
Chapter 1. Private Service Connect overview
You can create a private OpenShift Dedicated cluster on Google Cloud Platform (GCP) using Google Cloud’s security-enhanced networking feature Private Service Connect (PSC).

1.1. Understanding Private Service Connect

Private Service Connect (PSC), a capability of Google Cloud networking, enables private communication between services across different projects or organizations within GCP. Users that implement PSC as part of their network connectivity can deploy OpenShift Dedicated clusters in a private and secured environment within Google Cloud Platform (GCP) without any public facing cloud resources.

For more information about PSC, see Private Service Connect.

Important

PSC is only available on OpenShift Dedicated version 4.17 and later, and is only supported by the Customer Cloud Subscription (CCS) infrastructure type.

1.2. Prerequisites

In addition to the prerequisites that you need to complete before deploying any OpenShift Dedicated on Google Cloud Platform (GCP) cluster, you must also complete the following prerequisites to deploy a private cluster using Private Service Connect (PSC):

  • A pre-created Virtual Private Cloud (VPC) with the following subnets in the same Google Cloud Platform (GCP) region where your cluster will be deployed:

    • A control plane subnet
    • A worker subnet
    • A subnet used for the PSC service attachment with the purpose set to Private Service Connect.

      Important

      The subnet mask for the PSC service attachment must be /29 or larger and must be dedicated to an individual OpenShift Dedicated cluster. Additionally, the subnet must be contained within the Machine CIDR range used while provisioning the OpenShift Dedicated cluster.

      For information about how to create a VPC on Google Cloud Platform (GCP), see Create and manage VPC networks in the Google Cloud documentation.

  • A path from the OpenShift Dedicated cluster to the internet for the domains and ports listed in the GCP firewall prerequisites in the Additional resources section.
  • The Cloud Identity-Aware Proxy API enabled at the Google Cloud Platform (GCP) project level.

In addition to the requirements listed above, clusters configured with the Service Account authentication type must grant the IAP-Secured Tunnel User role to the osd-ccs-admin service account.

For more information about the prerequisites that must be completed before deploying an OpenShift Dedicated cluster on Google Cloud Platform (GCP), see Customer Requirements.

Note

PSC is supported with the Customer Cloud Subscription (CCS) infrastructure type only. To create an OpenShift Dedicated cluster on Google Cloud Platform (GCP) using PSC, see Creating a cluster on GCP with Workload Identity Federation.
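The subnet constraints above (a PSC service attachment subnet of /29 or larger, contained within the Machine CIDR, with its purpose set to Private Service Connect) are easy to get wrong before provisioning. The following script is an added example, not part of the Red Hat documentation: it validates a planned PSC subnet against those two constraints in plain POSIX shell and, only when the check passes, creates the subnet with gcloud using the `--purpose=PRIVATE_SERVICE_CONNECT` flag. The project, region, VPC and subnet names are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation: check a planned PSC
# service-attachment subnet against the stated constraints (/29 or larger,
# inside the Machine CIDR) before creating it with gcloud.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network mask for a prefix length, e.g. 29 -> 0xFFFFFFF8.
mask_for() {
  echo $(( 0xFFFFFFFF ^ ((1 << (32 - $1)) - 1) ))
}

# check_psc_subnet MACHINE_CIDR PSC_CIDR
# Succeeds only when PSC_CIDR has a prefix length of at most 29 (/29 or
# larger) and every address in it lies inside MACHINE_CIDR.
check_psc_subnet() {
  m_ip=${1%/*}; m_bits=${1#*/}
  p_ip=${2%/*}; p_bits=${2#*/}
  if [ "$p_bits" -gt 29 ]; then
    echo "PSC subnet $2 is smaller than /29" >&2; return 1
  fi
  if [ "$p_bits" -lt "$m_bits" ]; then
    echo "PSC subnet $2 is larger than Machine CIDR $1" >&2; return 1
  fi
  m_mask=$(mask_for "$m_bits")
  if [ $(( $(ip_to_int "$p_ip") & $m_mask )) -ne $(( $(ip_to_int "$m_ip") & $m_mask )) ]; then
    echo "PSC subnet $2 is outside Machine CIDR $1" >&2; return 1
  fi
}

# create_psc_subnet PROJECT REGION VPC SUBNET_NAME MACHINE_CIDR PSC_CIDR
# Creates the dedicated PSC subnet (all names are placeholders chosen by the
# caller) only after the check above passes. Requires gcloud credentials.
create_psc_subnet() {
  check_psc_subnet "$5" "$6"
  gcloud compute networks subnets create "$4" --project="$1" --region="$2" \
    --network="$3" --range="$6" --purpose=PRIVATE_SERVICE_CONNECT
}
```

Run it as, for example, `create_psc_subnet my-project us-east1 osd-vpc osd-psc-subnet 10.0.0.0/16 10.0.128.0/29`; a subnet that is too small or outside the Machine CIDR is rejected before any GCP resource is created.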

1.3. Private Service Connect architecture

The PSC architecture includes producer services and consumer services. Using PSC, consumers can access producer services privately from inside their VPC network. Similarly, it allows producers to host services in their own separate VPC networks and offer a private connection to their consumers.

The following image depicts how Red Hat SREs and other internal resources access and support clusters created using PSC.

  • A unique PSC service attachment is created for each OSD cluster in the customer GCP project. The PSC service attachment points to the cluster API server load balancer created in the customer GCP project.
  • Similar to service attachments, a unique PSC endpoint is created in the Red Hat Management GCP project for each OSD cluster.
  • A dedicated subnet for GCP Private Service Connect is created in the cluster’s network within the customer GCP project. This is a special subnet type where the producer services are published via PSC service attachments. This subnet is used to Source NAT (SNAT) incoming requests to the cluster API server. Additionally, the PSC subnet must be within the Machine CIDR range and cannot be used in more than one service attachment.
  • Red Hat internal resources and SREs access private OSD clusters using the connectivity between a PSC endpoint and service attachment. Even though the traffic transits multiple VPC networks, it remains entirely within Google Cloud.
  • Access to PSC service attachments is possible only via the Red Hat Management project.

Figure 1.1. PSC architecture overview

1.4. Next steps

© 2024 Red Hat, Inc.