Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5087

Ingress CLB on AWS with Security Group Ingress Rules Source refer to Cluster CIDR

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • None
    • Network Edge
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request

      Clusters deployed in private subnets have Ingress restricted to cluster CIDRs

      2. What is the nature and description of the request?

      When creating private clusters on AWS, the ELB (Classic) created has internal scheme that makes it accessible only through the Private IPs. This is accessible from the entire VPC and any additional VPCs peered with the cluster's VPC as well as from IPs or environments linked from private data centers.

      Customers need to change the source 0.0.0.0/0 referenced in the CLB's SG Ingress Rules to just the CIDRs of the private subnets where the applications run. This way the private cluster is truly private cluster with network connectivity possible only from applications within the cluster.

      Customers need to create the cluster from get-go with minimal IPs and Ports enabled. Additionally, customers that have existing clusters will need to be able to update this through OpenShift API/Operator so the changes made are carried forward with rest of the cluster operations like cluster updates etc. 

      Customers of Managed OpenShift wants to be able to do this from Cloud Console and clients like ROSA CLI and Terraform.  

      3. Why does the customer need this? (List the business requirements here)

      Network Governance: Customers on cloud need to restrict the network to min IPs and ports in order to mitigate internal threads and have multiple layers of defense.

      Additional customers asking for this are linked in comments for reference. 

      4. List any affected packages or components.

      Ingress Controller

            mcurry@redhat.com Marc Curry
            rh-ee-bchandra Balachandran Chandrasekaran
            Balachandran Chandrasekaran, Deepthi Dharwar
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: