  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1618

Ensure IPSec on Hosted Clusters (HCP) is in Parity with Standalone OCP



      Feature Overview (aka. Goal Summary)

      Ensure that IPsec encryption works with Hosted Clusters. This is to have traffic between nodes encrypted in transit, meeting compliance requirements.

       

      https://docs.openshift.com/container-platform/4.16/networking/network_security/configuring-ipsec-ovn.html

      Goals (aka. expected user outcomes)

      Customers, primarily cluster administrators of OCP hosted clusters, will have the capability to enable IPsec encryption for node traffic. 

      Requirements (aka. Acceptance Criteria)

      IPsec on hosted clusters is in parity with IPsec in standalone mode.

      Deployment Considerations

      • Self-managed, managed, or both: Both
      • Classic (standalone cluster): N/A
      • Hosted control planes: Applicable
      • Multi-node, Compact (three-node), or Single node (SNO), or all: N/A
      • Connected / Restricted Network: Applicable to both connected and restricted network environments
      • Architectures: x86_64, ARM (aarch64)
      • Operator compatibility: Ensure compatibility with existing cluster operators that manage networking and security
      • Backport needed: Evaluate for versions 4.x and above
      • UI need: Configuration option in OpenShift Console and OCM
      • Other: N/A

      Use Cases (Optional)

      A cluster administrator enables IPsec encryption for a hosted cluster, and the cluster is successfully deployed with encrypted node-to-node (east-west) traffic, and also north-south traffic, similar to standalone.

      Customer Considerations

      • Compliance: Customers in regulated industries (e.g., healthcare, finance) will particularly benefit from this feature, as it helps meet stringent data protection requirements.
      • Cost: Customers should be aware of potential increases in resource utilization due to encryption overhead.

      Documentation Considerations

      If all goes well, standalone documentation can be re-used. Otherwise, if a new way to configure IPsec is exposed for hosted clusters, documentation will be needed. 

            ddharwar@redhat.com Deepthi Dharwar
            azaalouk Adel Zaalouk
            Deepthi Dharwar, Marc Curry
            He Liu He Liu
            Laura Hinson Laura Hinson