Power Open Source Development


Selecting the Right OpenShift Cluster Type for Power Virtual Server IPI

By Christy Norman posted Mon February 16, 2026 05:00 PM

  

This guide helps you choose the correct deployment model when installing Red Hat OpenShift using Installer-Provisioned Infrastructure (IPI) on IBM Cloud Power Virtual Server.

All clusters:

  • Run on Power Virtual Server
  • Are installed using the OpenShift IPI installer
  • Require DNS configuration before installation

The key difference between cluster types is how users access the cluster and whether it connects to the internet.


Step 1: Choose Your Cluster Type

There are three supported models:

| Cluster Type | Who Can Access It? | Internet Access? | Publish Type | Typical Use |
|---|---|---|---|---|
| Public | Anyone with internet access (controlled by auth) | Yes | External (default) | Public apps, dev/test |
| Private | Only users on your private network or via bastion | Yes (outbound only) | Internal | Enterprise internal workloads |
| Disconnected | Only users on your private network or via bastion | No | Internal | Regulated or high-security environments |

Public Cluster

When to Choose This

Choose a Public cluster if:

  • Applications must be reachable from the internet
  • Administrators need direct external API access
  • You want the simplest setup

How You Access It

  • OpenShift API is reachable from the internet
  • Application URLs are publicly accessible
  • You can run oc from any authorized internet-connected workstation

DNS Requirement

You must use:

→ IBM Cloud Internet Services

Requirements:

  • A pre-configured public DNS domain
  • DNS records:
    • api.<cluster>.<domain>
    • *.apps.<cluster>.<domain>
  • Records resolve to public IP addresses

Important! If you do not have CIS managing your external domain, you cannot deploy a public cluster.


Internet Behavior

  • The cluster connects to the internet
  • Images and updates are pulled automatically
  • No image mirroring is required

Summary

Public clusters are the easiest to deploy and manage, but they expose endpoints to the internet.


Private Cluster

When to Choose This

Choose a Private cluster if:

  • Applications are for internal users only
  • You do not want public access to the API or apps
  • Your organization requires restricted inbound access

How You Access It

The cluster is not reachable from the internet.

Common access methods:

Option 1 (via corporate network):
Workstation → VPN → Bastion → Cluster

Option 2 (via bastion floating IP):
Workstation → Floating IP → Bastion → Cluster

A bastion (jump server) is strongly recommended.


DNS Requirement

You must use:

→ IBM Cloud DNS Services

Requirements:

  • A private DNS zone
  • DNS records:
    • api.<cluster>.<domain>
    • *.apps.<cluster>.<domain>
  • Records resolve to private IP addresses
  • Do not use CIS for private clusters

Internet Behavior

  • The cluster can access the internet for updates
  • No image mirroring required
  • Applications are not publicly accessible

Summary

Private clusters protect inbound access while maintaining normal update behavior.


Disconnected (Air-Gapped) Cluster

When to Choose This

Choose a Disconnected cluster if:

  • Internet access is prohibited
  • You operate in a regulated or secure environment
  • You require strict supply chain control

How You Access It

Access requires controlled entry, typically through a bastion.

Common access patterns:

Option 1 (via private connectivity):
Workstation → VPN → Bastion → Cluster

Option 2 (via bastion floating IP):
Workstation → Floating IP → Bastion → Cluster

There is no public API or application access.


DNS Requirement

You must use:

→ IBM Cloud DNS Services

Requirements:

  • Private DNS zone

  • API and apps resolve to private IP addresses

  • CIS is not used


Internet Behavior

  • No outbound internet connectivity
  • You must mirror:
    • OpenShift release images
    • Operator catalogs
    • Application images
  • Updates are manually staged

Summary

Disconnected clusters provide maximum isolation but require additional operational planning.


Quick Decision Guide

Ask yourself:

1. Must users access applications from the internet?

  • Yes → Public

  • No → Continue

2. Is outbound internet allowed?

  • Yes → Private

  • No → Disconnected


DNS Summary

| Cluster Type | DNS Service Required |
|---|---|
| Public | IBM Cloud Internet Services (CIS) |
| Private | IBM Cloud DNS Services (Private Zone) |
| Disconnected | IBM Cloud DNS Services (Private Zone) |
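
A pre-install check for the DNS requirements above, as an added example that is not part of the original post: it resolves the API record and one name under the *.apps wildcard, then flags any address whose scope does not match the chosen cluster type. The cluster name ocp1, the domain example.com, the dns-probe label and the RFC 1918 definition of "private" are assumptions made for illustration.

```python
import ipaddress
import socket

# Assumption: "private" means RFC 1918 space; extend for other internal ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Expected record scope per cluster type, from the DNS requirements above.
EXPECT_PRIVATE = {"public": False, "private": True, "disconnected": True}

def system_resolver(name):
    """Resolve a name to a set of IP strings with the local resolver."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def check_cluster_dns(cluster, domain, cluster_type, resolver=system_resolver):
    """Return findings; an empty list means the records match the type."""
    want_private = EXPECT_PRIVATE[cluster_type]
    # A wildcard cannot be queried directly, so probe a hypothetical name
    # ("dns-probe") that only the *.apps record can answer.
    names = [f"api.{cluster}.{domain}", f"dns-probe.apps.{cluster}.{domain}"]
    findings = []
    for name in names:
        addrs = resolver(name)
        if not addrs:
            findings.append(f"{name}: no record")
            continue
        for addr in sorted(addrs):
            ip = ipaddress.ip_address(addr)
            is_private = any(ip in net for net in RFC1918)
            if is_private != want_private:
                scope = "private" if is_private else "public"
                findings.append(
                    f"{name}: {addr} is {scope}, unexpected for a "
                    f"{cluster_type} cluster")
    return findings

# Constructed sample data: a private cluster whose wildcard record was
# mistakenly pointed at a public address (documentation range).
SAMPLE_RECORDS = {
    "api.ocp1.example.com": {"10.0.1.5"},
    "dns-probe.apps.ocp1.example.com": {"203.0.113.10"},
}

if __name__ == "__main__":
    for line in check_cluster_dns("ocp1", "example.com", "private",
                                  resolver=lambda n: SAMPLE_RECORDS.get(n, set())):
        print(line)
```

For Private and Disconnected clusters, run the check with the default resolver from a host that can resolve the private zone, such as the bastion.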

Operational Complexity Comparison

| Cluster Type | Complexity | Ongoing Management |
|---|---|---|
| Public | Low | Standard updates |
| Private | Medium | Bastion management |
| Disconnected | High | Image mirroring + manual updates |

Final Recommendation Guidance

  • Choose Public for external-facing applications or simple deployments.
  • Choose Private for most enterprise production workloads.
  • Choose Disconnected only when regulatory or security requirements demand complete isolation.