Hardening the Ingress Controller in OpenShift is critical for securing your cluster's external traffic. The Ingress Controller (based on HAProxy by default in OpenShift) acts as the entry point for external traffic into the cluster, so it must be configured securely to protect against attacks and misconfigurations.
Below is a comprehensive guide to OpenShift Ingress hardening, covering best practices, configurations, and security considerations:
Ensure all routes use HTTPS/TLS encryption.
- Use Red Hat OpenShift Service Mesh or cert-manager to automate certificate management.
- Enforce re-encryption if using internal services with certificates.
- Disable plain HTTP unless absolutely necessary.

```yaml
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: secure-route
spec:
  host: secure.example.com
  tls:
    termination: edge
    key: <PEM-encoded key>
    certificate: <PEM-encoded certificate>
    caCertificate: <CA cert if needed>
    destinationCACertificate: <internal CA cert if re-encrypting>
  to:
    kind: Service
    name: my-service
```

By default, OpenShift allows unencrypted HTTP traffic. You should disable this.
Edit the IngressController to disable HTTP:

```shell
oc edit ingresscontroller -n openshift-ingress-operator <ingress-name>
```

Add:

```yaml
spec:
  routeAdmission:
    disableHTTP: true
```

This blocks cleartext HTTP access to all routes served by this controller.
Limit access to certain routes based on client IP addresses.
Update the IngressController:

```yaml
spec:
  endpointPublishingStrategy:
    type: HostNetwork
  httpHeaders:
    # forwardedHeaderPolicy is the IngressController field that controls
    # X-Forwarded-* handling (Append, Replace, IfNone, Never)
    forwardedHeaderPolicy: Append
  routeAdmission:
    allowedInsecureEdgeTerminationPolicyTypes:
      - None
    sourceCIDRs:
      - 192.168.100.0/24
```

This restricts access to only clients coming from the specified CIDR range.
⚠️ Ensure you are not locking yourself out.
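The three controls above (TLS on every route, no cleartext, client-IP restriction) are easy to drift away from as teams create routes, so here is an added audit script (written for this guide, not code from the original page or from OpenShift) that reads the JSON printed by `oc get routes -A -o json` and reports the violations. On the Route object itself, the field that governs cleartext is `spec.tls.insecureEdgeTerminationPolicy` (`Redirect` or `None` refuses plain HTTP, `Allow` accepts it), and the per-route form of the CIDR restriction is the documented `haproxy.router.openshift.io/ip_whitelist` annotation, which the script parses and rejects when it is malformed or world-open. Passthrough routes are noted because the router cannot apply its TLS profile or strip headers on them. The RouteList below is constructed inline; this is also the kind of check the "regular checks" step later in this guide calls for.

```python
"""Audit OpenShift Route objects for ingress-hardening violations.

Added example, not part of the original guide or of OpenShift. Input is the
JSON shape of `oc get routes -A -o json` (route.openshift.io/v1); the sample
below is constructed inline with documentation addresses only.
"""
import ipaddress
import json

# Documented HAProxy router annotation: space-separated IPs/CIDRs allowed to reach the route
IP_WHITELIST = "haproxy.router.openshift.io/ip_whitelist"

# Constructed sample: a trimmed RouteList as the CLI would print it
SAMPLE_ROUTES_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"host": "shop.example.com",
                  "tls": {"termination": "edge",
                          "insecureEdgeTerminationPolicy": "Redirect"}}},
        {"metadata": {"namespace": "shop", "name": "legacy"},
         "spec": {"host": "legacy.example.com"}},
        {"metadata": {"namespace": "shop", "name": "mixed"},
         "spec": {"host": "mixed.example.com",
                  "tls": {"termination": "edge",
                          "insecureEdgeTerminationPolicy": "Allow"}}},
        {"metadata": {"namespace": "pay", "name": "api"},
         "spec": {"host": "api.example.com",
                  "tls": {"termination": "reencrypt"}}},
        {"metadata": {"namespace": "pay", "name": "admin",
                      "annotations": {IP_WHITELIST: "192.168.100.0/24 0.0.0.0/0"}},
         "spec": {"host": "admin.example.com",
                  "tls": {"termination": "passthrough"}}},
    ]
})


def check_whitelist(value):
    """Validate an ip_whitelist annotation value; return a list of findings."""
    findings = []
    for token in value.split():
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            findings.append(f"ip_whitelist entry {token!r} is not a valid IP or CIDR")
            continue
        if net.prefixlen == 0:   # 0.0.0.0/0 or ::/0 admits every source address
            findings.append(f"ip_whitelist entry {token} allows every source address")
    return findings


def audit_route(route):
    """Return human-readable findings for one Route object (empty list = compliant)."""
    tls = route.get("spec", {}).get("tls")
    findings = []
    if tls is None:
        findings.append("no TLS: route is served over cleartext HTTP only")
    else:
        # An omitted insecureEdgeTerminationPolicy behaves like None (cleartext refused)
        if tls.get("insecureEdgeTerminationPolicy", "None") == "Allow":
            findings.append("cleartext HTTP accepted alongside TLS (Allow); use Redirect or None")
        if tls.get("termination") == "passthrough":
            findings.append("passthrough: the router's TLS profile and header filtering do not apply")
    annotations = route.get("metadata", {}).get("annotations", {})
    if IP_WHITELIST in annotations:
        findings.extend(check_whitelist(annotations[IP_WHITELIST]))
    return findings


def audit_routes(routes_json):
    """Map 'namespace/name' to findings for every non-compliant route in a RouteList JSON."""
    report = {}
    for route in json.loads(routes_json).get("items", []):
        meta = route["metadata"]
        findings = audit_route(route)
        if findings:
            report[f"{meta['namespace']}/{meta['name']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_routes(SAMPLE_ROUTES_JSON).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run it against a live cluster with `oc get routes -A -o json | python3 audit_routes.py` after replacing the sample with `sys.stdin.read()`; routes that appear in the report are the ones to fix before tightening the controller-level settings.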
Ensure strong ciphers and protocols are used.
Create a custom IngressController with specific TLS settings:

```yaml
spec:
  tlsSecurityProfile:
    type: Custom
    # for type Custom, the cipher list and minimum version live under "custom"
    custom:
      ciphers:
        - ECDHE-ECDSA-AES256-GCM-SHA384
        - ECDHE-RSA-AES256-GCM-SHA384
        - ECDHE-ECDSA-CHACHA20-POLY1305
        - ECDHE-RSA-CHACHA20-POLY1305
        - ECDHE-ECDSA-AES128-GCM-SHA256
        - ECDHE-RSA-AES128-GCM-SHA256
      minTLSVersion: VersionTLS12
```

Avoid leaking unnecessary headers like Server, Via, etc.
Patch HAProxy via ConfigMap or modify IngressController config.
Example patch (advanced):
- Modify the HAProxy template used by the router pod to remove unwanted headers.
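To make the two preceding points checkable rather than aspirational, here is an added example (written for this guide, not code from the original page or from OpenShift) with two offline checks: one reviews a `tlsSecurityProfile` dict against a forward-secrecy-and-AEAD policy, the other parses a raw HTTP response head (what `curl -i` prints) and reports headers that disclose server software or topology. The profile shape (`type: Custom` with `custom.ciphers` and `custom.minTLSVersion`, plus the `Old`/`Intermediate`/`Modern` floors) follows the IngressController API; the "weak" rules and the header list are this example's own policy, not an OpenShift default. Both sample profiles and both sample responses are constructed.

```python
"""Review an IngressController tlsSecurityProfile and scan response headers for leaks.

Added example, not part of the original guide or of OpenShift. Cipher names use
OpenSSL notation, as HAProxy does. The weakness rules are this example's policy.
"""
import re

STRONG_VERSIONS = ("VersionTLS12", "VersionTLS13")
# Minimum TLS version of each predefined profile type, as documented for OpenShift
PREDEFINED_MIN = {"Old": "VersionTLS10", "Intermediate": "VersionTLS12", "Modern": "VersionTLS13"}
# Response headers that reveal software versions or internal topology (example policy)
LEAK_HEADERS = {"server", "via", "x-powered-by", "x-aspnet-version"}

# Constructed sample: the profile from the guide above
PAGE_PROFILE = {
    "type": "Custom",
    "custom": {
        "ciphers": [
            "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        ],
        "minTLSVersion": "VersionTLS12",
    },
}
# Constructed sample: allows TLS 1.0 and suites without forward secrecy or AEAD
WEAK_PROFILE = {
    "type": "Custom",
    "custom": {"ciphers": ["AES256-SHA", "ECDHE-RSA-AES128-SHA"],
               "minTLSVersion": "VersionTLS10"},
}


def cipher_findings(name):
    """Flag a suite lacking ECDHE (forward secrecy), lacking AEAD, or using legacy primitives."""
    n = name.upper()
    findings = []
    tls13 = n.startswith("TLS_")  # TLS 1.3 suite names (TLS_AES_..., TLS_CHACHA20_...) are always PFS + AEAD
    if not tls13 and not n.startswith("ECDHE-"):
        findings.append(f"{name}: no ECDHE key exchange (no forward secrecy)")
    if not tls13 and not any(t in n for t in ("GCM", "CHACHA20")):
        findings.append(f"{name}: not an AEAD suite (CBC or legacy MAC)")
    for bad in ("RC4", "DES-", "NULL", "MD5", "EXPORT"):
        if bad in n:
            findings.append(f"{name}: legacy primitive {bad}")
    return findings


def check_tls_profile(profile):
    """Return findings for a spec.tlsSecurityProfile dict (empty list = acceptable)."""
    ptype = profile.get("type")
    if ptype in PREDEFINED_MIN:
        floor = PREDEFINED_MIN[ptype]
        return [] if floor in STRONG_VERSIONS else [f"{ptype} profile allows {floor}"]
    custom = profile.get("custom", {})
    findings = []
    version = custom.get("minTLSVersion")
    if version not in STRONG_VERSIONS:
        findings.append(f"minTLSVersion {version!r} permits TLS older than 1.2")
    ciphers = custom.get("ciphers") or []
    if not ciphers:
        findings.append("Custom profile without a ciphers list")
    for cipher in ciphers:
        findings.extend(cipher_findings(cipher))
    return findings


def parse_response_head(raw):
    """Split a raw HTTP/1.x response into (status code, {lowercase header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def header_findings(raw):
    """Report disclosure headers present and a missing Strict-Transport-Security header."""
    _, headers = parse_response_head(raw)
    findings = [f"{name} discloses {', '.join(headers[name])!r}"
                for name in sorted(LEAK_HEADERS & headers.keys())]
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security header")
    return findings


# Constructed sample responses: a chatty backend behind the router, and a hardened one
LEAKY_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Unix)\r\nVia: 1.1 router-default\r\n"
                  "X-Powered-By: PHP/8.1.2\r\nContent-Type: text/html\r\n\r\n<html>")
CLEAN_RESPONSE = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
                  "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    for label, profile in (("page profile", PAGE_PROFILE), ("weak profile", WEAK_PROFILE)):
        print(label, check_tls_profile(profile) or "OK")
    print("leaky response", header_findings(LEAKY_RESPONSE))
    print("clean response", header_findings(CLEAN_RESPONSE) or "OK")
```

The header check deliberately stays on the response side: whether a header is added by the application, by the router, or by something in front of it is exactly what `curl -i` against the route reveals, and the finding is the same regardless of which layer has to drop it.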
OpenShift does not provide native rate limiting, but you can integrate:
- Use OpenShift Service Mesh (Istio) with Envoy’s rate-limiting features.
- Deploy a WAF (Web Application Firewall) like ModSecurity alongside HAProxy.
- Use cloud provider tools (e.g., AWS WAF, Azure Front Door, Cloudflare).
Use multiple Ingress Controllers for different classes of applications.
Deploy additional IngressControllers:

```shell
oc create namespace sensitive-ingress
oc apply -f - <<EOF
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: sensitive-router
  namespace: openshift-ingress-operator
spec:
  namespaceSelector:
    matchLabels:
      app: sensitive
  replicas: 2
  endpointPublishingStrategy:
    type: HostNetwork
EOF
```

Apply strict policies to this dedicated Ingress Controller.
Enable logging and monitoring for suspicious activity.
- Enable access logs for the IngressController:

```yaml
spec:
  logging:
    access:
      # access logging is switched on by choosing a destination:
      # Container writes to a sidecar in the router pod, Syslog forwards to an external endpoint
      destination:
        type: Container
```

- Integrate with OpenShift Logging or external SIEM (e.g., Splunk, ELK).
- Use Prometheus and Grafana for real-time metrics.
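Collecting the access log is only useful if something reads it, so here is an added example (written for this guide, not code from the original page or from OpenShift) of the kind of detection a SIEM rule or a cron job would run over the router's access log: it parses lines in HAProxy's standard HTTP log format (client:port, bracketed timestamp, frontend, backend/server, timers, status, bytes, then the quoted request), counts denied responses per client to surface path scanning or credential guessing, and lists requests that arrived on a cleartext frontend. The frontend names (`public` for port 80, `fe_sni` for TLS) follow the router's HAProxy template and should be confirmed for your release; the threshold is this example's own policy, and every log line is constructed with documentation addresses.

```python
"""Scan HAProxy router access logs for denied-request bursts and cleartext hits.

Added example, not part of the original guide or of OpenShift. Assumes HAProxy's
standard HTTP log format as emitted by the router; any timestamp or pod-name
prefix before the client address is tolerated because the regex uses search().
"""
import collections
import re

LOG_RE = re.compile(
    r'(?P<client>\d{1,3}(?:\.\d{1,3}){3}):\d+ \[(?P<ts>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>\S+) (?P<timers>\S+) (?P<status>\d{3}) (?P<bytes>\d+) .*?"(?P<request>[^"]*)"'
)
DENIED = {401, 403, 404}          # responses typical of probing or credential guessing
CLEARTEXT_FRONTENDS = {"public"}  # router frontend bound to :80 (assumption: confirm per release)

# Constructed sample lines: one legitimate client, one scanner, one cleartext health probe
SAMPLE_LOG = [
    '10.128.0.5:43210 [15/Jan/2024:10:00:00.123] fe_sni be_secure:shop:web/pod:web-1:web:10.128.2.10:8080 0/0/0/12/12 200 1240 - - ---- 3/3/0/0/0 0/0 "GET / HTTP/1.1"',
    '203.0.113.9:51000 [15/Jan/2024:10:00:01.001] fe_sni be_secure:shop:web/pod:web-1:web:10.128.2.10:8080 0/0/0/3/3 404 512 - - ---- 4/4/0/0/0 0/0 "GET /wp-login.php HTTP/1.1"',
    '203.0.113.9:51001 [15/Jan/2024:10:00:01.050] fe_sni be_secure:shop:web/pod:web-1:web:10.128.2.10:8080 0/0/0/2/2 404 512 - - ---- 4/4/0/0/0 0/0 "GET /.env HTTP/1.1"',
    '203.0.113.9:51002 [15/Jan/2024:10:00:01.120] fe_sni be_secure:shop:web/pod:web-1:web:10.128.2.10:8080 0/0/0/2/2 403 380 - - ---- 4/4/0/0/0 0/0 "GET /admin/ HTTP/1.1"',
    '203.0.113.9:51003 [15/Jan/2024:10:00:02.000] fe_sni be_secure:pay:api/pod:api-2:api:10.128.3.7:8443 0/0/0/9/9 401 210 - - ---- 4/4/0/0/0 0/0 "POST /api/login HTTP/1.1"',
    '203.0.113.9:51004 [15/Jan/2024:10:00:02.300] fe_sni be_secure:pay:api/pod:api-2:api:10.128.3.7:8443 0/0/0/8/8 401 210 - - ---- 4/4/0/0/0 0/0 "POST /api/login HTTP/1.1"',
    '198.51.100.4:40022 [15/Jan/2024:10:00:03.000] public be_http:shop:legacy/pod:legacy-1:legacy:10.128.2.11:8080 0/0/0/1/1 200 64 - - ---- 1/1/0/0/0 0/0 "GET /health HTTP/1.1"',
    '10.128.0.5:43211 [15/Jan/2024:10:00:04.000] fe_sni be_secure:pay:api/pod:api-2:api:10.128.3.7:8443 0/0/0/15/15 200 2048 - - ---- 3/3/0/0/0 0/0 "GET /api/orders HTTP/1.1"',
    'router-default-7c9 haproxy[12]: Proxy fe_sni started.',  # not an access line
]


def parse_line(line):
    """Return the interesting fields of one access-log line, or None if it does not match."""
    match = LOG_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def analyze(lines, threshold=4):
    """Summarise a batch of lines: clients with >= threshold denied responses,
    requests that arrived on a cleartext frontend, and lines that did not parse."""
    denied = collections.Counter()
    cleartext = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"] in DENIED:
            denied[rec["client"]] += 1
        if rec["frontend"] in CLEARTEXT_FRONTENDS:
            cleartext.append((rec["client"], rec["request"]))
    return {
        "scanners": {ip: n for ip, n in denied.items() if n >= threshold},
        "cleartext": cleartext,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, count in result["scanners"].items():
        print(f"{ip}: {count} denied responses in batch (possible scanning/brute force)")
    for ip, request in result["cleartext"]:
        print(f"cleartext request from {ip}: {request}")
    print(f"{result['unparsed']} line(s) did not match the access-log format")
```

A count of unparsed lines is reported on purpose: a silent format change (a new router release, a switched log destination) would otherwise look like an absence of attacks rather than a broken detection.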
Perform regular checks and updates.
- Use `oc adm` commands to audit routes and IngressController configs.
- Keep OpenShift updated to latest versions (especially for CVE fixes).
- Run penetration tests on exposed endpoints.
Offload authentication to an identity provider.
- Configure OAuth with external providers (LDAP, GitHub, OIDC, etc.).
- Use JWT validation in Service Mesh for per-route auth.
- Protect routes with OpenShift’s built-in OAuth proxy sidecar if needed.
| Tool | Purpose |
|---|---|
| curl -v https://myroute.example.com | Check TLS handshake and headers |
| nuclei | Scan for common web vulnerabilities |
| testssl.sh | Test SSL/TLS configuration |
| openshift-install | Inspect IPI-generated IngressController config |
| oc get ingresses.config.openshift.io | View global Ingress settings |
| Hardening Step | Status |
|---|---|
| Enforce HTTPS/TLS everywhere | ✅ |
| Disable HTTP access | ✅ |
| Use strong TLS versions/ciphers | ✅ |
| Restrict IPs via CIDR | ✅ |
| Separate ingress for sensitive apps | ✅ |
| Monitor and log traffic | ✅ |
| Implement rate limiting/WAF | ✅ |
| Use external identity providers | ✅ |
Would you like a sample hardened IngressController YAML manifest or help implementing any of these steps?