diff --git a/README.md b/README.md
index 16f9dc97..a029045b 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ Optionally, the module supports advanced security group management for the worke * [2 MZR clusters in same VPC example](./examples/multiple_mzr_clusters) * [Advanced example (mzr, auto-scale, kms, taints)](./examples/advanced) * [Attaching custom security groups](./examples/custom_sg) - * [Basic single zone example](./examples/basic) + * [Basic single zone cluster with allowed outbound traffic](./examples/basic) * [Cluster security group rules example](./examples/add_rules_to_sg) * [Cross account KMS encryption example](./examples/cross_kms_support) * [Financial Services compliant example](./examples/fscloud)
@@ -116,6 +116,12 @@ module "ocp_base" { } ``` +### Secure by default cluster settings + In OCP version 4.15, outbound traffic is disabled by default. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-security-group-reference). + There is a provision to toggle outbound traffic by using the modules' `disable_outbound_traffic_protection` input. Refer [Managing outbound traffic protection in VPC clusters](https://cloud.ibm.com/docs/openshift?topic=openshift-sbd-allow-outbound#sbd-example-oh). + ### Default Worker Pool management You can manage the default worker pool using Terraform, and make changes to it through this module. This option is enabled by default. Under the hood, the default worker pool is imported as a `ibm_container_vpc_worker_pool` resource. Advanced users may opt-out of this option by setting `import_default_worker_pool_on_create` parameter to `false`. For most use cases it is recommended to keep this variable to `true`.
diff --git a/examples/basic/README.md b/examples/basic/README.md
index ee3f7a6e..e8ee30ed 100644
--- a/examples/basic/README.md
+++ b/examples/basic/README.md
@@ -1,8 +1,9 @@ -# Basic single zone example +# Basic single zone cluster with allowed outbound traffic -A simple example that shows how to provision a basic single zone OCP VPC cluster. +A simple example that shows how to provision a basic single zone OCP VPC cluster. Also the outbound traffic is allowed, which is required for accessing the Operator Hub. The following resources are provisioned by this example: + - A new resource group, if an existing one is not passed in. - A basic VPC and subnet with public gateway enabled. - A single zone OCP VPC cluster.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
index 6538e3d5..536129c6 100644
--- a/examples/basic/main.tf
+++ b/examples/basic/main.tf
@@ -68,16 +68,18 @@ locals { } module "ocp_base" { - source = "../.." - resource_group_id = module.resource_group.resource_group_id - region = var.region - tags = var.resource_tags - cluster_name = var.prefix - force_delete_storage = true - vpc_id = ibm_is_vpc.vpc.id - vpc_subnets = local.cluster_vpc_subnets - ocp_version = var.ocp_version - worker_pools = local.worker_pools - access_tags = var.access_tags - ocp_entitlement = var.ocp_entitlement + source = "../.." + resource_group_id = module.resource_group.resource_group_id + region = var.region + tags = var.resource_tags + cluster_name = var.prefix + force_delete_storage = true + vpc_id = ibm_is_vpc.vpc.id + vpc_subnets = local.cluster_vpc_subnets + ocp_version = var.ocp_version + worker_pools = local.worker_pools + access_tags = var.access_tags + ocp_entitlement = var.ocp_entitlement + disable_outbound_traffic_protection = true # set as True to enable outbound traffic; required for accessing Operator Hub in the OpenShift console. + import_default_worker_pool_on_create = false }
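Review bot: In the main.tf hunk, `disable_outbound_traffic_protection = true` and `import_default_worker_pool_on_create = false` are hard-coded literals in the module call, so anyone copying the basic example inherits both with no way to toggle them short of editing the block; the second line carries no comment and contradicts the root README context visible earlier in this diff, which recommends keeping `import_default_worker_pool_on_create` at `true` for most use cases. The inline comment on the outbound line also reads as though `true` were the recommended setting, when the same README hunk describes outbound traffic being blocked by default in OCP 4.15 as the secure-by-default behaviour being opted out of; it should state the trade-off, e.g. `# Opts out of the 4.15 secure-by-default outbound block for the whole cluster so the Operator Hub is reachable; leave unset unless that egress is actually needed.`. Consider wiring `disable_outbound_traffic_protection` to an example input variable (declared in variables.tf, outside this diff) so the example can be applied in either mode, and either drop the worker-pool line or comment why this example opts out of the default. The `module "ocp_base"` block is fully inside the hunk.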