
      Feature Overview

      The OpenShift IPsec implementation will be enhanced for a growing set of enterprise use cases, and for larger scale deployments. 

      Goals

      The OpenShift IPsec implementation was originally built for purpose-driven use cases from telco NEPs, but was also useful for a specific set of other customer use cases outside of that context.  As customer adoption grew and it was adopted by some of the largest (by number of cluster nodes) deployments in the field, it became obvious that some redesign is necessary in order to continue to deliver enterprise-grade IPsec, for both East-West and North-South traffic, and for some of our most demanding customer deployments.

      Key enhancements include observability and blocking traffic across paths where IPsec encryption is not functioning properly.

      Requirements

       

      Requirement | Notes | isMvp?
      CI - MUST be running successfully with test automation | This is a requirement for ALL features. | YES
      Release Technical Enablement | Provide necessary release enablement details and documents. | YES

      Questions to answer…

      •  

      Out of Scope

      • Configuration of external-to-cluster IPsec endpoints for N-S IPsec. 

      Background, and strategic fit

      The OpenShift IPsec feature is fundamental to customer deployments for ensuring that all traffic between cluster nodes (East-West) and between cluster nodes and external-to-the-cluster entities that also are configured for IPsec (North-South) is encrypted by default.  This encryption must scale to the largest of deployments. 

      Assumptions

      •  

      Customer Considerations

      • Customers require the option to use their own certificates or CA for IPsec. 
      • Customers require observability of configuration (e.g., is the IPsec tunnel up and passing traffic).
      • If the IPsec tunnel is not up or otherwise functioning, traffic across the intended-to-be-encrypted network path should be blocked. 

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this product feature? For users/admins? Other functions (security officers, etc.)?
      • Does this feature have doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content Strategy.
      • What concepts do customers need to understand to be successful in [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or Release Note)?

              Unassigned
              mcurry@redhat.com Marc Curry
              Aniket Bhat, Ben Bennett, Tim Rozet
              Weibin Liang
              Ashley Hardin
              Tim Rozet
              Aniket Bhat
              Marc Curry
              Chris Fields