openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-06 06:46:26 +01:00
Code Issues Releases Activity
Files
eb21424e97d48118fd1ff8c8b4dff94de2dd3b1c
openshift-docs/modules/configuring-firewall.adoc

122 lines
4.2 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/install_config/configuring-firewall.adoc
[id="configuring-firewall_{context}"]
= Configuring your firewall for {product-title}
Before you install {product-title}, you must configure your firewall to grant access to the sites that {product-title} requires.
There are no special configuration considerations for services running on only controller nodes versus worker nodes.
.Procedure
. Allowlist the following registry URLs:
+
[cols="3,4",options="header"]
|===
|URL | Function
|`registry.redhat.io`
|Provides core container images
|`quay.io`
|Provides core container images
|`sso.redhat.com`
|The `https://cloud.redhat.com/openshift` site uses authentication from `sso.redhat.com`
|`openshift.org`
|Provides {op-system-first} images
|===
. Allowlist any site that provides resources for a language or framework that your builds require.
. If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
+
[cols="3,4",options="header"]
|===
|URL | Function
|`cert-api.access.redhat.com`
|Required for Telemetry
|`api.access.redhat.com`
|Required for Telemetry
|`infogw.api.openshift.com`
|Required for Telemetry
|`https://cloud.redhat.com/api/ingress`
|Required for Telemetry and for `insights-operator`
|===
. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
+
[cols="2a,8a,8a",options="header"]
|===
|Cloud |URL |Function
.2+|AWS
|`*.amazonaws.com`
|Required to access AWS services and resources. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
|`oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com`
|Required to access AWS services and resources when using strict security requirements. Review the link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS Service Endpoints] in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
.2+|GCP
|`*.googleapis.com`
|Required to access GCP services and resources. Review link:https://cloud.google.com/endpoints/[Cloud Endpoints] in the GCP documentation to determine the endpoints to allow for your APIs.
|`accounts.google.com`
| Required to access your GCP account.
|Azure
|`management.azure.com`
|Required to access Azure services and resources. Review the link:https://docs.microsoft.com/en-us/rest/api/azure/[Azure REST API Reference] in the Azure documentation to determine the endpoints to allow for your APIs.
|===
. Allowlist the following URLs:
+
[cols="3,4",options="header"]
|===
|URL | Function
|`mirror.openshift.com`
|Required to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
|`storage.googleapis.com/openshift-release`
|A source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
|`*.apps.<cluster_name>.<base_domain>`
|Required to access the default cluster routes unless you set an ingress wildcard during installation.
|`quay-registry.s3.amazonaws.com`
|Required to access Quay image content in AWS.
|`api.openshift.com`
|Required to check if updates are available for the cluster.
|`art-rhcos-ci.s3.amazonaws.com`
|Required to download {op-system-first} images.
|`api.openshift.com`
|Required for your cluster token.
|`cloud.redhat.com/openshift`
|Required for your cluster token.
|`registry.access.redhat.com`
|Required for `odo` CLI .
|===
+
Operators require route access to perform health checks. Specifically, the
authentication and web console Operators connect to two routes to verify that
the routes work. If you are the cluster administrator and do not want to allow
`*.apps.<cluster_name>.<base_domain>`, then allow these routes:
+
* `oauth-openshift.apps.<cluster_name>.<base_domain>`
* `console-openshift-console.apps.<cluster_name>.<base_domain>`, or the host name
that is specified in the `spec.route.hostname` field of the
`consoles.operator/cluster` object if the field is not empty.
View Git Blame Copy Permalink