Chapter 2. Configuring your firewall


If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.

2.1. Configuring your firewall for OpenShift Container Platform

Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires. When using a firewall, make additional configurations to the firewall so that OpenShift Container Platform can access the sites that it requires to function.

There are no special configuration considerations for services running on only controller nodes compared to worker nodes.

Note

If your environment has a dedicated load balancer in front of your OpenShift Container Platform cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.

Procedure

  1. Set the following registry URLs for your firewall’s allowlist:

    URLPortFunction

    registry.redhat.io

    443

    Provides core container images

    access.redhat.com

    443

    Hosts a signature store that a container client requires for verifying images pulled from registry.access.redhat.com. In a firewall environment, ensure that this resource is on the allowlist.

    registry.access.redhat.com

    443

    Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images.

    quay.io

    443

    Provides core container images

    cdn.quay.io

    443

    Provides core container images

    cdn01.quay.io

    443

    Provides core container images

    cdn02.quay.io

    443

    Provides core container images

    cdn03.quay.io

    443

    Provides core container images

    cdn04.quay.io

    443

    Provides core container images

    cdn05.quay.io

    443

    Provides core container images

    cdn06.quay.io

    443

    Provides core container images

    sso.redhat.com

    443

    The https://console.redhat.com site uses authentication from sso.redhat.com

    • You can use the wildcards *.quay.io and *.openshiftapps.com instead of cdn.quay.io and cdn0[1-6].quay.io in your allowlist.
    • You can use the wildcard *.access.redhat.com to simplify the configuration and ensure that all subdomains, including registry.access.redhat.com, are allowed.
    • When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as cdn01.quay.io.
  2. Set your firewall’s allowlist to include any site that provides resources for a language or framework that your builds require.
  3. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:

    URLPortFunction

    cert-api.access.redhat.com

    443

    Required for Telemetry

    api.access.redhat.com

    443

    Required for Telemetry

    infogw.api.openshift.com

    443

    Required for Telemetry

    console.redhat.com

    443

    Required for Telemetry and for insights-operator

  4. If you use Alibaba Cloud, Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that offer the cloud provider API and DNS for that cloud:

    CloudURLPortFunction

    Alibaba

    *.aliyuncs.com

    443

    Required to access Alibaba Cloud services and resources. Review the Alibaba endpoints_config.go file to find the exact endpoints to allow for the regions that you use.

    AWS

    aws.amazon.com

    443

    Used to install and manage clusters in an AWS environment.

    *.amazonaws.com

    Alternatively, if you choose to not use a wildcard for AWS APIs, you must include the following URLs in your allowlist:

    443

    Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to find the exact endpoints to allow for the regions that you use.

    ec2.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    events.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    iam.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    route53.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.dualstack.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    sts.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    sts.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    tagging.us-east-1.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in.

    ec2.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    elasticloadbalancing.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    servicequotas.<aws_region>.amazonaws.com

    443

    Required. Used to confirm quotas for deploying the service.

    tagging.<aws_region>.amazonaws.com

    443

    Allows the assignment of metadata about AWS resources in the form of tags.

    *.cloudfront.net

    443

    Used to provide access to CloudFront. If you use the AWS Security Token Service (STS) and the private S3 bucket, you must provide access to CloudFront.

    GCP

    *.googleapis.com

    443

    Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to find the endpoints to allow for your APIs.

    accounts.google.com

    443

    Required to access your GCP account.

    Microsoft Azure

    management.azure.com

    443

    Required to access Microsoft Azure services and resources. Review the Microsoft Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs.

    *.blob.core.windows.net

    443

    Required to download Ignition files.

    login.microsoftonline.com

    443

    Required to access Microsoft Azure services and resources. Review the Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs.

  5. Allowlist the following URLs:

    URLPortFunction

    *.apps.<cluster_name>.<base_domain>

    443

    Required to access the default cluster routes unless you set an ingress wildcard during installation.

    api.openshift.com

    443

    Required both for your cluster token and to check if updates are available for the cluster.

    console.redhat.com

    443

    Required for your cluster token.

    mirror.openshift.com

    443

    Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    quayio-production-s3.s3.amazonaws.com

    443

    Required to access Quay image content in AWS.

    rhcos.mirror.openshift.com

    443

    Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images.

    sso.redhat.com

    443

    The https://console.redhat.com site uses authentication from sso.redhat.com

    storage.googleapis.com/openshift-release

    443

    A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

    • oauth-openshift.apps.<cluster_name>.<base_domain>
    • canary-openshift-ingress-canary.apps.<cluster_name>.<base_domain>
    • console-openshift-console.apps.<cluster_name>.<base_domain>, or the hostname that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.
  6. Allowlist the following URLs for optional third-party content:

    URLPortFunction

    registry.connect.redhat.com

    443

    Required for all third-party images and certified operators.

    rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com

    443

    Provides access to container images hosted on registry.connect.redhat.com

    oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com

    443

    Required for Sonatype Nexus, F5 Big IP operators.

  7. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs:

    • 1.rhel.pool.ntp.org
    • 2.rhel.pool.ntp.org
    • 3.rhel.pool.ntp.org
Note

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.

2.2. OpenShift Container Platform network flow matrix

The network flow matrix describes the ingress flows to OpenShift Container Platform services. The network information in the matrix is accurate for both bare-metal and cloud environments. Use the information in the network flow matrix to help you manage ingress traffic. You can restrict ingress traffic to essential flows to improve network security.

To view or download the raw CSV content, see this resource.

Additionally, consider the following dynamic port ranges when managing ingress traffic:

  • 9000-9999: Host level services
  • 30000-32767: Kubernetes node ports
  • 49152-65535: Dynamic or private ports
Note

The network flow matrix describes ingress traffic flows for a base OpenShift Container Platform installation. It does not describe network flows for additional components, such as optional Operators available from the Red Hat Marketplace. The matrix does not apply for Hosted-Control-Plane, MicroShift, or standalone clusters.

Table 2.1. Network flow matrix
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

22

Host system service

sshd

  

master

TRUE

Ingress

TCP

53

openshift-dns

dns-default

dnf-default

dns

master

FALSE

Ingress

TCP

80

openshift-ingress

router-default

router-default

router

master

FALSE

Ingress

TCP

111

Host system service

rpcbind

  

master

TRUE

Ingress

TCP

443

openshift-ingress

router-default

router-default

router

master

FALSE

Ingress

TCP

1936

openshift-ingress

router-default

router-default

router

master

FALSE

Ingress

TCP

2379

openshift-etcd

etcd

etcd

etcdctl

master

FALSE

Ingress

TCP

2380

openshift-etcd

healthz

etcd

etcd

master

FALSE

Ingress

TCP

5050

openshift-machine-api

 

ironic-proxy

ironic-proxy

master

FALSE

Ingress

TCP

6080

openshift-kube-apiserver

 

kube-apiserver

kube-apiserver-insecure-readyz

master

FALSE

Ingress

TCP

6180

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6183

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6385

openshift-machine-api

 

ironic-proxy

ironic-proxy

master

FALSE

Ingress

TCP

6388

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6443

openshift-kube-apiserver

apiserver

kube-apiserver

kube-apiserver

master

FALSE

Ingress

TCP

8080

openshift-network-operator

 

network-operator

network-operator

master

FALSE

Ingress

TCP

8798

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

machine-config-daemon

master

FALSE

Ingress

TCP

9001

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

kube-rbac-proxy

master

FALSE

Ingress

TCP

9099

openshift-cluster-version

cluster-version-operator

cluster-version-operator

cluster-version-operator

master

FALSE

Ingress

TCP

9100

openshift-monitoring

node-exporter

node-exporter

kube-rbac-proxy

master

FALSE

Ingress

TCP

9103

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-node

master

FALSE

Ingress

TCP

9104

openshift-network-operator

metrics

network-operator

network-operator

master

FALSE

Ingress

TCP

9105

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-ovn-metrics

master

FALSE

Ingress

TCP

9107

openshift-ovn-kubernetes

egressip-node-healthcheck

ovnkube-node

ovnkube-controller

master

FALSE

Ingress

TCP

9108

openshift-ovn-kubernetes

ovn-kubernetes-control-plane

ovnkube-control-plane

kube-rbac-proxy

master

FALSE

Ingress

TCP

9192

openshift-cluster-machine-approver

machine-approver

machine-approver

kube-rbac-proxy

master

FALSE

Ingress

TCP

9258

openshift-cloud-controller-manager-operator

machine-approver

cluster-cloud-controller-manager

cluster-cloud-controller-manager

master

FALSE

Ingress

TCP

9444

openshift-kni-infra

 

haproxy

haproxy

master

FALSE

Ingress

TCP

9445

openshift-kni-infra

 

haproxy

haproxy

master

FALSE

Ingress

TCP

9447

openshift-machine-api

 

metal3-baremetal-operator

 

master

FALSE

Ingress

TCP

9537

Host system service

crio-metrics

  

master

FALSE

Ingress

TCP

9637

openshift-machine-config-operator

kube-rbac-proxy-crio

kube-rbac-proxy-crio

kube-rbac-proxy-crio

master

FALSE

Ingress

TCP

9978

openshift-etcd

etcd

etcd

etcd-metrics

master

FALSE

Ingress

TCP

9979

openshift-etcd

etcd

etcd

etcd-metrics

master

FALSE

Ingress

TCP

9980

openshift-etcd

etcd

etcd

etcd

master

FALSE

Ingress

TCP

10250

Host system service

kubelet

  

master

FALSE

Ingress

TCP

10256

openshift-ovn-kubernetes

ovnkube

ovnkube

ovnkube-controller

master

FALSE

Ingress

TCP

10257

openshift-kube-controller-manager

kube-controller-manager

kube-controller-manager

kube-controller-manager

master

FALSE

Ingress

TCP

10258

openshift-cloud-controller-manager-operator

cloud-controller

cloud-controller-manager

cloud-controller-manager

master

FALSE

Ingress

TCP

10259

openshift-kube-scheduler

scheduler

openshift-kube-scheduler

kube-scheduler

master

FALSE

Ingress

TCP

10260

openshift-cloud-controller-manager-operator

cloud-controller

cloud-controller-manager

cloud-controller-manager

master

FALSE

Ingress

TCP

10300

openshift-cluster-csi-drivers

csi-livenessprobe

csi-driver-node

csi-driver

master

FALSE

Ingress

TCP

10309

openshift-cluster-csi-drivers

csi-node-driver

csi-driver-node

csi-node-driver-registrar

master

FALSE

Ingress

TCP

10357

openshift-kube-apiserver

openshift-kube-apiserver-healthz

kube-apiserver

kube-apiserver-check-endpoints

master

FALSE

Ingress

TCP

17697

openshift-kube-apiserver

openshift-kube-apiserver-healthz

kube-apiserver

kube-apiserver-check-endpoints

master

FALSE

Ingress

TCP

18080

openshift-kni-infra

 

coredns

coredns

master

FALSE

Ingress

TCP

22623

openshift-machine-config-operator

machine-config-server

machine-config-server

machine-config-server

master

FALSE

Ingress

TCP

22624

openshift-machine-config-operator

machine-config-server

machine-config-server

machine-config-server

master

FALSE

Ingress

UDP

53

openshift-dns

dns-default

dnf-default

dns

master

FALSE

Ingress

UDP

111

Host system service

rpcbind

  

master

TRUE

Ingress

UDP

6081

openshift-ovn-kubernetes

ovn-kubernetes geneve

  

master

FALSE

Ingress

TCP

22

Host system service

sshd

  

worker

TRUE

Ingress

TCP

53

openshift-dns

dns-default

dnf-default

dns

worker

FALSE

Ingress

TCP

80

openshift-ingress

router-default

router-default

router

worker

FALSE

Ingress

TCP

111

Host system service

rpcbind

  

worker

TRUE

Ingress

TCP

443

openshift-ingress

router-default

router-default

router

worker

FALSE

Ingress

TCP

1936

openshift-ingress

router-default

router-default

router

worker

FALSE

Ingress

TCP

8798

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

machine-config-daemon

worker

FALSE

Ingress

TCP

9001

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

kube-rbac-proxy

worker

FALSE

Ingress

TCP

9100

openshift-monitoring

node-exporter

node-exporter

kube-rbac-proxy

worker

FALSE

Ingress

TCP

9103

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-node

worker

FALSE

Ingress

TCP

9105

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-ovn-metrics

worker

FALSE

Ingress

TCP

9107

openshift-ovn-kubernetes

egressip-node-healthcheck

ovnkube-node

ovnkube-controller

worker

FALSE

Ingress

TCP

9537

Host system service

crio-metrics

  

worker

FALSE

Ingress

TCP

9637

openshift-machine-config-operator

kube-rbac-proxy-crio

kube-rbac-proxy-crio

kube-rbac-proxy-crio

worker

FALSE

Ingress

TCP

10250

Host system service

kubelet

  

worker

FALSE

Ingress

TCP

10256

openshift-ovn-kubernetes

ovnkube

ovnkube

ovnkube-controller

worker

TRUE

Ingress

TCP

10300

openshift-cluster-csi-drivers

csi-livenessprobe

csi-driver-node

csi-driver

worker

FALSE

Ingress

TCP

10309

openshift-cluster-csi-drivers

csi-node-driver

csi-driver-node

csi-node-driver-registrar

worker

FALSE

Ingress

TCP

18080

openshift-kni-infra

 

coredns

coredns

worker

FALSE

Ingress

UDP

53

openshift-dns

dns-default

dnf-default

dns

worker

FALSE

Ingress

UDP

111

Host system service

rpcbind

  

worker

TRUE

Ingress

UDP

6081

openshift-ovn-kubernetes

ovn-kubernetes geneve

  

worker

FALSE

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.