OCP 4.16 Deployment – Master and Worker Nodes on D...

yamope · ‎08-15-2025

I am planning to install OpenShift Container Platform (OCP) version 4.16 with the following topology:

3 master nodes (control plane)
3 worker nodes (data plane)

Question:
Can the master node IP addresses and the worker node IP addresses be in different network subnets? If yes, what are the technical considerations or requirements for such a setup?

The compliance team has advised that:

Master nodes (control plane) must be in the control-plane subnet.
Worker nodes (data plane) must be in the data-plane subnet.

Proposed configuration:

apilb01 api-loadbalancer01.com.vn 10.1.13.103 255.255.0.0

apilb02 api-loadbalancer02.com.vn 10.1.13.104 255.255.0.0

apilbvip 10.1.13.105

ingresslb01 ingress-loadbalancer01.com.vn 172.16.1.11 255.255.0.0

ingresslb02 ingress-loadbalancer02.com.vn 172.16.1.12 255.255.0.0

ingresslbvip 172.16.1.13

*.apps *.apps.com.vn 172.16.1.13 255.255.0.0

master01 master01.com.vn 10.1.13.85 255.255.0.0

master02 master02.com.vn 10.1.13.86 255.255.0.0

master03 master03.com.vn 10.1.13.87 255.255.0.0

worker01 worker01.com.vn 172.16.1.85 255.255.0.0

worker02 worker02.com.vn 172.16.1.86 255.255.0.0

worker03 worker03.com.vn 172.16.1.87 255.255.0.0

Chetan_Tiwary_ · ‎08-15-2025

@yamope Refer this documentation : https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/nodes/remote-worker-...

https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html-single/deploying_ins...

https://docs.redhat.com/en/documentation/openshift_container_platform/4.16/html/nodes/remote-worker-...

some obvious things that one need inorder is that routing works seamlessly between all your subnets. You want to be sure the installer understands how these subnets are set up.

Also, be sure to put your Ingress VIP in the right spot.

yamope · ‎08-16-2025

Thanks Chetan, It's value for me.

I also found some other redhat topic metion about this too. The next question is do we know what is best practise : All workers and master the same subnet or separate ? or depend on use cases? if yes, what are use cases? ( I'm going to looking for this information and update , looking forward for your rep too)
example:

https://issues.redhat.com/browse/OCPSTRAT-462

or

https://access.redhat.com/solutions/7018925

Issue

The worker nodes are in different subnets and there's a requirement to place the ingressVIP virtual IP address exclusively with the control plane nodes.
How to configure ingressVIP to be placed over control plane nodes only in vSphere?

Resolution

From OpenShift 4.13 onwards, it's possible to configure network components to run on the control plane such as ingressVIP.
First, create the install-config.yaml file and then manifests from it.

Chetan_Tiwary_ · ‎08-17-2025

@yamope

The decision between a single, unified network and a split, segmented one comes down to your cluster's goals.

For simplicity, a single subnet for both the control plane and workers works well. It is a great choice for smaller, contained environments.

If you need to scale, spread your cluster across different locations, or meet specific security rules, separating your subnets is a much better choice. For remote deployments, strict security needs, or certain cloud offerings, using segmented subnets is the best practice. Refer the same here in OCP doc :

Also from the same OCP dcouments ,I can see that you must place the ingress VIP on the control plane :

Check the same in Azure Red Hat Openshift ( ARO ) :

Red Hat Openshift on AWS ( ROSA ) :

OCP 4.16 Deployment – Master and Worker Nodes on Different Subnets?

OCP 4