Uploaded image for project: 'OpenShift Installer'
  1. OpenShift Installer
  2. CORS-1496

Support user-defined network tags on GCP

XMLWordPrintable

    • Support user-defined tags for installer-created cloud infrastructure resources
    • Done

      Goal:

      As an administrator, I would like to deploy OpenShift 4 on GCP using user-defined network tags so installer-created VM resources can be whitelisted in advance due to restrictive firewall rules.

      Problem:

      Many organizations have separate cloud operations teams that only assign limited permissions to users and often have very restrictive policies around what resources can be created and communicate. Custom tagging is often used as a way to whitelist and allow the creation of new resources within the environment.

      We've seen requests come up multiple times on each of the supported cloud providers around adding support for custom tagging on Day 1, because the IPI installation process is blocked from creating new resources that haven't been previously defined (so adding these tags on Day 2 would not work since those restrictive policies would block the creation of the cluster.)

      On GCP, it's common practice to prohibit traffic from VMs that don't have the necessary network tags associated with this. Without support for custom network tags that can be whitelisted, the OpenShift cluster will never be allowed to come up.

      Why is this important:

      • Many corporate security policies that only allow predefined, known resources from being created. Without a way to define the tag for those resources, those policies block connectivity from the VM instances and prevent the cluster from even coming up. This is a blocking issue for many customer slowing adoption of OpenShift in many organizations.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      • Machine API (for assigning network tag to newly created nodes)
      • Control Plane Node recovery process (so new control plane nodes leverage custom network tags)

      Prioritized epics + deliverables (in scope / not in scope):

      • Custom network tags support on GCP to allow users to whitelist VM resources due to restrictive firewall rules preventing connectivity
      • Document how to use custom network tags when deploying OpenShift to GCP
      • Integrate into CI framework for ensuring custom tag get assigned when resources are created.

      Estimate (XS, S, M, L, XL, XXL):

       

      Customers: Several customer requests for this functionality

       

      Open questions:

       

            mstaeble Matthew Staebler (Inactive)
            kdube@redhat.com Katherine Dubé
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: