Create a managed cluster

This section describes how to create an OpenStack-based managed cluster using the Mirantis Container Cloud web UI of the OpenStack-based management cluster.

To create an OpenStack-based managed cluster:

  1. If you deploy Container Cloud on top of MOSK Victoria with Tungsten Fabric and use the default security group for newly created load balancers, add the following rules for the Kubernetes API server endpoint, Container Cloud application endpoint, and for the MKE web UI and API using the OpenStack CLI:

    • direction='ingress'

    • ethertype='IPv4'

    • protocol='tcp'

    • remote_ip_prefix=''

    • port_range_max and port_range_min:

      • '443' for Kubernetes API and Container Cloud application endpoints

      • '6443' for MKE web UI and API

  2. Log in to the Container Cloud web UI with the m:kaas:namespace@operator or m:kaas:namespace@writer permissions.

  3. Switch to the required non-default project using the Switch Project action icon located on top of the main left-side navigation panel.

    To create a project, refer to Create a project for managed clusters.

  4. Optional. In the SSH Keys tab, click Add SSH Key to upload the public SSH key(s) for VMs creation.

  5. In the Credentials tab:

    1. Click Add Credential to add your OpenStack credentials. You can either upload your OpenStack clouds.yaml configuration file or fill in the fields manually.

    2. Verify that the new credentials status is Ready. If the status is Error, hover over the status to determine the reason of the issue.

  6. Optional. Enable proxy access to the cluster.

    In the Proxies tab, configure proxy:

    1. Click Add Proxy.

    2. In the Add New Proxy wizard, fill out the form with the following parameters:

      Proxy configuration



      Proxy Name

      Name of the proxy server to use during cluster creation.


      From the drop-down list, select the required region.

      HTTP Proxy

      Add the HTTP proxy server domain name in the following format:

      • - for anonymous access

      • - for restricted access

      HTTPS Proxy

      Add the HTTPS proxy server domain name in the same format as for HTTP Proxy.

      No Proxy

      Comma-separated list of IP addresses or domain names.

      For implementation details, see Proxy and cache support.

    3. If your proxy requires a trusted CA certificate, select the CA Certificate check box and paste a CA certificate for a MITM proxy to the corresponding field or upload a certificate using Upload Certificate.

    For the list of Mirantis resources and IP addresses to be accessible from the Container Cloud clusters, see Requirements for an OpenStack-based cluster.

  7. In the Clusters tab, click Create Cluster and fill out the form with the following parameters as required:

    1. Add Cluster name.

    2. Configure general provider settings and the Kubernetes parameters:

      Provider and Kubernetes configuration




      General Settings


      Select OpenStack.

      Provider Credential

      From the drop-down list, select the OpenStack credentials name that you have previously created.

      Release Version

      The Container Cloud version.


      Optional. From the drop-down list, select the proxy server name that you have previously created.

      SSH Keys

      From the drop-down list, select the SSH key name(s) that you have previously added for SSH access to VMs.

      Container Registry

      From the drop-down list, select the Docker registry name that you have previously added using the Container Registries tab. For details, see Define a custom CA certificate for a private Docker registry.


      External Network

      Type of the external network in the OpenStack cloud provider.

      DNS Name Servers

      Comma-separated list of the DNS hosts IPs for the OpenStack VMs configuration.

      Configure Bastion

      Optional. Configuration parameters for the Bastion node:

      • Flavor

      • Image

      • Availability Zone

      • Server Metadata

      For the parameters description, see Add a machine.

      Select Boot From Volume to boot the Bastion node from a block storage volume and select the required amount of storage (80 GB is enough).


      Node CIDR

      The Kubernetes nodes CIDR block. For example,

      Services CIDR Blocks

      The Kubernetes Services CIDR block. For example,

      Pods CIDR Blocks

      The Kubernetes Pods CIDR block. For example,


      The network subnet size of Kubernetes pods influences the number of nodes that can be deployed in the cluster. The default subnet size /18 is enough to create a cluster with up to 256 nodes. Each node uses the /26 address blocks (64 addresses), at least one address block is allocated per node. These addresses are used by the Kubernetes pods with hostNetwork: false. The cluster size may be limited further when some nodes use more than one address block.

      Optional General Settings

      Enable Secure Overlay

      Optional. Available since 2.21.0 as Technology Preview. Enables encryption for the Kubernetes workloads network. For more details, see MKE documentation: Kubernetes network encryption.

      • When the option is enabled, Calico networking is configured to use IP-in-IP overlay and BGP routing.

      • When the option is disabled, Calico networking is configured to use VXLAN overlay (no BGP).

    3. Configure StackLight:


      Parameter name



      Enable Monitoring

      Selected by default. Deselect to skip StackLight deployment. You can also enable, disable, or configure StackLight parameters after deploying a managed cluster. For details, see Change a cluster configuration or Configure StackLight.

      Enable Logging

      Select to deploy the StackLight logging stack.

      For details about the logging components, see Deployment architecture.


      The logging mechanism performance depends on the cluster log load. In case of a high load, you may need to increase the default resource requests and limits for fluentdLogs. For details, see StackLight configuration parameters: Resource limits.

      HA Mode

      Select to enable StackLight monitoring in the HA mode. For the differences between HA and non-HA modes, see Deployment architecture.

      StackLight Default Logs Severity Level

      Log severity (verbosity) level for all StackLight components. The default value for this parameter is Default component log level that respects original defaults of each StackLight component. For details about severity levels, see Log verbosity.

      StackLight Component Logs Severity Level

      The severity level of logs for a specific StackLight component that overrides the value of the StackLight Default Logs Severity Level parameter. For details about severity levels, see Log verbosity.

      Expand the drop-down menu for a specific component to display its list of available log levels.


      Logstash Retention Time

      Available if you select Enable Logging. Specifies the logstash-* index retention time.

      Events Retention Time

      Available if you select Enable Logging. Specifies the kubernetes_events-* index retention time.

      Notifications Retention

      Available if you select Enable Logging. Specifies the notification-* index retention time and is used for Mirantis OpenStack for Kubernetes.

      Persistent Volume Claim Size

      Available if you select Enable Logging. The OpenSearch persistent volume claim size.

      Collected Logs Severity Level

      Available if you select Enable Logging. The minimum severity of all Container Cloud components logs collected in OpenSearch. For details about severity levels, see Logging.


      Retention Time

      The Prometheus database retention period.

      Retention Size

      The Prometheus database retention size.

      Persistent Volume Claim Size

      The Prometheus persistent volume claim size.

      Enable Watchdog Alert

      Select to enable the Watchdog alert that fires as long as the entire alerting pipeline is functional.

      Custom Alerts

      Specify alerting rules for new custom alerts or upload a YAML file in the following exemplary format:

      - alert: HighErrorRate
        expr: job:request_latency_seconds:mean5m{job="myjob"} > 0.5
        for: 10m
          severity: page
          summary: High request latency

      For details, see Official Prometheus documentation: Alerting rules. For the list of the predefined StackLight alerts, see Operations Guide: Available StackLight alerts.

      StackLight Email Alerts

      Enable Email Alerts

      Select to enable the StackLight email alerts.

      Send Resolved

      Select to enable notifications about resolved StackLight alerts.

      Require TLS

      Select to enable transmitting emails through TLS.

      Email alerts configuration for StackLight

      Fill out the following email alerts parameters as required:

      • To - the email address to send notifications to.

      • From - the sender address.

      • SmartHost - the SMTP host through which the emails are sent.

      • Authentication username - the SMTP user name.

      • Authentication password - the SMTP password.

      • Authentication identity - the SMTP identity.

      • Authentication secret - the SMTP secret.

      StackLight Slack Alerts

      Enable Slack alerts

      Select to enable the StackLight Slack alerts.

      Send Resolved

      Select to enable notifications about resolved StackLight alerts.

      Slack alerts configuration for StackLight

      Fill out the following Slack alerts parameters as required:

      • API URL - The Slack webhook URL.

      • Channel - The channel to send notifications to, for example, #channel-for-alerts.

      StackLight optional settings

      Enable Reference Application

      Available since Container Cloud 2.22.0. Enables Reference Application that is a small microservice application that enables workload monitoring on non-MOSK managed clusters.


      For the feature support on MOSK deployments, refer to MOSK documentation: Deploy RefApp using automation tools.

      Disabled by default. You can also enable this option after deployment from the Configure cluster menu.

  8. Click Create.

    To monitor the cluster readiness, hover over the status icon of a specific cluster in the Status column of the Clusters page.

    Once the orange blinking status icon becomes green and Ready, the cluster deployment or update is complete.

    You can monitor live deployment status of the following cluster components:




    For the OpenStack-based management or regional clusters, the Bastion node IP address status that confirms the Bastion node creation


    Installation or upgrade status of all Helm releases


    Readiness of the node in a Kubernetes cluster, as reported by kubelet


    Readiness of all requested Kubernetes objects


    Equality of the requested nodes number in the cluster to the number of nodes having the Ready LCM status


    Readiness of the cluster OIDC configuration


    Health of all StackLight-related objects in a Kubernetes cluster


    Readiness of all nodes in a Docker Swarm cluster


    Readiness of the Kubernetes API load balancer


    Readiness of all machines in the underlying infrastructure (virtual or bare metal, depending on the provider type)

    For the history of a cluster deployment or update, refer to Inspect the history of a cluster and machine deployment or update.

  9. Proceed with Add a machine.