Cloud Experts Documentation

OSD

Limit Egress with Google Cloud NGFW Standard

In this guide, we will implement egress restrictions for OpenShift Dedicated by using Google’s Cloud Next Generation Firewall (NGFW) Standardexternal link (opens in new tab) . Cloud NGFW is a fully distributed firewall service that allows fully qualified domain name (FQDN) objects in firewall policy rules. This is necessary for many of the external endpoints that OpenShift Dedicated relies on. The ability to restrict egress traffic using a firewall or other network device is only supported with OpenShift Dedicated clusters deployed using Google Private Service Connect (not yet generally available).

Configure Network Policies and Egress Firewalls for a ROSA Cluster

It’s common to want to restrict network access between namespaces, as well as restricting where traffic can go outside of the cluster. OpenShift achieves this with the Network Policy and Egress Firewall resources. It’s common to use these methods to restrict network traffic alongside Egress IP and other OpenShift and OVN-Kubernetes resources. Prerequisites ROSA Cluster 4.14 openshift-cli (oc) rosa-cli (rosa) jq Project Template The first thing to do is create a Project Template that containes Network Policys and Egress Firewalls with default deny rules

Patch token-refresher to use a cluster proxy

Currently, if you deploy a ROSA or OSD cluster with a proxy, the token-refresher pod in the openshift-monitoring namespace will be in crashloopbackoff. There is an RFE open to resolve this, but until then this can affect the ability of the cluster to report telemetry and potentially update. This article provides a workaround on how to patch the token-refresher deployment until that RFE has been fixed using the patch-operator. Prerequisites A logged in user with cluster-admin rights to a ROSA or OSD Cluster deployed using a cluster wide proxy

Assign Consistent Egress IP for External Traffic

It may be desirable to assign a consistent IP address for traffic that leaves the cluster when configuring items such as security groups or other sorts of security controls which require an IP-based configuration. By default, Kubernetes via the OVN-Kubernetes CNI will assign random IP addresses from a pool which will make configuring security lockdowns unpredictable or unnecessarily open. This guide shows you how to configure a set of predictable IP addresses for egress cluster traffic to meet common security standards and guidance and other potential use cases.

Configure Microsoft Entra ID as an OIDC identity provider for ROSA/OSD

This guide demonstrates how to configure Azure AD as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA). This guide will walk through the creation of an Azure Active Directory (Azure AD) application and configure Red Hat OpenShift Service on AWS (ROSA) to authenticate using Azure AD. This guide will walk through the following steps: Register a new application in Azure AD for authentication. Configure the application registration in Azure AD to include optional and group claims in tokens.

OSD on Google Cloud

Filestore Storage for OSD on GCP Creating OSD on GCP w/ Existing VPC

Stop default router from serving custom domain routes

Note: This page is only valid for clusters using the Custom Domain Operator (CDO), which are ROSA clusters prior to version 4.14 OSD and ROSA supports custom domain operator to serve application custom domain, which provisions openshift ingress controller and cloud load balancers. However, when a route with custom domain is created, both default router and custom domain router serve routes. This article describes how to use route labels to stop default router from serving custom domain routes.

Creating a OSD in GCP with Existing VPCs

Tip The official documentation for installing a OSD cluster in GCP can be found here . For deploy an OSD cluster in GCP using existing Virtual Private Cloud (VPC) you need to implement some prerequisites that you must create before starting the OpenShift Dedicated installation though the OCM. Prerequisites gcloud CLIexternal link (opens in new tab) jqexternal link (opens in new tab) NOTE: Also the GCloud Shell can be used, and have the gcloud cli among other tools preinstalled.

Create Filestore Storage for OSD in GCP

By default, within OSD in GCP only the GCE-PD StorageClassexternal link (opens in new tab) is available in the cluster. With this StorageClass, only ReadWriteOnce mode is permitted, and the gcePersistentDisks can only be mounted by a single consumer in read-write modeexternal link (opens in new tab) . Because of that, and for provide Storage with Shared Access (RWX) Access Mode to our OpenShift clusters a GCP Filestoreexternal link (opens in new tab) could be used.

Deploying 3scale API Management to ROSA and OSD

This document will take you through deploying 3scale in any OSD or ROSA cluster. Review the official documentation here for more information or how to further customize or use 3scale. Prerequisites An existing ROSA or OSD cluster Access to an AWS account with permissions to create S3 buckets, IAM users, and IAM policies A subscription for 3scale API Management A wildcard domain configured with a CNAME to your cluster’s ingress controller Prepare AWS Account Set environment variables (ensuring you update the variables appropriately!

Configuring IDP for ROSA, OSD and ARO

Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) provide a simple way for the cluster administrator to configure one or more identity providers for their cluster[s] via the OpenShift Cluster Manager (OCM) , while Azure Red Hat OpenShift relies on the internal cluster authentication operatorexternal link (opens in new tab) . The identity providers available for use are: GitHub GitLab Google LDAP OpenID HTPasswd Configuring Specific Identity Providers ARO GitLab Azure AD Azure AD with Group Claims Azure AD via CLI Azure AD with Red Hat SSO ROSA/OSD GitLab Azure AD Azure AD with Group Claims (ROSA Only) Configuring Group Synchronization Using Group Sync Operator with Azure Active Directory and ROSA/OSD Using Group Sync Operator with Okta and ROSA/OSD

Installing the HashiCorp Vault Secret CSI Driver

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes. Prerequisites An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work) oc helm v3 Installing the Kubernetes Secret Store CSI Create an OpenShift Project to deploy the CSI into oc new-project k8s-secrets-store-csi Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

Installing the Kubernetes Secret Store CSI on OpenShift

The Kubernetes Secret Store CSI is a storage driver that allows you to mount secrets from external secret management systems like HashiCorp Vault and AWS Secrets. It comes in two parts, the Secret Store CSI, and a Secret provider driver. This document covers just the CSI itself. Prerequisites An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work) kubectl helm v3 Installing the Kubernetes Secret Store CSI Create an OpenShift Project to deploy the CSI into

AWS ALB

Note: It is recommended that you use the Cloud Front based guide unless you absolutely must use an ALB based solution. Hereexternal link (opens in new tab) ’s a good overview of AWS LB types and what they support Problem Statement Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA) Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF

Examples of using a WAF in front of ROSA / OSD on AWS / OCP on AWS

Problem Statement Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA) Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF Quick Introduction by Paul Czarkowskiexternal link (opens in new tab) & Ryan Niksch on YouTubeexternal link (opens in new tab) Solutions Cloud Front -> WAF -> CustomDomain -> $APP This is the preferred method and can also work with most third party WAF systems that act as a reverse proxy

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.