2.4. Configuring your firewall
If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
2.4.1. Configuring your firewall for OpenShift Container Platform
Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.
Procedure
Whitelist the following registry URLs:
URL Function registry.redhat.ioProvides core container images
*.quay.ioProvides core container images
sso.redhat.comThe
https://cloud.redhat.com/openshiftsite uses authentication fromsso.redhat.com- Whitelist any site that provides resources for a language or framework that your builds require.
If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
URL Function cert-api.access.redhat.comRequired for Telemetry
api.access.redhat.comRequired for Telemetry
infogw.api.openshift.comRequired for Telemetry
Required for Telemetry and for
insights-operatorIf you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
Cloud URL Function AWS
*.amazonaws.comRequired to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
GCP
*.googleapis.comRequired to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.
accounts.google.comRequired to access your GCP account.
Azure
management.azure.comRequired to access Azure services and resources. Review the Azure REST API Reference in the Azure documentation to determine the endpoints to allow for your APIs.
Whitelist the following URLs:
URL Function mirror.openshift.comRequired to access mirrored installation content and images
*.apps.<cluster_name>.<base_domain>Required to access the default cluster routes unless you set an ingress wildcard during installation
quay-registry.s3.amazonaws.comRequired to access Quay image content in AWS
api.openshift.comRequired to check if updates are available for the cluster
art-rhcos-ci.s3.amazonaws.comRequired to download Red Hat Enterprise Linux CoreOS (RHCOS) images
api.openshift.comRequired for your cluster token
cloud.redhat.com/openshiftRequired for your cluster token
