Merge pull request #52037 from skrthomas/OSDOCS-4369

skrthomas · web-flow · commit 9bfea5234343 · 2022-11-22T14:35:42.000-05:00
OSDOCS-4369: Adding clarification about Private OpenShift cluster default behavior
diff --git a/modules/private-clusters-about.adoc b/modules/private-clusters-about.adoc
@@ -6,7 +6,10 @@
 [id="private-clusters-about_{context}"]
 = About private clusters
 
-By default, {product-title} is provisioned using publicly-accessible DNS and endpoints. You can set the DNS, Ingress Controller, and API server to private after you deploy your cluster.
+
+By default, {product-title} is provisioned using publicly-accessible DNS and endpoints. You can set the DNS, Ingress Controller, and API server to private after you deploy your private cluster. 
+
+include::snippets/snip-private-clusters-public-ingress.adoc[]
 
 [discrete]
 [id="private-clusters-about-dns_{context}"]
diff --git a/modules/private-clusters-default.adoc b/modules/private-clusters-default.adoc
@@ -45,9 +45,10 @@ Public zones are not supported in Route 53 in an AWS Top Secret Region. Therefor
 must be private if they are deployed to an AWS Top Secret Region.
 ====
 endif::aws-secret[]
-
 By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
 
+include::snippets/snip-private-clusters-public-ingress.adoc[]
+
 To deploy a private cluster, you must:
 
 * Use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
diff --git a/post_installation_configuration/configuring-private-cluster.adoc b/post_installation_configuration/configuring-private-cluster.adoc
@@ -15,3 +15,5 @@ include::modules/private-clusters-setting-dns-private.adoc[leveloffset=+1]
 include::modules/private-clusters-setting-ingress-private.adoc[leveloffset=+1]
 
 include::modules/private-clusters-setting-api-private.adoc[leveloffset=+1]
+
+include::modules/nw-ingresscontroller-change-internal.adoc[leveloffset=+2]
diff --git a/snippets/snip-private-clusters-public-ingress.adoc b/snippets/snip-private-clusters-public-ingress.adoc
@@ -0,0 +1,12 @@
+// Text snippet included in the following modules:
+//
+// * modules/private-clusters-default.adoc
+// * modules/private-clusters-about.adoc
+// * modules/private-clusters-about-aws.adoc
+
+:_content-type: SNIPPET
+
+[IMPORTANT]
+====
+If the cluster has any public subnets, load balancer services created by administrators might be publicly accessible. To ensure cluster security, verify that these services are explicitly annotated as private.
+====
