  1. OpenShift Specialist Platform Team
  2. SPLAT-2437

Validate feature for TP: NLB Security Groups for self-managed OCP clusters (enforced CCCMO)

    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • Product / Portfolio Work
    • 8

      User Story

      As a Platform Administrator deploying self-managed OCP on AWS, I want the option to enable Security Groups on the default ingress NLB so that I can restrict network access and improve the security posture of my cluster.

      Description

      Implement opt-in support for enabling Security Groups on NLB for default ingress in self-managed OCP clusters, building on the foundation work from SPLAT-2137.

      Acceptance Criteria

      Installer Integration

      • [ ] Add install-config.yaml option to enable NLB Security Groups for default ingress
      • [ ] Installer validates Security Group configuration during pre-flight checks
      • [ ] Installation process provisions NLB with Security Groups when option is enabled
      • [ ] Installer creates appropriate Security Group rules for worker node subnet CIDRs
      • [ ] Installation fails gracefully with clear error if Security Groups cannot be applied

      Cluster Ingress Operator Integration

      • [ ] CIO recognizes and applies NLB Security Group configuration
      • [ ] Default router service created with Security Group when enabled
      • [ ] CIO handles Security Group lifecycle management appropriately
      • [ ] Integration with existing ingress controller configuration maintained
      • [ ] Proper error handling and status reporting for Security Group issues

      Configuration Management

      • [ ] Configuration changes properly validated and applied
      • [ ] Security Group settings persist through cluster operations
      • [ ] Integration with existing AWS authentication and authorization
      • [ ] Proper handling of AWS permissions for Security Group operations
      • [ ] Configuration documented in cluster configuration references

      Testing and Validation

      • [ ] Installation with NLB Security Groups succeeds in test environments
      • [ ] Network connectivity validated with Security Groups applied
      • [ ] Ingress functionality confirmed with Security Group restrictions
      • [ ] Multiple cluster configurations tested successfully
      • [ ] Upgrade scenarios validated with Security Group settings

      Definition of Done

      • Self-managed OCP clusters can opt in to NLB Security Groups for default ingress
      • Configuration is properly documented and tested
      • Feature works reliably across supported AWS regions and configurations
      • Integration with existing OCP networking components is seamless

              Assignee: Unassigned
              Reporter: Richard Vanderpool (rhn-support-rvanderp)