BZ#1874098: image reg, cdn, and firewalls

Mike McKiernan · Mike McKiernan · commit 297d2a3f78a5 · 2020-12-14T12:22:56.000-05:00
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874098
diff --git a/modules/configuring-firewall.adoc b/modules/configuring-firewall.adoc
@@ -28,6 +28,8 @@ There are no special configuration considerations for services running on only c
 |`openshift.org`
 |Provides {op-system-first} images
 |===
++
+When you add a site such as `quay.io` to your allowlist, do not add a wildcard entry such as `*.quay.io` to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as `cdn01.quay.io`.
 
 . Allowlist any site that provides resources for a language or framework that your builds require.
 
@@ -107,7 +109,7 @@ There are no special configuration considerations for services running on only c
 |Required for your cluster token.
 
 |`registry.access.redhat.com`
-|Required for `odo` CLI . 
+|Required for `odo` CLI. 
 |===
 +
 Operators require route access to perform health checks. Specifically, the
