OpenShift docs are moving and will soon only be available at docs.redhat.com, the home of all Red Hat product documentation. Explore the new docs experience today.
  1. Documentation
    2. history bug_report picture_as_pdf
×

OpenShift Dedicated on Google Cloud Platform (GCP) architecture models

With OpenShift Dedicated on Google Cloud Platform (GCP), you can create clusters that are accessible over public or private networks.

Private OpenShift Dedicated on Google Cloud Platform (GCP) architecture on public and private networks

You can customize the access patterns for your API service endpoint and Red Hat SRE management by choosing one of the following network configuration types:

  • Private cluster with Private Service Connect (PSC).

  • Private cluster without PSC

  • Public cluster

Red Hat recommends using PSC when deploying a private OpenShift Dedicated cluster on Google Cloud Platform (GCP). PSC ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE), and private OpenShift clusters.

Private Service Connect overview

Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy OpenShift Dedicated clusters in a private and secured environment within Google Cloud Platform (GCP) without any public facing cloud resources. For more information on PSC, see Private Service Connect.

Private Service Connect is supported by the Customer Cloud Subscription (CCS) infrastructure type only.

Private Service Connect architecture

The PSC architecture includes producer services and consumer services. Using PSC, the consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connect to their consumers.

The following image depicts how Red HAT SREs and other internal resources access and support clusters created using PSC.

  • A unique PSC Service Attachment is created for each OSD cluster in the customer GCP project. The PSC Service Attachment points to the cluster API server load balancer created in the customer GCP project.

  • Similar to Service Attachments, a unique PSC Service Endpoint is created in the Red Hat Management GCP project for each OSD cluster.

  • A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC Service Attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the Machine CIDR range and cannot be used in more than one Service Attachment.

  • Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC Endpoint and Service Attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.

  • Access to PSC Service Attachments is possible only via the Red Hat Management project.

PSC architecture overview
Figure 1. PSC architecture overview

Private OpenShift Dedicated on Google Cloud Platform (GCP) with Private Service Connect architecture model

With a private GCP Private Service Connect (PSC) network configuration, your cluster API server endpoint and application routes are private. Public subnets or NAT gateways are not required in your VPC for egress. Red Hat SRE management access the cluster over the GCP PSC-enabled private connectivity. The default ingress controller are private. Additional ingress controllers can be public or private. The following diagram shows network connectivity of a private cluster with PSC.

Private with PSC architecture model
Figure 2. OpenShift Dedicated on Google Cloud Platform (GCP) deployed on a private network with PSC

Private OpenShift Dedicated on Google Cloud Platform (GCP) without Private Service Connect (PSC) architecture model

With a private network configuration, your cluster API server endpoint and application routes are private. Private OpenShift Dedicated on GCP clusters use some public subnets, but no control plane or worker nodes are deployed in public subnets.

Red Hat recommends using Private Service Connect (PSC) when deploying a private OpenShift Dedicated cluster on Google Cloud Platform (GCP). PSC ensures there is a secured, private connectivity between Red Hat infrastructure, Site Reliability Engineering (SRE), and private OpenShift clusters.

Red Hat SRE management access the cluster through a public load balancer endpoint that are restricted to Red Hat IPs. The API server endpoint is private. A separate Red Hat API server endpoint is public (but restricted to Red Hat trusted IP addresses). The default ingress controller can be public or private. The following image shows network connectivity of a private cluster without Private Service Connect (PSC).

Private without PSC architecture model
Figure 3. OpenShift Dedicated on Google Cloud Platform (GCP) deployed on a private network without PSC

Public OpenShift Dedicated on Google Cloud Platform (GCP) architecture model

With a public network configuration, your cluster API server endpoint and application routes are internet-facing. The default ingress controller can be public or private. The following image shows the network connectivity of a public cluster.

Public architecture model
Figure 4. OpenShift Dedicated on Google Cloud Platform (GCP) deployed on a public network

Additional resources