Modifying Default IngressController allowedSourceRanges in ROSA/OSD

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4

Issue

  • Ingress Cluster Operator has the following message:
ingresscontroller "default" is progressing: IngressControllerProgressing: One or more status conditions indicate progressing: LoadBalancerProgressing=True (OperandsProgressing: One or more managed resources are progressing: You have manually edited an operator-managed object. You must revert your modifications by removing the service.beta.kubernetes.io/load-balancer-source-ranges annotation on service "router-default". You can use the new AllowedSourceRanges API field on the ingresscontroller object to configure this setting instead.).
  • Is it supported to modify the following settings of the default IngressController?
  endpointPublishingStrategy:
    loadBalancer:
      allowedSourceRanges:

Resolution

Currently, making changes to the default and apps2 ingresscontrollers, including to allowedSourceRanges, is not supported.

  1. Reversion by Hive: In managed ROSA/OSD clusters, changes made to the default ingresscontroller are likely to be reverted by Hive. This reversion means that any modifications to the default ingresscontroller may not persist.

  2. Use of Secondary Ingress Controller: Customers requiring modifications to allowedSourceRanges for security purposes should consider implementing a second ingress controller. This approach allows for customization without affecting the default ingress controller. For details, check KCS: Creating fully customizable non-default IngressController for ROSA and OSD

  3. Security Concerns and SRE Alerts: Modifying allowedSourceRanges incorrectly can lead to security alerts. Specifically, Red Hat required IPs might be blocked from ingress into the cluster, triggering alerts to Site Reliability Engineering (SRE) teams.

  4. Request For Enhancement (RFE): An RFE has been suggested and created to explore adding allowedSourceRanges as an option in the rosa edit ingress command. The RFE can be tracked at XCMSTRAT-354.

Diagnostic Steps

$ oc get co ingress
NAME      VERSION   AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
ingress   4.14.7    True        True          False      25d     ingresscontroller "default" is progressing: IngressControllerProgressing: One or more status conditions indicate progressing: LoadBalancerProgressing=True (OperandsProgressing: One or more managed resources are progressing: You have manually edited an operator-managed object. You must revert your modifications by removing the service.beta.kubernetes.io/load-balancer-source-ranges annotation on service "router-default". You can use the new AllowedSourceRanges API field on the ingresscontroller object to configure this setting instead.).
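
The check behind the diagnostic above, as an added example (not part of the original solution or any Red Hat tooling): it reads the JSON of the router-default service and the default ingresscontroller, flags the manual annotation named in the operator message, and lists which required source addresses each range list would block. The sample objects, the function names and the required addresses (documentation ranges, not Red Hat's real IPs) are constructed assumptions.

```python
import ipaddress
import json

ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"

# Constructed sample, trimmed from the shape of:
#   oc get service router-default -n openshift-ingress -o json
SERVICE_JSON = """{"metadata": {"name": "router-default", "annotations": {
  "service.beta.kubernetes.io/load-balancer-source-ranges": "198.51.100.0/24, 203.0.113.7/32"}}}"""

# Constructed sample, trimmed from the shape of:
#   oc get ingresscontroller default -n openshift-ingress-operator -o json
INGRESSCONTROLLER_JSON = """{"metadata": {"name": "default"}, "spec": {
  "endpointPublishingStrategy": {"type": "LoadBalancerService", "loadBalancer": {"scope": "External"}}}}"""

# Placeholder addresses (documentation ranges), NOT Red Hat's real required IPs.
REQUIRED_SOURCES = ["198.51.100.25", "192.0.2.10"]

def annotation_ranges(service):
    """CIDRs from the manually added annotation, or [] when it is absent."""
    annotations = service.get("metadata", {}).get("annotations") or {}
    return [c.strip() for c in annotations.get(ANNOTATION, "").split(",") if c.strip()]

def api_ranges(ingresscontroller):
    """CIDRs from spec.endpointPublishingStrategy.loadBalancer.allowedSourceRanges."""
    strategy = ingresscontroller.get("spec", {}).get("endpointPublishingStrategy") or {}
    return list((strategy.get("loadBalancer") or {}).get("allowedSourceRanges") or [])

def blocked_sources(cidrs, required):
    """Required addresses that no CIDR covers; an empty CIDR list restricts nothing."""
    if not cidrs:
        return []
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [ip for ip in required if not any(ipaddress.ip_address(ip) in n for n in nets)]

def audit(service_json, ingresscontroller_json, required):
    """Report the manual annotation and what each range list would block."""
    manual = annotation_ranges(json.loads(service_json))
    declared = api_ranges(json.loads(ingresscontroller_json))
    return {
        "manual_annotation_present": bool(manual),
        "annotation_ranges": manual,
        "api_ranges": declared,
        "blocked_by_annotation": blocked_sources(manual, required),
        "blocked_by_api_field": blocked_sources(declared, required),
    }

print(json.dumps(audit(SERVICE_JSON, INGRESSCONTROLLER_JSON, REQUIRED_SOURCES), indent=2))
```

A non-empty `blocked_by_annotation` or `blocked_by_api_field` list corresponds to the situation in point 3 of the Resolution, where required addresses are cut off from ingress.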

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
