doc: updated outbound traffic information for operator hub access

README.md

@@ -30,7 +30,7 @@ Optionally, the module supports advanced security group management for the worke
     * [2 MZR clusters in same VPC example](./examples/multiple_mzr_clusters)
     * [Advanced example (mzr, auto-scale, kms, taints)](./examples/advanced)
     * [Attaching custom security groups](./examples/custom_sg)
-    * [Basic single zone example](./examples/basic)
+    * [Basic single zone cluster with allowed outbound traffic](./examples/basic)
     * [Cluster security group rules example](./examples/add_rules_to_sg)
     * [Cross account KMS encryption example](./examples/cross_kms_support)
     * [Financial Services compliant example](./examples/fscloud)
@@ -116,6 +116,12 @@ module "ocp_base" {
 }
 ```
 
+### Secure by default cluster settings
+
+In OCP version 4.15, outbound traffic is disabled by default. [Learn more](https://cloud.ibm.com/docs/openshift?topic=openshift-vpc-security-group-reference).
+
+There is a provision to toggle outbound traffic by using the modules' `disable_outbound_traffic_protection` input. Refer [Managing outbound traffic protection in VPC clusters](https://cloud.ibm.com/docs/openshift?topic=openshift-sbd-allow-outbound#sbd-example-oh).
+
 ### Default Worker Pool management
 
 You can manage the default worker pool using Terraform, and make changes to it through this module. This option is enabled by default. Under the hood, the default worker pool is imported as a `ibm_container_vpc_worker_pool` resource. Advanced users may opt-out of this option by setting `import_default_worker_pool_on_create` parameter to `false`. For most use cases it is recommended to keep this variable to `true`.

examples/basic/README.md

@@ -1,8 +1,9 @@
-# Basic single zone example
+# Basic single zone cluster with allowed outbound traffic
 
-A simple example that shows how to provision a basic single zone OCP VPC cluster.
+A simple example that shows how to provision a basic single zone OCP VPC cluster. Also the outbound traffic is allowed, which is required for accessing the Operator Hub.
 
 The following resources are provisioned by this example:
+
 - A new resource group, if an existing one is not passed in.
 - A basic VPC and subnet with public gateway enabled.
 - A single zone OCP VPC cluster.

examples/basic/main.tf

@@ -68,16 +68,18 @@ locals {
 }
 
 module "ocp_base" {
-  source               = "../.."
-  resource_group_id    = module.resource_group.resource_group_id
-  region               = var.region
-  tags                 = var.resource_tags
-  cluster_name         = var.prefix
-  force_delete_storage = true
-  vpc_id               = ibm_is_vpc.vpc.id
-  vpc_subnets          = local.cluster_vpc_subnets
-  ocp_version          = var.ocp_version
-  worker_pools         = local.worker_pools
-  access_tags          = var.access_tags
-  ocp_entitlement      = var.ocp_entitlement
+  source                               = "../.."
+  resource_group_id                    = module.resource_group.resource_group_id
+  region                               = var.region
+  tags                                 = var.resource_tags
+  cluster_name                         = var.prefix
+  force_delete_storage                 = true
+  vpc_id                               = ibm_is_vpc.vpc.id
+  vpc_subnets                          = local.cluster_vpc_subnets
+  ocp_version                          = var.ocp_version
+  worker_pools                         = local.worker_pools
+  access_tags                          = var.access_tags
+  ocp_entitlement                      = var.ocp_entitlement
+  disable_outbound_traffic_protection  = true # set as True to enable outbound traffic; required for accessing Operator Hub in the OpenShift console.
+  import_default_worker_pool_on_create = false
 }