Feature Request
Resolution: Unresolved
Major
Product / Portfolio Work
1. Proposed title of this feature request
Support Egress IP for Windows Workload
2. What is the nature and description of the request?
Customers use Egress IPs to communicate with external services hosted outside of the cluster. To get more security between OpenShift workloads and external services outside of OpenShift, customers use Egress IPs for Linux workloads.
This feature would be helpful and is needed especially by customers who have a mix of Linux nodes and Windows workloads in their infrastructure. Since they also have a lot of workloads deployed on Windows hosts, customers need EgressIP support for Windows as well.
3. Why does the customer need this? (List the business requirements here)
At the moment, the only option is to allow the complete OpenShift worker node network (for Linux and Windows) in the firewall to access services outside of the cluster. But allowing all of that traffic at the firewall leads to security issues. The security team wanted to allow access for a limited set of IPs (Egress IPs) in the firewall to facilitate communication between the application and external services. For example:
Namespace A with Application A needs access to Postgres A outside the cluster.
In the FW we will define the following:
SRC: Egress IP of Application A
DST: Postgres A
PORT: TCP / Postgres Port
Namespace B with Application B needs access to MySQL B outside the cluster.
In the FW we will define the following:
SRC: Egress IP of Application B
DST: MySQL B
PORT: TCP / MySQL Port
4. List any affected packages or components.
WMCO Operator, Windows Nodes, Windows Workloads
5. What is the business impact that you are facing? How many customers are affected by this?
It has a big security impact because, at the moment, the only option for Windows workloads is to allow the complete OpenShift worker node network in the firewall.