*.[cluster-name].openshift.com
OpenShift Dedicated uses a software-defined networking (SDN) approach to provide a unified cluster network that enables communication between pods across the cluster. This pod network is established and maintained by the OpenShift SDN, which configures an overlay network using Open vSwitch (OVS).
By default, OpenShift Dedicated uses the ovs-networkpolicy plug-in, which allows
project administrators to configure their own isolation policies using
NetworkPolicy objects. These policies can be fully managed by project owners and
dedicated-admin
users to add network-level isolation for the projects.
Additionally, some OpenShift Dedicated clusters also support the ovs-multitenant plug-in, which provides project-level isolation for pods and services. Each project receives a unique Virtual Network ID (VNID) that identifies traffic from pods assigned to the project. By default, pods from different projects cannot send packets to or receive packets from pods and services of a different project. However, the cluster administrator can join projects and later isolate them using admin commands. For more information on pod network management, see Managing Networking.
Security groups are provided by the cloud provider. They provide security at the protocol and port access level. Each security group works similar to a firewall and has a set of rules that filter traffic coming into and out of a node.
OpenShift Dedicated has separate security groups configured for the following components:
master nodes
infrastructure nodes
compute Nodes
etcd
router ELB
External master ELB
Internal master ELB
All new persistent volumes (PVs) are encrypted at rest. PVs are backed by block storage, which is Read-Write-Once and will be dynamically provisioned and recycled based on application requests.
All communication channels with the REST API, as well as between master components such as etcd and the API server, are secured with TLS. TLS provides strong encryption, data integrity, and authentication of servers with X.509 server certificates and public key infrastructure. By default, a new internal PKI is created for each deployment of OpenShift Dedicated. The internal PKI uses 2048 bit RSA keys and SHA-256 signatures.
The OpenShift Dedicated server and oc
client provides TLS 1.2 or newer by default.
Both server and client prefer modern cipher suites with authenticated encryption
algorithms and perfect forward secrecy. Cipher suites with deprecated and
insecure algorithms such as RC4, 3DES, and MD5 are disabled. Some internal
clients (for example, LDAP authentication) have less restricted settings with
TLS 1.0 to 1.2 and more cipher suites enabled.
OpenShift Dedicated includes security certificates needed for both internal and external services on the cluster. For external routes, there are two separate wildcard certificates that are provided and installed on each cluster. For clusters that use an additional router shard and ELB, there will be a third wildcard certificate.
For cluster services such as the API and web console, the wildcard certificate is:
*.[cluster-name].openshift.com
For application routes, the wildcard certificate is:
*.[shard-id].[cluster-name].openshiftapps.com
Custom domains and subdomains are not available for the platform service routes or the default application routes. However, you can upload your own certificates for custom application routes through the web console or API.