Uploaded image for project: 'Container / Cluster Management (XCM) Strategy'
  1. Container / Cluster Management (XCM) Strategy
  2. XCMSTRAT-354

ROSA Classic: Support allowedSourceRanges for `default` IngressController

    XMLWordPrintable

Details

    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • 0
    • 0% 0%
    • 0

    Description

      Feature Overview (aka. Goal Summary)  

      By default, the load balancer created by the Openshift Ingress Controller has an AWS Security Group (SG) that allows all traffic from everywhere. Even when the scheme/scope of the load balancer is internal, this can allow traffic from the entire VPC or the peered VPCs. Customers that have multiple tenants/workloads running in the VPCs and peered-VPCs prefer to restrict the Security Group (SG) inbound rules restricted to CIDR blocks that really need to make API calls to applications running on the ROSA clusters.  As part of this feature, ROSA will make available the OCP feature for setting allowedSourceRanges on the default ingress controller that is managed by OCM.  

      Requirements (aka. Acceptance Criteria):

      • Support for ROSA Classic only [OSD on AWS can follow up in another JIRA]
      • Ability for customers to configure allowedSourceRanges on the cluster's default ingress-controller that have CLB as Load Balancer
      • Support for OCP 4.13 and above (including 4.14 where NLB is default)
      • When setting allowedSourceRanges, OCM to always include MachineCIDR of the cluster in addition to customer provided CIDR ranges
      • When removing any CIDRs, OCM must set the allowedSourceRanges to 0.0.0.0/0 (which is the default)
      • Support on ROSA Cluster Create and ROSA EDIT INGRESS CLI commands 
      • Support for OCM UI 
      • Support for Terraform
      • QA completes to ensure COs are healthy and y version update both preserves the change and completes cluster update
      • OCM 'Cluster Ingress Updated' Event pushed to Segment/Analytics captures a boolean to indicate whether or not allowedSourceRanges is updated
      • ROSA documentation published with support for all clients and an entry is created in what's new to highlight release
      • GTM external blog is published 

      Background

      • allowedSourceRanges is a new option from OCP (as of 4.13) that enabled controlling this from the IngressController, rather than patching the Service object

       

      References :

      Attachments

        Issue Links

          split to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. XCMSTRAT-362 Support tlsSecurityProfile for `default` IngressController

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • New

          Activity

            People

              Unassigned Unassigned
              wgordon.openshift Will Gordon
              Hunter Kepley
              Xue Li Xue Li
              Balachandran Chandrasekaran Balachandran Chandrasekaran
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

                Created:
                Updated: