With OpenShift Dedicated on Google Cloud Platform (GCP), you can create clusters that are accessible over public or private networks.
You can customize the access patterns for your API server endpoint and Red Hat SRE management by choosing one of the following network configuration types:
Private cluster with Private Service Connect (PSC).
Private cluster without PSC
Public cluster
Red Hat recommends using PSC when deploying a private OpenShift Dedicated cluster on Google Cloud Platform (GCP). PSC ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE), and private OpenShift clusters. |
Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy OpenShift Dedicated clusters in a private and secured environment within Google Cloud Platform (GCP) without any public facing cloud resources.
For more information about PSC, see Private Service Connect.
PSC is only available on OpenShift Dedicated version 4.17 and later, and is only supported by the Customer Cloud Subscription (CCS) infrastructure type. |
The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connect to their consumers.
The following image depicts how Red HAT SREs and other internal resources access and support clusters created using PSC.
A unique PSC service attachment is created for each OSD cluster in the customer GCP project. The PSC service attachment points to the cluster API server load balancer created in the customer GCP project.
Similar to service attachments, a unique PSC endpoint is created in the Red Hat Management GCP project for each OSD cluster.
A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC service attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the Machine CIDR range and cannot be used in more than one service attachment.
Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC endpoint and service attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.
Access to PSC service attachments is possible only via the Red Hat Management project.
With a private GCP Private Service Connect (PSC) network configuration, your cluster API server endpoint and application routes are private. Public subnets or NAT gateways are not required in your VPC for egress. Red Hat SRE management access the cluster over the GCP PSC-enabled private connectivity. The default ingress controller are private. Additional ingress controllers can be public or private. The following diagram shows network connectivity of a private cluster with PSC.
With a private network configuration, your cluster API server endpoint and application routes are private. Private OpenShift Dedicated on GCP clusters use some public subnets, but no control plane or worker nodes are deployed in public subnets.
Red Hat recommends using Private Service Connect (PSC) when deploying a private OpenShift Dedicated cluster on Google Cloud Platform (GCP). PSC ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE), and private OpenShift clusters. |
Red Hat SRE management access the cluster through a public load balancer endpoint that are restricted to Red Hat IPs. The API server endpoint is private. A separate Red Hat API server endpoint is public (but restricted to Red Hat trusted IP addresses). The default ingress controller can be public or private. The following image shows network connectivity of a private cluster without Private Service Connect (PSC).
With a public network configuration, your cluster API server endpoint and application routes are internet-facing. The default ingress controller can be public or private. The following image shows the network connectivity of a public cluster.