Task
Resolution: Unresolved
Normal
BU Product Work

Cloud Service Providers deploying Hosted Control Planes (HyperShift) on OpenStack require strict network isolation between customer environments. The default approach exposes the kube-apiserver endpoint via a Floating IP attached to an Octavia Load Balancer, which may not meet security and isolation requirements.
This EPIC aims to enable customers to specify their own OpenStack networks for their HostedClusters, ensuring that:
- Customers cannot access another customer's HostedCluster API endpoints.
- HostedClusters can be deployed into pre-existing OpenStack networks (BYON).
- The kube-apiserver endpoint can be placed on a user-specified network instead of a shared external network.
- Routing between the management cluster and the HostedCluster's network is well-defined.
High level plan
Better document and test BYON support in HyperShift on OpenStack.
- For now, customers would have to render a HostedCluster spec and add the BYON bits by hand. We need to document that process.
- We don't test that scenario; we need to write new e2e tests for it in HyperShift.
Enable kube-apiserver exposure through a user-specified network.
- Allow customers to specify which network should host the kube-apiserver Load Balancer.
- Expose a mechanism (e.g., Service Annotations) to configure Octavia Load Balancer behavior.
- Determine if the exposed network must be external or if alternative internal routing mechanisms are viable.
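To make the "default approach" and the isolated alternative concrete, here is an added example (not taken from the epic or from the HyperShift project) showing the two shapes the kube-apiserver's LoadBalancer Service could take on OpenStack. The annotation names are the ones documented by cloud-provider-openstack's Octavia integration; whether HyperShift wires them through to the kube-apiserver Service is precisely the open item above, so treat that plumbing as an assumption. The namespace, selector and all OpenStack IDs are constructed placeholders.

```yaml
# Added example, not HyperShift's own manifests. Annotation names are those of
# cloud-provider-openstack; the namespace, selector and IDs are placeholders.
#
# 1) Default exposure: Octavia LB on the shared external network plus a
#    Floating IP. Any tenant with reachability to that external network can
#    reach the VIP, so tenant isolation rests entirely on the API server's
#    own authentication and authorization.
apiVersion: v1
kind: Service
metadata:
  name: kube-apiserver
  namespace: clusters-customer-a          # hypothetical HostedControlPlane namespace
  annotations:
    loadbalancer.openstack.org/floating-network-id: "<external-network-id>"  # placeholder
spec:
  type: LoadBalancer
  selector:
    app: kube-apiserver
  ports:
    - name: client
      port: 6443
      targetPort: 6443
---
# 2) Isolated exposure: VIP allocated from the customer's own (BYON) network
#    and subnet, and no Floating IP is attached. Only endpoints with a route
#    into that network (the customer's NodePool VMs, and the management cluster
#    via whatever routing the epic defines) can reach the API endpoint.
apiVersion: v1
kind: Service
metadata:
  name: kube-apiserver
  namespace: clusters-customer-a
  annotations:
    service.beta.kubernetes.io/openstack-internal-load-balancer: "true"
    loadbalancer.openstack.org/network-id: "<customer-network-id>"   # placeholder
    loadbalancer.openstack.org/subnet-id: "<customer-subnet-id>"     # placeholder
spec:
  type: LoadBalancer
  selector:
    app: kube-apiserver
  ports:
    - name: client
      port: 6443
      targetPort: 6443
```

The check that matters after applying the second form: `status.loadBalancer.ingress` on the Service should carry an address inside the customer subnet rather than a Floating IP, and the Octavia load balancer's VIP network should be the customer network. If a Floating IP still appears, the annotations were not honoured by the cloud provider in use, and the endpoint is back on the shared external network.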
Define network connectivity between the Management Cluster and HostedCluster.
- Investigate and validate how routing should work between:
  - The Management Cluster (where kube-apiserver runs)
  - The customer-specified OpenStack network
- Ensure API traffic can flow securely and predictably.
This task might be too big and should maybe be its own EPIC.