26.2. Configuring your firewall
If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
26.2.1. Configuring your firewall for OpenShift Container Platform
Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.
There are no special configuration considerations for services running on only controller nodes compared to worker nodes.
If your environment has a dedicated load balancer in front of your OpenShift Container Platform cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.
Procedure
Allowlist the following registry URLs:

| URL | Port | Function |
|---|---|---|
| registry.redhat.io | 443, 80 | Provides core container images |
| access.redhat.com | 443, 80 | Provides core container images |
| quay.io | 443, 80 | Provides core container images |
| cdn.quay.io | 443, 80 | Provides core container images |
| cdn01.quay.io | 443, 80 | Provides core container images |
| cdn02.quay.io | 443, 80 | Provides core container images |
| cdn03.quay.io | 443, 80 | Provides core container images |
| sso.redhat.com | 443, 80 | The https://console.redhat.com/openshift site uses authentication from sso.redhat.com |

You can use the wildcards *.quay.io and *.openshiftapps.com instead of cdn0[1-3].quay.io in your allowlist. When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as cdn01.quay.io.

Allowlist any site that provides resources for a language or framework that your builds require.
If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:

| URL | Port | Function |
|---|---|---|
| cert-api.access.redhat.com | 443, 80 | Required for Telemetry |
| api.access.redhat.com | 443, 80 | Required for Telemetry |
| infogw.api.openshift.com | 443, 80 | Required for Telemetry |
| console.redhat.com/api/ingress, cloud.redhat.com/api/ingress | 443, 80 | Required for Telemetry and for insights-operator |

If you use Alibaba Cloud, Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
| Cloud | URL | Port | Function |
|---|---|---|---|
| Alibaba | *.aliyuncs.com | 443, 80 | Required to access Alibaba Cloud services and resources. Review the Alibaba endpoints_config.go file to determine the exact endpoints to allow for the regions that you use. |
| AWS | *.amazonaws.com | 443, 80 | Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use. |
| GCP | *.googleapis.com | 443, 80 | Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs. |
| GCP | accounts.google.com | 443, 80 | Required to access your GCP account. |
| Azure | management.azure.com | 443, 80 | Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs. |
| Azure | *.blob.core.windows.net | 443, 80 | Required to download Ignition files. |
| Azure | login.microsoftonline.com | 443, 80 | Required to access Azure services and resources. Review the Azure REST API reference in the Azure documentation to determine the endpoints to allow for your APIs. |

Alternatively, if you choose to not use a wildcard for AWS APIs, you must allowlist the following URLs:

| URL | Port | Function |
|---|---|---|
| ec2.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| events.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| iam.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| route53.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| s3.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| s3.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| s3.dualstack.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| sts.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| sts.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| tagging.us-east-1.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. This endpoint is always us-east-1, regardless of the region the cluster is deployed in. |
| ec2.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| elasticloadbalancing.<aws_region>.amazonaws.com | 443 | Used to install and manage clusters in an AWS environment. |
| servicequotas.<aws_region>.amazonaws.com | 443, 80 | Required. Used to confirm quotas for deploying the service. |
| tagging.<aws_region>.amazonaws.com | 443, 80 | Allows the assignment of metadata about AWS resources in the form of tags. |
Allowlist the following URLs:

| URL | Port | Function |
|---|---|---|
| mirror.openshift.com | 443, 80 | Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
| storage.googleapis.com/openshift-release | 443, 80 | A source of release image signatures, although the Cluster Version Operator needs only a single functioning source. |
| *.apps.<cluster_name>.<base_domain> | 443, 80 | Required to access the default cluster routes unless you set an ingress wildcard during installation. |
| quayio-production-s3.s3.amazonaws.com | 443, 80 | Required to access Quay image content in AWS. |
| api.openshift.com | 443, 80 | Required both for your cluster token and to check if updates are available for the cluster. |
| rhcos.mirror.openshift.com | 443, 80 | Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images. |
| console.redhat.com/openshift | 443, 80 | Required for your cluster token. |
| sso.redhat.com | 443, 80 | The https://console.redhat.com/openshift site uses authentication from sso.redhat.com |

Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

- oauth-openshift.apps.<cluster_name>.<base_domain>
- console-openshift-console.apps.<cluster_name>.<base_domain>, or the hostname that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.
Allowlist the following URLs for optional third-party content:

| URL | Port | Function |
|---|---|---|
| registry.connect.redhat.com | 443, 80 | Required for all third-party images and certified operators. |
| rhc4tp-prod-z8cxf-image-registry-us-east-1-evenkyleffocxqvofrk.s3.dualstack.us-east-1.amazonaws.com | 443, 80 | Provides access to container images hosted on registry.connect.redhat.com |
| oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com | 443, 80 | Required for Sonatype Nexus, F5 Big IP operators. |
If you use a default Red Hat Network Time Protocol (NTP) server, allow the following URLs:

- 1.rhel.pool.ntp.org
- 2.rhel.pool.ntp.org
- 3.rhel.pool.ntp.org

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.
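As an added example (not Red Hat tooling or part of this documentation), the following Python check expands the placeholder hostnames from the tables above for one deployment, reports required hosts an allowlist leaves out, flags denylist wildcards that would block a required host (the quay.io/cdn01.quay.io clash described in the first step), and offers a TCP probe to run from a node. The region, cluster name and base domain defaults are constructed values.

```python
"""Allowlist sanity checks for the endpoint tables above (added example, not
Red Hat tooling). Region, cluster and domain defaults are constructed values."""
import fnmatch
import socket

# Constructed subset of the tables above; the <placeholders> are the page's own.
REQUIRED = [
    ("registry.redhat.io", (443, 80)),
    ("quay.io", (443, 80)),
    ("cdn01.quay.io", (443, 80)),
    ("s3.<aws_region>.amazonaws.com", (443,)),
    ("sts.<aws_region>.amazonaws.com", (443,)),
    ("tagging.us-east-1.amazonaws.com", (443,)),  # always us-east-1 per the table
    ("oauth-openshift.apps.<cluster_name>.<base_domain>", (443, 80)),
]

def expand(host, aws_region="us-east-2", cluster_name="mycluster", base_domain="example.com"):
    """Fill the page's <placeholders> with one deployment's values (constructed defaults)."""
    return (host.replace("<aws_region>", aws_region)
                .replace("<cluster_name>", cluster_name)
                .replace("<base_domain>", base_domain))

def covered(host, entries):
    """True when host is listed exactly or matched by a wildcard entry such as
    *.quay.io; fnmatch lets '*' span dots, as the page's *.amazonaws.com does."""
    return any(host == e or fnmatch.fnmatch(host, e) for e in entries)

def missing(allowlist, required=REQUIRED, **deployment):
    """Required hosts (after placeholder expansion) that the allowlist leaves out."""
    hosts = [expand(h, **deployment) for h, _ in required]
    return [h for h in hosts if not covered(h, allowlist)]

def shadowed_by_denylist(denylist, required=REQUIRED, **deployment):
    """Required hosts that a denylist entry would block: denying *.quay.io while
    allowing quay.io breaks the CDN redirect to cdn01.quay.io described above."""
    hosts = [expand(h, **deployment) for h, _ in required]
    return [(h, rule) for h in hosts for rule in denylist if covered(h, [rule])]

def probe(host, port, timeout=3.0):
    """TCP connect from a node; True when the firewall lets the handshake through.
    Needs network access, so it is separate from the offline checks above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `missing()` and `shadowed_by_denylist()` against your firewall's exported rule lists before installation, then `probe()` each expanded host and port from a node to confirm the rules behave as written.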