2.2. OpenShift Container Platform network flow matrix
The network flow matrix describes the ingress flows to OpenShift Container Platform services. The network information in the matrix is accurate for both bare-metal and cloud environments. Use the information in the network flow matrix to manage ingress traffic. You can strengthen network security by restricting ingress traffic to the essential flows.
To view or download the raw CSV content, see this resource.
In addition, consider the following dynamic port ranges when managing ingress traffic:
- 9000-9999: host-level services
- 30000-32767: Kubernetes node ports
- 49152-65535: dynamic or private ports
The network flow matrix describes the ingress traffic flows of a base OpenShift Container Platform installation. It does not describe the network flows of additional components, such as optional Operators available from the Red Hat Marketplace. The matrix does not apply to Hosted Control Planes, the Red Hat build of MicroShift, or standalone clusters.
| Direction | Protocol | Port | Namespace | Service | Pod | Container | Node role | Optional |
|---|---|---|---|---|---|---|---|---|
| Ingress | TCP | 22 | Host system service | sshd | | | master | TRUE |
| Ingress | TCP | 53 | openshift-dns | dns-default | dns-default | dns | master | FALSE |
| Ingress | TCP | 80 | openshift-ingress | router-default | router-default | router | master | FALSE |
| Ingress | TCP | 111 | Host system service | rpcbind | | | master | TRUE |
| Ingress | TCP | 443 | openshift-ingress | router-default | router-default | router | master | FALSE |
| Ingress | TCP | 1936 | openshift-ingress | router-default | router-default | router | master | FALSE |
| Ingress | TCP | 2379 | openshift-etcd | etcd | etcd | etcdctl | master | FALSE |
| Ingress | TCP | 2380 | openshift-etcd | healthz | etcd | etcd | master | FALSE |
| Ingress | TCP | 6080 | openshift-kube-apiserver | | kube-apiserver | kube-apiserver-insecure-readyz | master | FALSE |
| Ingress | TCP | 6180 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
| Ingress | TCP | 6183 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
| Ingress | TCP | 6385 | openshift-machine-api | | ironic-proxy | ironic-proxy | master | FALSE |
| Ingress | TCP | 6388 | openshift-machine-api | metal3-state | metal3 | metal3-httpd | master | FALSE |
| Ingress | TCP | 6443 | openshift-kube-apiserver | apiserver | kube-apiserver | kube-apiserver | master | FALSE |
| Ingress | TCP | 8080 | openshift-network-operator | | network-operator | network-operator | master | FALSE |
| Ingress | TCP | 8798 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | machine-config-daemon | master | FALSE |
| Ingress | TCP | 9001 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | kube-rbac-proxy | master | FALSE |
| Ingress | TCP | 9099 | openshift-cluster-version | cluster-version-operator | cluster-version-operator | cluster-version-operator | master | FALSE |
| Ingress | TCP | 9100 | openshift-monitoring | node-exporter | node-exporter | kube-rbac-proxy | master | FALSE |
| Ingress | TCP | 9103 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-node | master | FALSE |
| Ingress | TCP | 9104 | openshift-network-operator | metrics | network-operator | network-operator | master | FALSE |
| Ingress | TCP | 9105 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-ovn-metrics | master | FALSE |
| Ingress | TCP | 9107 | openshift-ovn-kubernetes | egressip-node-healthcheck | ovnkube-node | ovnkube-controller | master | FALSE |
| Ingress | TCP | 9108 | openshift-ovn-kubernetes | ovn-kubernetes-control-plane | ovnkube-control-plane | kube-rbac-proxy | master | FALSE |
| Ingress | TCP | 9192 | openshift-cluster-machine-approver | machine-approver | machine-approver | kube-rbac-proxy | master | FALSE |
| Ingress | TCP | 9258 | openshift-cloud-controller-manager-operator | machine-approver | cluster-cloud-controller-manager | cluster-cloud-controller-manager | master | FALSE |
| Ingress | TCP | 9444 | openshift-kni-infra | | haproxy | haproxy | master | FALSE |
| Ingress | TCP | 9445 | openshift-kni-infra | | haproxy | haproxy | master | FALSE |
| Ingress | TCP | 9637 | openshift-machine-config-operator | kube-rbac-proxy-crio | kube-rbac-proxy-crio | kube-rbac-proxy-crio | master | FALSE |
| Ingress | TCP | 9978 | openshift-etcd | etcd | etcd | etcd-metrics | master | FALSE |
| Ingress | TCP | 9979 | openshift-etcd | etcd | etcd | etcd-metrics | master | FALSE |
| Ingress | TCP | 9980 | openshift-etcd | etcd | etcd | etcd | master | FALSE |
| Ingress | TCP | 10250 | Host system service | kubelet | | | master | FALSE |
| Ingress | TCP | 10256 | openshift-ovn-kubernetes | ovnkube | ovnkube | ovnkube-controller | master | FALSE |
| Ingress | TCP | 10257 | openshift-kube-controller-manager | kube-controller-manager | kube-controller-manager | kube-controller-manager | master | FALSE |
| Ingress | TCP | 10258 | openshift-cloud-controller-manager-operator | cloud-controller | cloud-controller-manager | cloud-controller-manager | master | FALSE |
| Ingress | TCP | 10259 | openshift-kube-scheduler | scheduler | openshift-kube-scheduler | kube-scheduler | master | FALSE |
| Ingress | TCP | 10260 | openshift-cloud-controller-manager-operator | cloud-controller | cloud-controller-manager | cloud-controller-manager | master | FALSE |
| Ingress | TCP | 10300 | openshift-cluster-csi-drivers | csi-livenessprobe | csi-driver-node | csi-driver | master | FALSE |
| Ingress | TCP | 10309 | openshift-cluster-csi-drivers | csi-node-driver | csi-driver-node | csi-node-driver-registrar | master | FALSE |
| Ingress | TCP | 10357 | openshift-kube-apiserver | openshift-kube-apiserver-healthz | kube-apiserver | kube-apiserver-check-endpoints | master | FALSE |
| Ingress | TCP | 17697 | openshift-kube-apiserver | openshift-kube-apiserver-healthz | kube-apiserver | kube-apiserver-check-endpoints | master | FALSE |
| Ingress | TCP | 18080 | openshift-kni-infra | | coredns | coredns | master | FALSE |
| Ingress | TCP | 22623 | openshift-machine-config-operator | machine-config-server | machine-config-server | machine-config-server | master | FALSE |
| Ingress | TCP | 22624 | openshift-machine-config-operator | machine-config-server | machine-config-server | machine-config-server | master | FALSE |
| Ingress | UDP | 53 | openshift-dns | dns-default | dns-default | dns | master | FALSE |
| Ingress | UDP | 111 | Host system service | rpcbind | | | master | TRUE |
| Ingress | UDP | 6081 | openshift-ovn-kubernetes | ovn-kubernetes geneve | | | master | FALSE |
| Ingress | TCP | 22 | Host system service | sshd | | | worker | TRUE |
| Ingress | TCP | 53 | openshift-dns | dns-default | dns-default | dns | worker | FALSE |
| Ingress | TCP | 80 | openshift-ingress | router-default | router-default | router | worker | FALSE |
| Ingress | TCP | 111 | Host system service | rpcbind | | | worker | TRUE |
| Ingress | TCP | 443 | openshift-ingress | router-default | router-default | router | worker | FALSE |
| Ingress | TCP | 1936 | openshift-ingress | router-default | router-default | router | worker | FALSE |
| Ingress | TCP | 8798 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | machine-config-daemon | worker | FALSE |
| Ingress | TCP | 9001 | openshift-machine-config-operator | machine-config-daemon | machine-config-daemon | kube-rbac-proxy | worker | FALSE |
| Ingress | TCP | 9100 | openshift-monitoring | node-exporter | node-exporter | kube-rbac-proxy | worker | FALSE |
| Ingress | TCP | 9103 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-node | worker | FALSE |
| Ingress | TCP | 9105 | openshift-ovn-kubernetes | ovn-kubernetes-node | ovnkube-node | kube-rbac-proxy-ovn-metrics | worker | FALSE |
| Ingress | TCP | 9107 | openshift-ovn-kubernetes | egressip-node-healthcheck | ovnkube-node | ovnkube-controller | worker | FALSE |
| Ingress | TCP | 9637 | openshift-machine-config-operator | kube-rbac-proxy-crio | kube-rbac-proxy-crio | kube-rbac-proxy-crio | worker | FALSE |
| Ingress | TCP | 10250 | Host system service | kubelet | | | worker | FALSE |
| Ingress | TCP | 10256 | openshift-ovn-kubernetes | ovnkube | ovnkube | ovnkube-controller | worker | TRUE |
| Ingress | TCP | 10300 | openshift-cluster-csi-drivers | csi-livenessprobe | csi-driver-node | csi-driver | worker | FALSE |
| Ingress | TCP | 10309 | openshift-cluster-csi-drivers | csi-node-driver | csi-driver-node | csi-node-driver-registrar | worker | FALSE |
| Ingress | TCP | 18080 | openshift-kni-infra | | coredns | coredns | worker | FALSE |
| Ingress | UDP | 53 | openshift-dns | dns-default | dns-default | dns | worker | FALSE |
| Ingress | UDP | 111 | Host system service | rpcbind | | | worker | TRUE |
| Ingress | UDP | 6081 | openshift-ovn-kubernetes | ovn-kubernetes geneve | | | worker | FALSE |
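The matrix is meant to be turned into an allowlist, with the Optional column deciding what can be left closed and the dynamic port ranges above deciding which ports deserve a second look. The following is an added example, not code from the Red Hat documentation: it parses rows in the matrix's column layout, builds the per-role set of essential ingress flows, renders them as nftables accept rules for a default-drop chain, and reports observed flows on a node that the matrix does not list for its role. The CSV sample is constructed from a subset of the rows above, and the function names, the range labels and the nftables rendering are this example's own.

```python
import csv
import io

# Constructed sample in the matrix's column layout (a subset of the rows in
# the table above, not the raw CSV published by Red Hat).
SAMPLE_CSV = """\
Direction,Protocol,Port,Namespace,Service,Pod,Container,Node role,Optional
Ingress,TCP,22,Host system service,sshd,,,master,TRUE
Ingress,TCP,53,openshift-dns,dns-default,dns-default,dns,master,FALSE
Ingress,TCP,443,openshift-ingress,router-default,router-default,router,master,FALSE
Ingress,TCP,2379,openshift-etcd,etcd,etcd,etcdctl,master,FALSE
Ingress,TCP,6443,openshift-kube-apiserver,apiserver,kube-apiserver,kube-apiserver,master,FALSE
Ingress,TCP,10250,Host system service,kubelet,,,master,FALSE
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,master,FALSE
Ingress,TCP,22,Host system service,sshd,,,worker,TRUE
Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,worker,FALSE
Ingress,TCP,10250,Host system service,kubelet,,,worker,FALSE
Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,worker,TRUE
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,worker,FALSE
"""

# Dynamic port ranges named in the text; the labels are this example's own.
DYNAMIC_RANGES = (
    (9000, 9999, "host-level services"),
    (30000, 32767, "Kubernetes node ports"),
    (49152, 65535, "dynamic or private ports"),
)


def parse_matrix(text):
    """Parse CSV rows in the matrix layout into dicts with typed fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "direction": rec["Direction"].strip(),
            "protocol": rec["Protocol"].strip().lower(),
            "port": int(rec["Port"]),
            "namespace": rec["Namespace"].strip(),
            "service": rec["Service"].strip(),
            "role": rec["Node role"].strip(),
            "optional": rec["Optional"].strip().upper() == "TRUE",
        })
    return rows


def dynamic_range_for(port):
    """Label of the dynamic range a port falls in, or None for a fixed port."""
    for low, high, label in DYNAMIC_RANGES:
        if low <= port <= high:
            return label
    return None


def allowlist(rows, role, include_optional=False):
    """Sorted (protocol, port) pairs that nodes of `role` must accept.

    Optional flows are left out unless requested; that is how the matrix is
    narrowed down to the essential flows.
    """
    allowed = set()
    for row in rows:
        if row["direction"] != "Ingress" or row["role"] != role:
            continue
        if row["optional"] and not include_optional:
            continue
        allowed.add((row["protocol"], row["port"]))
    return sorted(allowed)


def nft_rules(rows, role, include_optional=False):
    """Render one nftables accept rule per flow, for a chain whose policy is drop.

    A port inside one of the dynamic ranges gets a note in the rule comment,
    because it is shared with other host-level or ephemeral services and
    deserves a second look before it is opened.
    """
    lines = []
    for proto, port in allowlist(rows, role, include_optional):
        note = dynamic_range_for(port)
        text = f"{role} {proto}/{port}"
        if note:
            text += f" (in {note} range)"
        lines.append(f'{proto} dport {port} accept comment "{text}"')
    return lines


def unexpected_flows(rows, role, observed):
    """Observed (lowercase protocol, port) pairs that the matrix does not list for `role`."""
    expected = set(allowlist(rows, role, include_optional=True))
    return sorted(set(observed) - expected)


if __name__ == "__main__":
    matrix = parse_matrix(SAMPLE_CSV)
    for node_role in ("master", "worker"):
        print(f"# {node_role}")
        print("\n".join(nft_rules(matrix, node_role)))
    # Constructed observation: a worker accepting connections on a port the matrix does not list.
    print("unexpected on worker:", unexpected_flows(matrix, "worker", [("tcp", 10250), ("tcp", 4444)]))
```

Feed `parse_matrix` the downloaded CSV instead of the sample to get the full allowlist; `unexpected_flows` takes the (protocol, port) pairs of listening sockets or accepted connections collected on a node, so it doubles as a simple drift check against the matrix.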