XML

Word

Printable

<--- Cut-n-Paste the entire contents of this description into your new Epic --->

Epic Goal

Expose router-default with a LoadBalancer service.
Investigate all the possible alternatives to keep some form of firewalling capabilities.
- NetworkPolicy
- nftables
- iptables

Why is this important?

In order to expose the router in ports 80 and 443, the pod is using hostPort to bind directly to the host's ports.
To enable other workloads to reach the router, an internal ClusterIP service is created, mapping to the ports described above.
With current configuration the router-default can not scale to allow more instances.
With current configuration no other application in the host (or cluster) can bind to ports 80 or 443.
Swapping the ClusterIP service for a LoadBalancer (and removing the hostPorts from the deployment) invalidates the use of firewalld because of the precedence the iptables rules take. This means firewall rules are ignored even if ports 80 and 443 are blocked explicitly.

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.
...

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

is related to

USHIFT-639 Make IP address on which routes are exposed configurable