modules/configuring-firewall.adoc
Lines changed: 39 additions & 9 deletions
@@ -13,103 +13,133 @@ There are no special configuration considerations for services running on only c
13
13
14
14
. Allowlist the following registry URLs:
15
15
+
16
-
[cols="3,4",options="header"]
16
+
[cols="3,2,4",options="header"]
17
17
|===
18
-
|URL | Function
18
+
|URL | Port | Function
19
+
19
20
|`registry.redhat.io`
21
+
|443, 80
20
22
|Provides core container images
21
23
22
24
|`quay.io`
25
+
|443 or 80
26
+
|Provides core container images
27
+
28
+
|`*.quay.io`
29
+
|443, 80
23
30
|Provides core container images
24
31
25
32
|`sso.redhat.com`
33
+
|443, 80
26
34
|The `https://cloud.redhat.com/openshift` site uses authentication from `sso.redhat.com`
27
35
28
36
|`openshift.org`
37
+
|443, 80
29
38
|Provides {op-system-first} images
39
+
30
40
|===
31
41
+
32
42
When you add a site such as `quay.io` to your allowlist, do not add a wildcard entry such as `*.quay.io` to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, then image downloads are denied when the initial download request is redirected to a host name such as `cdn01.quay.io`.
43
+
+
44
+
CDN host names, such as `cdn01.quay.io` are covered when you add a wildcard entry such as `*.quay.io` in your allowlist.
33
45
34
46
. Allowlist any site that provides resources for a language or framework that your builds require.
35
47
36
48
. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
37
49
+
38
-
[cols="3,4",options="header"]
50
+
[cols="3,2,4",options="header"]
39
51
|===
40
-
|URL | Function
52
+
|URL | Port | Function
41
53
42
54
|`cert-api.access.redhat.com`
55
+
|443, 80
43
56
|Required for Telemetry
44
57
45
58
|`api.access.redhat.com`
59
+
|443, 80
46
60
|Required for Telemetry
47
61
48
62
|`infogw.api.openshift.com`
63
+
|443, 80
49
64
|Required for Telemetry
50
65
51
66
|`https://cloud.redhat.com/api/ingress`
67
+
|443, 80
52
68
|Required for Telemetry and for `insights-operator`
53
69
|===
54
70
55
71
. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
56
72
+
57
-
[cols="2a,8a,8a",options="header"]
73
+
[cols="2a,8a,2a,8a",options="header"]
58
74
|===
59
-
|Cloud |URL |Function
75
+
|Cloud |URL | Port |Function
60
76
61
77
.2+|AWS
62
78
|`*.amazonaws.com`
79
+
|443, 80
63
80
|Required to access AWS services and resources. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
|Required to access AWS services and resources when using strict security requirements. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
67
85
68
86
.2+|GCP
69
87
|`*.googleapis.com`
88
+
|443, 80
70
89
|Required to access GCP services and resources. Review link:https://cloud.google.com/endpoints/[Cloud Endpoints] in the GCP documentation to determine the endpoints to allow for your APIs.
71
90
72
91
|`accounts.google.com`
92
+
|443, 80
73
93
| Required to access your GCP account.
74
94
75
95
|Azure
76
96
|`management.azure.com`
97
+
|443, 80
77
98
|Required to access Azure services and resources. Review the link:https://docs.microsoft.com/en-us/rest/api/azure/[Azure REST API Reference] in the Azure documentation to determine the endpoints to allow for your APIs.
78
99
79
100
|===
80
101
81
102
. Allowlist the following URLs:
82
103
+
83
-
[cols="3,4",options="header"]
104
+
[cols="3,2,4",options="header"]
84
105
|===
85
-
|URL | Function
106
+
|URL | Port | Function
86
107
87
108
|`mirror.openshift.com`
109
+
|443, 80
88
110
|Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
89
111
90
112
|`storage.googleapis.com/openshift-release`
113
+
|443, 80
91
114
|A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
92
115
93
116
|`*.apps.<cluster_name>.<base_domain>`
117
+
|443, 80
94
118
|Required to access the default cluster routes unless you set an ingress wildcard during installation.
95
119
96
120
|`quay-registry.s3.amazonaws.com`
121
+
|443, 80
97
122
|Required to access Quay image content in AWS.
98
123
99
124
|`api.openshift.com`
125
+
|443, 80
100
126
|Required to check if updates are available for the cluster.
101
127
102
128
|`art-rhcos-ci.s3.amazonaws.com`
129
+
|443, 80
103
130
|Required to download {op-system-first} images.
104
131
105
132
|`api.openshift.com`
133
+
|443, 80
106
134
|Required for your cluster token.
107
135
108
136
|`cloud.redhat.com/openshift`
137
+
|443, 80
109
138
|Required for your cluster token.
110
139
111
140
|`registry.access.redhat.com`
112
-
|Required for `odo` CLI.
141
+
|443, 80
142
+
|Required for `odo` CLI.
113
143
|===
114
144
+
115
145
Operators require route access to perform health checks. Specifically, the
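Review bot: the Port cell added for the `quay.io` row reads `443 or 80` while every other Port cell added in this hunk reads `443, 80`; make it `443, 80` so the tables are consistent. On the same column, every row now lists port 80 next to 443, including `https://cloud.redhat.com/openshift` and `https://cloud.redhat.com/api/ingress`, which the table writes as HTTPS URLs; if 80 is listed only because some hosts redirect plain HTTP to 443, say so in the step text, otherwise readers will open a wider allowlist than the cluster needs. The last table also still carries `api.openshift.com` twice (`Required to check if updates are available for the cluster.` and `Required for your cluster token.`); since both rows are touched to add a Port cell, this is the moment to merge them into one row that lists both functions. Minor: the new sentence `CDN host names, such as `cdn01.quay.io` are covered when you add a wildcard entry ...` needs a comma after `cdn01.quay.io`.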