  1. OpenShift Request For Enhancement
  2. RFE-7869

Application Load Balancers for OCP/OSD on GCP

      1. Proposed title of this feature request:
      Application Load Balancers for OCP and OSD on GCP

      2. What is the nature and description of the request?

      Our current architecture for OpenShift clusters utilizes Network Load Balancers (Layer 4) as the primary ingress point in front of our internal ingress controllers (HAProxy/Layer 7 LBs). While functional and ideal for both private and disconnected clusters, this Layer 4 LB introduces significant security limitations when the cluster is exposed publicly. Key challenges include the inability to integrate modern application-layer security tools like Web Application Firewalls (WAFs).

      3. Why does the customer need this? (List the business requirements here)

      The adoption of ALBs will offer customers with internet-facing OpenShift clusters an enhanced security posture: ALBs enable native integration with Web Application Firewalls (Cloud Armor on GCP), providing a critical layer of defense against common web exploits (e.g., SQL injection, cross-site scripting) before malicious traffic reaches the ingress controllers inside the OpenShift cluster and thus internal applications. This fundamentally strengthens our security posture and reduces business risk.

      We would like to have something similar to what we offer on AWS: a Load Balancer Operator to orchestrate the deployment and configuration of an AWS application/Layer 7 load balancer with additional security features (AWS WAF), so that customers can deploy the operator and provision ALBs when they deploy internet-facing OpenShift clusters.

      https://docs.redhat.com/en/documentation/red_hat_openshift_service_on_aws/4/html/tutorials/cloud-experts-using-alb-and-waf#deploy-aws-load-balancer-operator_cloud-experts-using-alb-and-waf

      https://github.com/openshift/enhancements/blob/master/enhancements/ingress/aws-load-balancer-operator.md

      The OSD documentation mentions the use of application LBs for ingress traffic and Cloud Armor for DDoS attack protection:
      https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#load-balancers_osd-service-definition

      https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/introduction_to_openshift_dedicated/policies-and-service-definition#network-security_osd-service-definition

      But when deploying an OSD cluster, the LBs used are network/Layer 4 load balancers, as shown in the attached screenshot (osd-lbs).

      4. List any affected packages or components.
      OpenShift Dedicated on GCP

              rh-ee-smulkutk Shreyans Mulkutkar
              rhn-support-mtleilia Mohamed Tleilia