13.4. Configuring your firewall


If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.

13.4.1. Configuring your firewall for OpenShift Container Platform

Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.

There are no special configuration considerations for services running on only controller nodes versus worker nodes.

Procedure

  1. Allowlist the following registry URLs:

    URL | Port | Function
    --- | --- | ---
    registry.redhat.io | 443, 80 | Provides core container images
    quay.io | 443, 80 | Provides core container images
    *.quay.io | 443, 80 | Provides core container images
    sso.redhat.com | 443, 80 | The https://cloud.redhat.com/openshift site uses authentication from sso.redhat.com
    openshift.org | 443, 80 | Provides Red Hat Enterprise Linux CoreOS (RHCOS) images

    When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as cdn01.quay.io.

    CDN host names, such as cdn01.quay.io, are covered when you add a wildcard entry, such as *.quay.io, in your allowlist.

  2. Allowlist any site that provides resources for a language or framework that your builds require.
  3. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:

    URL | Port | Function
    --- | --- | ---
    cert-api.access.redhat.com | 443, 80 | Required for Telemetry
    api.access.redhat.com | 443, 80 | Required for Telemetry
    infogw.api.openshift.com | 443, 80 | Required for Telemetry
    https://cloud.redhat.com/api/ingress | 443, 80 | Required for Telemetry and for insights-operator

  4. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:

    Cloud | URL | Port | Function
    --- | --- | --- | ---
    AWS | *.amazonaws.com | 443, 80 | Required to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
    AWS | oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com | 443, 80 | Required to access AWS services and resources when using strict security requirements. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
    GCP | *.googleapis.com | 443, 80 | Required to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.
    GCP | accounts.google.com | 443, 80 | Required to access your GCP account.
    Azure | management.azure.com | 443, 80 | Required to access Azure services and resources. Review the Azure REST API Reference in the Azure documentation to determine the endpoints to allow for your APIs.

  5. Allowlist the following URLs:

    URL | Port | Function
    --- | --- | ---
    mirror.openshift.com | 443, 80 | Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
    storage.googleapis.com/openshift-release | 443, 80 | A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
    *.apps.<cluster_name>.<base_domain> | 443, 80 | Required to access the default cluster routes unless you set an ingress wildcard during installation.
    quay-registry.s3.amazonaws.com | 443, 80 | Required to access Quay image content in AWS.
    api.openshift.com | 443, 80 | Required to check if updates are available for the cluster.
    art-rhcos-ci.s3.amazonaws.com | 443, 80 | Required to download Red Hat Enterprise Linux CoreOS (RHCOS) images.
    api.openshift.com | 443, 80 | Required for your cluster token.
    cloud.redhat.com/openshift | 443, 80 | Required for your cluster token.
    registry.access.redhat.com | 443, 80 | Required for odo CLI.

    Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

    • oauth-openshift.apps.<cluster_name>.<base_domain>
    • console-openshift-console.apps.<cluster_name>.<base_domain>, or the host name that is specified in the spec.route.hostname field of the consoles.operator/cluster object if the field is not empty.
  6. If you use a default Red Hat Network Time Protocol (NTP) server, allow the following URLs:

    • 1.rhel.pool.ntp.org
    • 2.rhel.pool.ntp.org
    • 3.rhel.pool.ntp.org
Note

If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.
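As an added example that is not part of the Red Hat documentation, the following Python helper models a subset of the allowlist rows above, checks a proposed denylist for the wildcard conflict described in the note under step 1 (quay.io allowed, *.quay.io denied), and probes each concrete host and port through the firewall. ALLOWLIST is a constructed subset of the tables, the <cluster_name> and <base_domain> placeholders are filled in by expand(), and cdn01.quay.io is taken from that note as the sample CDN host.

```python
import socket

# Constructed subset of the allowlist tables above: (host pattern, ports).
# The installer placeholders in the last entry are filled in by expand().
ALLOWLIST = [
    ("registry.redhat.io", (443, 80)),
    ("quay.io", (443, 80)),
    ("*.quay.io", (443, 80)),
    ("mirror.openshift.com", (443, 80)),
    ("*.apps.<cluster_name>.<base_domain>", (443, 80)),
]

def expand(pattern, cluster_name, base_domain):
    """Substitute the <cluster_name> and <base_domain> placeholders from the tables."""
    return pattern.replace("<cluster_name>", cluster_name).replace("<base_domain>", base_domain)

def host_matches(pattern, host):
    """Wildcard semantics: '*.quay.io' covers cdn01.quay.io but not the bare quay.io."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern

def denylist_conflicts(allowlist, denylist):
    """Find denylist entries that undo an allowlist entry, including the step 1 note:
    quay.io allowed but *.quay.io denied, so the redirect to cdn01.quay.io is blocked."""
    found = []
    for deny in denylist:
        for allow, _ports in allowlist:
            domain = allow[2:] if allow.startswith("*.") else allow
            if host_matches(deny, allow) or host_matches(deny, "cdn01." + domain):
                found.append((deny, allow))
    return found

def probe(host, port, timeout=3.0):
    """TCP connect through the firewall; True means the rule lets the traffic out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_allowlist(allowlist, cluster_name, base_domain):
    """Probe concrete hosts; wildcard rows return 'wildcard' (probe a real CDN host by hand)."""
    results = {}
    for pattern, ports in allowlist:
        host = expand(pattern, cluster_name, base_domain)
        for port in ports:
            results[(host, port)] = "wildcard" if host.startswith("*.") else probe(host, port)
    return results
```

Run check_allowlist(ALLOWLIST, "<cluster_name>", "<base_domain>") from a host behind the firewall before installation; any False entry is a missing or mis-scoped rule, and a non-empty denylist_conflicts() result means image pulls will fail on the CDN redirect.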

© 2024 Red Hat, Inc.