OSDOCS-15819 User managed firewall rules for GCP #104757

Conversation
🤖 Thu Jan 15 15:57:31 - Prow CI generated the docs preview:
🤖 [error] AsciiDocDITA.ShortDescription: Assign [role="_abstract"] to a paragraph to use it as in DITA.
e0e9c9a to 0c6c4ef
| |platform: | ||
| gcp: | ||
| firewallRulesManagement: | ||
| |Specifies the firewall management policy for the cluster. `Managed` indicates that the firewall rules will be created and destroyed by the cluster. `Unmanaged` indicates that the user should create and destroy the firewall rules. For shared VPC installation, if the installer credential doesn't have firewall rules management permissions, the `firewallRulesManagement` parameter can be absent or set to `Unmanaged`. For non-shared VPC installation, if the installer credential doesn't have firewall rules management permissions, the `firewallRulesManagement` parameter must be set to `Unmanaged`. If you manage your own firewall rules, you must pre-configure the VPC network and the firewall rules before the installation. |
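Review bot: The row never states what the installation program does when `firewallRulesManagement` is absent and the credential does hold firewall permissions, so the default is left to inference; state it outright (for example "defaults to `Managed`", or whatever the implementation actually does). The shared-VPC sentence also ties the meaning of an absent value to an IAM check ("if the installer credential doesn't have firewall rules management permissions, the `firewallRulesManagement` parameter can be absent"), which is fragile from a least-privilege standpoint: if that credential later gains the firewall permissions, an absent parameter could silently change the cluster from leaving rules alone to creating and destroying them. Recommend telling readers who own their rules to set `firewallRulesManagement: Unmanaged` explicitly in both the shared and non-shared VPC cases, and reserve "absent" for the default behaviour only.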
🤖 [error] RedHat.TermsErrors: Use 'installation program' rather than 'the installer'. For more information, see RedHat.TermsErrors.
| If you are installing into an existing VPC, you must enable the `firewallRulesManagement` parameter in your `install-config.yaml` file. If you are installing into a shared VPC, you can either enable the `firewallRulesManagement` parameter, or exclude the `compute.firewalls.create` and `compute.firewalls.delete` permissions, which will indicate to the installation program that you are managing your own firewall rules. | ||
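Review bot: "enable the `firewallRulesManagement` parameter" reads as a boolean switch, but the parameter table defines the value as `Managed` or `Unmanaged`; write "set `firewallRulesManagement: Unmanaged`" in both sentences so the reader sees the literal value. The strength of the two statements also needs aligning with that table: here the existing-VPC case is "must", the shared-VPC case is "either/or", while the table says the parameter "can be absent" for a shared VPC only when the credential lacks the permissions. For the reader who chooses the permission-omission path, it would also help to say which `compute.firewalls.*` permissions remain necessary (for example read permissions, if the installation program validates the pre-created rules) rather than only naming the two to drop, since someone minimising the credential will otherwise strip everything under `compute.firewalls`.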
| You must create the following firewall rules prior to installation if you want to manage your own firewall rules: |
🤖 [error] RedHat.TermsErrors: Use 'before' rather than 'prior to'. For more information, see RedHat.TermsErrors.
| `<compute_node_tags>`:: Specifies the network tags that apply to the compute machines in your cluster. These tags must be specified in the `install-config.yaml` file you use to deploy the cluster. | ||
| `<internal_network_cidr>`:: Specifies the network CIDR of the machine network that contains all the machines in your cluster. | ||
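Review bot: Both definitions should name the exact `install-config.yaml` field they must match rather than "specified in the `install-config.yaml` file": the network tags field of the compute machine pool's GCP platform section for `<compute_node_tags>`, and the machine network CIDR for `<internal_network_cidr>`. A sentence on scope is also worth adding: GCP applies a firewall rule to every instance in the VPC that carries one of the rule's target tags, so `<compute_node_tags>` should be tags unique to this cluster; otherwise rules such as the `tcp:30000-32767` opening described later in this section extend to unrelated instances sharing the VPC.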
| After installation, you can reduce the port range of the `ingress-k8s-http-hc` rule to the port that the ingress load balancer service uses, which is not known prior to installation. You can determine the service port by running the following command: |
🤖 [error] AsciiDocDITA.TaskContents: The '.Procedure' block title is missing.
| After installation, you can reduce the port range of the `ingress-k8s-http-hc` and `internal-cluster` rules from `tcp:30000-32767` to the individual port that the ingress load balancer service uses, which is not known prior to installation. You can determine the service port by running the following command after installation: |
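Review bot: Narrowing `internal-cluster` to a single port needs a second look: `30000-32767` is the default Kubernetes NodePort range, so a rule that opens it presumably serves every NodePort service on the nodes, not only the ingress load balancer, and cutting it to the one ingress port would break any other NodePort service created later. "The individual port" also understates the ingress case: a LoadBalancer service that exposes HTTP and HTTPS gets a node port per exposed port, plus a separate `healthCheckNodePort` when `externalTrafficPolicy` is `Local`, so say "the node ports" and make sure the command that follows prints all of them, with the service name and namespace. Keeping the narrowing to `ingress-k8s-http-hc`, and leaving `internal-cluster` at the full range unless the page can state what else uses it, would be the safer recommendation.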
@patrickdillon @jianli-wei Hi Patrick and Jianli, please take a look at this docs PR covering user-managed firewall rules for GCP. This PR adds a new section Managing your own firewall rules to the "configuring a google cloud project" page, as well as modifications to the permissions content and install config parameters table. I will resolve the vale linting errors once the content is ready to go. Thank you
cc @barbacbd |
| [role="_abstract"] | ||
| You can manage your own firewall rules when installing a cluster on {gcp-short} into an existing VPC by enabling the `firewallRulesManagement` parameter in the `install-config.yaml` file. You can limit the permissions that you grant to the installation program by managing your own firewall rules. | ||
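Review bot: The abstract has the same boolean phrasing problem as the permissions text: "by enabling the `firewallRulesManagement` parameter" should be "by setting `firewallRulesManagement` to `Unmanaged`". It also mentions only an existing VPC, while the permissions paragraph covers a shared VPC as well; say "an existing or shared VPC" here so the abstract matches the section body. Finally, "You can limit the permissions that you grant to the installation program" would be more useful as "you can omit the `compute.firewalls.create` and `compute.firewalls.delete` permissions", which is the concrete reduction the section lets the reader make.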
| If you want to manage your own firewall rules, you must create the following rules prior to installation: |
@bscott-rh: all tests passed! Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

/verified by jiwei

@jianli-wei: This PR has been marked as verified. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
Version(s): 4.21
Issue: https://issues.redhat.com/browse/OSDOCS-15819
Link to docs preview:
Managing your own firewall rules
non-XPN permissions
XPN permissions
Existing VPC prerequisites
Shared VPC prerequisites
Installation configuration parameters
QE review: TBD: Day 2