openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
d009f78440d123ace84aa778fae4059b69ce4786
openshift-docs/modules/configuring-firewall.adoc

347 lines
11 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/install_config/configuring-firewall.adoc
// * installing/installing-oci-agent-based-installer.adoc
ifeval::["{context}" == "installing-oci-agent-based-installer"]
:oci-agent:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="configuring-firewall_{context}"]
= Configuring your firewall for {product-title}
Before you install {product-title}, you must configure your firewall to grant access to the sites that {product-title} requires. When using a firewall, make additional configurations to the firewall so that {product-title} can access the sites that it requires to function.
ifndef::oci-agent[]
There are no special configuration considerations for services running on only controller nodes compared to worker nodes.
endif::oci-agent[]
ifdef::oci-agent[]
For a disconnected environment, you must mirror content from both Red{nbsp}Hat and Oracle. This environment requires that you create firewall rules to expose your firewall to specific ports and registries.
endif::oci-agent[]
[NOTE]
====
If your environment has a dedicated load balancer in front of your {product-title} cluster, review the allowlists between your firewall and load balancer to prevent unwanted network restrictions to your cluster.
====
.Procedure
. Set the following registry URLs for your firewall's allowlist:
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`registry.redhat.io`
|443
|Provides core container images
|`access.redhat.com`
|443
|Hosts a signature store that a container client requires for verifying images pulled from `registry.access.redhat.com`. In a firewall environment, ensure that this resource is on the allowlist.
|`registry.access.redhat.com`
|443
|Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images.
|`quay.io`
|443
|Provides core container images
|`cdn.quay.io`
|443
|Provides core container images
|`cdn01.quay.io`
|443
|Provides core container images
|`cdn02.quay.io`
|443
|Provides core container images
|`cdn03.quay.io`
|443
|Provides core container images
|`cdn04.quay.io`
|443
|Provides core container images
|`cdn05.quay.io`
|443
|Provides core container images
|`cdn06.quay.io`
|443
|Provides core container images
|`sso.redhat.com`
|443
|The `https://console.redhat.com` site uses authentication from `sso.redhat.com`
|`icr.io`
|443
|Provides IBM Cloud Pak container images. This domain is only required if you use IBM Cloud Paks.
|`cp.icr.io`
|443
|Provides IBM Cloud Pak container images. This domain is only required if you use IBM Cloud Paks.
|===
+
* You can use the wildcard `*.quay.io` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist.
* You can use the wildcard `*.access.redhat.com` to simplify the configuration and ensure that all subdomains, including `registry.access.redhat.com`, are allowed.
* When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`.
. Set your firewall's allowlist to include any site that provides resources for a language or framework that your builds require.
. If you do not disable Telemetry, you must grant access to the following URLs to access {red-hat-lightspeed}:
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`cert-api.access.redhat.com`
|443
|Required for Telemetry
|`api.access.redhat.com`
|443
|Required for Telemetry
|`infogw.api.openshift.com`
|443
|Required for Telemetry
|`console.redhat.com`
|443
|Required for Telemetry and for `insights-operator`
|===
ifdef::oci-agent[]
. Set your firewall's allowlist to include the following registry URLs:
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`api.openshift.com`
|443
|Required both for your cluster token and to check if updates are available for the cluster.
|`rhcos.mirror.openshift.com`
|443
|Required to download {op-system-first} images.
|===
. Set your firewall's allowlist to include the following external URLs. Each repository URL hosts {oci} containers. Consider mirroring images to as few repositories as possible to reduce any performance issues.
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`k8s.gcr.io`
|port
|A Kubernetes registry that hosts container images for a community-based image registry. This image registry is hosted on a custom Google Container Registry (GCR) domain.
|`ghcr.io`
|port
|A GitHub image registry where you can store and manage Open Container Initiative images. Requires an access token to publish, install, and delete private, internal, and public packages.
|`storage.googleapis.com`
|443
|A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
|`registry.k8s.io`
|port
|Replaces the `k8s.gcr.io` image registry because the `k8s.gcr.io` image registry does not support other platforms and vendors.
|===
endif::oci-agent[]
ifndef::oci-agent[]
. If you use {alibaba}, {aws-first}, {azure-first}, or {gcp-first} to host your cluster, you must grant access to the URLs that offer the cloud provider API and DNS for that cloud:
+
[cols="2a,8a,2a,8a",options="header"]
|===
|Cloud |URL | Port |Function
|Alibaba
|`*.aliyuncs.com`
|443
|Required to access Alibaba Cloud services and resources. Review the link:https://github.com/aliyun/alibaba-cloud-sdk-go/blob/master/sdk/endpoints/endpoints_config.go?spm=a2c4g.11186623.0.0.47875873ciGnC8&file=endpoints_config.go[Alibaba endpoints_config.go file] to find the exact endpoints to allow for the regions that you use.
.17+|AWS
|`aws.amazon.com`
|443
|Used to install and manage clusters in an AWS environment.
|`*.amazonaws.com`
Alternatively, if you choose to not use a wildcard for AWS APIs, you must include the following URLs in your allowlist:
|443
|Required to access AWS services and resources. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to find the exact endpoints to allow for the regions that you use.
|`ec2.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`events.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`iam.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`route53.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`*.s3.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`*.s3.<aws_region>.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`*.s3.dualstack.<aws_region>.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`sts.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`sts.<aws_region>.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`tagging.us-east-1.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment. This endpoint is always `us-east-1`, regardless of the region the cluster is deployed in.
|`ec2.<aws_region>.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`elasticloadbalancing.<aws_region>.amazonaws.com`
|443
|Used to install and manage clusters in an AWS environment.
|`servicequotas.<aws_region>.amazonaws.com`
|443
|Required. Used to confirm quotas for deploying the service.
|`tagging.<aws_region>.amazonaws.com`
|443
|Allows the assignment of metadata about AWS resources in the form of tags.
|`*.cloudfront.net`
|443
|Used to provide access to CloudFront. If you use the AWS Security Token Service (STS) and the private S3 bucket, you must provide access to CloudFront.
.2+|GCP
|`*.googleapis.com`
|443
|Required to access {gcp-short} services and resources. Review link:https://cloud.google.com/endpoints/[Cloud Endpoints] in the {gcp-short} documentation to find the endpoints to allow for your APIs.
|`accounts.google.com`
|443
| Required to access your {gcp-short} account.
.3+|Microsoft Azure
|`management.azure.com`
|443
|Required to access Microsoft Azure services and resources. Review the link:https://docs.microsoft.com/en-us/rest/api/azure/[Microsoft Azure REST API reference] in the Microsoft Azure documentation to find the endpoints to allow for your APIs.
|`*.blob.core.windows.net`
|443
|Required to download Ignition files.
|`login.microsoftonline.com`
|443
|Required to access Microsoft Azure services and resources. Review the link:https://docs.microsoft.com/en-us/rest/api/azure/[Azure REST API reference] in the Microsoft Azure documentation to find the endpoints to allow for your APIs.
|===
. Allowlist the following URLs:
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`*.apps.<cluster_name>.<base_domain>`
|443
|Required to access the default cluster routes unless you set an ingress wildcard during installation.
|`api.openshift.com`
|443
|Required both for your cluster token and to check if updates are available for the cluster.
|`console.redhat.com`
|443
|Required for your cluster token.
|`mirror.openshift.com`
|443
|Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
|`quayio-production-s3.s3.amazonaws.com`
|443
|Required to access Quay image content in AWS.
// |`registry.access.redhat.com`
// |443
// |Required for `odo` CLI.
|`rhcos.mirror.openshift.com`
|443
|Required to download {op-system-first} images.
|`sso.redhat.com`
|443
|The `https://console.redhat.com` site uses authentication from `sso.redhat.com`
|`storage.googleapis.com/openshift-release`
|443
|A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
|===
+
Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow `*.apps.<cluster_name>.<base_domain>`, then allow these routes:
+
* `oauth-openshift.apps.<cluster_name>.<base_domain>`
* `canary-openshift-ingress-canary.apps.<cluster_name>.<base_domain>`
* `console-openshift-console.apps.<cluster_name>.<base_domain>`, or the hostname
that is specified in the `spec.route.hostname` field of the
`consoles.operator/cluster` object if the field is not empty.
. Allowlist the following URL for optional third-party content:
+
[cols="3,2,4",options="header"]
|===
|URL | Port | Function
|`registry.connect.redhat.com`
|443
|Required for all third-party images and certified operators.
|===
+
. If you use a default Red Hat Network Time Protocol (NTP) server allow the following URLs:
* `1.rhel.pool.ntp.org`
* `2.rhel.pool.ntp.org`
* `3.rhel.pool.ntp.org`
[NOTE]
====
If you do not use a default Red Hat NTP server, verify the NTP server for your platform and allow it in your firewall.
====
endif::oci-agent[]
ifeval::["{context}" == "installing-oci-agent-based-installer"]
:!oci-agent:
endif::[]
View Git Blame Copy Permalink