Project: Container / Cluster Management (XCM) Strategy
Issue: XCMSTRAT-354

ROSA Classic: Support allowedSourceRanges for `default` IngressController





      Feature Overview (aka. Goal Summary)

      By default, the load balancer created by the OpenShift Ingress Controller has an AWS Security Group (SG) that allows all traffic from everywhere. Even when the scheme/scope of the load balancer is internal, this can allow traffic from the entire VPC or from peered VPCs. Customers that run multiple tenants/workloads in their VPCs and peered VPCs prefer to restrict the Security Group (SG) inbound rules to the CIDR blocks that really need to make API calls to applications running on the ROSA clusters. As part of this feature, ROSA will make available the OCP feature for setting allowedSourceRanges on the default ingress controller that is managed by OCM.

      Requirements (aka. Acceptance Criteria):

      • Support for ROSA Classic only [OSD on AWS can follow up in another JIRA]
      • Ability for customers to configure allowedSourceRanges on the cluster's default ingress controller when it uses a CLB as the load balancer
      • Support for OCP 4.13 and above (including 4.14, where NLB is the default)
      • When setting allowedSourceRanges, OCM always includes the MachineCIDR of the cluster in addition to the customer-provided CIDR ranges
      • When removing any CIDRs, OCM must set the allowedSourceRanges to (which is the default)
      • Support in the ROSA cluster create and ROSA edit ingress CLI commands
      • Support in the OCM UI
      • Support in Terraform
      • QA completes to ensure cluster operators (COs) are healthy and that a y-stream version update both preserves the change and completes the cluster update
      • The OCM 'Cluster Ingress Updated' event pushed to Segment/Analytics captures a boolean indicating whether or not allowedSourceRanges was updated
      • ROSA documentation published with support for all clients, and an entry created in What's New to highlight the release
      • GTM external blog is published


      • allowedSourceRanges is a new option in OCP (as of 4.13) that enables controlling this from the IngressController, rather than by patching the Service object
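      As an added example (not code from the OCM, ROSA or OpenShift projects), a small Python helper that applies the two OCM rules above: the MachineCIDR is always prepended to the customer CIDRs, and an empty customer list resets the field to its default. It assumes the OCP 4.13+ IngressController field path spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges and a merge-style patch; the catch-all check flags a customer list that would leave the Security Group effectively open.

```python
"""Compute the allowedSourceRanges value OCM would write on the default
IngressController of a ROSA Classic cluster, per this feature's rules."""
import ipaddress
import json

# Assumption: field location in the IngressController CR (OCP 4.13+).
FIELD = "allowedSourceRanges"


def effective_source_ranges(machine_cidr: str, customer_cidrs: list[str]) -> list[str]:
    """Return the list OCM should set.

    Rules from the acceptance criteria:
    - every CIDR is validated (no host bits, no junk); ValueError otherwise
    - MachineCIDR is always included alongside the customer CIDRs
    - an empty customer list means 'remove the restriction': return [] so the
      field is reset to its default (all sources allowed)
    """
    if not customer_cidrs:
        return []
    ranges: list[str] = []
    for cidr in [machine_cidr, *customer_cidrs]:
        net = ipaddress.ip_network(cidr, strict=True)
        if str(net) not in ranges:          # de-duplicate, keep order
            ranges.append(str(net))
    return ranges


def is_open_to_everyone(ranges: list[str]) -> bool:
    """True if a catch-all (0.0.0.0/0 or ::/0) is present: the SG would then
    still admit all traffic even though a 'restriction' was configured."""
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in ranges)


def merge_patch(ranges: list[str]) -> str:
    """JSON merge-patch body for the default IngressController
    (oc patch ingresscontroller/default -n openshift-ingress-operator --type=merge).
    A null value deletes the field, which restores the default."""
    body = {"spec": {"endpointPublishingStrategy": {"loadBalancer": {FIELD: ranges or None}}}}
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample input: MachineCIDR plus one tenant CIDR block.
    ranges = effective_source_ranges("10.0.0.0/16", ["192.168.10.0/24"])
    print(ranges, "open to everyone:", is_open_to_everyone(ranges))
    print(merge_patch(ranges))
```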


      People: Unassigned; Will Gordon (wgordon.openshift); Hunter Kepley; xue li; Balachandran Chandrasekaran