Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 2. Configuring your firewall

If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Lightspeed, the Telemetry service, a cloud to host your cluster, and certain build strategies.

Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires. When using a firewall, make additional configurations to the firewall so that OpenShift Container Platform can access the sites that it requires to function.

There are no special configuration considerations for services running on only controller nodes compared to worker nodes.

Note

If your environment has a dedicated load balancer in front of your OpenShift Container Platform cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.

Procedure

  1. Set the following registry URLs for your firewall’s allowlist:

    Expand
    URLPortFunction

    registry.redhat.io

    443

    Provides core container images

    access.redhat.com

    443

    Hosts a signature store that a container client requires for verifying images pulled from registry.access.redhat.com. In a firewall environment, ensure that this resource is on the allowlist.

    registry.access.redhat.com

    443

    Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images.

    quay.io

    443

    Provides core container images

    cdn.quay.io

    443

    Provides core container images

    cdn01.quay.io

    443

    Provides core container images

    cdn02.quay.io

    443

    Provides core container images

    cdn03.quay.io

    443

    Provides core container images

    cdn04.quay.io

    443

    Provides core container images

    cdn05.quay.io

    443

    Provides core container images

    cdn06.quay.io

    443

    Provides core container images

    sso.redhat.com

    443

    The https://console.redhat.com site uses authentication from sso.redhat.com

    icr.io

    443

    Provides IBM Cloud Pak container images. This domain is only required if you use IBM Cloud Paks.

    cp.icr.io

    443

    Provides IBM Cloud Pak container images. This domain is only required if you use IBM Cloud Paks.

    • You can use the wildcard *.quay.io instead of cdn.quay.io and cdn0[1-6].quay.io in your allowlist.
    • You can use the wildcard *.access.redhat.com to simplify the configuration and ensure that all subdomains, including registry.access.redhat.com, are allowed.
    • When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as cdn01.quay.io.
  2. Set your firewall’s allowlist to include any site that provides resources for a language or framework that your builds require.

  3. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Lightspeed:

    Expand
    URLPortFunction

    cert-api.access.redhat.com

    443

    Required for Telemetry

    api.access.redhat.com

    443

    Required for Telemetry

    infogw.api.openshift.com

    443

    Required for Telemetry

    console.redhat.com

    443

    Required for Telemetry and for insights-operator

  4. If you use Alibaba Cloud, Amazon Web Services (AWS), Microsoft Azure, or Google Cloud to host your cluster, you must grant access to the URLs that offer the cloud provider API and DNS for that cloud:

    Expand
    CloudURLPortFunction

    Alibaba

    *.aliyuncs.com

    443

    Required to access Alibaba Cloud services and resources. Review the Alibaba endpoints_config.go file to find the exact endpoints to allow for the regions that you use.

    AWS

    aws.amazon.com

    443

    Used to install and manage clusters in an AWS environment.

    *.amazonaws.com

    Alternatively, if you choose to not use a wildcard for AWS APIs, you must include the following URLs in your allowlist:

    443

    Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to find the exact endpoints to allow for the regions that you use.

    ec2.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    events.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    iam.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    route53.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    *.s3.dualstack.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    sts.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    sts.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    tagging.us-east-1.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in.

    ec2.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    elasticloadbalancing.<aws_region>.amazonaws.com

    443

    Used to install and manage clusters in an AWS environment.

    servicequotas.<aws_region>.amazonaws.com

    443

    Required. Used to confirm quotas for deploying the service.

    tagging.<aws_region>.amazonaws.com

    443

    Allows the assignment of metadata about AWS resources in the form of tags.

    *.cloudfront.net

    443

    Used to provide access to CloudFront. If you use the AWS Security Token Service (STS) and the private S3 bucket, you must provide access to CloudFront.

    GCP

    *.googleapis.com

    443

    Required to access Google Cloud services and resources. Review Cloud Endpoints in the Google Cloud documentation to find the endpoints to allow for your APIs.

    accounts.google.com

    443

    Required to access your Google Cloud account.

    Microsoft Azure

    management.azure.com

    443

    Required to access Microsoft Azure services and resources. Review the Microsoft Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs.

    *.blob.core.windows.net

    443

    Required to download Ignition files.

    login.microsoftonline.com

    443

    Required to access Microsoft Azure services and resources. Review the Azure REST API reference in the Microsoft Azure documentation to find the endpoints to allow for your APIs.

  5. Allowlist the following URLs:

    Expand
    URLPortFunction

    *.apps.<cluster_name>.<base_domain>

    443

    Required to access the default cluster routes unless you set an ingress wildcard during installation.

    api.openshift.com

    443

    Required both for your cluster token and to check if updates are available for the cluster.

    console.redhat.com

    443

    Required for your cluster token.

    mirror.openshift.com

    443

    Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    quayio-production-s3.s3.amazonaws.com

    443

    Required to access Quay image content in AWS.

    rhcos.mirror.openshift.com

    443

    Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images.

    sso.redhat.com

    443

    The https://console.redhat.com site uses authentication from sso.redhat.com

    storage.googleapis.com/openshift-release

    443

    A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.

    Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

    • oauth-openshift.apps.<cluster_name>.<base_domain>
    • canary-openshift-ingress-canary.apps.<cluster_name>.<base_domain>
    • console-openshift-console.apps.<cluster_name>.<base_domain>, or the hostname that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.

  6. Allowlist the following URL for optional third-party content:

    Expand
    URLPortFunction

    registry.connect.redhat.com

    443

    Required for all third-party images and certified operators.

  7. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs:

    • 1.rhel.pool.ntp.org
    • 2.rhel.pool.ntp.org
    • 3.rhel.pool.ntp.org
Note

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.

The following network flow matrixes describe the ingress flows to OpenShift Container Platform services for the following environments:

  • OpenShift Container Platform on bare metal
  • Single-node OpenShift with other platforms
  • OpenShift Container Platform on Amazon Web Services (AWS)
  • Single-node OpenShift on AWS
Note

You can use the commatrix plugin for the oc command to generate local network flow data for your cluster. For more information see "Generating ingress network flow data using the commatrix plugin".

Use the information in the appropriate network flow matrix to help you manage ingress traffic for your specific environment. You can restrict ingress traffic to essential flows to improve network security.

Additionally, consider the following dynamic port ranges when managing ingress traffic for both bare metal and cloud environments:

  • 9000-9999: Reserved for internal OpenShift Container Platform components. Do not assign user workloads or services to ports in this range.
  • 30000-32767: Kubernetes NodePort service ports. These ports are required only if you expose services by using the NodePort service type. If NodePort services are not used, you can block this port range.

To view or download the complete raw CSV content for an environment, see the following resources:

Note

The network flow matrixes describe ingress traffic flows for a base OpenShift Container Platform or single-node OpenShift installation. The matrixes do not apply for hosted control planes, Red Hat build of MicroShift, or standalone clusters.

2.2.1. Base network flows
Copy link

The following matrixes describe the base ingress flows to OpenShift Container Platform services.

Note

For base ingress flows to single-node OpenShift clusters, see the Control plane node base flows matrix only.

Expand
Table 2.1. Control plane node base flows
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

22

Host system service

sshd

  

master

TRUE

Ingress

TCP

111

Host system service

rpcbind

  

master

TRUE

Ingress

TCP

2379

openshift-etcd

etcd

etcd

etcdctl

master

FALSE

Ingress

TCP

2380

openshift-etcd

healthz

etcd

etcd

master

FALSE

Ingress

TCP

6080

openshift-kube-apiserver

 

kube-apiserver

kube-apiserver-insecure-readyz

master

FALSE

Ingress

TCP

6443

openshift-kube-apiserver

apiserver

kube-apiserver

kube-apiserver

master

FALSE

Ingress

TCP

8080

openshift-network-operator

 

network-operator

network-operator

master

FALSE

Ingress

TCP

8798

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

machine-config-daemon

master

FALSE

Ingress

TCP

9001

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

kube-rbac-proxy

master

FALSE

Ingress

TCP

9099

openshift-cluster-version

cluster-version-operator

cluster-version-operator

cluster-version-operator

master

FALSE

Ingress

TCP

9100

openshift-monitoring

node-exporter

node-exporter

kube-rbac-proxy

master

FALSE

Ingress

TCP

9103

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-node

master

FALSE

Ingress

TCP

9104

openshift-network-operator

metrics

network-operator

network-operator

master

FALSE

Ingress

TCP

9105

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-ovn-metrics

master

FALSE

Ingress

TCP

9107

openshift-ovn-kubernetes

egressip-node-healthcheck

ovnkube-node

ovnkube-controller

master

FALSE

Ingress

TCP

9108

openshift-ovn-kubernetes

ovn-kubernetes-control-plane

ovnkube-control-plane

kube-rbac-proxy

master

FALSE

Ingress

TCP

9192

openshift-cluster-machine-approver

machine-approver

machine-approver

kube-rbac-proxy

master

FALSE

Ingress

TCP

9258

openshift-cloud-controller-manager-operator

machine-approver

cluster-cloud-controller-manager

cluster-cloud-controller-manager

master

FALSE

Ingress

TCP

9637

openshift-machine-config-operator

kube-rbac-proxy-crio

kube-rbac-proxy-crio

kube-rbac-proxy-crio

master

FALSE

Ingress

TCP

9978

openshift-etcd

etcd

etcd

etcd-metrics

master

FALSE

Ingress

TCP

9979

openshift-etcd

etcd

etcd

etcd-metrics

master

FALSE

Ingress

TCP

9980

openshift-etcd

etcd

etcd

etcd

master

FALSE

Ingress

TCP

10250

Host system service

kubelet

  

master

FALSE

Ingress

TCP

10256

openshift-ovn-kubernetes

ovnkube

ovnkube

ovnkube-controller

master

FALSE

Ingress

TCP

10257

openshift-kube-controller-manager

kube-controller-manager

kube-controller-manager

kube-controller-manager

master

FALSE

Ingress

TCP

10259

openshift-kube-scheduler

scheduler

openshift-kube-scheduler

kube-scheduler

master

FALSE

Ingress

TCP

17697

openshift-kube-apiserver

openshift-kube-apiserver-healthz

kube-apiserver

kube-apiserver-check-endpoints

master

FALSE

Ingress

TCP

22623

openshift-machine-config-operator

machine-config-server

machine-config-server

machine-config-server

master

FALSE

Ingress

TCP

22624

openshift-machine-config-operator

machine-config-server

machine-config-server

machine-config-server

master

FALSE

Ingress

UDP

111

Host system service

rpcbind

  

master

TRUE

Expand
Table 2.2. Worker node base flows
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

22

Host system service

sshd

  

worker

TRUE

Ingress

TCP

111

Host system service

rpcbind

  

worker

TRUE

Ingress

TCP

8798

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

machine-config-daemon

worker

FALSE

Ingress

TCP

9001

openshift-machine-config-operator

machine-config-daemon

machine-config-daemon

kube-rbac-proxy

worker

FALSE

Ingress

TCP

9100

openshift-monitoring

node-exporter

node-exporter

kube-rbac-proxy

worker

FALSE

Ingress

TCP

9103

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-node

worker

FALSE

Ingress

TCP

9105

openshift-ovn-kubernetes

ovn-kubernetes-node

ovnkube-node

kube-rbac-proxy-ovn-metrics

worker

FALSE

Ingress

TCP

9107

openshift-ovn-kubernetes

egressip-node-healthcheck

ovnkube-node

ovnkube-controller

worker

FALSE

Ingress

TCP

9637

openshift-machine-config-operator

kube-rbac-proxy-crio

kube-rbac-proxy-crio

kube-rbac-proxy-crio

worker

FALSE

Ingress

TCP

10250

Host system service

kubelet

  

worker

FALSE

Ingress

TCP

10256

openshift-ovn-kubernetes

ovnkube

ovnkube

ovnkube-controller

worker

FALSE

Ingress

UDP

111

Host system service

rpcbind

  

worker

TRUE

In addition to the base network flows, the following matrix describes the ingress flows to OpenShift Container Platform services that are specific to OpenShift Container Platform on bare metal.

Expand
Table 2.3. OpenShift Container Platform on bare metal
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

53

openshift-dns

dns-default

dnf-default

dns

master

FALSE

Ingress

TCP

6180

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6183

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6385

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

6388

openshift-machine-api

metal3-state

metal3

metal3-httpd

master

FALSE

Ingress

TCP

9444

openshift-kni-infra

 

haproxy

haproxy

master

FALSE

Ingress

TCP

9445

openshift-kni-infra

 

haproxy

haproxy

master

FALSE

Ingress

TCP

9454

openshift-kni-infra

 

haproxy

haproxy

master

FALSE

Ingress

TCP

18080

openshift-kni-infra

 

coredns

coredns

master

FALSE

Ingress

UDP

53

openshift-dns

dns-default

dnf-default

dns

master

FALSE

Ingress

UDP

6081

openshift-ovn-kubernetes

ovn-kubernetes geneve

  

master

FALSE

Ingress

TCP

53

openshift-dns

dns-default

dnf-default

dns

worker

FALSE

Ingress

TCP

80

openshift-ingress

router-internal-default

router-default

router

worker

FALSE

Ingress

TCP

443

openshift-ingress

router-internal-default

router-default

router

worker

FALSE

Ingress

TCP

1936

openshift-ingress

router-internal-default

router-default

router

worker

FALSE

Ingress

TCP

18080

openshift-kni-infra

 

coredns

coredns

worker

FALSE

Ingress

UDP

53

openshift-dns

dns-default

dnf-default

dns

worker

FALSE

Ingress

UDP

6081

openshift-ovn-kubernetes

ovn-kubernetes geneve

  

worker

FALSE

In addition to the base network flows, the following matrix describes the ingress flows to OpenShift Container Platform services that are specific to single-node OpenShift configured with platform: none in the installation manifest.

Expand
Table 2.4. Single-node OpenShift with other platforms
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

80

openshift-ingress

router-internal-default

router-default

router

master

FALSE

Ingress

TCP

443

openshift-ingress

router-internal-default

router-default

router

master

FALSE

Ingress

TCP

1936

openshift-ingress

router-internal-default

router-default

router

master

FALSE

In addition to the base network flows, the following matrix describes the ingress flows to OpenShift Container Platform services that are specific to OpenShift Container Platform on AWS.

Expand
Table 2.5. OpenShift Container Platform on AWS
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

10258

openshift-cloud-controller-manager-operator

cloud-controller

cloud-controller-manager

cloud-controller-manager

master

FALSE

Ingress

TCP

80

openshift-ingress

router-default

router-default

router

worker

FALSE

Ingress

TCP

443

openshift-ingress

router-default

router-default

router

worker

FALSE

Ingress

UDP

6081

openshift-ovn-kubernetes

ovn-kubernetes geneve

  

worker

FALSE

In addition to the base network flows, the following matrix describes the ingress flows to OpenShift Container Platform services that are specific to single-node OpenShift on AWS.

Expand
Table 2.6. Single-node OpenShift on AWS
DirectionProtocolPortNamespaceServicePodContainerNode RoleOptional

Ingress

TCP

80

openshift-ingress

router-default

router-default

router

master

FALSE

Ingress

TCP

443

openshift-ingress

router-default

router-default

router

master

FALSE

Ingress

TCP

10258

openshift-cloud-controller-manager-operator

cloud-controller

cloud-controller-manager

cloud-controller-manager

master

FALSE

The commatrix plugin for the oc command generates ingress network flow data from your cluster. You can also use the plugin to identify any differences between open ports on the host and expected ingress flows for your environment.

The plugin generates ingress flows to OpenShift Container Platform services for the following environments:

  • OpenShift Container Platform on bare metal
  • Single-node OpenShift with other platforms
  • OpenShift Container Platform on Amazon Web Services (AWS)
  • Single-node OpenShift on AWS

The plugin outputs the network flow data in various formats, such as CSV or JSON.

2.4. Installing the commatrix plugin
Copy link

You can install the commatrix plugin from the Red Hat Ecosystem Catalog.

Note

You can also install the commatrix plugin by using Krew. For more information, see "CLI Manager Operator overview".

Prerequisites

  • You installed the OpenShift CLI (oc).
  • You installed Podman.

Procedure

  1. Log in to the Red Hat Ecosystem Catalog registry by running the following command and entering your credentials: 

    $ podman login registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Extract the commatrix binary from the plugin image by running the following commands: 

    $ podman create --name oc-commatrix registry.redhat.io/openshift-kni/commatrix:v4.21
$ podman cp oc-commatrix:/oc-commatrix .
$ podman rm oc-commatrix
    Copy to Clipboard Toggle word wrap

  3. Move the extracted binary to a directory in your system PATH, such as /usr/local/bin/, by running the following command: 

    sudo mv oc-commatrix /usr/local/bin/
    Copy to Clipboard Toggle word wrap

Verification

  • Run the following command to verify that the plugin is available locally: 

    $ oc commatrix
    Copy to Clipboard Toggle word wrap 
    Generate an up-to-date communication flows matrix for all ingress flows of openshift (multi-node and single-node in OpenShift) and Operators.

 Optionally, generate a host open ports matrix and the difference with the communication matrix.

 For additional details, please refer to the communication matrix documentation(https://github.com/openshift-kni/commatrix/blob/main/README.md).

Usage:
  commatrix [command]

Available Commands:
  completion  Generate the autocompletion script for the specified shell
  generate    Generate an up-to-date communication flows matrix for all ingress flows.
  help        Help about any command

Flags:
  -h, --help   help for commatrix

Use "commatrix [command] --help" for more information about a command.
    Copy to Clipboard Toggle word wrap

Use the commatrix plugin for the oc command to generate ingress network flow data from your cluster and identify any differences between open ports on the host and expected ingress flows for your environment.

Prerequisites

  • You installed the OpenShift CLI (oc).
  • You logged in as a user with cluster-admin privileges.
  • You installed Podman.
  • You installed the commatrix plugin.

Procedure

  1. Generate network flow data by running the following command: 

    $ oc commatrix generate
    Copy to Clipboard Toggle word wrap
    Note

    By default, the plugin generates the network flow data in CSV format in a communication-matrix directory in your current working directory.

Verification

  • View the generated network flow data in the communication-matrix directory by running the following command: 

    $ cat communication-matrix/communication-matrix.csv
    Copy to Clipboard Toggle word wrap 
    Direction,Protocol,Port,Namespace,Service,Pod,Container,Node Role,Optional
Ingress,TCP,4194,kube-system,kubelet,konnectivity-agent,,,false
Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,,false
Ingress,TCP,9103,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-node,,false

...
    Copy to Clipboard Toggle word wrap

2.6. Reference flags for the commatrix plugin
Copy link

The following matrix describes the flags for the commatrix plugin.

Expand
FlagTypeDescription

--customEntriesFormat

string

Define the format of a custom entries file. The plugin appends the entries in this file to the generated data. Supported values are json, yaml, or csv.

--customEntriesPath

string

Define the file path to a custom entries file. The plugin appends the entries in this file to the generated data.

--debug

boolean

Enable verbose logging for debugging. The default value is false.

--destDir

string

Define the directory for output files. The default value is communication-matrix.

--format

string

Define the output format. Supported values are json, yaml, csv, or nft. The default value is csv.

--host-open-ports

boolean

Generate the expected communication data for the cluster environment. Identify the actual open ports on the cluster node to compare the difference between the expected open ports and the actual open ports. You can view the differences in the generated matrix-diff-ss file in the destination directory.

-h

boolean

Display the plugin help information.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top