firewall prereqs PSC

Author: mletalie

_topic_maps/_topic_map_osd.yml

@@ -369,8 +369,8 @@ Distros: openshift-dedicated
 Topics:
 - Name: Viewing audit logs
   File: audit-log-view
-- Name: Required allowlist IP addresses for SRE cluster access
-  File: rh-required-whitelisted-IP-addresses-for-sre-access
+# - Name: Required allowlist IP addresses for SRE cluster access
+#   File: rh-required-whitelisted-IP-addresses-for-sre-access
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/ccs-gcp-customer-requirements.adoc

@@ -62,11 +62,11 @@ This policy only provides Red Hat with permissions and capabilities to change re
 
 * Volume snapshots will remain within the customer-provided GCP account and customer-specified region.
 
-* Red Hat must have ingress access to the API server through allowlist IP addresses.
+* To manage, monitor, and troubleshoot {product-title} clusters, Red Hat must have direct access to the cluster's API server. You must not restrict or otherwise prevent Red Hat's access to the {product-title} cluster's API server.
 +
 [NOTE]
 ====
-For information about allowlist IP addresses, see Additional resources.
+SRE uses various methods to access clusters, depending on network configuration. Access to private clusters is restricted to Red Hat trusted IP addresses only. These access restrictions are managed automatically by Red Hat.
 ====
 +
-* Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack.
+* {product-title} requires egress access to certain endpoints over the internet. Only clusters deployed with Private Service Connect can use a firewall to control egress traffic. For additional information, see the _GCP firewall prerequisites_ section.

modules/osd-aws-privatelink-firewall-prerequisites.adoc

@@ -95,7 +95,7 @@ endif::[]
 
 |`access.redhat.com`
 |443
-|Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`. 
+|Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
 
 |`registry.connect.redhat.com`
 |443

modules/osd-gcp-psc-firewall-prerequisites.adoc

@@ -0,0 +1,235 @@
+// Module included in the following assemblies:
+//
+// * osd_planning/gcp-ccs.adoc
+
+
+[id="osd-gcp-psc-firewall-prerequisites_{context}"]
+= GCP firewall prerequisites
+
+If you are using a firewall to control egress traffic from {product-title} on {GCP}, you must configure your firewall to grant access to certain domains and port combinations listed in the tables below. {product-title} requires this access to provide a fully managed OpenShift service.
+
+[IMPORTANT]
+====
+Only {product-title} on {GCP} clusters deployed with Private Service Connect can use a firewall to control egress traffic.
+====
+
+// .Prerequisites
+// Per SMEs, no prereqs. Will confirm with QE when ticket is reviewed.
+
+.Procedure
+
+. Add the following URLs that are used to install and download packages and tools to an allowlist:
++
+[cols="6,1,6",options="header"]
+|===
+|Domain | Port | Function
+|`registry.redhat.io`
+|443
+|Provides core container images.
+
+|`quay.io`
+|443
+|Provides core container images.
+
+|`cdn01.quay.io`
+
+ `cdn02.quay.io`
+
+ `cdn03.quay.io`
+
+ `cdn04.quay.io`
+
+ `cdn05.quay.io`
+
+ `cdn06.quay.io`
+
+|443
+|Provides core container images.
+
+|`sso.redhat.com`
+|443
+|Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
+
+|`quayio-production-s3.s3.amazonaws.com`
+|443
+|Provides core container images.
+
+|`pull.q1w2.quay.rhcloud.com`
+|443
+|Provides core container images.
+
+|`registry.access.redhat.com`
+|443
+|Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
+
+|`registry.connect.redhat.com`
+|443
+|Required for all third-party images and certified Operators.
+
+|`console.redhat.com`
+|443
+|Required. Allows interactions between the cluster and {cluster-manager-first} to enable functionality, such as scheduling upgrades.
+
+|`sso.redhat.com`
+|443
+|The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com`.
+
+|`catalog.redhat.com`
+|443
+|The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`.
+|===
++
+. Add the following telemetry URLs to an allowlist:
++
+[cols="6,1,6",options="header"]
+|===
+|Domain | Port | Function
+
+|`cert-api.access.redhat.com`
+|443
+|Required for telemetry.
+
+|`api.access.redhat.com`
+|443
+|Required for telemetry.
+
+|`infogw.api.openshift.com`
+|443
+|Required for telemetry.
+
+|`console.redhat.com`
+|443
+|Required for telemetry and Red{nbsp}Hat Insights.
+
+|`observatorium-mst.api.openshift.com`
+|443
+|Required for managed OpenShift-specific telemetry.
+
+|`observatorium.api.openshift.com`
+|443
+|Required for managed OpenShift-specific telemetry.
+|===
++
+
+[NOTE]
+====
+Managed clusters require the enabling of telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see _About remote health monitoring_ in the _Additional resources_ section.
+====
+
+. Add the following {product-title} URLs to an allowlist:
++
+[cols="6,1,6",options="header"]
+|===
+|Domain | Port | Function
+
+|`mirror.openshift.com`
+|443
+|Used to access mirrored installation content and images. This site is also a source of release image signatures.
+
+|`api.openshift.com`
+|443
+|Used to check if updates are available for the cluster.
+|===
+
+. Add the following site reliability engineering (SRE) and management URLs to an allowlist:
++
+[cols="6,1,6",options="header"]
+|===
+|Domain | Port | Function
+
+|`api.pagerduty.com`
+|443
+|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on.
+
+|`events.pagerduty.com`
+|443
+|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on.
+
+|`api.deadmanssnitch.com`
+|443
+|Alerting service used by {product-title} to send periodic pings that indicate whether the cluster is available and running.
+
+|`nosnch.in`
+|443
+|Alerting service used by {product-title} to send periodic pings that indicate whether the cluster is available and running.
+
+|`*.osdsecuritylogs.splunkcloud.com`
+
+OR
+
+`inputs1.osdsecuritylogs.splunkcloud.com`
+
+`inputs2.osdsecuritylogs.splunkcloud.com`
+
+`inputs4.osdsecuritylogs.splunkcloud.com`
+
+`inputs5.osdsecuritylogs.splunkcloud.com`
+
+`inputs6.osdsecuritylogs.splunkcloud.com`
+
+`inputs7.osdsecuritylogs.splunkcloud.com`
+
+`inputs8.osdsecuritylogs.splunkcloud.com`
+
+`inputs9.osdsecuritylogs.splunkcloud.com`
+
+`inputs10.osdsecuritylogs.splunkcloud.com`
+
+`inputs11.osdsecuritylogs.splunkcloud.com`
+
+`inputs12.osdsecuritylogs.splunkcloud.com`
+
+`inputs13.osdsecuritylogs.splunkcloud.com`
+
+`inputs14.osdsecuritylogs.splunkcloud.com`
+
+`inputs15.osdsecuritylogs.splunkcloud.com`
+|9997
+|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting.
+
+|`http-inputs-osdsecuritylogs.splunkcloud.com`
+|443
+|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting.
+
+|`sftp.access.redhat.com` (Recommended)
+|22
+|The SFTP server used by `must-gather-operator` to upload diagnostic logs to help troubleshoot issues with the cluster.
+|===
+
+. Add the following URLs for the {GCP} API endpoints to an allowlist:
++
+[cols="6,1,6",options="header"]
+|===
+|Domain | Port | Function
+
+| `accounts.google.com`
+| 443
+| Used to access your GCP account.
+
+|`*.googleapis.com`
+
+OR
+
+ `storage.googleapis.com`
+
+ `iam.googleapis.com`
+
+ `serviceusage.googleapis.com`
+
+ `cloudresourcemanager.googleapis.com`
+
+ `compute.googleapis.com`
+
+ `oauth2.googleapis.com`
+
+ `dns.googleapis.com`
+
+ `iamcredentials.googleapis.com`
+| 443
+| Used to access GCP services and resources. Review link:https://cloud.google.com/endpoints/docs[Cloud Endpoints] in the GCP documentation to determine the endpoints to allow for your APIs.
+|===
++
+[NOTE]
+====
+Required Google APIs can be exposed using the link:https://cloud.google.com/vpc-service-controls/docs/restricted-vip-services[Private Google Access restricted virtual IP (VIP)], with the exception of the Service Usage API (serviceusage.googleapis.com). To circumvent this, you must expose the Service Usage API using the link:https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options[Private Google Access private VIP].
+====

osd_planning/gcp-ccs.adoc

@@ -15,8 +15,9 @@ include::modules/ccs-gcp-customer-procedure.adoc[leveloffset=+1]
 include::modules/ccs-gcp-iam.adoc[leveloffset=+1]
 include::modules/ccs-gcp-provisioned.adoc[leveloffset=+1]
 include::modules/gcp-limits.adoc[leveloffset=+1]
+include::modules/osd-gcp-psc-firewall-prerequisites.adoc[leveloffset=+1]
 
 [id="additional-resources_{context}"]
 == Additional resources
 
-* xref:../security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc#rh-required-whitelisted-IP-addresses-for-sre-access[Required allowlist IP addresses for SRE access]
+*  xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring]