Expanding a cluster with on-premise bare metal nodes
Expanding an OKD cluster deployed on AWS with on-premise bare metal nodes requires installing those nodes with virtual media. The nodes must meet the node requirements and the requirements for installing with virtual media. A provisioning network is not required and, if present, should be disabled.
To expand the OKD cluster deployed on AWS with on-premise bare metal nodes, you must establish network connectivity between them. You will need to configure the networking using a virtual private network or AWS Direct Connect between the AWS VPC and your on-premise network. This allows traffic to flow between the on-premise nodes and the AWS nodes.
Additionally, you need to ensure secure access to the Baseboard Management Controllers (BMCs) of the bare metal nodes. When expanding the cluster with the Baremetal Operator, access to the BMCs is required for remotely managing and monitoring the hardware of your on-premise nodes.
To access the BMCs securely, place them on a separate network segment or reach them over a dedicated VPN connection used only for BMC traffic. Isolating BMC traffic from the rest of the network means that a compromised host elsewhere on the network cannot reach the BMCs directly, and it limits the exposure of the BMC management interfaces themselves.
Creating firewall rules for port 6183
Port 6183 is open by default on the control plane; it is the port on which the cluster serves virtual media images to the BMCs over TLS, so the BMCs of the on-premise nodes must be able to reach the control plane on it. You must create a firewall rule for the VPC connection and for the on-premise network so that the bare metal nodes can send and receive traffic on that port.
Procedure
Modify the AWS VPC security group to open port 6183:
In the Amazon VPC console, click Security Groups in the left navigation pane.
Find and select the security group associated with the OKD cluster.
Click Add rule and select Custom TCP Rule as the rule type.
In the Port range field, enter 6183.
In the Source field, specify the CIDR block for the on-premise network, or the security group ID of the peered VPC if you use VPC peering, so that traffic is allowed only from the intended sources.
Click Save rules.
Security groups are stateful, so a single inbound rule is enough: the responses to an allowed inbound connection are permitted automatically.
Modify the AWS VPC network access control lists to open port 6183:
In the Amazon VPC console, click Network ACLs in the left navigation pane.
Find and select the network ACL associated with your OKD cluster's VPC.
In the Inbound rules tab, click Edit inbound rules.
Select TCP as the protocol.
In the Port range field, enter 6183.
In the Source field, specify the CIDR block for the on-premise network so that traffic is allowed only from the intended sources.
Click Save to save the new rule.
Repeat the same process in the Outbound rules tab to allow outbound traffic on port 6183.
Unlike security groups, network ACLs are stateless: they do not automatically allow the return half of a connection. Responses from port 6183 travel back to the ephemeral source port that the BMC chose, so the outbound rules must also permit TCP traffic to the on-premise CIDR block on the ephemeral port range (1024-65535), otherwise the connection will be accepted inbound and then dropped on the way back.
Modify the on-premise network to allow traffic on port 6183:
Identify the firewall zone you want to modify on the on-premise network.
Open port 6183 for TCP traffic in that zone, replacing <zone> with the appropriate zone name.
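The three steps above can be scripted instead of clicked through. The following is an added example, not the page's or the project's own code; it assumes the AWS CLI (v2) is configured with rights on the VPC, that the on-premise firewall is firewalld, and hypothetical IDs such as sg-0abc and acl-0abc. Setting RUN=echo prints the commands instead of running them, which is a convenient way to review the rules before applying them.

```shell
#!/bin/sh
# Added example (not from the page): open TCP 6183 from the on-premise
# network to the OKD control plane on AWS, then on the on-premise firewall.
# Assumes: AWS CLI v2, firewalld on the on-premise side. Set RUN=echo to
# preview the commands without executing them.
set -eu

RUN="${RUN:-}"

# Security group: stateful, so one inbound rule from the on-premise CIDR
# (or a peered security group via --source-group) is sufficient.
sg_allow_6183() {
  sg_id=$1; src_cidr=$2
  $RUN aws ec2 authorize-security-group-ingress \
    --group-id "$sg_id" --protocol tcp --port 6183 --cidr "$src_cidr"
}

# Network ACL: stateless, so inbound 6183, outbound 6183 (as the page
# describes) and, crucially, the outbound ephemeral range that carries the
# return traffic all need explicit allow entries. Ingress and egress rule
# numbers are separate sequences, so the same number can be reused.
nacl_allow_6183() {
  acl_id=$1; cidr=$2; rule_no=$3
  $RUN aws ec2 create-network-acl-entry --network-acl-id "$acl_id" --ingress \
    --rule-number "$rule_no" --protocol tcp --port-range From=6183,To=6183 \
    --cidr-block "$cidr" --rule-action allow
  $RUN aws ec2 create-network-acl-entry --network-acl-id "$acl_id" --egress \
    --rule-number "$rule_no" --protocol tcp --port-range From=6183,To=6183 \
    --cidr-block "$cidr" --rule-action allow
  $RUN aws ec2 create-network-acl-entry --network-acl-id "$acl_id" --egress \
    --rule-number "$((rule_no + 1))" --protocol tcp --port-range From=1024,To=65535 \
    --cidr-block "$cidr" --rule-action allow
}

# On-premise firewall (firewalld assumed): persist the rule, then reload.
# Run 'firewall-cmd --get-active-zones' first to pick the zone.
onprem_allow_6183() {
  zone=$1
  $RUN firewall-cmd --zone="$zone" --add-port=6183/tcp --permanent
  $RUN firewall-cmd --reload
}

# Check from an on-premise host that the control plane answers on 6183.
# Any HTTP status code (even 404) shows the port is reachable and TLS
# handshakes; a timeout or connection refusal means a rule is still missing.
probe_6183() {
  host=$1
  $RUN curl -ksS -o /dev/null -w '%{http_code}\n' --max-time 5 "https://$host:6183/"
}
```

Usage: source the file and call, for example, `sg_allow_6183 sg-0abc 10.10.0.0/16`, `nacl_allow_6183 acl-0abc 10.10.0.0/16 110` and `onprem_allow_6183 public`, then `probe_6183 <control-plane-address>` from a bare metal host. The on-premise CIDR is the only source these rules admit; do not widen it to 0.0.0.0/0 to "make it work", since that exposes the virtual media endpoint to the internet.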
After you have the networking configured, you can proceed with expanding the cluster with the bare metal nodes.