Red Hat OpenShift Container Platform Additional outbound URLs to allow at firewall and proxy level.

Solution Verified

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 3
    • 4

Issue

  • What URLs require access for a Red Hat OpenShift Container Platform cluster?
  • Which URLs must be permitted through the OCP HTTP proxy?
  • Are there additional domain considerations or subdomains necessary for access to Red Hat or third-party services (e.g., registries, specific pull images)?

Resolution

For Red Hat OpenShift Container Platform 4, refer to the Configuring your firewall section of the product documentation in addition to this article.

Red Hat OpenShift Container Platform depends on several registries, including the Red Hat registry, which provides the basic pod images, the registry image and the router image.

Below is the list of recommended URLs to allow on the firewall or proxy:

Registries:

     - registry.access.redhat.com (provides pod, registry, router, S2I, JBoss and other images)
     - registry.redhat.io
     - registry.connect.redhat.com (provides third-party images)
     - quay.io
     - *.quay.io
     - storage.googleapis.com/openshift-release
     - sso.redhat.com
     - docker.io (images not available in Red Hat's registries)
     - docker.com
     - hub.docker.com
     - index.docker.io

Note: It is possible to allow cdn0[1-3].quay.io (that is, cdn01.quay.io, cdn02.quay.io and cdn03.quay.io) instead of the *.quay.io wildcard.

Depending on the firewall, the following hosts may also need to be allowed so that image blobs can be downloaded:

     - oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com (CNAME)
     - s3-us-west-2-r-w.amazonaws.com
     - s3-us-east-1-r-w.amazonaws.com
     - *.us-east-1.amazonaws.com
     - *.akamaiedge.net
     - *.akamaitechnologies.com
     - *.cloudflare.net
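When image pulls fail behind a proxy, the quickest check is to compare the destinations in the proxy access log against the allowlist above. The script below is an added example, not part of the Red Hat article: it encodes a subset of the list in the article's own notation (exact hosts, `*.` wildcards, the `cdn0[1-3]` range shorthand and the path-scoped `storage.googleapis.com/openshift-release` entry), then reports which destinations in a set of constructed squid-style log lines are not covered. The blob-storage and CDN hosts from the "depending on the firewall" list are deliberately left out of the subset so the third log line shows up as uncovered.

```python
import re

# Subset of the article's allowlist, kept in the article's own notation; extend it
# with the remaining entries as needed. The S3 blob host is intentionally absent.
ALLOWLIST = [
    "registry.access.redhat.com", "registry.redhat.io", "registry.connect.redhat.com",
    "quay.io", "cdn0[1-3].quay.io", "storage.googleapis.com/openshift-release",
    "sso.redhat.com", "docker.io", "hub.docker.com", "index.docker.io",
    "*.akamaiedge.net", "*.akamaitechnologies.com", "*.cloudflare.net",
]

def expand_range(entry: str) -> list[str]:
    """Expand cdn0[1-3].quay.io into cdn01.quay.io, cdn02.quay.io, cdn03.quay.io."""
    m = re.match(r"^(.*)\[(\d)-(\d)\](.*)$", entry)
    if not m:
        return [entry]
    pre, lo, hi, post = m.groups()
    return [f"{pre}{n}{post}" for n in range(int(lo), int(hi) + 1)]

def entry_matches(entry: str, host: str, path: str = "/") -> bool:
    """'*.example' covers subdomains only, not the bare domain (hence quay.io and
    *.quay.io both appear in the list); an entry with a path covers only URLs under it."""
    ehost, _, epath = entry.partition("/")
    if epath and not path.startswith("/" + epath):
        return False
    if ehost.startswith("*."):
        return host.endswith(ehost[1:]) and host != ehost[2:]
    return host == ehost

def is_allowed(host: str, path: str = "/") -> bool:
    return any(entry_matches(e, host, path) for raw in ALLOWLIST for e in expand_range(raw))

# Constructed squid-style access log lines (field 7 is the URL, or host:port for CONNECT).
SAMPLE_LOG = [
    "1700000000.001 120 10.0.0.5 TCP_TUNNEL/200 4096 CONNECT registry.redhat.io:443 - HIER_DIRECT/1.2.3.4 -",
    "1700000000.002 130 10.0.0.5 TCP_TUNNEL/200 8192 CONNECT cdn02.quay.io:443 - HIER_DIRECT/1.2.3.4 -",
    "1700000000.003 5 10.0.0.5 TCP_DENIED/403 0 CONNECT oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com:443 - HIER_NONE/- -",
    "1700000000.004 90 10.0.0.6 TCP_MISS/200 512 GET http://storage.googleapis.com/openshift-release/release.txt - HIER_DIRECT/1.2.3.5 -",
    "1700000000.005 5 10.0.0.6 TCP_DENIED/403 0 GET http://storage.googleapis.com/other-bucket/x - HIER_NONE/- -",
]

def unlisted_destinations(log_lines: list[str]) -> list[str]:
    """Return the distinct destinations that fall outside ALLOWLIST, in log order."""
    seen: list[str] = []
    for line in log_lines:
        fields = line.split()
        m = re.match(r"^(?:https?://)?([^/:]+)(?::\d+)?(/.*)?$", fields[6]) if len(fields) > 6 else None
        if m and not is_allowed(m.group(1), m.group(2) or "/") and fields[6] not in seen:
            seen.append(fields[6])
    return seen
```

Running `unlisted_destinations(SAMPLE_LOG)` on the constructed lines flags the S3 blob host and the request outside the `openshift-release` path; every other destination is covered.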

The required outbound access also depends on the languages and frameworks used by the applications deployed on Red Hat OpenShift Container Platform.

Source code repositories (allow the ones that apply):

     - github.com
     - gitlab.com
     - Internal git repository hostnames

Language/framework related resources (allow the ones that apply):

     - *.maven.org
     - *.apache.org
     - *.npmjs.com
     - *.openshift.io
     - *.openshift.org
     - *.docker.io
     - *.docker.org
     - *.rubygems.org
     - *.cpan.org
     - *.githubusercontent.com
     - *.githubapp.com
     - *.cloudfront.net
     - *.fabric8.io
     - *.codehaus.org
     - *.sonatype.org
     - *.jboss.org
     - *.jenkins-ci.org
     - *.jenkins.io
     - *.bintray.com
     - *.spring.io
     - *.eclipse.org
     - *.fusesource.com
     - *.quay.io

For OpenShift 3, when registering RHEL hosts with subscription manager, the hosts need access to the subscription URLs [1] and to the Red Hat repositories atomic-openshift-* and docker-*. OpenShift can be installed without an Internet connection, but the pod, registry and router images must then be available in a custom registry or already present on the hosts.

[1] How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy
[2] Public CIDR Lists for Red Hat (IP Addresses for cdn.redhat.com)

Root Cause

Red Hat OpenShift Container Platform depends on the Red Hat registry, which provides the basic pod images, registry image and router image.

The required outbound access also depends on the languages and frameworks used by the applications deployed on Red Hat OpenShift Container Platform.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.