OpenShift Outbound URLs to Allow

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 3
    • 4

Issue

  • To what URLs does an OpenShift cluster need to access?
  • Which URLs need to be allowed on the OCP HTTP proxy?

Resolution

For OpenShift 4, refer to Configuring your firewall section in addition to this article.

OpenShift depends on several registries, including the Red Hat registry, which provides the basic pod images, registry image and router image.

Below is the list of the recommended URLs to be allowed on firewall or proxy:

Registries:

     - registry.access.redhat.com (provides pod, registry, router, s2i, jboss and etc images)
     - registry.redhat.io 
     - registry.connect.redhat.com (provides third-party images)
     - quay.io
     - *.quay.io
     - storage.googleapis.com/openshift-release
     - sso.redhat.com
     - docker.io (images not in Red Hat's registry)
     - docker.com
     - hub.docker.com
     - index.docker.io

Note: It is possible to use cdn0[1-3].quay.io instead of *.quay.io

Depending on the firewall it could be needed to add the following ones to be able to download image blobs:

     - oso-rhc4tp-docker-registry.s3-us-west-2.amazonaws.com (CNAME)
     - s3-us-west-2-r-w.amazonaws.com
     - s3-us-east-1-r-w.amazonaws.com

The outbound depends also on the languages and frameworks used for the applications deployed in OpenShift.

Source code repositories (allow the ones that apply):

     - github.com
     - gitlab.com
     - Internal git repository hostnames

Language/framework related resources (allow the ones that apply)

*.maven.org
*.apache.org
*.npmjs.com
*.openshift.io
*.openshift.org
*.docker.io
*.docker.org
*.rubygems.org
*.cpan.org
*.githubusercontent.com
*.githubapp.com
*.cloudfront.net
*.fabric8.io
*.codehaus.org
*.sonatype.org
*.jboss.org
*.jenkins-ci.org
*.jenkins.io
*.bintray.com
*.spring.io
*.eclipse.org
*.fusesource.com
*.eclipse.org
*.quay.io

For OpenShift 3, when registering RHEL hosts with subscription manager, it needs to access the subscription url [1] and has to have access the Red Hat repos atomic-openshift-* and docker-*. OpenShift could be installed without connection to internet, but pod, registry and router images must be available in custom registry or available on hosts.

[1] How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy
[2] Public CIDR Lists for Red Hat (IP Addresses for cdn.redhat.com)

Root Cause

OpenShift depends on the Red Hat registry, which provides the basic pod images, registry image and router image.

The outbound depends also on the languages and frameworks used for the applications deployed in OpenShift.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments