Bug 1732396

Summary: API port exposed through 443 in external load balancer
Product: OpenShift Container Platform
Reporter: Ramon Gordillo <ramon.gordillo>
Component: Installer
Assignee: Abhinav Dahiya <adahiya>
Installer sub component: openshift-installer
QA Contact: Johnny Liu <jialiu>
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
CC: aos-bugs, jokerman, mfojtik, mmccomas
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-07-29 16:40:39 UTC
Type: Bug

Description Ramon Gordillo 2019-07-23 09:38:58 UTC
Some customers are restricted to using only some external ports (443, 80) to the external load balancers in their datacenters (due to firewall and anti-DoS rules).

More than public cloud installations, where it is easier to add some extra policies, this applies to private ones (VMware, bare metal, etc.).


There are other bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1663453
https://bugzilla.redhat.com/show_bug.cgi?id=1686139

Closed as WONTFIX, but I guess they are related to using 443 in the container, not exposing it through the LB.

The idea will be to be able to expose the API port on 6443 in the instances, and to expose it through 443.


Version: 4.1.x
How reproducible: Always.


Actual usage:
oc login https://api.cluster.base:6443

Expected usage:
oc login https://api.cluster.base

It is a blocker to OCP 4.x adoption in restricted environments (public sector).

Comment 1 Stefan Schimanski 2019-07-23 09:43:23 UTC
Reassigning to installer. This is nothing we as kube-apiserver owners can decide and change. The installer owns the LBs and sets them up.

Comment 2 Abhinav Dahiya 2019-07-29 16:40:39 UTC
Please open an RFE; there are no plans to support 443.