Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2069

Network Policies for OpenShift Autoscaling Components

XMLWordPrintable

    • Product / Portfolio Work
    • None
    • 0% To Do, 100% In Progress, 0% Done
    • False
    • Hide

      None

      Show
      None
    • False
    • M
    • None
    • None
    • None
    • None
    • None
    • None

      Feature Overview (aka. Goal Summary)  

      An elevator pitch (value statement) that describes the Feature in a clear, concise way.  Complete during New status.

      Implement Network Policies specific to OpenShift components the Autoscaling team is responsible for, to restrict traffic to only that which is explicitly allowed or required.

      Goals (aka. expected user outcomes)

      The observable functionality that the user now has as a result of receiving this feature. Include the anticipated primary user type/persona and which existing features, if any, will be expanded. Complete during New status.

      This is one team's part in a larger cross-product effort to improve security.

      Purview: The Autoscaling team is primarily responsible for Cluster Autoscaler, Karpenter, and Pod Autoscalers (e.g. Custom Metrics Autoscaler, Horizontal Pod Autoscaler, Vertical Pod Autoscaler).

      1. Identify affected components within this team's purview
      2. Characterize the allowed and required traffic to those components
      3. Specify Network Policy to limit traffic to those components
      4. Implement the Network Policy in the targeted OpenShift release

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      Implementing network policies in Openshift components restricting ingress as well as egress communications

      Note: AdminNetworkingPolicy should be considered, but is not required, to set the traffic policy.

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both  
      Classic (standalone cluster)  
      Hosted control planes  
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)  
      UI need (e.g. OpenShift Console, dynamic plugin, OCM)  
      Other (please specify)  

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios.  Initial completion during Refinement status.

      <your text here>

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin.  Initial completion during Refinement status.

      • How might Admin Network Policy be an advantage over "normal" Kubernetes Network Policy, when it is available?
      • Does the control plane threat assessment document capture the components of this team's purview accurately, or does it need to be updated?

      Out of Scope

      High-level list of items that are out of scope.  Initial completion during Refinement status.

      • Components not specifically identified within the threat assessment document, or outside of this team's purview.

      Background

      Provide any additional context is needed to frame the feature.  Initial completion during Refinement status.

      Without network policies, any pod within the Openshift cluster can communicate freely with other pods, regardless of their intended level of access. Attackers or compromised pods can exploit this lack of restriction to move laterally within the cluster and potentially compromise critical components. In the absence of network policies, pods may have unrestricted communication with external networks, this can result in unintended data leakage, where sensitive information is transmitted to unauthorized destinations.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature.  Initial completion during Refinement status.

      <your text here>

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs.  If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      <your text here>

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact?  What interoperability test scenarios should be factored by the layered products?  Initial completion during Refinement status.

      <your text here>

              rh-ee-smodeel Subin M
              julim Ju Lim
              None
              Joel Smith, John Kyros, Ju Lim, Max Cao, Michael McCune, Neelesh Agrawal, Russell Teague
              Michael McCune Michael McCune
              Russell Teague Russell Teague
              Matthew Werner Matthew Werner
              Eric Rich Eric Rich
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: