
Installing an OpenShift cluster on OpenStack

We'll be using the following guide to install an OKD Kubernetes cluster on an OpenMetal-provisioned OpenStack cloud: Installing a cluster on OpenStack with customizations. For more information about configuration options, please refer to the OKD documentation. The intent of this guide is to quickly validate the installation process on an OpenMetal cloud.


We'll be performing these installation steps on one of the hardware nodes provisioned for your cloud. Make sure that you have deployed a cloud and have SSH access to the nodes. If deploying from another machine, you may need to perform additional steps.

Setup OpenStack Access

Installing OpenStack CLI

Complete the following steps to install the OpenStack CLI:

Update quotas

Remove the following quota limits for the project you plan on using for this installation by setting the value to -1.

  • RAM: -1
  • VCPU: -1
openstack quota set --cores -1 PROJECT_NAME
openstack quota set --ram -1 PROJECT_NAME

Save Password

During the setup process of the OpenStack CLI, you should have created a clouds.yaml. Update that file by adding your password in the auth field.

vim ~/.config/openstack/clouds.yaml
auth_url: http://my-hostname:5000
username: "username"
password: "password"

Note: You can also keep secrets in a separate file:

Prepare Installation

Download OKD Installer

mkdir ~/okd/ && cd ~/okd/
curl -o openshift-install-linux.tar.gz -L
tar -xvf openshift-install-linux.tar.gz

Generate a key pair

ssh-keygen -t ed25519 -N '' -f /root/.ssh/id_okd && chmod 600 /root/.ssh/id_okd

Add the SSH private key identity to the SSH agent for your local user

eval "$(ssh-agent -s)"
ssh-add /root/.ssh/id_okd

Create floating IPs

Record the IP addresses the commands below return. We'll pass these IPs to the installer later.

openstack floating ip create --description "API okd test cluster" External
openstack floating ip create --description "APPS okd test cluster" External


| Field | Value |
| created_at | 2022-08-12T22:49:31Z |
| description | API okd test cluster |
| dns_domain | None |
| dns_name | None |
| fixed_ip_address | None |
| floating_ip_address | |
| floating_network_id | 4e08a887-5fa7-4cc1-b106-26ade52e3e5f |
| id | c5c9c416-5ea4-4ebe-8b02-307f6c371b06 |
| name | |
| port_details | None |
| port_id | None |
| project_id | a8df8d1113b444a694f59653b830c1df |
| qos_policy_id | None |
| revision_number | 0 |
| router_id | None |
| status | DOWN |
| subnet_id | None |
| tags | [] |
| tenant_id | a8df8d1113b444a694f59653b830c1df |
| updated_at | 2022-08-12T22:49:31Z |

DNS Configuration

Option 1

Set up DNS records. Recommended for production clusters.

  • api.<cluster_name>.<base_domain>. IN A <API_FLOATING_IP>
  • *.apps.<cluster_name>.<base_domain>. IN A <APPS_FLOATING_IP>
  • api-int.<cluster_name>.<base_domain>. IN A <API_FLOATING_IP>

Note: OKD will fail if it cannot resolve these DNS records to the floating IP addresses you selected. If the install does fail for this reason, it will tell you the host is unreachable or no route to host.
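A preflight check for these records, run from the deployment host before starting the installer. This is an added example, not part of the original guide; because getent also reads /etc/hosts, it works the same for the hosts-file option below. The function names and the resolve helper are hypothetical, and the console and OAuth route names stand in for the *.apps wildcard.

```shell
# Added example (not from the original guide).
# resolve NAME: print the IPv4 addresses NAME resolves to on this host.
# getent follows nsswitch order, so /etc/hosts entries and DNS both count.
resolve() {
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# check_okd_dns CLUSTER BASE_DOMAIN API_IP APPS_IP
# Prints one line per name and returns the number of names that failed.
check_okd_dns() {
  cluster=$1 domain=$2 api_ip=$3 apps_ip=$4
  failed=0
  # Two concrete route names represent the *.apps wildcard record.
  for entry in \
    "api.$cluster.$domain=$api_ip" \
    "api-int.$cluster.$domain=$api_ip" \
    "console-openshift-console.apps.$cluster.$domain=$apps_ip" \
    "oauth-openshift.apps.$cluster.$domain=$apps_ip"
  do
    name=${entry%%=*}
    want=${entry#*=}
    got=$(resolve "$name" | tr '\n' ' ')
    got=${got% }
    if [ -z "$got" ]; then
      echo "FAIL $name does not resolve (expected $want)"
      failed=$((failed + 1))
    elif [ "$got" != "$want" ]; then
      echo "FAIL $name -> $got (expected $want)"
      failed=$((failed + 1))
    else
      echo "OK   $name -> $got"
    fi
  done
  return "$failed"
}

# Usage: check_okd_dns <cluster_name> <base_domain> <API_FLOATING_IP> <APPS_FLOATING_IP>
```

A non-zero return means at least one name is missing or points somewhere other than the floating IP you recorded.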

Option 2: Add hostfile mods

Add the following to /etc/hosts. Replace the floating IPs with the IPs you created above. You'll need to use this block on several servers. Only recommended for testing purposes.


Generate Installation Configs

Create Manifest Files

mkdir ~/okd/install-directory
./openshift-install --dir ~/okd/install-directory create manifests

You'll be prompted for information about the cluster. As a reference, we used the following values for each prompt.

  • Base domain will be the domain you set up in DNS or the domain used in your hosts file mod.
  • OKD wants a pull secret. The pull secret is used to authenticate image pulls from private container image registries. If you have a private registry secret you can provide that. Otherwise, you can use a fake secret the OKD documentation provides: {"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}}. Copy and paste that entire string into the prompt for pull secret. It will show as a series of asterisks. OKD will fail if the pull secret is not a valid pull secret or the fake secret. If you use the fake secret, OKD will pull its container images from public repositories. OKD does cache container images, so you do not have to repull them for every run of OKD. If you use the pull secret provided, Red Hat operators will be unavailable. For more information see their documentation:
  • You must choose a flavor with at least 16 GB memory, 4 vCPUs, and 100 GB storage space. The gp1.xlarge flavor has enough resources. OKD will fail with an error about the flavor not having enough RAM or vCPUs if you pick a small flavor.
? SSH Public Key /root/.ssh/
? Platform openstack
? Cloud openstack
? ExternalNetwork External
? APIFloatingIPAddress <API floating IP address you generated earlier>
? FlavorName gp1.large
? Base Domain
? Cluster Name okd
? Pull Secret [? for help] {"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}}

Generate Install Configuration

./openshift-install create install-config --dir ~/okd/install-directory

Create Security Group

Create a security group that allows SSH access from the host on which you are running the openshift-install application. The install can fail if the host cannot access the bootstrap node via SSH. Provision floating IPs for the project that will host the OKD infrastructure. Note that the rule below sets no destination port, so it admits every TCP port from that address, not only SSH (port 22).

openstack security group create okd-deploy
openstack security group rule create okd-deploy \
--protocol TCP --remote-ip YOUR_IP_ADDRESS/32 --description "Allow deployment host"

Update the Install Config

vim ~/okd/install-directory/install-config.yaml

Add security group UUID so the installer can access the cluster. Replace the UUID with the UUID of the security group you created above.

additionalSecurityGroupIDs: ["7af89a64-3cc0-444f-9273-63f309a003c2"]

Specify the floating IPs you created earlier. The API IP should already be filled in.


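The complete config looks like the following example. You can customize this config to your needs. Values in angle brackets are placeholders for your own values.

apiVersion: v1
baseDomain: <base_domain>
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  replicas: 3
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform:
    openstack:
      # UUID of the okd-deploy security group created above
      additionalSecurityGroupIDs: ["7af89a64-3cc0-444f-9273-63f309a003c2"]
  replicas: 3
metadata:
  creationTimestamp: null
  name: okd
networking:
  clusterNetwork:
  - cidr: <CLUSTER_NETWORK_CIDR>
    hostPrefix: 23
  machineNetwork:
  - cidr: <MACHINE_NETWORK_CIDR>
  networkType: OVNKubernetes
platform:
  openstack:
    # Floating IPs created earlier
    apiFloatingIP: <API_FLOATING_IP>
    ingressFloatingIP: <APPS_FLOATING_IP>
    cloud: openstack
    defaultMachinePlatform:
      type: gp1.large
    externalDNS: null
    externalNetwork: External
publish: External
pullSecret: '{"auths":{"fake":{"auth":"aWQ6cGFzcwo="}}}'
sshKey: |
  ssh-ed25519 AAAAC3Nz...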

Save a copy of the config

The installation process will delete your configuration file. Save a copy of the config before running the installer.

cp ~/okd/install-directory/install-config.yaml .

Install OKD

This process can take up to an hour. If the process fails, you'll need to delete the cluster and start again. Please see troubleshooting for more information.

./openshift-install create cluster --dir ~/okd/install-directory/ --log-level=info

If everything is successful, you should see URLs to access the API and the console. There will also be a username and password for the console. Save the username and password from the log output somewhere safe.

NOTE! If you are deploying with hosts file mods, you'll need to add the same entries to the bootstrapping VM after it's created.

watch openstack server list

Verify Installation

That's it! You've installed OKD onto your OpenStack cloud. Now you can verify that the installation was successful and deploy your own workloads.

Open Web Console

Optional - Add the hosts file mods to your local machine

Use the same entries you've added to the previous servers and add them to your local machine.

Web Console Login

Navigate to

Use the username and password that were output after you completed the installation. If you forget to save the password, the password is stored in the auth folder in the current directory in the kubeadmin-password file.
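The procedure leaves several credential files on the deployment host: clouds.yaml with the OpenStack password, the SSH private key, the saved install-config.yaml, and the auth folder with the kubeconfig and kubeadmin password. The following check, an added example that is not part of the original guide, flags any of them that group or other users can access. The function names are hypothetical, and the paths assume the locations used in this guide, with install-config.yaml copied into ~/okd.

```shell
# Added example (not from the original guide).
# audit_secret_perms FILE...
# Reports files whose group/other permission bits are not all clear.
# Returns the number of weak files; files that do not exist yet are skipped.
audit_secret_perms() {
  findings=0
  for f in "$@"; do
    [ -e "$f" ] || { echo "SKIP $f (not present)"; continue; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    # -L follows symlinks so the target's mode is what gets checked.
    bits=$(ls -ldL "$f" | cut -c5-10)
    if [ "$bits" = "------" ]; then
      echo "OK   $f"
    else
      echo "WEAK $f (group/other bits: $bits); fix with: chmod go-rwx $f"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# okd_secret_files [INSTALL_DIR]
# Lists the files from this guide that hold a password, key or token.
# Assumed paths: the guide's defaults under $HOME.
okd_secret_files() {
  dir=${1:-$HOME/okd/install-directory}
  printf '%s\n' \
    "$HOME/.config/openstack/clouds.yaml" \
    "$HOME/.ssh/id_okd" \
    "$HOME/okd/install-config.yaml" \
    "$dir/auth/kubeconfig" \
    "$dir/auth/kubeadmin-password"
}

# Usage: audit_secret_perms $(okd_secret_files)
```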

OKD Web Console on OpenMetal

Test Kubectl

Install Kubectl

curl -LO "$(curl -L -s"
install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Load configuration

 export KUBECONFIG=/root/okd/install-directory/auth/kubeconfig

List Pods

[root@silly-quokka okd]# kubectl get pods -A
openshift-apiserver-operator openshift-apiserver-operator-5686496c75-b6ngv 1/1 Running 1 (84m ago) 88m
openshift-apiserver apiserver-55b764f57-cp7w9 2/2 Running 0 76m
openshift-apiserver apiserver-55b764f57-ktq9c 2/2 Running 0 77m
openshift-apiserver apiserver-55b764f57-tf96q 2/2 Running 0 75m
openshift-authentication-operator authentication-operator-79647548ff-9pv9j 1/1 Running 1 (84m ago) 88m
openshift-authentication oauth-openshift-75cb6567b6-6ltrr 1/1 Running 0 69m
openshift-authentication oauth-openshift-75cb6567b6-n845d 1/1 Running 0 68m
openshift-authentication oauth-openshift-75cb6567b6-qtfcf 1/1 Running 0 69m
openshift-cloud-controller-manager-operator cluster-cloud-controller-manager-operator-54f49d867f-gzjlh 2/2 Running 0 87m
openshift-cloud-credential-operator cloud-credential-operator-7c4bbc8654-c6ckq 2/2 Running 0 88m
openshift-cluster-csi-drivers manila-csi-driver-operator-b4dfc5874-frvlj 1/1 Running 0 84m
openshift-cluster-csi-drivers openstack-cinder-csi-driver-controller-6b56dfff86-f5zfb 10/10 Running 0 82m
openshift-cluster-csi-drivers openstack-cinder-csi-driver-controller-6b56dfff86-wdh98 10/10 Running 0 85m
openshift-cluster-csi-drivers openstack-cinder-csi-driver-node-7v6sj 3/3 Running 0 76m

OKD Client

Install OKD Client

To verify operation, download the OKD client from the OKD GitHub releases page:

curl -OL
tar -xvf openshift-client-linux-4.11.0-0.okd-2022-07-29-154152.tar.gz

Fetch Kubernetes resources using OKD Client

Run the following OKD client commands using the oc binary:

  • ./oc get nodes
  • ./oc get clusterversion
  • ./oc get clusteroperator
  • ./oc get pods -A


(venv) [root@silly-quokka test]# ./oc get nodes
okd-dstmh-master-0 Ready master 3h35m v1.24.0+9546431
okd-dstmh-master-1 Ready master 3h35m v1.24.0+9546431
okd-dstmh-master-2 Ready master 3h35m v1.24.0+9546431
okd-dstmh-worker-0-gbr8f Ready worker 3h24m v1.24.0+9546431
okd-dstmh-worker-0-l868x Ready worker 3h24m v1.24.0+9546431
okd-dstmh-worker-0-mjzlr Ready worker 3h24m v1.24.0+9546431


Restart OKD Installation

Delete the cluster

./openshift-install destroy cluster --dir ~/okd/install-directory/ --log-level=info

Copy the config

cp install-config.yaml ~/okd/install-directory/

Create the manifests

./openshift-install --dir ~/okd/install-directory create manifests

Start Install

./openshift-install create cluster --dir ~/okd/install-directory/ --log-level=info