OpenShift
OpenShift copied to clipboard
Azure
Configurable Egress IP
In a private ARO cluster with UDR, as described at: https://learn.microsoft.com/en-us/azure/openshift/howto-create-private-cluster-4x#create-a-private-cluster-without-a-public-ip-address , provide the ability to configure EgressIP as described at: https://docs.openshift.com/container-platform/4.13/networking/ovn_kubernetes_network_provider/configuring-egress-ips-ovn.html
That would actually be a great improvement, as we're currently making use for a pretty long time (since v3) of NS egressIPs on our IPI onPrem environment. We run special workloads which make connections to private resources outside the cluster protected by additional FWs, ACLs, etc. Those are currently limited in our platform to run only onPrem.
This may be necessary for some use cases that we're evaluating to put into ARO (or ROSA or on-prem). I'm concerned to see that it has been moved from "Coming Soon" back into "Backlog (Committed Items)".
This feature is necessary to ensure a secure cluster. In a standard private cluster you will route egress traffic to a firewall and without unique source IPs for namespaces you have to create firewall openings for the entire worker subnet. This means that if an attacker gets access to the worker node through privilege escalation then they will be able to use those firewall openings for further infiltration.
Would love to see that feature available on ARO in 2024 asap. Unfortunately, I have already had to reject projects from using ARO because this essential feature for us is not yet available.
Could someone please provide an update on when this feature will be introduced in ARO?
