How to make a cluster private and/or create an additional Ingress Router for public applications

Solution Verified

Environment

  • Red Hat OpenShift Service on AWS [ROSA]
    • 4.x
  • Red Hat OpenShift Dedicated [OSD]
    • 4.x

Issue

  • How do I make all applications private?
  • How do I stop exposing applications to the public internet?
  • Can I use additional Ingress Routers in ROSA and OSD?
  • How do I make some applications private or public?
  • Why are my private applications visible / exposed publicly?
  • How should I configure the Ingress Routers in OpenShift Cluster Manager to ensure all applications are private and specific applications can be exposed to the public internet?

Resolution

Important Notes:

  1. For ROSA clusters, this procedure is only available for non-STS clusters.
  2. For ROSA STS, consider using AWS PrivateLink for private clusters.
  3. To be able to access private applications, the cluster needs to have private connections already configured.

Follow one of the next two sections, depending on whether all applications should be private or some should remain reachable from the internet:

Configure a single private router

  • To make all applications in the cluster use a private router and block all access to them from the internet, using OpenShift Cluster Manager, follow these steps:

    1. Search and click into the cluster requiring the change

    2. Click on the Networking tab

    3. Then click on the Edit cluster ingress button

    4. Set the Default application router to "Make router private".

    5. Click on Save

  • The internet-facing load balancer will be replaced by a new internal-only one, and all applications will be private and inaccessible from the internet.

Enable a second public or private Ingress Router

Considerations:

  • Since all applications are exposed on the Default application router, this router should not be configured as public, as that would expose all the applications to the internet.
  • The second, or Additional, application router will only expose applications that match the label. This router should be set to public, so that labels can be used to expose specific applications to the internet.
  • Accidentally setting the routers in reverse, with the Additional application router private and the Default application router public, means only the labelled apps are served privately while every app on the cluster remains public through the Default router. This may not meet the security requirements.

Procedure for ROSA clusters

  • Using the rosa command line, as described in the ROSA documentation, a second router can be added to a cluster. This allows one router to be private and the other public-facing, or other combinations such as public-public or private-private, depending on requirements.

    1. Using the rosa command line, add a new ingress with a route selector label match:

        $ rosa create ingress --cluster=<mycluster> --label-match=route=public

    2. Validate the available Ingresses:

        $ rosa list ingresses --cluster=<mycluster>

    3. Exposing the service with the oc expose command and the matching label ensures the Additional application router exposes the application to the internet:

        $ oc expose service/<myApp> --name <myApp> --labels="route=public"

    4. Run the following command and confirm the application has been exposed on the Default application router (private) as well as on the Additional application router (public); the output lists each router that exposed the route:

        $ oc describe route <myApp>


Procedure for OSD clusters

  • To create an additional Ingress Router in OSD clusters, by using OpenShift Cluster Manager, follow these steps:

    1. Search and click into the cluster requiring the change

    2. Click on the Networking tab

    3. Next, click on the Edit cluster ingress button

    4. Then, on Advanced options, click on Enable additional router to create a new router. You have the option to leave it as public or make it private.

    5. Set the Label match for additional router, for example: "route=public"

    6. Click on Save

    7. Exposing the service with the oc expose command and the matching label ensures the Additional application router exposes the application to the internet:

      $ oc expose service/<myApp> --name <myApp> --labels="route=public"
      
    8. Run the following command and confirm the application has been exposed on the Default application router (private) as well as on the Additional application router (public); the output lists each router that exposed the route:

      $ oc describe route <myApp>
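To verify the outcome of the last step (step 4 for ROSA, step 8 for OSD) across the whole cluster rather than one route at a time, the following script, an added example that is not part of this solution or of the rosa/oc tooling, reads the output of `oc get routes -A -o json` and reports routes whose admitting routers disagree with their route=public label. The router name apps2 and the sample data are assumptions; the fields it reads (metadata.labels, status.ingress[].routerName and the Admitted condition) are the standard Route status.

```python
import json
import sys

PUBLIC_LABEL = ("route", "public")  # label match configured on the additional router
PUBLIC_ROUTER = "apps2"             # assumed name of the additional (public) router

def admitted_routers(route):
    """Names of the routers that admitted this route, read from status.ingress[]."""
    names = set()
    for ing in route.get("status", {}).get("ingress") or []:
        conds = ing.get("conditions") or []
        if any(c.get("type") == "Admitted" and c.get("status") == "True" for c in conds):
            names.add(ing.get("routerName"))
    return names

def audit_routes(route_list):
    """Return (namespace/name, problem) pairs for routes whose exposure disagrees with their label."""
    findings = []
    for route in route_list.get("items", []):
        meta = route["metadata"]
        name = f'{meta["namespace"]}/{meta["name"]}'
        wants_public = (meta.get("labels") or {}).get(PUBLIC_LABEL[0]) == PUBLIC_LABEL[1]
        routers = admitted_routers(route)
        if PUBLIC_ROUTER in routers and not wants_public:
            # Typical symptom of routers set in reverse, or of a wrong label match on the router.
            findings.append((name, "exposed on the public router without the public label"))
        elif wants_public and PUBLIC_ROUTER not in routers:
            findings.append((name, "labelled public but not admitted by the public router"))
    return findings

def _ingress(host, router):
    return {"host": host, "routerName": router,
            "conditions": [{"type": "Admitted", "status": "True"}]}

# Constructed sample of `oc get routes -A -o json`, trimmed to the fields the audit reads.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "labels": {"route": "public"}},
     "status": {"ingress": [_ingress("web-shop.apps.example.com", "default"),
                            _ingress("web-shop.apps2.example.com", "apps2")]}},
    {"metadata": {"namespace": "shop", "name": "admin"},
     "status": {"ingress": [_ingress("admin-shop.apps.example.com", "default"),
                            _ingress("admin-shop.apps2.example.com", "apps2")]}},
    {"metadata": {"namespace": "shop", "name": "api", "labels": {"route": "public"}},
     "status": {"ingress": [_ingress("api-shop.apps.example.com", "default")]}},
]}
if __name__ == "__main__":
    # Live usage: oc get routes -A -o json | python3 audit_routes.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for name, problem in audit_routes(data):
        print(f"{name}: {problem}")
```

Run without piped input it audits the embedded sample, which contains one unlabelled route reachable through the public router and one labelled route that the public router never admitted.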
      

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
