Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1069

Make MicroShift Ingress configurable

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-1131MicroShift Enhancements 2024 for Industrial, Retail and Public Sector edge customers
    • 77
    • 77% 77%
    • S
    • 0
    • 0

    Description

      Feature Overview (aka. Goal Summary)

      MicroShift Ingress Router is currently always on, running on all IPs on fixed ports. Customers are requesting more flexibility in configuring ingress.

      Goals (aka. expected user outcomes)

      • Expose configuration options for more router configruation options like enable/disabling it, having it listen on certain IPs only etc (see requirements below)

      Requirements (aka. Acceptance Criteria):

      1. Allow disabling of router. There are use cases in which MicroShift is "egress" only (e.g. Industrial IoT solutions where pods connect only to southbound shopfloor systems and northbound cloud systems, no inbound services at all). In case the router is disabled in the config, no pods should be started (to save on resources), and all firewall ports for the router (80, 443) must be closed (also in firewalld/iptables) for improved security posture (minimize attack surface)
      2. being able to configure which ports the router is listening on
      3. being able to configure which IP/Adresses (and thus: nics) the router is listening on. There are use cases e.g. in the industrial space where the router should be reachable only on internal shopfloor networks, but not on northbound public networks. Or Vice Versa. Or Both.
      4. Ports being open/closed should be advertised/document in the audit log.

      Use Cases (Optional):

      See above requirements section for example use cases.

      Out of Scope

      n/a

       

      Background

      1. https://issues.redhat.com/browse/USHIFT-639
      2. https://issues.redhat.com/browse/USHIFT-1806 
      3. https://docs.google.com/document/d/1sXjyK-DTE6UzTDJ9ldQze8FIU5Q4Alnk3AQaESODsVQ/edit?usp=sharing
      4. https://issues.redhat.com/browse/OCPBUGS-25391 

      Customer Considerations

      Requested by multiple EAP customers

      Documentation Considerations

      • Configuration option needs to be documented in the "configuring" book
      • Maybe we want a "Configure the router" in the "networking" book

      Interoperability Considerations

      None

       

      Attachments

        Issue Links

          clones

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1067 make router namespace ownership check configurable with MicroShift

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Release Pending
          links to

          Web Link design doc

          Activity

            People

              dfroehli42rh Daniel Fröhlich
              dfroehli42rh Daniel Fröhlich
              Melvin Joseph Melvin Joseph
              Matthew Werner Matthew Werner
              Doug Hellmann Doug Hellmann
              Pablo Acevedo Montserrat Pablo Acevedo Montserrat
              Daniel Fröhlich Daniel Fröhlich
              Jon Thomas Jon Thomas
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: