정 사용자 역할을 생성할지 여부를 요청합니다.
5
생성된 역할을 AWS 조직과 연결합니다.

4.1.3. AWS 계정 연결

rosa CLI를 사용하여 AWS 계정을 기존 IAM 역할에 연결할 수 있습니다.

사전 요구 사항

  • AWS 계정이 있습니다.
  • OpenShift Cluster Manager Hybrid Cloud Console 을 사용하여 클러스터 생성
  • AWS 계정 전체 역할을 설치하는 데 필요한 권한이 있습니다. 자세한 내용은 이 섹션의 "해결 리소스"를 참조하십시오.
  • 설치 호스트에 최신 AWS(aws) 및 ROSA(rosa) CLI를 설치하고 구성했습니다.
  • ocm-roleuser-role IAM 역할을 생성했지만 아직 AWS 계정에 연결되지 않았습니다. 다음 명령을 실행하여 IAM 역할이 이미 연결되어 있는지 확인할 수 있습니다.

    $ rosa list ocm-role
    $ rosa list user-role

    두 역할의 Linked 열에 Yes 가 표시되면 이미 역할을 AWS 계정에 연결한 것입니다.

절차

  1. CLI에서 ARM(Amazon Resource Name)을 사용하여 ocm-role 리소스를 Red Hat 조직에 연결합니다.

    참고

    rosa link 명령을 실행하려면 Red Hat 조직 관리자 권한이 있어야 합니다. ocm-role 리소스를 AWS 계정과 연결하면 조직의 모든 사용자에게 표시됩니다.

    $ rosa link ocm-role --role-arn <arn>

    출력 예

    I: Linking OCM role
    ? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
    I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'

  2. CLI에서 ARM(Amazon Resource Name)을 사용하여 사용자 역할 리소스를 Red Hat 사용자 계정에 연결합니다.

    $ rosa link user-role --role-arn <arn>

    출력 예

    I: Linking User role
    ? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' role with organization '<AWS ID>'? Yes
    I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' with organization account '<AWS ID>'

4.1.4. 여러 AWS 계정을 Red Hat 조직과 연결

여러 AWS 계정을 Red Hat 조직과 연결할 수 있습니다. 여러 계정을 연결하면 Red Hat 조직의 관련 AWS 계정에서 Red Hat OpenShift Service on AWS(ROSA) 클러스터를 생성할 수 있습니다.

이 기능을 사용하면 여러 AWS 프로필을 리전 바인딩 환경으로 사용하여 다양한 AWS 리전에서 클러스터를 생성할 수 있습니다.

사전 요구 사항

  • AWS 계정이 있습니다.
  • OpenShift Cluster Manager Hybrid Cloud Console 을 사용하여 클러스터 생성
  • AWS 계정 전체 역할을 설치하는 데 필요한 권한이 있습니다.
  • 설치 호스트에 최신 AWS(aws) 및 ROSA(rosa) CLI를 설치하고 구성했습니다.
  • ocm-role사용자 역할 IAM 역할을 생성했습니다.

절차

추가 AWS 계정을 연결하려면 먼저 로컬 AWS 구성에 프로필을 생성합니다. 그런 다음 추가 AWS 계정에 ocm-role, user, account 역할을 생성하여 계정을 Red Hat 조직과 연결합니다.

추가 리전에 역할을 생성하려면 rosa create 명령을 실행할 때 --profile <aws-profile > 매개변수를 지정하고 < aws_profile >을 추가 계정 프로필 이름으로 교체합니다.

  • OpenShift Cluster Manager 역할을 생성할 때 AWS 계정 프로필을 지정하려면 다음을 수행합니다.

    $ rosa create --profile <aws_profile> ocm-role
  • 사용자 역할을 생성할 때 AWS 계정 프로필을 지정하려면 다음을 수행합니다.

    $ rosa create --profile <aws_profile> user-role
  • 계정 역할을 생성할 때 AWS 계정 프로필을 지정하려면 다음을 수행합니다.

    $ rosa create --profile <aws_profile> account-roles
참고

프로필을 지정하지 않으면 기본 AWS 프로필이 사용됩니다.

5장. 클러스터 배포 문제 해결

이 문서에서는 클러스터 배포 오류를 해결하는 방법을 설명합니다.

5.1. 실패한 클러스터에 대한 정보 가져오기

클러스터 배포가 실패하면 클러스터는 "error" 상태가 됩니다.

절차

자세한 정보를 얻으려면 다음 명령을 실행합니다.

$ rosa describe cluster -c <my_cluster_name> --debug

5.2. osdCcsAdmin 오류가 있는 클러스터를 생성하지 못했습니다.

클러스터 생성 작업이 실패하면 다음 오류 메시지가 표시될 수 있습니다.

출력 예

Failed to create cluster: Unable to create cluster spec: Failed to get access keys for user 'osdCcsAdmin': NoSuchEntity: The user with name osdCcsAdmin cannot be found.

절차

이 문제를 해결하려면 다음을 수행합니다.

  1. 스택을 삭제합니다.

    $ rosa init --delete
  2. 계정을 다시 초기화하십시오.

    $ rosa init

5.3. ELB(Elastic Load Balancing) 서비스 연결 역할 생성

AWS 계정에 로드 밸런서를 생성하지 않은 경우 ELB(Elastic Load Balancing)에 대한 서비스 링크 역할이 아직 존재하지 않을 수 있습니다. 다음과 같은 오류가 발생할 수 있습니다.

Error: Error creating network Load Balancer: AccessDenied: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/ManagedOpenShift-Installer-Role/xxxxxxxxxxxxxxxxxxx is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"

절차

이 문제를 해결하려면 AWS 계정에 역할이 있는지 확인하십시오. 그렇지 않은 경우 다음 명령을 사용하여 이 역할을 생성합니다.

aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing" || aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
참고

이 명령은 계정당 한 번만 실행해야 합니다.

5.4. 삭제할 수 없는 클러스터 복구

특정 경우 클러스터를 삭제하려는 경우 OpenShift Cluster Manager Hybrid Cloud Console 에 다음 오류가 표시됩니다.

Error deleting cluster
CLUSTERS-MGMT-400: Failed to delete cluster <hash>: sts_user_role is not linked to your account. sts_ocm_role is linked to your organization <org number> which requires sts_user_role to be linked to your Red Hat account <account ID>.Please create a user role and link it to the account: User Account <account ID> is not authorized to perform STS cluster operations

Operation ID: b0572d6e-fe54-499b-8c97-46bf6890011c

CLI에서 클러스터를 삭제하려고 하면 다음 오류가 표시됩니다.

E: Failed to delete cluster <hash>: sts_user_role is not linked to your account. sts_ocm_role is linked to your organization <org_number> which requires sts_user_role to be linked to your Red Hat account <account_id>.Please create a user role and link it to the account: User Account <account ID> is not authorized to perform STS cluster operations

이 오류는 사용자 역할을 연결 해제하거나 삭제할 때 발생합니다.

절차

  1. 다음 명령을 실행하여 user-role IAM 리소스를 생성합니다.

    $ rosa create user-role
  2. 역할이 생성된 것을 확인한 후 클러스터를 삭제할 수 있습니다. 다음은 역할이 생성 및 연결되었음을 확인합니다.

    I: Successfully linked role ARN <user role ARN> with account <account ID>

6장. Red Hat OpenShift Service on AWS 관리 리소스

6.1. 개요

다음은 SRE-P(Service Reliability Engineering Platform) 팀에서 관리하거나 보호하는 모든 리소스를 다룹니다. 이렇게 하면 클러스터 불안정이 발생할 수 있으므로 고객은 이러한 리소스를 수정하지 않아야 합니다.

6.2. Hive 관리 리소스

다음 목록은 중앙 집중식 플릿 구성 관리 시스템인 OpenShift Hive에서 관리하는 AWS 리소스의 Red Hat OpenShift Service를 표시합니다. 이러한 리소스는 설치 중에 생성된 OpenShift Container Platform 리소스에 추가됩니다. OpenShift Hive는 AWS 클러스터의 모든 Red Hat OpenShift Service에서 일관성을 유지 관리하려고 합니다. OpenShift Cluster Manager와 Hive가 동기화되도록 OpenShift Cluster Manager의 Red Hat OpenShift Service에 대한 변경 사항은 OpenShift Cluster Manager를 통해 수행해야 합니다. OpenShift Cluster Manager가 해당 리소스 수정을 지원하지 않는 경우 ocm-feedback@redhat.com 에 문의하십시오.

예 6.1. Hive 관리 리소스 목록

Resources:
  ConfigMap:
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-config
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator-config
  - namespace: openshift-monitoring
    name: cluster-monitoring-config
  - namespace: openshift-monitoring
    name: managed-namespaces
  - namespace: openshift-monitoring
    name: ocp-namespaces
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter-code
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter-trusted-ca-bundle
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter-code
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter-trusted-ca-bundle
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols-code
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols-trusted-ca-bundle
  - namespace: openshift-monitoring
    name: token-refresher-trusted-ca-bundle
  - namespace: openshift-security
    name: osd-audit-policy
  - namespace: openshift-validation-webhook
    name: webhook-cert
  Endpoints:
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-metrics
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  - namespace: openshift-monitoring
    name: token-refresher
  - namespace: openshift-validation-webhook
    name: validation-webhook
  Namespace:
  - name: dedicated-admin
  - name: openshift-addon-operator
  - name: openshift-aqua
  - name: openshift-aws-vpce-operator
  - name: openshift-backplane
  - name: openshift-backplane-cee
  - name: openshift-backplane-csa
  - name: openshift-backplane-cse
  - name: openshift-backplane-csm
  - name: openshift-backplane-managed-scripts
  - name: openshift-backplane-mobb
  - name: openshift-backplane-srep
  - name: openshift-backplane-tam
  - name: openshift-build-test
  - name: openshift-cloud-ingress-operator
  - name: openshift-codeready-workspaces
  - name: openshift-custom-domains-operator
  - name: openshift-customer-monitoring
  - name: openshift-deployment-validation-operator
  - name: openshift-managed-node-metadata-operator
  - name: openshift-managed-upgrade-operator
  - name: openshift-must-gather-operator
  - name: openshift-observability-operator
  - name: openshift-ocm-agent-operator
  - name: openshift-operators-redhat
  - name: openshift-osd-metrics
  - name: openshift-rbac-permissions
  - name: openshift-route-monitor-operator
  - name: openshift-security
  - name: openshift-splunk-forwarder-operator
  - name: openshift-sre-pruning
  - name: openshift-strimzi
  - name: openshift-validation-webhook
  - name: openshift-velero
  - name: openshift-monitoring
  - name: openshift
  - name: openshift-cluster-version
  ReplicationController:
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter-1
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols-1
  Secret:
  - namespace: openshift-authentication
    name: v4-0-config-user-idp-0-file-data
  - namespace: openshift-authentication
    name: v4-0-config-user-template-error
  - namespace: openshift-authentication
    name: v4-0-config-user-template-login
  - namespace: openshift-authentication
    name: v4-0-config-user-template-provider-selection
  - namespace: openshift-config
    name: htpasswd-secret
  - namespace: openshift-config
    name: osd-oauth-templates-errors
  - namespace: openshift-config
    name: osd-oauth-templates-login
  - namespace: openshift-config
    name: osd-oauth-templates-providers
  - namespace: openshift-config
    name: sbasabat-mc-primary-cert-bundle-secret
  - namespace: openshift-config
    name: support
  - namespace: openshift-ingress
    name: sbasabat-mc-primary-cert-bundle-secret
  - namespace: openshift-kube-apiserver
    name: user-serving-cert-000
  - namespace: openshift-kube-apiserver
    name: user-serving-cert-001
  - namespace: openshift-monitoring
    name: dms-secret
  - namespace: openshift-monitoring
    name: observatorium-credentials
  - namespace: openshift-monitoring
    name: pd-secret
  - namespace: openshift-security
    name: splunk-auth
  ServiceAccount:
  - namespace: openshift-backplane-managed-scripts
    name: osd-backplane
  - namespace: openshift-backplane-srep
    name: osd-delete-ownerrefs-serviceaccounts
  - namespace: openshift-backplane
    name: osd-delete-backplane-serviceaccounts
  - namespace: openshift-build-test
    name: sre-build-test
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-custom-domains-operator
    name: custom-domains-operator
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator
  - namespace: openshift-marketplace
    name: osd-patch-subscription-source
  - namespace: openshift-monitoring
    name: configure-alertmanager-operator
  - namespace: openshift-monitoring
    name: osd-cluster-ready
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  - namespace: openshift-network-diagnostics
    name: sre-pod-network-connectivity-check-pruner
  - namespace: openshift-ocm-agent-operator
    name: ocm-agent-operator
  - namespace: openshift-rbac-permissions
    name: rbac-permissions-operator
  - namespace: openshift-splunk-forwarder-operator
    name: splunk-forwarder-operator
  - namespace: openshift-sre-pruning
    name: bz1980755
  - namespace: openshift-sre-pruning
    name: sre-pruner-sa
  - namespace: openshift-validation-webhook
    name: validation-webhook
  - namespace: openshift-velero
    name: managed-velero-operator
  - namespace: openshift-velero
    name: velero
  - namespace: openshift-backplane-srep
    name: UNIQUE_BACKPLANE_SERVICEACCOUNT_ID
  Service:
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-metrics
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  - namespace: openshift-monitoring
    name: token-refresher
  - namespace: openshift-validation-webhook
    name: validation-webhook
  AddonOperator:
  - name: addon-operator
  ValidatingWebhookConfiguration:
  - name: sre-hiveownership-validation
  - name: sre-namespace-validation
  - name: sre-pod-validation
  - name: sre-prometheusrule-validation
  - name: sre-regular-user-validation
  - name: sre-scc-validation
  - name: sre-techpreviewnoupgrade-validation
  DaemonSet:
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-security
    name: audit-exporter
  - namespace: openshift-validation-webhook
    name: validation-webhook
  Deployment:
  - namespace: openshift-monitoring
    name: token-refresher
  DeploymentConfig:
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  ClusterRoleBinding:
  - name: aqua-scanner-binding
  - name: backplane-cluster-admin
  - name: backplane-impersonate-cluster-admin
  - name: bz1980755
  - name: configure-alertmanager-operator-prom
  - name: dedicated-admins-cluster
  - name: dedicated-admins-registry-cas-cluster
  - name: openshift-backplane-managed-scripts-reader
  - name: osd-cluster-ready
  - name: osd-delete-backplane-script-resources
  - name: osd-delete-ownerrefs-serviceaccounts
  - name: osd-patch-subscription-source
  - name: osd-rebalance-infra-nodes
  - name: pcap-dedicated-admins
  - name: splunk-forwarder-operator
  - name: splunk-forwarder-operator-clusterrolebinding
  - name: sre-build-test
  - name: sre-pod-network-connectivity-check-pruner
  - name: sre-pruner-buildsdeploys-pruning
  - name: velero
  - name: webhook-validation
  ClusterRole:
  - name: backplane-cee-readers-cluster
  - name: backplane-impersonate-cluster-admin
  - name: backplane-readers-cluster
  - name: backplane-srep-admins-cluster
  - name: backplane-srep-admins-project
  - name: bz1980755
  - name: dedicated-admins-aggregate-cluster
  - name: dedicated-admins-aggregate-project
  - name: dedicated-admins-cluster
  - name: dedicated-admins-manage-operators
  - name: dedicated-admins-project
  - name: dedicated-admins-registry-cas-cluster
  - name: dedicated-readers
  - name: image-scanner
  - name: openshift-backplane-managed-scripts-reader
  - name: openshift-splunk-forwarder-operator
  - name: osd-cluster-ready
  - name: osd-custom-domains-dedicated-admin-cluster
  - name: osd-delete-backplane-script-resources
  - name: osd-delete-backplane-serviceaccounts
  - name: osd-delete-ownerrefs-serviceaccounts
  - name: osd-get-namespace
  - name: osd-netnamespaces-dedicated-admin-cluster
  - name: osd-patch-subscription-source
  - name: osd-readers-aggregate
  - name: osd-rebalance-infra-nodes
  - name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - name: pcap-dedicated-admins
  - name: splunk-forwarder-operator
  - name: sre-allow-read-machine-info
  - name: sre-build-test
  - name: sre-pruner-buildsdeploys-cr
  - name: webhook-validation-cr
  RoleBinding:
  - namespace: kube-system
    name: cloud-ingress-operator-cluster-config-v1-reader
  - namespace: kube-system
    name: managed-velero-operator-cluster-config-v1-reader
  - namespace: openshift-aqua
    name: dedicated-admins-openshift-aqua
  - namespace: openshift-backplane-managed-scripts
    name: osd-delete-backplane-script-resources
  - namespace: openshift-build-test
    name: sre-build-test
  - namespace: openshift-cloud-ingress-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-codeready-workspaces
    name: dedicated-admins-openshift-codeready-workspaces
  - namespace: openshift-config
    name: dedicated-admins-project-request
  - namespace: openshift-config
    name: dedicated-admins-registry-cas-project
  - namespace: openshift-config
    name: muo-pullsecret-reader
  - namespace: openshift-config
    name: oao-openshiftconfig-reader
  - namespace: openshift-config
    name: osd-cluster-ready
  - namespace: openshift-custom-domains-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-customer-monitoring
    name: dedicated-admins-openshift-customer-monitoring
  - namespace: openshift-customer-monitoring
    name: prometheus-k8s-openshift-customer-monitoring
  - namespace: openshift-dns
    name: dedicated-admins-openshift-dns
  - namespace: openshift-dns
    name: osd-rebalance-infra-nodes-openshift-dns
  - namespace: openshift-image-registry
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-ingress
    name: cloud-ingress-operator
  - namespace: openshift-kube-apiserver
    name: cloud-ingress-operator
  - namespace: openshift-machine-api
    name: cloud-ingress-operator
  - namespace: openshift-machine-api
    name: osd-cluster-ready
  - namespace: openshift-machine-api
    name: sre-ebs-iops-reporter-read-machine-info
  - namespace: openshift-machine-api
    name: sre-stuck-ebs-vols-read-machine-info
  - namespace: openshift-managed-node-metadata-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-marketplace
    name: dedicated-admins-openshift-marketplace
  - namespace: openshift-monitoring
    name: backplane-cee
  - namespace: openshift-monitoring
    name: muo-monitoring-reader
  - namespace: openshift-monitoring
    name: oao-monitoring-manager
  - namespace: openshift-monitoring
    name: osd-cluster-ready
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes-openshift-monitoring
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  - namespace: openshift-must-gather-operator
    name: backplane-cee-mustgather
  - namespace: openshift-must-gather-operator
    name: backplane-srep-mustgather
  - namespace: openshift-must-gather-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-network-diagnostics
    name: sre-pod-network-connectivity-check-pruner
  - namespace: openshift-network-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-ocm-agent-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-operators-redhat
    name: admin-dedicated-admins
  - namespace: openshift-operators-redhat
    name: admin-system:serviceaccounts:dedicated-admin
  - namespace: openshift-operators-redhat
    name: openshift-operators-redhat-dedicated-admins
  - namespace: openshift-operators-redhat
    name: openshift-operators-redhat:serviceaccounts:dedicated-admin
  - namespace: openshift-operators
    name: dedicated-admins-openshift-operators
  - namespace: openshift-osd-metrics
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-osd-metrics
    name: prometheus-k8s
  - namespace: openshift-rbac-permissions
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-rbac-permissions
    name: prometheus-k8s
  - namespace: openshift-route-monitor-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-security
    name: osd-rebalance-infra-nodes-openshift-security
  - namespace: openshift-splunk-forwarder-operator
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-strimzi
    name: dedicated-admins-openshift-strimzi
  - namespace: openshift-user-workload-monitoring
    name: dedicated-admins-uwm-config-create
  - namespace: openshift-user-workload-monitoring
    name: dedicated-admins-uwm-config-edit
  - namespace: openshift-user-workload-monitoring
    name: dedicated-admins-uwm-managed-am-secret
  - namespace: openshift-user-workload-monitoring
    name: osd-rebalance-infra-nodes-openshift-user-workload-monitoring
  - namespace: openshift-velero
    name: osd-rebalance-infra-nodes-openshift-pod-rebalance
  - namespace: openshift-velero
    name: prometheus-k8s
  Role:
  - namespace: kube-system
    name: cluster-config-v1-reader
  - namespace: kube-system
    name: cluster-config-v1-reader-cio
  - namespace: openshift-aqua
    name: dedicated-admins-openshift-aqua
  - namespace: openshift-backplane-managed-scripts
    name: osd-delete-backplane-script-resources
  - namespace: openshift-build-test
    name: sre-build-test
  - namespace: openshift-codeready-workspaces
    name: dedicated-admins-openshift-codeready-workspaces
  - namespace: openshift-config
    name: dedicated-admins-project-request
  - namespace: openshift-config
    name: dedicated-admins-registry-cas-project
  - namespace: openshift-config
    name: muo-pullsecret-reader
  - namespace: openshift-config
    name: oao-openshiftconfig-reader
  - namespace: openshift-config
    name: osd-cluster-ready
  - namespace: openshift-customer-monitoring
    name: dedicated-admins-openshift-customer-monitoring
  - namespace: openshift-customer-monitoring
    name: prometheus-k8s-openshift-customer-monitoring
  - namespace: openshift-dns
    name: dedicated-admins-openshift-dns
  - namespace: openshift-dns
    name: osd-rebalance-infra-nodes-openshift-dns
  - namespace: openshift-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-ingress
    name: cloud-ingress-operator
  - namespace: openshift-kube-apiserver
    name: cloud-ingress-operator
  - namespace: openshift-machine-api
    name: cloud-ingress-operator
  - namespace: openshift-machine-api
    name: osd-cluster-ready
  - namespace: openshift-marketplace
    name: dedicated-admins-openshift-marketplace
  - namespace: openshift-monitoring
    name: backplane-cee
  - namespace: openshift-monitoring
    name: muo-monitoring-reader
  - namespace: openshift-monitoring
    name: oao-monitoring-manager
  - namespace: openshift-monitoring
    name: osd-cluster-ready
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes-openshift-monitoring
  - namespace: openshift-must-gather-operator
    name: backplane-cee-mustgather
  - namespace: openshift-must-gather-operator
    name: backplane-srep-mustgather
  - namespace: openshift-network-diagnostics
    name: sre-pod-network-connectivity-check-pruner
  - namespace: openshift-operators
    name: dedicated-admins-openshift-operators
  - namespace: openshift-osd-metrics
    name: prometheus-k8s
  - namespace: openshift-rbac-permissions
    name: prometheus-k8s
  - namespace: openshift-security
    name: osd-rebalance-infra-nodes-openshift-security
  - namespace: openshift-strimzi
    name: dedicated-admins-openshift-strimzi
  - namespace: openshift-user-workload-monitoring
    name: dedicated-admins-user-workload-monitoring-create-cm
  - namespace: openshift-user-workload-monitoring
    name: dedicated-admins-user-workload-monitoring-manage-am-secret
  - namespace: openshift-user-workload-monitoring
    name: osd-rebalance-infra-nodes-openshift-user-workload-monitoring
  - namespace: openshift-velero
    name: prometheus-k8s
  CronJob:
  - namespace: openshift-backplane-managed-scripts
    name: osd-delete-backplane-script-resources
  - namespace: openshift-backplane-srep
    name: osd-delete-ownerrefs-serviceaccounts
  - namespace: openshift-backplane
    name: osd-delete-backplane-serviceaccounts
  - namespace: openshift-build-test
    name: sre-build-test
  - namespace: openshift-marketplace
    name: osd-patch-subscription-source
  - namespace: openshift-monitoring
    name: osd-rebalance-infra-nodes
  - namespace: openshift-network-diagnostics
    name: sre-pod-network-connectivity-check-pruner
  - namespace: openshift-sre-pruning
    name: builds-pruner
  - namespace: openshift-sre-pruning
    name: bz1980755
  - namespace: openshift-sre-pruning
    name: deployments-pruner
  Job:
  - namespace: openshift-monitoring
    name: osd-cluster-ready
  CredentialsRequest:
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator-credentials-aws
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator-credentials-gcp
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter-aws-credentials
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols-aws-credentials
  - namespace: openshift-velero
    name: managed-velero-operator-iam-credentials-aws
  - namespace: openshift-velero
    name: managed-velero-operator-iam-credentials-gcp
  APIScheme:
  - namespace: openshift-cloud-ingress-operator
    name: rh-api
  PublishingStrategy:
  - namespace: openshift-cloud-ingress-operator
    name: publishingstrategy
  EndpointSlice:
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-metrics-rhtwg
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter-4cw9r
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter-6tx5g
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols-gmdhs
  - namespace: openshift-monitoring
    name: token-refresher-v5cpg
  - namespace: openshift-validation-webhook
    name: validation-webhook-bl99t
  MachineHealthCheck:
  - namespace: openshift-machine-api
    name: srep-infra-healthcheck
  - namespace: openshift-machine-api
    name: srep-metal-worker-healthcheck
  - namespace: openshift-machine-api
    name: srep-worker-healthcheck
  MachineSet:
  - namespace: openshift-machine-api
    name: sbasabat-mc-qhqkn-infra-us-east-1a
  - namespace: openshift-machine-api
    name: sbasabat-mc-qhqkn-worker-us-east-1a
  ContainerRuntimeConfig:
  - name: custom-crio
  KubeletConfig:
  - name: custom-kubelet
  SubjectPermission:
  - namespace: openshift-rbac-permissions
    name: backplane-cee
  - namespace: openshift-rbac-permissions
    name: backplane-csa
  - namespace: openshift-rbac-permissions
    name: backplane-cse
  - namespace: openshift-rbac-permissions
    name: backplane-csm
  - namespace: openshift-rbac-permissions
    name: backplane-mobb
  - namespace: openshift-rbac-permissions
    name: backplane-srep
  - namespace: openshift-rbac-permissions
    name: backplane-tam
  - namespace: openshift-rbac-permissions
    name: dedicated-admin-serviceaccounts
  - namespace: openshift-rbac-permissions
    name: dedicated-admin-serviceaccounts-core-ns
  - namespace: openshift-rbac-permissions
    name: dedicated-admins
  - namespace: openshift-rbac-permissions
    name: dedicated-admins-alert-routing-edit
  - namespace: openshift-rbac-permissions
    name: dedicated-admins-core-ns
  - namespace: openshift-rbac-permissions
    name: dedicated-admins-customer-monitoring
  - namespace: openshift-rbac-permissions
    name: osd-delete-backplane-serviceaccounts
  - namespace: openshift-rbac-permissions
    name: sre-build-test
  VeleroInstall:
  - namespace: openshift-velero
    name: cluster
  PrometheusRule:
  - namespace: openshift-monitoring
    name: rhmi-sre-cluster-admins
  - namespace: openshift-monitoring
    name: rhoam-sre-cluster-admins
  - namespace: openshift-monitoring
    name: sre-alertmanager-silences-active
  - namespace: openshift-monitoring
    name: sre-alerts-stuck-builds
  - namespace: openshift-monitoring
    name: sre-alerts-stuck-volumes
  - namespace: openshift-monitoring
    name: sre-cloud-ingress-operator-offline-alerts
  - namespace: openshift-monitoring
    name: sre-configure-alertmanager-operator-offline-alerts
  - namespace: openshift-monitoring
    name: sre-control-plane-resizing-alerts
  - namespace: openshift-monitoring
    name: sre-dns-alerts
  - namespace: openshift-monitoring
    name: sre-ebs-iops-burstbalance
  - namespace: openshift-monitoring
    name: sre-elasticsearch-jobs
  - namespace: openshift-monitoring
    name: sre-elasticsearch-managed-notification-alerts
  - namespace: openshift-monitoring
    name: sre-excessive-memory
  - namespace: openshift-monitoring
    name: sre-haproxy-reload-fail
  - namespace: openshift-monitoring
    name: sre-internal-slo-recording-rules
  - namespace: openshift-monitoring
    name: sre-kubequotaexceeded
  - namespace: openshift-monitoring
    name: sre-leader-election-master-status-alerts
  - namespace: openshift-monitoring
    name: sre-managed-node-metadata-operator-alerts
  - namespace: openshift-monitoring
    name: sre-managed-notification-alerts
  - namespace: openshift-monitoring
    name: sre-managed-upgrade-operator-alerts
  - namespace: openshift-monitoring
    name: sre-managed-velero-operator-alerts
  - namespace: openshift-monitoring
    name: sre-node-unschedulable
  - namespace: openshift-monitoring
    name: sre-oauth-server
  - namespace: openshift-monitoring
    name: sre-pending-csr-alert
  - namespace: openshift-monitoring
    name: sre-proxy-managed-notification-alerts
  - namespace: openshift-monitoring
    name: sre-pruning
  - namespace: openshift-monitoring
    name: sre-pv
  - namespace: openshift-monitoring
    name: sre-router-health
  - namespace: openshift-monitoring
    name: sre-runaway-sdn-preventing-container-creation
  - namespace: openshift-monitoring
    name: sre-slo-recording-rules
  - namespace: openshift-monitoring
    name: sre-telemeter-client
  - namespace: openshift-monitoring
    name: sre-telemetry-managed-labels-recording-rules
  - namespace: openshift-monitoring
    name: sre-upgrade-send-managed-notification-alerts
  - namespace: openshift-monitoring
    name: sre-uptime-sla
  ServiceMonitor:
  - namespace: openshift-monitoring
    name: sre-dns-latency-exporter
  - namespace: openshift-monitoring
    name: sre-ebs-iops-reporter
  - namespace: openshift-monitoring
    name: sre-stuck-ebs-vols
  ClusterUrlMonitor:
  - namespace: openshift-route-monitor-operator
    name: api
  RouteMonitor:
  - namespace: openshift-route-monitor-operator
    name: console
  NetworkPolicy:
  - namespace: openshift-deployment-validation-operator
    name: allow-from-openshift-insights
  - namespace: openshift-deployment-validation-operator
    name: allow-from-openshift-olm
  - namespace: openshift-monitoring
    name: token-refresher
  ManagedNotification:
  - namespace: openshift-ocm-agent-operator
    name: sre-elasticsearch-managed-notifications
  - namespace: openshift-ocm-agent-operator
    name: sre-managed-notifications
  - namespace: openshift-ocm-agent-operator
    name: sre-proxy-managed-notifications
  - namespace: openshift-ocm-agent-operator
    name: sre-upgrade-managed-notifications
  OcmAgent:
  - namespace: openshift-ocm-agent-operator
    name: ocmagent
  CatalogSource:
  - namespace: openshift-addon-operator
    name: addon-operator-catalog
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator-registry
  - namespace: openshift-custom-domains-operator
    name: custom-domains-operator-registry
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-catalog
  - namespace: openshift-managed-node-metadata-operator
    name: managed-node-metadata-operator-registry
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator-catalog
  - namespace: openshift-monitoring
    name: configure-alertmanager-operator-registry
  - namespace: openshift-must-gather-operator
    name: must-gather-operator-registry
  - namespace: openshift-observability-operator
    name: observability-operator-catalog
  - namespace: openshift-ocm-agent-operator
    name: ocm-agent-operator-registry
  - namespace: openshift-osd-metrics
    name: osd-metrics-exporter-registry
  - namespace: openshift-rbac-permissions
    name: rbac-permissions-operator-registry
  - namespace: openshift-route-monitor-operator
    name: route-monitor-operator-registry
  - namespace: openshift-splunk-forwarder-operator
    name: splunk-forwarder-operator-catalog
  - namespace: openshift-velero
    name: managed-velero-operator-registry
  OperatorGroup:
  - namespace: openshift-addon-operator
    name: addon-operator-og
  - namespace: openshift-aqua
    name: openshift-aqua
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-codeready-workspaces
    name: openshift-codeready-workspaces
  - namespace: openshift-custom-domains-operator
    name: custom-domains-operator
  - namespace: openshift-customer-monitoring
    name: openshift-customer-monitoring
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator-og
  - namespace: openshift-managed-node-metadata-operator
    name: managed-node-metadata-operator
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator-og
  - namespace: openshift-must-gather-operator
    name: must-gather-operator
  - namespace: openshift-observability-operator
    name: observability-operator-og
  - namespace: openshift-ocm-agent-operator
    name: ocm-agent-operator-og
  - namespace: openshift-osd-metrics
    name: osd-metrics-exporter
  - namespace: openshift-rbac-permissions
    name: rbac-permissions-operator
  - namespace: openshift-route-monitor-operator
    name: route-monitor-operator
  - namespace: openshift-splunk-forwarder-operator
    name: splunk-forwarder-operator-og
  - namespace: openshift-strimzi
    name: openshift-strimzi
  - namespace: openshift-velero
    name: managed-velero-operator
  Subscription:
  - namespace: openshift-addon-operator
    name: addon-operator
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-custom-domains-operator
    name: custom-domains-operator
  - namespace: openshift-deployment-validation-operator
    name: deployment-validation-operator
  - namespace: openshift-managed-node-metadata-operator
    name: managed-node-metadata-operator
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator
  - namespace: openshift-monitoring
    name: configure-alertmanager-operator
  - namespace: openshift-must-gather-operator
    name: must-gather-operator
  - namespace: openshift-observability-operator
    name: observability-operator
  - namespace: openshift-ocm-agent-operator
    name: ocm-agent-operator
  - namespace: openshift-osd-metrics
    name: osd-metrics-exporter
  - namespace: openshift-rbac-permissions
    name: rbac-permissions-operator
  - namespace: openshift-route-monitor-operator
    name: route-monitor-operator
  - namespace: openshift-splunk-forwarder-operator
    name: openshift-splunk-forwarder-operator
  - namespace: openshift-velero
    name: managed-velero-operator
  PackageManifest:
  - namespace: openshift-splunk-forwarder-operator
    name: splunk-forwarder-operator
  - namespace: openshift-addon-operator
    name: addon-operator
  - namespace: openshift-rbac-permissions
    name: rbac-permissions-operator
  - namespace: openshift-cloud-ingress-operator
    name: cloud-ingress-operator
  - namespace: openshift-managed-node-metadata-operator
    name: managed-node-metadata-operator
  - namespace: openshift-velero
    name: managed-velero-operator
  - namespace: openshift-deployment-validation-operator
    name: managed-upgrade-operator
  - namespace: openshift-custom-domains-operator
    name: managed-node-metadata-operator
  - namespace: openshift-route-monitor-operator
    name: custom-domains-operator
  - namespace: openshift-managed-upgrade-operator
    name: managed-upgrade-operator
  - namespace: openshift-ocm-agent-operator
    name: ocm-agent-operator
  - namespace: openshift-observability-operator
    name: observability-operator
  - namespace: openshift-monitoring
    name: configure-alertmanager-operator
  - namespace: openshift-must-gather-operator
    name: deployment-validation-operator
  - namespace: openshift-osd-metrics
    name: osd-metrics-exporter
  Status:
  - {}
  Project:
  - name: dedicated-admin
  - name: openshift-addon-operator
  - name: openshift-aqua
  - name: openshift-backplane
  - name: openshift-backplane-cee
  - name: openshift-backplane-csa
  - name: openshift-backplane-cse
  - name: openshift-backplane-csm
  - name: openshift-backplane-managed-scripts
  - name: openshift-backplane-mobb
  - name: openshift-backplane-srep
  - name: openshift-backplane-tam
  - name: openshift-build-test
  - name: openshift-cloud-ingress-operator
  - name: openshift-codeready-workspaces
  - name: openshift-custom-domains-operator
  - name: openshift-customer-monitoring
  - name: openshift-deployment-validation-operator
  - name: openshift-managed-node-metadata-operator
  - name: openshift-managed-upgrade-operator
  - name: openshift-must-gather-operator
  - name: openshift-observability-operator
  - name: openshift-ocm-agent-operator
  - name: openshift-operators-redhat
  - name: openshift-osd-metrics
  - name: openshift-rbac-permissions
  - name: openshift-route-monitor-operator
  - name: openshift-security
  - name: openshift-splunk-forwarder-operator
  - name: openshift-sre-pruning
  - name: openshift-strimzi
  - name: openshift-validation-webhook
  - name: openshift-velero
  ClusterResourceQuota:
  - name: loadbalancer-quota
  - name: persistent-volume-quota
  SecurityContextConstraints:
  - name: pcap-dedicated-admins
  - name: splunkforwarder
  SplunkForwarder:
  - namespace: openshift-security
    name: splunkforwarder
  Group:
  - name: dedicated-admins
  User:
  - name: backplane-cluster-admin
  Backup:
  - namespace: openshift-velero
    name: daily-full-backup-20221123112305
  - namespace: openshift-velero
    name: daily-full-backup-20221125042537
  - namespace: openshift-velero
    name: daily-full-backup-20221126010038
  - namespace: openshift-velero
    name: daily-full-backup-20221127010039
  - namespace: openshift-velero
    name: daily-full-backup-20221128010040
  - namespace: openshift-velero
    name: daily-full-backup-20221129050847
  - namespace: openshift-velero
    name: hourly-object-backup-20221128051740
  - namespace: openshift-velero
    name: hourly-object-backup-20221128061740
  - namespace: openshift-velero
    name: hourly-object-backup-20221128071740
  - namespace: openshift-velero
    name: hourly-object-backup-20221128081740
  - namespace: openshift-velero
    name: hourly-object-backup-20221128091740
  - namespace: openshift-velero
    name: hourly-object-backup-20221129050852
  - namespace: openshift-velero
    name: hourly-object-backup-20221129051747
  - namespace: openshift-velero
    name: weekly-full-backup-20221116184315
  - namespace: openshift-velero
    name: weekly-full-backup-20221121033854
  - namespace: openshift-velero
    name: weekly-full-backup-20221128020040
  Schedule:
  - namespace: openshift-velero
    name: daily-full-backup
  - namespace: openshift-velero
    name: hourly-object-backup
  - namespace: openshift-velero
    name: weekly-full-backup

6.3. Red Hat OpenShift Service on AWS 애드온 네임스페이스

AWS의 Red Hat OpenShift Service는 클러스터 설치 후 설치할 수 있는 서비스입니다. 이러한 추가 서비스에는 Red Hat OpenShift Dev Spaces, Red Hat OpenShift API Management, Cluster Logging Operator가 포함됩니다. 다음 네임스페이스 내의 리소스에 대한 모든 변경 사항은 업그레이드 중에 애드온으로 덮어쓸 수 있으므로 애드온 기능에 대해 지원되지 않는 구성이 발생할 수 있습니다.

예 6.2. 애드온 관리 네임스페이스 목록

addon-namespaces:
  ocs-converged-dev: openshift-storage
  managed-api-service-internal: redhat-rhoami-operator
  codeready-workspaces-operator: codeready-workspaces-operator
  managed-odh: redhat-ods-operator
  codeready-workspaces-operator-qe: codeready-workspaces-operator-qe
  integreatly-operator: redhat-rhmi-operator
  nvidia-gpu-addon: redhat-nvidia-gpu-addon
  integreatly-operator-internal: redhat-rhmi-operator
  rhosak-qe: redhat-managed-kafka-operator-qe
  rhoams: redhat-rhoam-operator
  ocs-converged: openshift-storage
  addon-operator: redhat-addon-operator
  rhosak: redhat-managed-kafka-operator
  kas-fleetshard-operator-qe: redhat-kas-fleetshard-operator-qe
  prow-operator: prow
  cluster-logging-operator: openshift-logging
  advanced-cluster-management: redhat-open-cluster-management
  cert-manager-operator: redhat-cert-manager-operator
  dba-operator: addon-dba-operator
  reference-addon: redhat-reference-addon
  ocm-addon-test-operator: redhat-ocm-addon-test-operator
  kas-fleetshard-operator: redhat-kas-fleetshard-operator
  connectors-operator: redhat-openshift-connectors

6.4. Red Hat OpenShift Service on AWS 검증 Webhook

AWS 검증 웹 후크의 Red Hat OpenShift Service는 OpenShift SRE 팀에서 유지 관리하는 동적 승인 제어 집합입니다. 이러한 HTTP 콜백(Webhook이라고도 함)은 클러스터 안정성을 보장하기 위해 다양한 유형의 요청에 대해 호출됩니다. 다음 목록에서는 등록된 작업 및 리소스가 포함된 규칙을 포함하는 다양한 Webhook를 설명합니다. 이러한 검증 웹 후크를 우회하려고 하면 클러스터의 안정성과 지원 가능성에 영향을 미칠 수 있습니다.

예 6.3. Webhook 검증 목록

[
  {
    "webhookName": "clusterlogging-validation",
    "rules": [
      {
        "operations": [
          "CREATE",
          "UPDATE"
        ],
        "apiGroups": [
          "logging.openshift.io"
        ],
        "apiVersions": [
          "v1"
        ],
        "resources": [
          "clusterloggings"
        ],
        "scope": "Namespaced"
      }
    ],
    "documentString": "Managed OpenShift Customers may set log retention outside the allowed range of 0-7 days"
  },
  {
    "webhookName": "hiveownership-validation",
    "rules": [
      {
        "operations": [
          "UPDATE",
          "DELETE"
        ],
        "apiGroups": [
          "quota.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "clusterresourcequotas"
        ],
        "scope": "Cluster"
      }
    ],
    "webhookObjectSelector": {
      "matchLabels": {
        "hive.openshift.io/managed": "true"
      }
    },
    "documentString": "Managed OpenShift customers may not edit certain managed resources. A managed resource has a \"hive.openshift.io/managed\": \"true\" label."
  },
  {
    "webhookName": "namespace-validation",
    "rules": [
      {
        "operations": [
          "CREATE",
          "UPDATE",
          "DELETE"
        ],
        "apiGroups": [
          ""
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "namespaces"
        ],
        "scope": "Cluster"
      }
    ],
    "documentString": "Managed OpenShift Customers may not modify namespaces specified in the [openshift-monitoring/addons-namespaces openshift-monitoring/managed-namespaces openshift-monitoring/ocp-namespaces] ConfigMaps because customer workloads should be placed in customer-created namespaces. Customers may not create namespaces identified by this regular expression (^com$|^io$|^in$) because it could interfere with critical DNS resolution. Additionally, customers may not set or change the values of these Namespace labels [managed.openshift.io/storage-pv-quota-exempt managed.openshift.io/service-lb-quota-exempt]."
  },
  {
    "webhookName": "pod-validation",
    "rules": [
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "v1"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "pods"
        ],
        "scope": "Namespaced"
      }
    ],
    "documentString": "Managed OpenShift Customers may use tolerations on Pods that could cause those Pods to be scheduled on infra or master nodes."
  },
  {
    "webhookName": "regular-user-validation",
    "rules": [
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "cloudcredential.openshift.io",
          "machine.openshift.io",
          "admissionregistration.k8s.io",
          "addons.managed.openshift.io",
          "cloudingress.managed.openshift.io",
          "managed.openshift.io",
          "ocmagent.managed.openshift.io",
          "splunkforwarder.managed.openshift.io",
          "upgrade.managed.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "*/*"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "autoscaling.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "clusterautoscalers",
          "machineautoscalers"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "config.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "clusterversions",
          "clusterversions/status",
          "schedulers",
          "apiservers"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "operator.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "kubeapiservers",
          "openshiftapiservers"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          ""
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "nodes",
          "nodes/*"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "managed.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "subjectpermissions",
          "subjectpermissions/*"
        ],
        "scope": "*"
      },
      {
        "operations": [
          "*"
        ],
        "apiGroups": [
          "network.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "netnamespaces",
          "netnamespaces/*"
        ],
        "scope": "*"
      }
    ],
    "documentString": "Managed OpenShift customers may not manage any objects in the following APIgroups [network.openshift.io cloudcredential.openshift.io managed.openshift.io ocmagent.managed.openshift.io upgrade.managed.openshift.io config.openshift.io operator.openshift.io machine.openshift.io admissionregistration.k8s.io addons.managed.openshift.io cloudingress.managed.openshift.io splunkforwarder.managed.openshift.io autoscaling.openshift.io], nor may Managed OpenShift customers alter the APIServer, KubeAPIServer, OpenShiftAPIServer, ClusterVersion, Node or SubjectPermission objects."
  },
  {
    "webhookName": "scc-validation",
    "rules": [
      {
        "operations": [
          "UPDATE",
          "DELETE"
        ],
        "apiGroups": [
          "security.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "securitycontextconstraints"
        ],
        "scope": "Cluster"
      }
    ],
    "documentString": "Managed OpenShift Customers may not modify the following default SCCs: [anyuid hostaccess hostmount-anyuid hostnetwork node-exporter nonroot privileged restricted]"
  },
  {
    "webhookName": "techpreviewnoupgrade-validation",
    "rules": [
      {
        "operations": [
          "CREATE",
          "UPDATE"
        ],
        "apiGroups": [
          "config.openshift.io"
        ],
        "apiVersions": [
          "*"
        ],
        "resources": [
          "featuregates"
        ],
        "scope": "Cluster"
      }
    ],
    "documentString": "Managed OpenShift Customers may not use TechPreviewNoUpgrade FeatureGate that could prevent any future ability to do a y-stream upgrade to their clusters."
  }
]

법적 공지

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.