From 217ca2997408be888a2f8b7cfc28ae678a2b87d0 Mon Sep 17 00:00:00 2001 From: mletalie Date: Thu, 26 Sep 2024 14:01:49 -0400 Subject: [PATCH] firewall prereqs PSC --- _topic_maps/_topic_map_osd.yml | 4 +- modules/ccs-gcp-customer-requirements.adoc | 6 +- ...ws-privatelink-firewall-prerequisites.adoc | 2 +- .../osd-gcp-psc-firewall-prerequisites.adoc | 235 ++++++++++++++++++ osd_planning/gcp-ccs.adoc | 3 +- 5 files changed, 243 insertions(+), 7 deletions(-) create mode 100644 modules/osd-gcp-psc-firewall-prerequisites.adoc diff --git a/_topic_maps/_topic_map_osd.yml b/_topic_maps/_topic_map_osd.yml index 6c03e29a5a..0f73bc8e58 100644 --- a/_topic_maps/_topic_map_osd.yml +++ b/_topic_maps/_topic_map_osd.yml @@ -369,8 +369,8 @@ Distros: openshift-dedicated Topics: - Name: Viewing audit logs File: audit-log-view -- Name: Required allowlist IP addresses for SRE cluster access - File: rh-required-whitelisted-IP-addresses-for-sre-access +# - Name: Required allowlist IP addresses for SRE cluster access +# File: rh-required-whitelisted-IP-addresses-for-sre-access --- Name: Authentication and authorization Dir: authentication diff --git a/modules/ccs-gcp-customer-requirements.adoc b/modules/ccs-gcp-customer-requirements.adoc index 20294c472e..8ccb8ea125 100644 --- a/modules/ccs-gcp-customer-requirements.adoc +++ b/modules/ccs-gcp-customer-requirements.adoc @@ -62,11 +62,11 @@ This policy only provides Red Hat with permissions and capabilities to change re * Volume snapshots will remain within the customer-provided GCP account and customer-specified region. -* Red Hat must have ingress access to the API server through allowlist IP addresses. +* To manage, monitor, and troubleshoot {product-title} clusters, Red Hat must have direct access to the cluster's API server. You must not restrict or otherwise prevent Red Hat's access to the {product-title} cluster's API server. + [NOTE] ==== -For information about allowlist IP addresses, see Additional resources. +SRE uses various methods to access clusters, depending on network configuration. Access to private clusters is restricted to Red Hat trusted IP addresses only. These access restrictions are managed automatically by Red Hat. ==== + -* Red Hat must have egress allowed to forward system and audit logs to a Red Hat managed central logging stack. +* {product-title} requires egress access to certain endpoints over the internet. Only clusters deployed with Private Service Connect can use a firewall to control egress traffic. For additional information, see the _GCP firewall prerequisites_ section. \ No newline at end of file diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc index dba2e6fbc1..2784769c26 100644 --- a/modules/osd-aws-privatelink-firewall-prerequisites.adoc +++ b/modules/osd-aws-privatelink-firewall-prerequisites.adoc @@ -87,7 +87,7 @@ endif::[] |`access.redhat.com` |443 -|Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`. +|Required. Hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`. |`registry.connect.redhat.com` |443 diff --git a/modules/osd-gcp-psc-firewall-prerequisites.adoc b/modules/osd-gcp-psc-firewall-prerequisites.adoc new file mode 100644 index 0000000000..336041e257 --- /dev/null +++ b/modules/osd-gcp-psc-firewall-prerequisites.adoc @@ -0,0 +1,235 @@ +// Module included in the following assemblies: +// +// * osd_planning/gcp-ccs.adoc + + +[id="osd-gcp-psc-firewall-prerequisites_{context}"] += GCP firewall prerequisites + +If you are using a firewall to control egress traffic from {product-title} on {GCP}, you must configure your firewall to grant access to certain domains and port combinations listed in the tables below. {product-title} requires this access to provide a fully managed OpenShift service. + +[IMPORTANT] +==== +Only {product-title} on {GCP} clusters deployed with Private Service Connect can use a firewall to control egress traffic. +==== + +// .Prerequisites +// Per SMEs, no prereqs. Will confirm with QE when ticket is reviewed. + +.Procedure + +. Add the following URLs that are used to install and download packages and tools to an allowlist: ++ +[cols="6,1,6",options="header"] +|=== +|Domain | Port | Function +|`registry.redhat.io` +|443 +|Provides core container images. + +|`quay.io` +|443 +|Provides core container images. + +|`cdn01.quay.io` + + `cdn02.quay.io` + + `cdn03.quay.io` + + `cdn04.quay.io` + + `cdn05.quay.io` + + `cdn06.quay.io` + +|443 +|Provides core container images. + +|`sso.redhat.com` +|443 +|Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on. + +|`quayio-production-s3.s3.amazonaws.com` +|443 +|Provides core container images. + +|`pull.q1w2.quay.rhcloud.com` +|443 +|Provides core container images. + +|`registry.access.redhat.com` +|443 +|Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes. + +|`registry.connect.redhat.com` +|443 +|Required for all third-party images and certified Operators. + +|`console.redhat.com` +|443 +|Required. Allows interactions between the cluster and {cluster-manager-first} to enable functionality, such as scheduling upgrades. + +|`sso.redhat.com` +|443 +|The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com`. + +|`catalog.redhat.com` +|443 +|The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`. +|=== ++ +. Add the following telemetry URLs to an allowlist: ++ +[cols="6,1,6",options="header"] +|=== +|Domain | Port | Function + +|`cert-api.access.redhat.com` +|443 +|Required for telemetry. + +|`api.access.redhat.com` +|443 +|Required for telemetry. + +|`infogw.api.openshift.com` +|443 +|Required for telemetry. + +|`console.redhat.com` +|443 +|Required for telemetry and Red{nbsp}Hat Insights. + +|`observatorium-mst.api.openshift.com` +|443 +|Required for managed OpenShift-specific telemetry. + +|`observatorium.api.openshift.com` +|443 +|Required for managed OpenShift-specific telemetry. +|=== ++ + +[NOTE] +==== +Managed clusters require the enabling of telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see _About remote health monitoring_ in the _Additional resources_ section. +==== + +. Add the following {product-title} URLs to an allowlist: ++ +[cols="6,1,6",options="header"] +|=== +|Domain | Port | Function + +|`mirror.openshift.com` +|443 +|Used to access mirrored installation content and images. This site is also a source of release image signatures. + +|`api.openshift.com` +|443 +|Used to check if updates are available for the cluster. +|=== + +. Add the following site reliability engineering (SRE) and management URLs to an allowlist: ++ +[cols="6,1,6",options="header"] +|=== +|Domain | Port | Function + +|`api.pagerduty.com` +|443 +|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on. + +|`events.pagerduty.com` +|443 +|This alerting service is used by the in-cluster alertmanager to send alerts notifying Red{nbsp}Hat SRE of an event to take action on. + +|`api.deadmanssnitch.com` +|443 +|Alerting service used by {product-title} to send periodic pings that indicate whether the cluster is available and running. + +|`nosnch.in` +|443 +|Alerting service used by {product-title} to send periodic pings that indicate whether the cluster is available and running. + +|`*.osdsecuritylogs.splunkcloud.com` + +OR + +`inputs1.osdsecuritylogs.splunkcloud.com` + +`inputs2.osdsecuritylogs.splunkcloud.com` + +`inputs4.osdsecuritylogs.splunkcloud.com` + +`inputs5.osdsecuritylogs.splunkcloud.com` + +`inputs6.osdsecuritylogs.splunkcloud.com` + +`inputs7.osdsecuritylogs.splunkcloud.com` + +`inputs8.osdsecuritylogs.splunkcloud.com` + +`inputs9.osdsecuritylogs.splunkcloud.com` + +`inputs10.osdsecuritylogs.splunkcloud.com` + +`inputs11.osdsecuritylogs.splunkcloud.com` + +`inputs12.osdsecuritylogs.splunkcloud.com` + +`inputs13.osdsecuritylogs.splunkcloud.com` + +`inputs14.osdsecuritylogs.splunkcloud.com` + +`inputs15.osdsecuritylogs.splunkcloud.com` +|9997 +|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting. + +|`http-inputs-osdsecuritylogs.splunkcloud.com` +|443 +|Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red{nbsp}Hat SRE for log-based alerting. + +|`sftp.access.redhat.com` (Recommended) +|22 +|The SFTP server used by `must-gather-operator` to upload diagnostic logs to help troubleshoot issues with the cluster. +|=== + +. Add the following URLs for the {GCP} API endpoints to an allowlist: ++ +[cols="6,1,6",options="header"] +|=== +|Domain | Port | Function + +| `accounts.google.com` +| 443 +| Used to access your GCP account. + +|`*.googleapis.com` + +OR + + `storage.googleapis.com` + + `iam.googleapis.com` + + `serviceusage.googleapis.com` + + `cloudresourcemanager.googleapis.com` + + `compute.googleapis.com` + + `oauth2.googleapis.com` + + `dns.googleapis.com` + + `iamcredentials.googleapis.com` +| 443 +| Used to access GCP services and resources. Review link:https://cloud.google.com/endpoints/docs[Cloud Endpoints] in the GCP documentation to determine the endpoints to allow for your APIs. +|=== ++ +[NOTE] +==== +Required Google APIs can be exposed using the link:https://cloud.google.com/vpc-service-controls/docs/restricted-vip-services[Private Google Access restricted virtual IP (VIP)], with the exception of the Service Usage API (serviceusage.googleapis.com). To circumvent this, you must expose the Service Usage API using the link:https://cloud.google.com/vpc/docs/configure-private-google-access#domain-options[Private Google Access private VIP]. +==== \ No newline at end of file diff --git a/osd_planning/gcp-ccs.adoc b/osd_planning/gcp-ccs.adoc index e8105feab4..607d0e371b 100644 --- a/osd_planning/gcp-ccs.adoc +++ b/osd_planning/gcp-ccs.adoc @@ -15,8 +15,9 @@ include::modules/ccs-gcp-customer-procedure.adoc[leveloffset=+1] include::modules/ccs-gcp-iam.adoc[leveloffset=+1] include::modules/ccs-gcp-provisioned.adoc[leveloffset=+1] include::modules/gcp-limits.adoc[leveloffset=+1] +include::modules/osd-gcp-psc-firewall-prerequisites.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* xref:../security/rh-required-whitelisted-IP-addresses-for-sre-access.adoc#rh-required-whitelisted-IP-addresses-for-sre-access[Required allowlist IP addresses for SRE access] \ No newline at end of file +* xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] \ No newline at end of file