Red Hat Summit Red Hat SummitSupportKonsoleEntwicklerDemo startenKontakt

Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 2. Using a firewall

Firewalls are not required in Red Hat build of MicroShift, but using a firewall can prevent undesired access to the Red Hat build of MicroShift API.

2.1. About network traffic through the firewall
Link kopieren

When using a firewall, you must explicitly allow the following OVN-Kubernetes traffic when the firewalld service is running:

CNI pod to CNI pod
CNI pod to Host-Network pod Host-Network pod to Host-Network pod
CNI pod
The Kubernetes pod that uses the CNI network
Host-Network pod
The Kubernetes pod that uses host network Install and configure the firewalld service by using the following procedures.
Important

Red Hat build of MicroShift pods must have access to the internal CoreDNS component and API servers.

2.2. Installing the firewalld service
Link kopieren

Use the following procedure to install and run the firewalld service for Red Hat build of MicroShift.

Procedure

  1. To install the firewalld service, run the following command: 

    $ sudo dnf install -y firewalld
    Copy to Clipboard Toggle word wrap

  2. To initiate the firewall, run the following command: 

    $ sudo systemctl enable firewalld --now
    Copy to Clipboard Toggle word wrap

2.3. Required firewall settings
Link kopieren

An IP address range for the cluster network must be enabled during firewall configuration. You can use the default values or customize the IP address range. If you choose to customize the cluster network IP address range from the default 10.42.0.0/16 setting, you must also use the same custom range in the firewall configuration.

Expand
Table 2.1. Firewall IP address settings
IP RangeFirewall rule requiredDescription

10.42.0.0/16

No

Host network pod access to other pods

169.254.169.1

Yes

Host network pod access to Red Hat build of MicroShift API server

The following are examples of commands for settings that are mandatory for firewall configuration:

Example commands

  • Configure host network pod access to other pods: 

    $ sudo firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
    Copy to Clipboard Toggle word wrap

  • Configure host network pod access to services backed by Host endpoints, such as the Red Hat build of MicroShift API: 

    $ sudo firewall-cmd --permanent --zone=trusted --add-source=169.254.169.1
    Copy to Clipboard Toggle word wrap

2.4. Using optional port settings
Link kopieren

The Red Hat build of MicroShift firewall service allows optional port settings.

Procedure

  • To add customized ports to your firewall configuration, use the following command syntax: 

    $ sudo firewall-cmd --permanent --zone=public --add-port=<port number>/<port protocol>
    Copy to Clipboard Toggle word wrap
    Expand
    Table 2.2. Optional ports
    Port(s)Protocol(s)Description

    80

    TCP

    HTTP port used to serve applications through the OpenShift Container Platform router.

    443

    TCP

    HTTPS port used to serve applications through the OpenShift Container Platform router.

    5353

    UDP

    mDNS service to respond for OpenShift Container Platform route mDNS hosts.

    30000-32767

    TCP

    Port range reserved for NodePort services; can be used to expose applications on the LAN.

    30000-32767

    UDP

    Port range reserved for NodePort services; can be used to expose applications on the LAN.

    6443

    TCP

    HTTPS API port for the Red Hat build of MicroShift API.

The following are examples of commands used when requiring external access through the firewall to services running on Red Hat build of MicroShift, such as port 6443 for the API server, for example, ports 80 and 443 for applications exposed through the router.

Example commands

  • Configuring a port for the Red Hat build of MicroShift API server: 

    $ sudo firewall-cmd --permanent --zone=public --add-port=6443/tcp
    Copy to Clipboard Toggle word wrap

  • Configuring ports for applications exposed through the router: 

    $ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
    Copy to Clipboard Toggle word wrap 
    $ sudo firewall-cmd --permanent --zone=public --add-port=443/tcp
    Copy to Clipboard Toggle word wrap

2.5. Allowing network traffic through the firewall
Link kopieren

You can allow network traffic through the firewall by first configuring the IP address range with either default or custom values, and then allow internal traffic from pods through the network gateway by inserting the DNS server.

Procedure

Set the default values or a custom IP address range. After setting the IP address range, allow internal traffic from the pods through the network gateway.

  1. To set the IP address range:

    1. To configure the IP address range with default values, run the following command: 

      $ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=10.42.0.0/16
      Copy to Clipboard Toggle word wrap

    2. Alternatively, you can configure the IP address range with custom values by running the following command: 

      $ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=<custom IP range>
      Copy to Clipboard Toggle word wrap

  2. To allow internal traffic from pods through the network gateway, run the following command: 

    $ sudo firewall-offline-cmd --permanent --zone=trusted --add-source=169.254.169.1
    Copy to Clipboard Toggle word wrap

2.5.1. Applying firewall settings
Link kopieren

To apply firewall settings, use the following one-step procedure:

Procedure

After you have finished configuring network access through the firewall, run the following command to restart the firewall and apply settings: 

$ sudo firewall-cmd --reload
Copy to Clipboard Toggle word wrap

2.6. Verifying firewall settings
Link kopieren

After you have restarted the firewall, you can verify your settings by listing them.

Procedure

  • To verify rules added in the default public zone, such as ports-related rules, run the following command: 

    $ sudo firewall-cmd --list-all
    Copy to Clipboard Toggle word wrap

  • To verify rules added in the trusted zone, such as IP-range related rules, run the following command: 

    $ sudo firewall-cmd --zone=trusted --list-all
    Copy to Clipboard Toggle word wrap

2.7. Known firewall issue
Link kopieren

  • To avoid breaking traffic flows with a firewall reload or restart, execute firewall commands before starting Red Hat build of MicroShift. The CNI driver in Red Hat build of MicroShift makes use of iptable rules for some traffic flows, such as those using the NodePort service. The iptable rules are generated and inserted by the CNI driver, but are deleted when the firewall reloads or restarts. The absence of the iptable rules breaks traffic flows. If firewall commands have to be executed after Red Hat build of MicroShift is running, manually restart ovnkube-master pod in the openshift-ovn-kubernetes namespace to reset the rules controlled by the CNI driver.
Nach oben
Red Hat logoGithubredditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können. Entdecken Sie unsere neuesten Updates.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

Theme

© 2025 Red Hat