IBM TechXchange Cloud User Group

IBM Cloud Kubernetes Service - Secure By Default Cluster VPC Networking

By CALE RATH posted Thu March 07, 2024 03:19 PM

With ever-increasing cyber security threats across the Internet, IBM Cloud strives to keep our customers' workloads safe. As part of this continued work, upcoming versions of Red Hat OpenShift on IBM Cloud and IBM Cloud Kubernetes Service clusters in IBM Cloud VPC will be created with an important new feature called Secure By Default Cluster VPC Networking. The objective of this feature is to provision new clusters with networking restricted to only the connectivity the cluster needs to operate, and in an initial state that prevents access to the public Internet.

What will you need to do in order to use this feature? For new clusters, nothing! Beginning with Red Hat OpenShift on IBM Cloud version 4.15 and IBM Cloud Kubernetes Service version 1.30, new clusters in IBM Cloud VPC will be created with Secure by Default Cluster VPC Networking by leveraging IBM Cloud VPC Security Groups. Additionally, any VPC load balancers that you create in these clusters are automatically attached to a security group that allows only the necessary network traffic to the cluster.

Understanding Egress connectivity in Secure by Default Cluster VPC Networking clusters

All egress traffic (including access to the public Internet) will be blocked in these newly created clusters, so you may need to take additional steps if your newly created cluster requires egress connectivity. Examples of the connections that will be blocked by default include the following:

  • Pulling images from external public registries like quay.io or Docker Hub.
  • Connecting to IBM services over the public network, such as IAM or COS.
  • Connecting to other external services over the public network.
  • Accessing the Red Hat Marketplace and OperatorHub.

In most cases you will be able to add specific security group rules to allow the egress connections you need. In some cases you may need to open all egress connectivity from the cluster. For these cases, we will provide a new API, CLI, Terraform, and UI option to allow all egress traffic.
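As an added illustration (not code from the original post or from IBM's documentation), the Terraform fragment below shows the two choices side by side: one narrow outbound rule for a single destination, and the broad allow-all rule that the post says is sometimes necessary. The security group ID, the registry CIDR (a constructed documentation range) and the resource names are assumptions; `ibm_is_security_group_rule` is the IBM provider's existing resource for VPC security group rules.

```terraform
terraform {
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# Assumption: the operator supplies the ID of the security group attached
# to the cluster's worker nodes.
variable "cluster_security_group_id" {
  description = "ID of the worker security group created for the cluster"
  type        = string
}

# Constructed example value: the address range of one external registry the
# workers must pull images from (TEST-NET-3 documentation range, not a real host).
variable "registry_cidr" {
  description = "CIDR of the external registry that workers may reach"
  type        = string
  default     = "203.0.113.0/24"
}

# Preferred shape: one outbound rule, one destination, one port. Image pulls
# over HTTPS work; everything else stays blocked as it was at cluster creation.
resource "ibm_is_security_group_rule" "egress_registry_https" {
  group     = var.cluster_security_group_id
  direction = "outbound"
  remote    = var.registry_cidr
  tcp {
    port_min = 443
    port_max = 443
  }
}

# Fallback shape for workloads that genuinely need unrestricted egress:
# no protocol block and a 0.0.0.0/0 remote means all outbound traffic.
# Kept behind a count so it is only created when explicitly requested.
variable "allow_all_egress" {
  type    = bool
  default = false
}

resource "ibm_is_security_group_rule" "egress_all" {
  count     = var.allow_all_egress ? 1 : 0
  group     = var.cluster_security_group_id
  direction = "outbound"
  remote    = "0.0.0.0/0"
}
```

Reviewing `terraform plan` output for rules whose `remote` is `0.0.0.0/0` is a quick way to confirm that a cluster has not been opened more widely than intended.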

When a new Red Hat OpenShift on IBM Cloud version 4.15+ or IBM Cloud Kubernetes Service 1.30+ cluster is created in the IBM Cloud user interface, the following option will be presented to allow all egress traffic for the cluster being created:

Upgrading Existing Clusters

What happens to clusters that upgrade to Red Hat OpenShift on IBM Cloud 4.15 or IBM Cloud Kubernetes Service 1.30? Don't worry. Clusters that are upgraded will continue to function as they do today. We won't modify existing clusters to this new security group model. Additionally, your VPCs will be able to contain both Secure by Default Cluster VPC Networking clusters and clusters that use the existing behavior.

How Can You Learn More about Secure by Default Cluster Networking?

A follow-up blog will be available in the upcoming weeks with specific details on the design of Secure by Default Cluster VPC Networking. Also, when Red Hat OpenShift on IBM Cloud version 4.15 and IBM Cloud Kubernetes Service version 1.30 are released, we will provide documentation with more specific details and examples for well-known use cases.
