From 1b9bfb71c0662d9de9bfc7bae355847d45ce7950 Mon Sep 17 00:00:00 2001
From: Jeana Routh
Date: Tue, 4 Mar 2025 17:05:53 -0500
Subject: [PATCH] OCPBUGS-18027: explain use of multiple AWS security groups

---
 modules/machineset-yaml-aws.adoc | 76 ++++++++++++++++++--------------
 1 file changed, 42 insertions(+), 34 deletions(-)

diff --git a/modules/machineset-yaml-aws.adoc b/modules/machineset-yaml-aws.adoc
index 757737b0ef07..2c0d26e2ddb3 100644
--- a/modules/machineset-yaml-aws.adoc
+++ b/modules/machineset-yaml-aws.adoc
@@ -59,49 +59,49 @@ spec: replicas: 1 selector: matchLabels: - machine.openshift.io/cluster-api-cluster: <1> + machine.openshift.io/cluster-api-cluster: ifdef::edge[] machine.openshift.io/cluster-api-machineset: -edge- endif::edge[] ifndef::infra,edge[] - machine.openshift.io/cluster-api-machineset: -- <2> + machine.openshift.io/cluster-api-machineset: -- endif::infra,edge[] ifdef::infra[] - machine.openshift.io/cluster-api-machineset: -infra- <2> + machine.openshift.io/cluster-api-machineset: -infra- endif::infra[] template: metadata: labels: - machine.openshift.io/cluster-api-cluster: <1> + machine.openshift.io/cluster-api-cluster: ifndef::infra,edge[] machine.openshift.io/cluster-api-machine-role: <3> - machine.openshift.io/cluster-api-machine-type: <3> - machine.openshift.io/cluster-api-machineset: -- <2> + machine.openshift.io/cluster-api-machine-type: + machine.openshift.io/cluster-api-machineset: -- endif::infra,edge[] ifdef::infra[] machine.openshift.io/cluster-api-machine-role: infra <3> - machine.openshift.io/cluster-api-machine-type: infra <3> - machine.openshift.io/cluster-api-machineset: -infra- <2> + machine.openshift.io/cluster-api-machine-type: infra + machine.openshift.io/cluster-api-machineset: -infra- endif::infra[] ifdef::edge[] machine.openshift.io/cluster-api-machine-role: edge <3> - machine.openshift.io/cluster-api-machine-type: edge <3> - machine.openshift.io/cluster-api-machineset: -edge- <2> + machine.openshift.io/cluster-api-machine-type: edge + machine.openshift.io/cluster-api-machineset: -edge- endif::edge[] spec: metadata: labels: ifndef::infra,edge[] - node-role.kubernetes.io/: "" <3> + node-role.kubernetes.io/: "" endif::infra,edge[] ifdef::infra[] - node-role.kubernetes.io/infra: "" <3> + node-role.kubernetes.io/infra: "" endif::infra[] ifdef::edge[] machine.openshift.io/parent-zone-name: machine.openshift.io/zone-group: machine.openshift.io/zone-type: - node-role.kubernetes.io/edge: "" <3> + node-role.kubernetes.io/edge: "" 
endif::edge[] providerSpec: value: @@ -117,17 +117,21 @@ endif::edge[] name: aws-cloud-credentials deviceIndex: 0 iamInstanceProfile: - id: -worker-profile <1> + id: -worker-profile instanceType: m6i.large kind: AWSMachineProviderConfig placement: - availabilityZone: <6> - region: <7> + availabilityZone: <5> + region: <6> securityGroups: - filters: - name: tag:Name values: - - -worker-sg <1> + - -worker-sg + - filters: <7> + - name: tag:Name + values: + - subnet: ifndef::edge[] filters: @@ -136,18 +140,18 @@ ifndef::edge[] - -private- <8> endif::edge[] ifdef::edge[] - id: <8> + id: <8> publicIp: true endif::edge[] - tags: - - name: kubernetes.io/cluster/ <1> + tags: <9> + - name: kubernetes.io/cluster/ value: owned - - name: <5> - value: <5> + - name: + value: userDataSecret: name: worker-user-data ifdef::infra,edge[] - taints: <9> + taints: <10> ifdef::infra[] - key: node-role.kubernetes.io/infra endif::infra[] 
@@ -184,28 +188,32 @@ $ oc -n openshift-machine-api \
 -o jsonpath='{.spec.template.spec.providerSpec.value.ami.id}{"\n"}' \
 get machineset/--
 ----
-<5> Optional: Specify custom tag data for your cluster. For example, you might add an admin contact email address by specifying a `name:value` pair of `Email:\admin-email@example.com`.
-+
-[NOTE]
-====
-Custom tags can also be specified during installation in the `install-config.yml` file. If the `install-config.yml` file and the machine set include a tag with the same `name` data, the value for the tag from the machine set takes priority over the value for the tag in the `install-config.yml` file.
-====
-
 ifndef::edge[]
-<6> Specify the zone, for example, `us-east-1a`.
+<5> Specify the zone, for example, `us-east-1a`.
 endif::edge[]
 ifdef::edge[]
-<6> Specify the zone name, for example, `us-east-1-nyc-1a`.
+<5> Specify the zone name, for example, `us-east-1-nyc-1a`.
 endif::edge[]
-<7> Specify the region, for example, `us-east-1`.
+<6> Specify the region, for example, `us-east-1`.
+<7> Optional: Specify one or more additional security groups using the format shown.
+When you specify multiple security groups, the rules are merged and applied to the instance as described in link:https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html[{aws-short} documentation about security group rules].
+Refer to {aws-short} documentation for guidance on quotas and other limitations.
 ifndef::edge[]
 <8> Specify the infrastructure ID and zone.
 endif::edge[]
 ifdef::edge[]
 <8> The ID of the public subnet that you created in AWS {zone-type}. You created this public subnet ID when you finished the procedure for "Creating a subnet in an AWS zone".
 endif::edge[]
+<9> Optional: Specify custom tag data for your cluster in addition to the existing `kubernetes.io/cluster/` tag.
+For example, you might add an admin contact email address by specifying a `name:value` pair of `Email:\admin-email@example.com`.
++
+[NOTE]
+====
+Custom tags can also be specified during installation in the `install-config.yml` file.
+If the `install-config.yml` file and the machine set include a tag with the same `name` data, the value for the tag from the machine set takes priority over the value for the tag in the `install-config.yml` file.
+====
 ifdef::infra,edge[]
-<9> Specify a taint to prevent user workloads from being scheduled on
+<10> Specify a taint to prevent user workloads from being scheduled on
 ifdef::infra[`infra`]
 ifdef::edge[`edge`]
 nodes.