OpenShift Outbound URLs to Allow

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 3
    • 4

Issue

  • To what URLs does an OpenShift cluster need to access?
  • Which URLs need to be allowed on the OCP HTTP proxy?

Resolution

For OpenShift 4, review Configuring your firewall section in addition to this article.

The outbound depends on the language and frameworks used in OpenShift.

OpenShift depends on the Red Hat registry, which provides the basic pod images, registry image and router image.

Below is the list of the recommended URLs to be allowed on firewall or proxy:

Registries:

     - registry.access.redhat.com (provides pod, registry, router, s2i, jboss and etc images)
     - registry.redhat.io 
     - registry.connect.redhat.com (provides third-party images)
     - quay.io
     - *.quay.io
     - storage.googleapis.com/openshift-release
     - sso.redhat.com
     - docker.io (images not in Red Hat's registry)
     - docker.com
     - hub.docker.com
     - index.docker.io

Depending on your firewall you may need to add this to be able to download image blobs:

     - oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com (CNAME)
     - s3-us-west-2-r-w.amazonaws.com
     - s3-us-east-1-r-w.amazonaws.com

Source code repositories (allow the ones that apply):

     - github.com
     - gitlab.com
     - Internal git repository hostnames

Language/framework related resources (allow the ones that apply)

*.maven.org
*.apache.org
*.npmjs.com
*.openshift.io
*.openshift.org
*.docker.io
*.docker.org
*.rubygems.org
*.cpan.org
*.githubusercontent.com
*.githubapp.com
*.cloudfront.net
*.fabric8.io
*.codehaus.org
*.sonatype.org
*.jboss.org
*.jenkins-ci.org
*.jenkins.io
*.bintray.com
*.spring.io
*.eclipse.org
*.fusesource.com
*.eclipse.org
*.quay.io

When registering RHEL hosts with subscription manager, it needs to access the subscription url [1] and has to have access the redhat repos atomic-openshift-* and docker-*. The OpenShift could be installed without connection to internet, but pod, registry and router images must be available in custom registry or available on hosts.

[1] https://access.redhat.com/solutions/65300
[2] https://access.redhat.com/articles/1525183

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

12 Comments

Log in to comment
SW Red Hat Newbie 15 points
6 June 2019 6:07 PM

Not mentioned in the solution above: outbound connections are tcp/443 (aka HTTPS).

PC Red Hat Community Member 78 points
14 June 2019 9:39 PM

how come these are not on the list? cloud.redhat.com:443 cert-api.cloud.redhat.com:443 api.cloud.redhat.com:443 Infogw.api.openshift.com:443

PC Red Hat Community Member 78 points
20 June 2019 8:43 PM

confirmed that cert-api.cloud.redhat.com:443 api.cloud.redhat.com:443 are not needed. It was a documentation error.

AG Newbie 12 points
1 August 2019 11:46 AM

So is there any documentation/reference that can be used that lists required URLs to be opened for standing up OCP 4.1? I do appreciate above is list of recommended URLs, but for strict/security driven environments we need to justify every single one of them. We've opened up the ones from official documentation, which as per your comment appears to be documentation error? These were also not sufficient as installer require *.cloudfront.net and it failed on that. So really looking for minimum list required to stand up vanilla cluster - we can expand url's further based on development teams requirement.

PC Red Hat Community Member 78 points
20 June 2019 8:42 PM

IHAC asks why do we need *.cloudfront.net? Anyone knows?

SR Newbie 5 points
31 July 2019 8:04 PM

That's the first one we hit which wasn't in the docs. When the bootstrap node tries to download ocp-release from quay.io on the first boot, it accessed xxx.cloudfront.net when "parsing image configuration".

Walid Shaari's picture Guru 1357 points
27 September 2021 5:16 AM

its a cdn for image blobs

Walid Shaari's picture Guru 1357 points
11 October 2021 9:05 AM

Also, when you are installing operators, they might need extra URLs, for example just found out that NVidia operator requires nvidia.cn

Richard Vanderpool's picture Red Hat Active Contributor 157 points
2 July 2019 1:55 PM

It looks like mirror.openshift.com and storage.googleapis.com are required for the CVO to perform updates

Walid Shaari's picture Guru 1357 points
2 July 2020 8:03 AM

also akamaiedge.net is needed, can you please update, any redirection or CDN that is needed should be also in the list.

Also, which nodes on openshift would require such access? can we limit it only to master nodes if possible, or bastion host? we do not want to open access for all

TM Community Member 35 points
14 May 2021 8:27 PM

Hi Remember, that if you use proxy for install and update, manage etc you Openshift cluster, you should set on proxy bypassing SSL decryption for most of this URLs

HD Community Member 33 points
7 October 2021 8:20 PM

https://api.openshift.com is needed when run oc adm upgrade.