Feature Request
Resolution: Done
Blocker
Product / Portfolio Work
1. Proposed title of this feature request
Secured egress traffic
2. What is the nature and description of the request?
Note: This RFE is for OVN
Traffic originating from Pods to an external destination is SNATed to the Node IP. In deployments where the cluster resides in an untrusted network (e.g. Enterprise MEC, Private 5G), customers/partners want the option to encrypt any outbound traffic generated within the node (either from the platform or from Pods on the node), so that it crosses the untrusted network encrypted and terminates at a remote trusted gateway, from which it reaches the trusted network.
3. Why does the customer need this? (List the business requirements here)
A customer/partner provides services from a cluster on an untrusted public or third-party network. Today they have ways to control and secure ingress traffic with custom ingress controllers or services exposed on NodePorts or ExternalIPs, but there are limited or no options to secure/encrypt the egress traffic initiated from the Node or from a Pod on the node.
The logical communication is as follows:
[compact cluster] ---> (encrypted egress traffic from nodes & Pods) ---> [trusted remote gw] --> (trusted network)
4. List any affected packages or components.
OVN and OCP node traffic
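The description above fixes the invariant a deployment like this has to hold: on the node's uplink into the untrusted network, the only packets allowed to leave in the clear are the IPsec control and data plane addressed to the trusted gateway (IKE on UDP 500, NAT-T on UDP 4500, ESP), and nothing should ever leave with a Pod address as source, since that would mean the traffic bypassed both SNAT and the tunnel. The audit below is an added example, not code from the RFE or from OVN/OCP; the node address, gateway address, Pod CIDR and the `src=… dst=… proto=… dport=…` record format are assumptions chosen for the example, and the sample records are constructed rather than captured from a real node.

```python
"""Audit flow records seen on a node's uplink into an untrusted network.

Policy (from the RFE's logical diagram): every flow leaving the node must be
IPsec toward the trusted remote gateway; anything else is cleartext egress.
All addresses, CIDRs and the record format are assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass

NODE_IP = ipaddress.ip_address("192.0.2.10")        # assumed node (SNAT) address
TRUSTED_GW = ipaddress.ip_address("198.51.100.1")   # assumed remote trusted gateway
POD_CIDRS = (ipaddress.ip_network("10.128.0.0/14"),) # assumed OVN pod network
PROTO_ESP, PROTO_UDP = 50, 17
IKE_PORTS = {500, 4500}                              # IKE and NAT-T (ESP-in-UDP)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int   # IP protocol number
    dport: int   # 0 when the protocol has no ports (e.g. ESP)


def parse_flow(line: str) -> Flow:
    """Parse one 'src=.. dst=.. proto=.. [dport=..]' record (constructed format)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(
        ipaddress.ip_address(kv["src"]),
        ipaddress.ip_address(kv["dst"]),
        int(kv["proto"]),
        int(kv.get("dport", 0)),
    )


def is_tunnel_to_gateway(f: Flow) -> bool:
    """True only for IPsec (ESP, or IKE/NAT-T over UDP) addressed to the gateway."""
    if f.dst != TRUSTED_GW:
        return False
    return f.proto == PROTO_ESP or (f.proto == PROTO_UDP and f.dport in IKE_PORTS)


def audit(lines):
    """Return [(flow, finding)] for every record that violates the egress policy."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if is_tunnel_to_gateway(f):
            continue                      # encrypted egress: the only allowed path
        if any(f.src in net for net in POD_CIDRS):
            findings.append((f, "pod address on the wire: neither SNATed nor tunneled"))
        else:
            findings.append((f, "cleartext egress outside the gateway tunnel"))
    return findings


# Constructed sample: three tunnel records, then three violations.
SAMPLE_RECORDS = """\
src=192.0.2.10 dst=198.51.100.1 proto=17 dport=500
src=192.0.2.10 dst=198.51.100.1 proto=17 dport=4500
src=192.0.2.10 dst=198.51.100.1 proto=50 dport=0
src=192.0.2.10 dst=203.0.113.50 proto=6 dport=443
src=192.0.2.10 dst=198.51.100.1 proto=6 dport=22
src=10.128.2.15 dst=203.0.113.50 proto=6 dport=443
""".splitlines()


if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_RECORDS):
        print(f"{flow.src} -> {flow.dst} proto={flow.proto} dport={flow.dport}: {finding}")
```

Note that the fifth record is flagged even though its destination is the trusted gateway: plain TCP to the gateway is still unencrypted on the untrusted segment, so only the IPsec protocols themselves are exempt. Feed the function records from whatever flow source the node exposes (conntrack, a packet capture summarised to 5-tuples, or OVN flow samples) after mapping them to the `src=… dst=… proto=… dport=…` form.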