Bug 1732396 - API port exposed through 443 in external load balancer
Summary: API port exposed through 443 in external load balancer
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.z
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Abhinav Dahiya
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-23 09:38 UTC by Ramon Gordillo
Modified: 2019-07-29 16:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-29 16:40:39 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Ramon Gordillo 2019-07-23 09:38:58 UTC
Some customers are restricted to use only some external ports (443, 80) to the external load balancers in their datacenters (due to firewall and anti-DoS rules).

More than public cloud installations, where it is more easy to add some extra policies, this applies to private ones (VMWare, Bare Metal, etc).


There are other bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1663453
https://bugzilla.redhat.com/show_bug.cgi?id=1686139

Close as WONTFIX, but I guess they are related to use 443 in the container, not exposing it through the LB.

The idea will be to be able to expose API port in 6443 in the instances, and exposing it through 443.


Version: 4.1.x
How reproducible: Always.


Actual usage:
oc login https://api.cluster.base:6443

Expected usage:
oc login https://api.cluster.base

It is a blocker to OCP 4.x adoption in restricted environments (public sector).

Comment 1 Stefan Schimanski 2019-07-23 09:43:23 UTC
Reassigning to installer. This is nothing we as kube-apiserver owner can decide and change. The installer owns the LBs and sets them up.

Comment 2 Abhinav Dahiya 2019-07-29 16:40:39 UTC
Please open an RFE, there are no plans to support 443.


Note You need to log in before you can comment on or make changes to this bug.