Cloud Experts Documentation

OSD

OpenShift Network Calculator

Overview

The OpenShift Network Calculator helps you determine the network requirements for your OpenShift cluster, specifically designed for clusters using the OVN-Kubernetes Container Network Interface (CNI). This tool calculates the number of pods, services, and nodes your network configuration can support, and identifies potential network conflicts with OVN-Kubernetes reserved networks.

Proper network planning is critical when deploying OpenShift clusters, as incorrect CIDR ranges can lead to IP address exhaustion, network conflicts, or connectivity issues. This calculator is particularly useful when planning deployments for:

Add an Ingress Controller to an OSD GCP Cluster and optionally with a custom domain.

Starting with OpenShift 4.14, OSD GCP supports adding additional Ingress Controllers which can use used to configure a custom domain on a OSD GCP cluster without having to use the now deprecated Custom Domain Operator. This guide shows how to add an additional Ingress Controller ( public or private ) to a OSD GCP cluster and optionally also configuring a custom domain.

Prerequisites

Set up environment

  1. Export few environment variables

Important: The variables below can be customized to fit your needs for your ingress controller.

Limit Egress with Google Secure Web Proxy

In this guide, we will implement egress restrictions for OpenShift Dedicated by using Google’s Secure Web Proxyexternal link (opens in new tab) . Secure Web Proxy is a cloud first service that helps you secure egress web traffic (HTTP/S). OpenShift Dedicated relies on egress being allowed to specific fully qualified domain names (FQDNs), not just IP addresses. Secure Web Proxy provides support for limiting egress web traffic to the FQDNs necessary for the external endpoints that OpenShift Dedicated relies on.

Maximo Application Suite on OpenShift Dedicated Google Cloud Platform ( OSD GCP )

IBM Maximo Application Suite (MAS) is a set of applications for asset monitoring, management, predictive maintenance and reliability planning. When combined with Red Hat OpenShift Dedicated on Google Cloud ( OSD GCP ), this frees up your Maximo and operations team to focus on what is important to them ( Maximo ) rather than having to worry about managing and building clusters.

This document outlines how to get quickly get started with OSD GCP and installing Maximo all through automation.

Limit Egress with Google Cloud NGFW Standard

In this guide, we will implement egress restrictions for OpenShift Dedicated by using Google’s Cloud Next Generation Firewall (NGFW) Standardexternal link (opens in new tab) . Cloud NGFW is a fully distributed firewall service that allows fully qualified domain name (FQDN) objects in firewall policy rules. This is necessary for many of the external endpoints that OpenShift Dedicated relies on.

Configure Network Policies and Egress Firewalls for a ROSA Cluster

It’s common to want to restrict network access between namespaces, as well as restricting where traffic can go outside of the cluster. OpenShift achieves this with the Network Policy and Egress Firewall resources.

It’s common to use these methods to restrict network traffic alongside Egress IP and other OpenShift and OVN-Kubernetes resources.

Prerequisites

Project Template

The first thing to do is create a Project Template that containes Network Policys and Egress Firewalls with default deny rules

Patch token-refresher to use a cluster proxy

Currently, if you deploy a ROSA or OSD cluster with a proxy, the token-refresher pod in the openshift-monitoring namespace will be in crashloopbackoff. There is an RFE open to resolve this, but until then this can affect the ability of the cluster to report telemetry and potentially update. This article provides a workaround on how to patch the token-refresher deployment until that RFE has been fixed using the patch-operator.

Prerequisites

  • A logged in user with cluster-admin rights to a ROSA or OSD Cluster deployed using a cluster wide proxy

    Assign Consistent Egress IP for External Traffic

    It may be desirable to assign a consistent IP address for traffic that leaves the cluster when configuring items such as security groups or other sorts of security controls which require an IP-based configuration. By default, Kubernetes via the OVN-Kubernetes CNI will assign random IP addresses from a pool which will make configuring security lockdowns unpredictable or unnecessarily open. This guide shows you how to configure a set of predictable IP addresses for egress cluster traffic to meet common security standards and guidance and other potential use cases.

    Configure Microsoft Entra ID as an OIDC identity provider for ROSA/OSD

    This guide demonstrates how to configure Azure AD as the cluster identity provider in Red Hat OpenShift Service on AWS (ROSA). This guide will walk through the creation of an Azure Active Directory (Azure AD) application and configure Red Hat OpenShift Service on AWS (ROSA) to authenticate using Azure AD.

    This guide will walk through the following steps:

    1. Register a new application in Azure AD for authentication.
    2. Configure the application registration in Azure AD to include optional and group claims in tokens.
    3. Configure the OpenShift cluster to use Azure AD as the identity provider.
    4. Grant additional permissions to individual groups.

    Before you Begin

    Create a set of security groups and assign users by following the Microsoft documentationexternal link (opens in new tab) .

    OSD on Google Cloud

    Stop default router from serving custom domain routes

    Note: This page is only valid for clusters using the Custom Domain Operator (CDO), which are ROSA clusters prior to version 4.14

    OSD and ROSA supports custom domain operator to serve application custom domain, which provisions openshift ingress controller and cloud load balancers. However, when a route with custom domain is created, both default router and custom domain router serve routes. This article describes how to use route labels to stop default router from serving custom domain routes.

    Creating a OSD in GCP with Existing VPCs

    Tip The official documentation for installing a OSD cluster in GCP can be found here .

    For deploy an OSD cluster in GCP using existing Virtual Private Cloud (VPC) you need to implement some prerequisites that you must create before starting the OpenShift Dedicated installation though the OCM.

    Prerequisites

    NOTE: Also the GCloud Shell can be used, and have the gcloud cli among other tools preinstalled.

    Create Filestore Storage for OSD in GCP

    By default, within OSD in GCP only the GCE-PD StorageClassexternal link (opens in new tab) is available in the cluster. With this StorageClass, only ReadWriteOnce mode is permitted, and the gcePersistentDisks can only be mounted by a single consumer in read-write modeexternal link (opens in new tab) .

    Deploying 3scale API Management to ROSA and OSD

    This document will take you through deploying 3scale in any OSD or ROSA cluster. Review the official documentation here for more information or how to further customize or use 3scale.

    Prerequisites

    • An existing ROSA or OSD cluster
    • Access to an AWS account with permissions to create S3 buckets, IAM users, and IAM policies
    • A subscription for 3scale API Management
    • A wildcard domain configured with a CNAME to your cluster’s ingress controller

    Prepare AWS Account

    1. Set environment variables (ensuring you update the variables appropriately!)

      Configuring IDP for ROSA, OSD and ARO

      Red Hat OpenShift on AWS (ROSA) and OpenShift Dedicated (OSD) provide a simple way for the cluster administrator to configure one or more identity providers for their cluster[s] via the OpenShift Cluster Manager (OCM) , while Azure Red Hat OpenShift relies on the internal cluster authentication operatorexternal link (opens in new tab) .

      The identity providers available for use are:

      Installing the HashiCorp Vault Secret CSI Driver

      The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes.

      Prerequisites

      1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
      2. oc
      3. helm v3

      Installing the Kubernetes Secret Store CSI

      1. Create an OpenShift Project to deploy the CSI into

      2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

        Installing the Kubernetes Secret Store CSI on OpenShift

        The Kubernetes Secret Store CSI is a storage driver that allows you to mount secrets from external secret management systems like HashiCorp Vault and AWS Secrets.

        It comes in two parts, the Secret Store CSI, and a Secret provider driver. This document covers just the CSI itself.

        Prerequisites

        1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
        2. kubectl
        3. helm v3

        Installing the Kubernetes Secret Store CSI

        1. Create an OpenShift Project to deploy the CSI into

          AWS ALB

          Note: It is recommended that you use the Cloud Front based guide unless you absolutely must use an ALB based solution.

          Hereexternal link (opens in new tab) ’s a good overview of AWS LB types and what they support

          Problem Statement

          1. Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)

          2. Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF

            Examples of using a WAF in front of ROSA / OSD on AWS / OCP on AWS

            Problem Statement

            1. Operator requires WAF (Web Application Firewall) in front of their workloads running on OpenShift (ROSA)

            2. Operator does not want WAF running on OpenShift to ensure that OCP resources do not experience Denial of Service through handling the WAF

            Quick Introduction by Paul Czarkowskiexternal link (opens in new tab) & Ryan Niksch on YouTubeexternal link (opens in new tab)

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2026 Red Hat