OpenShift Request For Enhancement / RFE-4222

Ingress Node Firewall for edge


    • Feature Request
    • Resolution: Unresolved
    • Major
    • SDN

      1. Proposed title of this feature request
      Ingress Node Firewall for edge

      2. What is the nature and description of the request?

      Currently, Ingress Node Firewall can apply rules as soon as the OCP control plane is up. However, this is not sufficient for edge use cases. In edge use cases a cluster is often deployed in an untrusted location, and in order to manage such a cluster remotely, a tunnel to the cluster needs to be established at boot time.

      With Ingress Node Firewall, the firewall rules are applied only once the OCP control plane and INF are up and running. This requirement makes the feature insufficient for this use case. Currently, the only solution available for this use case is nftables, which is not performance efficient.

      3. Why does the customer need this? (List the business requirements here)

      OpenShift deployments in edge use cases are often in untrusted locations. Users manage these clusters via a VPN, for instance an IPsec tunnel.

      This feature is expected to be used to ensure secure access to and from the OpenShift cluster.

      4. List any affected packages or components.
      This affects the current functionality of the Ingress Node Firewall operator.

            mcurry@redhat.com Marc Curry
            dchavero Daniel Chavero Gaspar