Commit 29458cf

Merge pull request #69720 from rohennes/TELCODOCS-1670
TELCODOCS-1670: Network matrix flow
2 parents 5e5e486 + cc9257f commit 29458cf

3 files changed

+101
-1
lines changed


installing/install_config/configuring-firewall.adoc

Lines changed: 3 additions & 1 deletion
@@ -14,4 +14,6 @@ include::modules/configuring-firewall.adoc[leveloffset=+1]
1414
[role="_additional-resources"]
1515
.Additional resources
1616

17-
* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-auth-flow-aws-oidc_cco-short-term-creds[OpenID Connect requirements for AWS STS]
17+
* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds-auth-flow-aws-oidc_cco-short-term-creds[OpenID Connect requirements for AWS STS]
18+
19+
include::modules/network-flow-matrix.adoc[leveloffset=+1]
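Review bot: the new `include::modules/network-flow-matrix.adoc[leveloffset=+1]` is placed after the `[role="_additional-resources"]` block, so the matrix renders below the Additional resources list, which by convention closes an assembly; move the include above `[role="_additional-resources"]` so the reference module sits with the body content and the resources list stays last.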

modules/network-flow-matrix.adoc

Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * installing/install_config/configuring-firewall.adoc
4+
5+
:_mod-docs-content-type: REFERENCE
6+
[id="network-flow-matrix_{context}"]
7+
= {product-title} network flow matrix
8+
9+
The network flow matrix describes the ingress flows to {product-title} services.
10+
The network information in the matrix is accurate for both bare-metal and cloud environments.
11+
Use the information in the network flow matrix to help you manage ingress traffic.
12+
You can restrict ingress traffic to essential flows to improve network security.
13+
14+
To view or download the raw CSV content, see link:https://raw.githubusercontent.com/openshift/openshift-docs/main/snippets/network-flow-matrix.csv[this resource].
15+
16+
Additionally, consider the following dynamic port ranges when managing ingress traffic:
17+
18+
* `9000-9999`: Host level services
19+
* `3000-32767`: Kubernetes node ports
20+
* `49152-65535`: Dynamic or private ports
21+
22+
[NOTE]
23+
====
24+
The network flow matrix describes ingress traffic flows for a base {product-title} installation. It does not describe network flows for additional components, such as optional Operators available from the Red Hat Marketplace. The matrix does not apply for Hosted-Control-Plane, MicroShift, or standalone clusters.
25+
====
26+
27+
.Network flow matrix
28+
[%header,format=csv]
29+
|===
30+
include::snippets/network-flow-matrix.csv[]
31+
|===
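Review bot: the dynamic port range `3000-32767: Kubernetes node ports` looks like a typo for `30000-32767`, the default Kubernetes NodePort range; as written it tells readers to treat ports 3000-29999 as node ports, which also overlaps the `9000-9999` host-level range listed just above it. Two smaller points: "The matrix does not apply for Hosted-Control-Plane, MicroShift, or standalone clusters" should read "does not apply to", and the raw CSV link points at the `main` branch, so the downloaded file can drift from the table rendered in a given release's docs; consider saying so or linking a versioned branch.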

snippets/network-flow-matrix.csv

Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
Direction,Protocol,Port,Namespace,Service,Pod,Container,Node Role,Optional
2+
Ingress,TCP,22,Host system service,sshd,,,master,TRUE
3+
Ingress,TCP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
4+
Ingress,TCP,111,Host system service,rpcbind,,,master,TRUE
5+
Ingress,TCP,2379,openshift-etcd,etcd,etcd,etcdctl,master,FALSE
6+
Ingress,TCP,2380,openshift-etcd,healthz,etcd,etcd,master,FALSE
7+
Ingress,TCP,5050,openshift-machine-api,,ironic-proxy,ironic-proxy,master,FALSE
8+
Ingress,TCP,6080,openshift-kube-apiserver,,kube-apiserver,kube-apiserver-insecure-readyz,master,FALSE
9+
Ingress,TCP,6385,openshift-machine-api,,ironic-proxy,ironic-proxy,master,FALSE
10+
Ingress,TCP,6443,openshift-kube-apiserver,apiserver,kube-apiserver,kube-apiserver,master,FALSE
11+
Ingress,TCP,8080,openshift-network-operator ,,network-operator,network-operator,master,FALSE
12+
Ingress,TCP,8798,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,machine-config-daemon,master,FALSE
13+
Ingress,TCP,9001,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,kube-rbac-proxy,master,FALSE
14+
Ingress,TCP,9099,openshift-cluster-version,cluster-version-operator,cluster-version-operator,cluster-version-operator,master,FALSE
15+
Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,master,FALSE
16+
Ingress,TCP,9103,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-node,master,FALSE
17+
Ingress,TCP,9104,openshift-network-operator,metrics,network-operator,network-operator,master,FALSE
18+
Ingress,TCP,9105,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-ovn-metrics,master,FALSE
19+
Ingress,TCP,9107,openshift-ovn-kubernetes,egressip-node-healthcheck,ovnkube-node,ovnkube-controller,master,FALSE
20+
Ingress,TCP,9108,openshift-ovn-kubernetes,ovn-kubernetes-control-plane,ovnkube-control-plane,kube-rbac-proxy,master,FALSE
21+
Ingress,TCP,9192,openshift-cluster-machine-approver,machine-approver,machine-approver,kube-rbac-proxy,master,FALSE
22+
Ingress,TCP,9258,openshift-cloud-controller-manager-operator,machine-approver,cluster-cloud-controller-manager,cluster-cloud-controller-manager,master,FALSE
23+
Ingress,TCP,9444,openshift-kni-infra,,haproxy,haproxy,master,FALSE
24+
Ingress,TCP,9445,openshift-kni-infra,,haproxy,haproxy,master,FALSE
25+
Ingress,TCP,9447,openshift-machine-api,,metal3-baremetal-operator,,master,FALSE
26+
Ingress,TCP,9537,Host system service,crio-metrics,,,master,FALSE
27+
Ingress,TCP,9637,openshift-machine-config-operator,kube-rbac-proxy-crio,kube-rbac-proxy-crio,kube-rbac-proxy-crio,master,FALSE
28+
Ingress,TCP,9978,openshift-etcd,etcd,etcd,etcd-metrics,master,FALSE
29+
Ingress,TCP,9979,openshift-etcd,etcd,etcd,etcd-metrics,master,FALSE
30+
Ingress,TCP,9980,openshift-etcd,etcd,etcd,etcd,master,FALSE
31+
Ingress,TCP,10250,Host system service,kubelet,,,master,FALSE
32+
Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,master,FALSE
33+
Ingress,TCP,10257,openshift-kube-controller-manager,kube-controller-manager,kube-controller-manager,kube-controller-manager,master,FALSE
34+
Ingress,TCP,10258,openshift-cloud-controller-manager-operator,cloud-controller,cloud-controller-manager,cloud-controller-manager,master,FALSE
35+
Ingress,TCP,10259,openshift-kube-scheduler,scheduler,openshift-kube-scheduler,kube-scheduler,master,FALSE
36+
Ingress,TCP,10260,openshift-cloud-controller-manager-operator,cloud-controller,cloud-controller-manager,cloud-controller-manager,master,FALSE
37+
Ingress,TCP,10300,openshift-cluster-csi-drivers,csi-livenessprobe,csi-driver-node,csi-driver,master,FALSE
38+
Ingress,TCP,10309,openshift-cluster-csi-drivers,csi-node-driver,csi-driver-node,csi-node-driver-registrar,master,FALSE
39+
Ingress,TCP,10357,openshift-kube-apiserver,openshift-kube-apiserver-healthz,kube-apiserver,kube-apiserver-check-endpoints,master,FALSE
40+
Ingress,TCP,17697,openshift-kube-apiserver,openshift-kube-apiserver-healthz,kube-apiserver,kube-apiserver-check-endpoints,master,FALSE
41+
Ingress,TCP,18080,openshift-kni-infra,,coredns,coredns,master,FALSE
42+
Ingress,TCP,22623,openshift-machine-config-operator,machine-config-server,machine-config-server,machine-config-server,master,FALSE
43+
Ingress,TCP,22624,openshift-machine-config-operator,machine-config-server,machine-config-server,machine-config-server,master,FALSE
44+
Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,master,FALSE
45+
Ingress,UDP,111,Host system service,rpcbind,,,master,TRUE
46+
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,master,FALSE
47+
Ingress,TCP,22,Host system service,sshd,,,worker,TRUE
48+
Ingress,TCP,53,openshift-dns,dns-default,dnf-default,dns,worker,FALSE
49+
Ingress,TCP,80,openshift-ingress,router-default,router-default,router,worker,FALSE
50+
Ingress,TCP,111,Host system service,rpcbind,,,worker,TRUE
51+
Ingress,TCP,443,openshift-ingress,router-default,router-default,router,worker,FALSE
52+
Ingress,TCP,8798,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,machine-config-daemon,worker,FALSE
53+
Ingress,TCP,9001,openshift-machine-config-operator,machine-config-daemon,machine-config-daemon,kube-rbac-proxy,worker,FALSE
54+
Ingress,TCP,9100,openshift-monitoring,node-exporter,node-exporter,kube-rbac-proxy,worker,FALSE
55+
Ingress,TCP,9103,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-node,worker,FALSE
56+
Ingress,TCP,9105,openshift-ovn-kubernetes,ovn-kubernetes-node,ovnkube-node,kube-rbac-proxy-ovn-metrics,worker,FALSE
57+
Ingress,TCP,9107,openshift-ovn-kubernetes,egressip-node-healthcheck,ovnkube-node,ovnkube-controller,worker,FALSE
58+
Ingress,TCP,9537,Host system service,crio-metrics,,,worker,FALSE
59+
Ingress,TCP,9637,openshift-machine-config-operator,kube-rbac-proxy-crio,kube-rbac-proxy-crio,kube-rbac-proxy-crio,worker,FALSE
60+
Ingress,TCP,10250,Host system service,kubelet,,,worker,FALSE
61+
Ingress,TCP,10256,openshift-ovn-kubernetes,ovnkube,ovnkube,ovnkube-controller,worker,TRUE
62+
Ingress,TCP,10300,openshift-cluster-csi-drivers,csi-livenessprobe,csi-driver-node,csi-driver,worker,FALSE
63+
Ingress,TCP,10309,openshift-cluster-csi-drivers,csi-node-driver-registrar,csi-driver-node,csi-node-driver-registrar,worker,FALSE
64+
Ingress,TCP,18080,openshift-kni-infra,,coredns,coredns,worker,FALSE
65+
Ingress,UDP,53,openshift-dns,dns-default,dnf-default,dns,worker,FALSE
66+
Ingress,UDP,111,Host system service,rpcbind,,,worker,TRUE
67+
Ingress,UDP,6081,openshift-ovn-kubernetes,ovn-kubernetes geneve,,,worker,FALSE
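Review bot: the `Pod` column reads `dnf-default` in all four DNS rows (TCP and UDP port 53, master and worker) while the `Service` column on the same rows is `dns-default`; this looks like a typo for the `dns-default` pod name and should be fixed before the table ships as a firewall reference. Also: the port 8080 row has a trailing space in `openshift-network-operator ` that will come through as whitespace in the rendered cell; the port 9258 row lists service `machine-approver` under namespace `openshift-cloud-controller-manager-operator` with pod `cluster-cloud-controller-manager`, which looks copied from the 9192 row above it; and port 10256 is marked Optional `FALSE` for master but `TRUE` for worker even though the same `ovnkube-controller` container serves both, which is worth confirming.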
