Before you install identity configuration management for Kubernetes technology preview, review the following system configuration requirements and settings:

* Supported operating systems and platforms
* Sizing recommendations
* Security requirements
* Network configuration
* Backup and restore recommendation
Note: There is no console for the Technology Preview version of this product.
Supported operating systems and platforms for hub clusters and managed clusters
The identity configuration management tech preview requires the multicluster engine for Kubernetes 2.0.x or Red Hat Advanced Cluster Management for Kubernetes 2.4.x or 2.5.x.
Both the hub and managed clusters must be running OpenShift Container Platform at the levels supported by your chosen multicluster solution, multicluster engine or Advanced Cluster Management. Red Hat OpenShift Managed cloud services are not supported for this technology preview.
Note: Only OpenShift Container Platform 4.10, 4.9, or 4.8.12 and higher are supported for the hub cluster. For 4.8, a minimum of 4.8.12 is required due to Bugzilla 1969902.
Sizing recommendations
If you are using multicluster engine, you need a minimum of 1 node with 8 CPU, 32 GB of memory, and 100 GB of disk.
If you are using Advanced Cluster Management, follow the RHACM sizing requirements.
Security requirements
Securing OAuth requests to the OpenID Connect identity provider
The identity configuration management operator instantiates one or more OpenID Connect identity providers internally to enable fleet-wide authentication. OAuth requests from the managed clusters to these identity providers must be secured using valid, signed certificates. This can be accomplished by replacing the default ingress certificate on the hub cluster or by providing a certificate in an AuthRealm custom resource.
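The following script is an added example, not part of the product documentation: it checks, from a managed cluster's point of view, that the hub's OpenID Connect issuer presents a certificate chain that validates against the local trust store and that the OIDC discovery document is served over verified TLS. The issuer URL is an assumed placeholder; substitute the issuer exposed for your AuthRealm.

```shell
#!/usr/bin/env bash
# Added example: verify the hub OIDC issuer's TLS certificate from a managed
# cluster. A hub that still uses the default (self-signed) ingress certificate
# fails the openssl step below, which is exactly the condition the security
# requirement above rules out.
set -eu

# Split an issuer URL into "host port"; the port defaults to 443 for https.
issuer_host_port() {
    url="$1"
    hostport="${url#*://}"        # strip the scheme
    hostport="${hostport%%/*}"    # strip the path
    host="${hostport%%:*}"
    if [ "$hostport" = "$host" ]; then port=443; else port="${hostport##*:}"; fi
    printf '%s %s\n' "$host" "$port"
}

# Exit non-zero when the chain does not validate or discovery fails; the
# openssl/curl messages explain which check failed.
check_issuer_tls() {
    issuer="$1"
    hp=$(issuer_host_port "$issuer")
    host="${hp% *}"
    port="${hp#* }"
    # -verify_return_error makes s_client fail on chain errors such as a
    # self-signed, untrusted, or expired certificate.
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        -verify_return_error -brief </dev/null
    # curl verifies the chain and hostname by default; --fail surfaces HTTP errors.
    curl --silent --show-error --fail \
        "${issuer%/}/.well-known/openid-configuration" >/dev/null
    echo "OK: ${issuer} is reachable over verified TLS"
}

# Run the check only when an issuer URL is passed on the command line, e.g.
#   ./check-issuer.sh https://oidc.apps.hub.example.com   (placeholder issuer)
if [ "$#" -gt 0 ]; then
    check_issuer_tls "$1"
fi
```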
Network configuration
Configure your network settings to allow the connections in the following sections. These network configurations are in addition to those required by multicluster engine and Advanced Cluster Management.
Hub cluster networking requirements
For the hub cluster networking requirements, see the following table:
| Direction | Connection | Port (if specified) |
|---|---|---|
| Outbound | GitHub or GitHub Enterprise API. Required only if you are using GitHub as an identity provider. | |
| Outbound | LDAP server (for example, OpenLDAP or an Azure Active Directory managed domain). Required only if you are using LDAP as an identity provider. | |
| Inbound | The OpenID Connect issuer, from the managed cluster. | 443 |
Managed cluster networking requirements
For the managed cluster networking requirements, see the following table:
| Direction | Connection | Port (if specified) |
|---|---|---|
| Outbound | OpenID Connect issuer running on the hub cluster | 443 |
Backup and restore recommendation
Red Hat Advanced Cluster Management for Kubernetes 2.5.x added backup and restore capabilities. However, these capabilities are not enabled for identity configuration management for Kubernetes technology preview. The recommended approach for backup and restore is a GitOps-based architecture, where the identity configuration can be reapplied in a restore scenario.