    • OCPSTRAT-1131 MicroShift Enhancements 2024 for Industrial, Retail and Public Sector edge customers
    • 0% To Do, 0% In Progress, 100% Done
    • S
    • 0
    • Program Call
    • Customers need to configure ingress

      Feature Overview (aka. Goal Summary)

      MicroShift Ingress Router is currently always on, running on all IPs on fixed ports. Customers are requesting more flexibility in configuring ingress.

      Goals (aka. expected user outcomes)

      • Expose more router configuration options, such as enabling/disabling it, having it listen on certain IPs only, etc. (see requirements below)

      Requirements (aka. Acceptance Criteria):

      1. Allow disabling of the router. There are use cases in which MicroShift is "egress" only (e.g. Industrial IoT solutions where pods connect only to southbound shopfloor systems and northbound cloud systems, with no inbound services at all). If the router is disabled in the config, no router pods should be started (to save on resources), and all firewall ports for the router (80, 443) must be closed (also in firewalld/iptables) for an improved security posture (minimized attack surface).
      2. Be able to configure which ports the router is listening on.
      3. Be able to configure which IP addresses (and thus NICs) the router is listening on. There are use cases, e.g. in the industrial space, where the router should be reachable only on internal shopfloor networks but not on northbound public networks, or vice versa, or both.
      4. Ports being open/closed should be advertised/documented in the audit log.

      Use Cases (Optional):

      See above requirements section for example use cases.

      Out of Scope

      n/a

       

      Background

      1. https://issues.redhat.com/browse/USHIFT-639
      2. https://issues.redhat.com/browse/USHIFT-1806 
      3. https://docs.google.com/document/d/1sXjyK-DTE6UzTDJ9ldQze8FIU5Q4Alnk3AQaESODsVQ/edit?usp=sharing
      4. https://issues.redhat.com/browse/OCPBUGS-25391 

      Customer Considerations

      Requested by multiple EAP customers

      Documentation Considerations

      • Configuration option needs to be documented in the "configuring" book
      • Maybe we want a "Configure the router" in the "networking" book

      Interoperability Considerations

      None

       

              dfroehli42rh Daniel Fröhlich
              dfroehli42rh Daniel Fröhlich
              Pablo Acevedo Montserrat Pablo Acevedo Montserrat
              Shudi Li Shudi Li
              Matthew Werner Matthew Werner
              Doug Hellmann Doug Hellmann
              Pablo Acevedo Montserrat Pablo Acevedo Montserrat
              Daniel Fröhlich Daniel Fröhlich
              Jon Thomas Jon Thomas