Chapter 2. Configuring your firewall
If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
2.1. Configuring your firewall for OpenShift Container Platform
Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires. When using a firewall, make additional configurations to the firewall so that OpenShift Container Platform can access the sites that it requires to function.
There are no special configuration considerations for services running on only controller nodes compared to worker nodes.
If your environment has a dedicated load balancer in front of your OpenShift Container Platform cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.
Procedure
Set the following registry URLs for your firewall’s allowlist:
URL | Port | Function |
---|---|---|
registry.redhat.io | 443 | Provides core container images |
access.redhat.com | 443 | Hosts a signature store that a container client requires for verifying images pulled from registry.access.redhat.com. In a firewall environment, ensure that this resource is on the allowlist. |
registry.access.redhat.com | 443 | Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images. |
quay.io | 443 | Provides core container images |
cdn.quay.io | 443 | Provides core container images |
cdn01.quay.io | 443 | Provides core container images |
cdn02.quay.io | 443 | Provides core container images |
cdn03.quay.io | 443 | Provides core container images |
cdn04.quay.io | 443 | Provides core container images |
cdn05.quay.io | 443 | Provides core container images |
cdn06.quay.io | 443 | Provides core container images |
sso.redhat.com | 443 | The https://console.redhat.com site uses authentication from sso.redhat.com |
- You can use the wildcards *.quay.io and *.openshiftapps.com instead of cdn.quay.io and cdn0[1-6].quay.io in your allowlist.
- You can use the wildcard *.access.redhat.com to simplify the configuration and ensure that all subdomains, including registry.access.redhat.com, are allowed.
- When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as cdn01.quay.io.
- Set your firewall’s allowlist to include any site that provides resources for a language or framework that your builds require.
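The denylist caveat in the notes above, as an added example that is not part of the Red Hat documentation: a small policy matcher that expands the cdn0[1-6].quay.io shorthand, applies the usual wildcard semantics, and walks the hostnames an image pull touches. It assumes the firewall evaluates denylist entries before allowlist entries and that the CDN redirect lands on cdn01.quay.io (a constructed pull chain).

```python
import re

# Added example, not Red Hat's code. Assumption: the firewall evaluates denylist
# entries before allowlist entries, and "*.example.com" covers subdomains only.

def expand_range(pattern):
    """Expand the doc's 'cdn0[1-6].quay.io' shorthand into cdn01..cdn06."""
    m = re.search(r"\[(\d)-(\d)\]", pattern)
    if not m:
        return [pattern]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [pattern[:m.start()] + str(d) + pattern[m.end():] for d in range(lo, hi + 1)]

def matches(host, entry):
    """'*.quay.io' matches any subdomain of quay.io but not quay.io itself;
    an entry without a wildcard must match the hostname exactly."""
    if entry.startswith("*."):
        return host.endswith(entry[1:]) and host != entry[2:]
    return host == entry

def decide(host, allowlist, denylist):
    """Deny wins: a wildcard in the denylist overrides an exact allowlist entry."""
    if any(matches(host, e) for e in denylist):
        return "deny"
    return "allow" if any(matches(host, e) for e in allowlist) else "deny"

# Constructed pull chain: the client asks quay.io, then follows the CDN redirect.
PULL_CHAIN = ["quay.io", "cdn01.quay.io"]

def first_blocked(chain, allowlist, denylist):
    """Return the first hostname in an image pull that the policy would block,
    or None when every hop is permitted."""
    for host in chain:
        if decide(host, allowlist, denylist) == "deny":
            return host
    return None

if __name__ == "__main__":
    allow = ["quay.io", "cdn.quay.io"] + expand_range("cdn0[1-6].quay.io")
    # Allowlisting quay.io while denylisting *.quay.io breaks pulls at the CDN hop.
    print(first_blocked(PULL_CHAIN, allow, ["*.quay.io"]))  # cdn01.quay.io
    print(first_blocked(PULL_CHAIN, allow, []))             # None
```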
If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
URL | Port | Function |
---|---|---|
cert-api.access.redhat.com | 443 | Required for Telemetry |
api.access.redhat.com | 443 | Required for Telemetry |
infogw.api.openshift.com | 443 | Required for Telemetry |
console.redhat.com | 443 | Required for Telemetry and for insights-operator |
If you use Alibaba Cloud, Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that offer the cloud provider API and DNS for that cloud:
Cloud | URL | Port | Function |
---|---|---|---|
Alibaba | *.aliyuncs.com | 443 | Required to access Alibaba Cloud services and resources. Review the Alibaba endpoints_config.go file to find the exact endpoints to allow for the regions that you use. |
AWS | aws.amazon.com | 443 | Used to install and manage clusters in an AWS environment. |
| *.amazonaws.com | 443 | Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to find the exact endpoints to allow for the regions that you use. Alternatively, if you choose to not use a wildcard for AWS APIs, you must include the following URLs in your allowlist: |
| ec2.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| events.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| iam.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| route53.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| *.s3.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| *.s3.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| *.s3.dualstack.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| sts.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| sts.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| tagging.us-east-1.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in. |
| ec2.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| elasticloadbalancing.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| servicequotas.<aws_region>.amazonaws.com | 443 | Required. Used to confirm quotas for deploying the service. |
| tagging.<aws_region>.amazonaws.com | 443 | Allows the assignment of metadata about AWS resources in the form of tags. |
| *.cloudfront.net | 443 | Used to provide access to CloudFront. If you use the AWS Security Token Service (STS) and the private S3 bucket, you must provide access to CloudFront. |
GCP | *.googleapis.com | 443 | Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to find the endpoints to allow for your APIs. |
| accounts.google.com | 443 | Required to access your GCP account. |
Microsoft Azure | management.azure.com | 443 | Required to access Microsoft Azure services and resources. Review the Microsoft Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs. |
| *.blob.core.windows.net | 443 | Required to download Ignition files. |
| login.microsoftonline.com | 443 | Required to access Microsoft Azure services and resources. Review the Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs. |
Allowlist the following URLs:
URL | Port | Function |
---|---|---|
*.apps.<cluster_name>.<base_domain> | 443 | Required to access the default cluster routes unless you set an ingress wildcard during installation. |
api.openshift.com | 443 | Required both for your cluster token and to check if updates are available for the cluster. |
console.redhat.com | 443 | Required for your cluster token. |
mirror.openshift.com | 443 | Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
quayio-production-s3.s3.amazonaws.com | 443 | Required to access Quay image content in AWS. |
rhcos.mirror.openshift.com | 443 | Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images. |
sso.redhat.com | 443 | The https://console.redhat.com site uses authentication from sso.redhat.com |
storage.googleapis.com/openshift-release | 443 | A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:
- oauth-openshift.apps.<cluster_name>.<base_domain>
- canary-openshift-ingress-canary.apps.<cluster_name>.<base_domain>
- console-openshift-console.apps.<cluster_name>.<base_domain>, or the hostname that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.
Allowlist the following URLs for optional third-party content:
URL | Port | Function |
---|---|---|
registry.connect.redhat.com | 443 | Required for all third-party images and certified operators. |
rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com | 443 | Provides access to container images hosted on registry.connect.redhat.com |
oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com | 443 | Required for Sonatype Nexus, F5 Big IP operators. |
If you use a default Red Hat Network Time Protocol (NTP) server, allow the following URLs:
- 1.rhel.pool.ntp.org
- 2.rhel.pool.ntp.org
- 3.rhel.pool.ntp.org
If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.
2.2. OpenShift Container Platform network flow matrix
The network flow matrix describes the ingress flows to OpenShift Container Platform services. The network information in the matrix is accurate for both bare-metal and cloud environments. Use the information in the network flow matrix to help you manage ingress traffic. You can restrict ingress traffic to essential flows to improve network security.
To view or download the raw CSV content, see this resource.
Additionally, consider the following dynamic port ranges when managing ingress traffic:
- 9000-9999: Host level services
- 30000-32767: Kubernetes node ports
- 49152-65535: Dynamic or private ports
The network flow matrix describes ingress traffic flows for a base OpenShift Container Platform installation. It does not describe network flows for additional components, such as optional Operators available from the Red Hat Marketplace. The matrix does not apply to Hosted-Control-Plane, MicroShift, or standalone clusters.
Direction | Protocol | Port | Namespace | Service | Pod | Container | Node Role | Optional |
---|---|---|---|---|---|---|---|---|
Ingress | TCP | 22 | Host system service | sshd | | | master | TRUE |
Ingress | TCP | 53 | openshift-dns | dns-default | dnf-default | dns | master | FALSE |
Ingress | TCP | 80 | openshift-ingress | router-default | router-default | router | master | FALSE |
Ingress | TCP | 111 | Host system service | rpcbind | | | master | TRUE |
Ingress | TCP | 443 | openshift-ingress | router-default | router-default | router | master | FALSE |
Ingress | TCP | 1936 | openshift-ingress | router-default | router-default | router | master | FALSE |
Ingress | TCP | 2379 | openshift-etcd | etcd | etcd | etcdctl | master | FALSE |
Ingress | TCP | 2380 | openshift-etcd | healthz | etcd | etcd | master | FALSE |
Ingress | TCP | 5050 | openshift-machine-api | | ironic-proxy | ironic-proxy | master | FALSE |
Ingress | TCP | 6080 | openshift-kube-apiserver | | kube-apiserver | kube-apiserver-insecure-readyz | master | FALSE |
Ingress | TCP | 6180 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
Ingress | TCP | 6183 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
Ingress | TCP | 6385 | openshift-machine-api | | ironic-proxy | ironic-proxy | master | FALSE |
Ingress | TCP | 6388 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
Ingress | TCP | 6443 | openshift-kube-apiserver | apiserver | kube-apiserver | kube-apiserver | master | FALSE |
Ingress | TCP | 8080 | openshift-network-operator | | network-operator | network-operator | master | FALSE |
Ingress | TCP | 8798 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | machine-config-daemon | master | FALSE |
Ingress | TCP | 9001 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | kube-rbac-proxy | master | FALSE |
Ingress | TCP | 9099 | openshift-cluster-version | cluster-version-operator | cluster-version-operator | cluster-version-operator | master | FALSE |
Ingress | TCP | 9100 | openshift-monitoring | node-exporter | node-exporter | kube-rbac-proxy | master | FALSE |
Ingress | TCP | 9103 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-node | master | FALSE |
Ingress | TCP | 9104 | openshift-network-operator | metrics | network-operator | network-operator | master | FALSE |
Ingress | TCP | 9105 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-ovn-metrics | master | FALSE |
Ingress | TCP | 9107 | openshift-ovn-kubernetes | egressip-node-healthcheck | ovnkube-node | ovnkube-controller | master | FALSE |
Ingress | TCP | 9108 | openshift-ovn-kubernetes | ovn-kubernetes-control-plane | ovnkube-control-plane | kube-rbac-proxy | master | FALSE |
Ingress | TCP | 9192 | openshift-cluster-machine-approver | machine-approver | machine-approver | kube-rbac-proxy | master | FALSE |
Ingress | TCP | 9258 | openshift-cloud-controller-manager-operator | machine-approver | cluster-cloud-controller-manager | cluster-cloud-controller-manager | master | FALSE |
Ingress | TCP | 9444 | openshift-kni-infra | | haproxy | haproxy | master | FALSE |
Ingress | TCP | 9445 | openshift-kni-infra | | haproxy | haproxy | master | FALSE |
Ingress | TCP | 9447 | openshift-machine-api | metal3-baremetal-operator | | | master | FALSE |
Ingress | TCP | 9537 | Host system service | crio-metrics | | | master | FALSE |
Ingress | TCP | 9637 | openshift-machine-config-operator | kube-rbac-proxy-crio | kube-rbac-proxy-crio | kube-rbac-proxy-crio | master | FALSE |
Ingress | TCP | 9978 | openshift-etcd | etcd | etcd | etcd-metrics | master | FALSE |
Ingress | TCP | 9979 | openshift-etcd | etcd | etcd | etcd-metrics | master | FALSE |
Ingress | TCP | 9980 | openshift-etcd | etcd | etcd | etcd | master | FALSE |
Ingress | TCP | 10250 | Host system service | kubelet | | | master | FALSE |
Ingress | TCP | 10256 | openshift-ovn-kubernetes | ovnkube | ovnkube | ovnkube-controller | master | FALSE |
Ingress | TCP | 10257 | openshift-kube-controller-manager | kube-controller-manager | kube-controller-manager | kube-controller-manager | master | FALSE |
Ingress | TCP | 10258 | openshift-cloud-controller-manager-operator | cloud-controller | cloud-controller-manager | cloud-controller-manager | master | FALSE |
Ingress | TCP | 10259 | openshift-kube-scheduler | scheduler | openshift-kube-scheduler | kube-scheduler | master | FALSE |
Ingress | TCP | 10260 | openshift-cloud-controller-manager-operator | cloud-controller | cloud-controller-manager | cloud-controller-manager | master | FALSE |
Ingress | TCP | 10300 | openshift-cluster-csi-drivers | csi-livenessprobe | csi-driver-node | csi-driver | master | FALSE |
Ingress | TCP | 10309 | openshift-cluster-csi-drivers | csi-node-driver | csi-driver-node | csi-node-driver-registrar | master | FALSE |
Ingress | TCP | 10357 | openshift-kube-apiserver | openshift-kube-apiserver-healthz | kube-apiserver | kube-apiserver-check-endpoints | master | FALSE |
Ingress | TCP | 17697 | openshift-kube-apiserver | openshift-kube-apiserver-healthz | kube-apiserver | kube-apiserver-check-endpoints | master | FALSE |
Ingress | TCP | 18080 | openshift-kni-infra | | coredns | coredns | master | FALSE |
Ingress | TCP | 22623 | openshift-machine-config-operator | machine-config-server | machine-config-server | machine-config-server | master | FALSE |
Ingress | TCP | 22624 | openshift-machine-config-operator | machine-config-server | machine-config-server | machine-config-server | master | FALSE |
Ingress | UDP | 53 | openshift-dns | dns-default | dnf-default | dns | master | FALSE |
Ingress | UDP | 111 | Host system service | rpcbind | | | master | TRUE |
Ingress | UDP | 6081 | openshift-ovn-kubernetes | ovn-kubernetes geneve | | | master | FALSE |
Ingress | TCP | 22 | Host system service | sshd | | | worker | TRUE |
Ingress | TCP | 53 | openshift-dns | dns-default | dnf-default | dns | worker | FALSE |
Ingress | TCP | 80 | openshift-ingress | router-default | router-default | router | worker | FALSE |
Ingress | TCP | 111 | Host system service | rpcbind | | | worker | TRUE |
Ingress | TCP | 443 | openshift-ingress | router-default | router-default | router | worker | FALSE |
Ingress | TCP | 1936 | openshift-ingress | router-default | router-default | router | worker | FALSE |
Ingress | TCP | 8798 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | machine-config-daemon | worker | FALSE |
Ingress | TCP | 9001 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | kube-rbac-proxy | worker | FALSE |
Ingress | TCP | 9100 | openshift-monitoring | node-exporter | node-exporter | kube-rbac-proxy | worker | FALSE |
Ingress | TCP | 9103 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-node | worker | FALSE |
Ingress | TCP | 9105 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-ovn-metrics | worker | FALSE |
Ingress | TCP | 9107 | openshift-ovn-kubernetes | egressip-node-healthcheck | ovnkube-node | ovnkube-controller | worker | FALSE |
Ingress | TCP | 9537 | Host system service | crio-metrics | | | worker | FALSE |
Ingress | TCP | 9637 | openshift-machine-config-operator | kube-rbac-proxy-crio | kube-rbac-proxy-crio | kube-rbac-proxy-crio | worker | FALSE |
Ingress | TCP | 10250 | Host system service | kubelet | | | worker | FALSE |
Ingress | TCP | 10256 | openshift-ovn-kubernetes | ovnkube | ovnkube | ovnkube-controller | worker | TRUE |
Ingress | TCP | 10300 | openshift-cluster-csi-drivers | csi-livenessprobe | csi-driver-node | csi-driver | worker | FALSE |
Ingress | TCP | 10309 | openshift-cluster-csi-drivers | csi-node-driver | csi-driver-node | csi-node-driver-registrar | worker | FALSE |
Ingress | TCP | 18080 | openshift-kni-infra | | coredns | coredns | worker | FALSE |
Ingress | UDP | 53 | openshift-dns | dns-default | dnf-default | dns | worker | FALSE |
Ingress | UDP | 111 | Host system service | rpcbind | | | worker | TRUE |
Ingress | UDP | 6081 | openshift-ovn-kubernetes | ovn-kubernetes geneve | | | worker | FALSE |
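As an added example that is not part of the Red Hat documentation: the matrix in its CSV form (a constructed excerpt of the rows above is embedded) turned into a per-role nftables input chain that accepts only the non-optional ingress flows and drops the rest. The table name ocp_ingress is made up, and the chain assumes loopback and established traffic are always acceptable.

```python
import csv
import io

# Constructed excerpt of the network flow matrix above, in the CSV layout the
# page links to. Added example; not Red Hat's code.
MATRIX_CSV = """\
Direction,Protocol,Port,Namespace,Service,Pod,Container,Node Role,Optional
Ingress,TCP,22,Host system service,sshd,,,master,TRUE
Ingress,TCP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
Ingress,TCP,6443,openshift-kube-apiserver,apiserver,kube-apiserver,kube-apiserver,master,FALSE
Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,master,FALSE
Ingress,TCP,22,Host system service,sshd,,,worker,TRUE
Ingress,TCP,443,openshift-ingress,router-default,router-default,router,worker,FALSE
Ingress,TCP,10250,Host system service,kubelet,,,worker,FALSE
Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,worker,TRUE
Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,worker,FALSE
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,worker,FALSE
"""

def essential_flows(csv_text, role, include_optional=False):
    """Return sorted (protocol, port, service) tuples for one node role, dropping
    optional flows unless asked, and de-duplicating repeated protocol/port pairs."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Direction"] != "Ingress" or row["Node Role"] != role:
            continue
        if row["Optional"].upper() == "TRUE" and not include_optional:
            continue
        key = (row["Protocol"].lower(), int(row["Port"]))
        seen.setdefault(key, row["Service"])
    return sorted((proto, port, svc) for (proto, port), svc in seen.items())

def nft_ruleset(csv_text, role, include_optional=False):
    """Render an nftables input chain that accepts only the listed flows and
    drops everything else; loopback and established traffic are accepted first."""
    lines = ["table inet ocp_ingress {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    iif lo accept", "    ct state established,related accept"]
    for proto, port, svc in essential_flows(csv_text, role, include_optional):
        lines.append(f'    {proto} dport {port} accept comment "{svc}"')
    lines += ["  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(nft_ruleset(MATRIX_CSV, "worker"))
```

A real node also needs the dynamic port ranges listed earlier (for example NodePorts 30000-32767), so treat the output as a starting point for review rather than a drop-in ruleset.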