Details
-
Feature
-
Resolution: Done
-
Major
-
None
-
None
-
False
-
-
False
-
Green
-
100
-
100%
-
-
0
Description
Feature Overview (aka. Goal Summary)
This feature strengthens both security and AWS integration themes of ROSA service. Developers deploying workloads in ROSA service often need to connect their workloads running inside OCP to other AWS Services or applications running in other VPCs. This feature will allow cluster administrators to assign optional additional Security Groups to control plane nodes, infra nodes, and all the worker nodes of machine pools (at machine pool granularity). Following will be parts of this feature that will be delivered separately (not necessarily in the phased/ordered way)
XCMSTRAT-41(This): Support for creating additional Security Group IDs on day-two machine pools after ROSA Classic/OSD cluster creationXCMSTRAT-46: Support for creating additional Security Group IDs on day-one machine pool + Control Plane nodes + Infra nodes during ROSA Classic /OSD cluster creation (Note:XCMSTRAT-374is split fromXCMSTRAT-46to cover control Plane and Infra nodes)- XCMSTRAT-319: Support for changing machine pools to add/remove additional Security Group IDs on ROSA Classic/OSD cluster creation
XCMSTRAT-320: Support for Additional Security Group IDs on ROSA HCP clusters
Goals (aka. expected user outcomes)
- Improve ROSA retention by providing an ability to add additional machine pools with additional Security Group IDs to existing clusters
- Support for ROSA Classic and OSD on AWS using OCP 4.11 and above.
Requirements (aka. Acceptance Criteria):
- Ability to create machine pool in an existing cluster with additional Security Groups.
- Ability to apply up to 15 Security Group IDs.
- Ability to define additional Security Group IDs at the machine pool level and have all the worker nodes of the machine pool consistently use the SG-IDs.
- Support for clusters created with BYO-VPC.
- Support for ROSA and OSD CCS on AWS Clusters (Support for HCP is covered part of XCMSTRAT-319)
- Support for OCP 4.11 and above.
- OCM CREATE MACHINE Pool API for CS (api.openshift.com) to support additional SG-IDs.
- During pre-flight, provided SG is validated for existence and AWS Quota.
- During pre-flight, number of total SG rules as per AWS quota is validated on top of total number of SGs attached.
- During pre-flight, the SG-ID tags are validated to ensure OpenShift and ROSA specific tags can be added.
- When the cluster is upgraded, all the nodes part of machine pool to retain the additional SG-IDs added.
- When the cluster is deleted, the SG-ID is unaltered/retained.
- Consistent UX Support for clients - ROSA CLI, OCM UI and Terraform.
- OCM API for CS to support displaying/describing cluster with additional SG-IDs. Clusters that don't have additional SG-IDs to list 'None'.
- ROSA CLI Describe command list additional security groups on control plane nodes, and infra nodes
- ROSA CLI for machine pool to display additional SG-IDs assigned .
- Documentation to support the field in the Cluster Creation page, ROSA CLI reference and Defaults for ROSA Cluster creation pages.
- Release: CLI, OCM UI and OSDOCS to release/publish on the same day. Terraform release can follow on another day.
Use Cases (Optional):
Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
Background
Provide any additional context is needed to frame the feature. Initial completion during Refinement status.
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. Initial completion during Refinement status.
Interoperability Considerations
Which other projects and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
References:
__ [1] Scenarios for connecting to RDS Database - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html#CHAP_CommonTasks.Connect.ScenariosForAccess
[2]Controlling access to RDS instance using Security Groups - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html
Attachments
Issue Links
- is blocked by
-
HIVE-2306 Add Support for configuring day 2 security group
- Closed
- is related to
-
XCMSTRAT-46 ROSA: Additional Security Group(s) during Cluster Creation (Day-1)
- Closed
- relates to
-
XCMSTRAT-319 ROSA: Remove or Add Additional Security Group(s) on Existing Machine Pools (Day-2)
- New
-
XCMSTRAT-667 ROSA HCP: UI for Additional Security Groups on CREATE MACHINEPOOL
- Backlog
-
XCMSTRAT-320 ROSA HCP: Additional Security Group(s) on Machine Pools
- Closed
- links to