modules/osd-aws-privatelink-firewall-prerequisites.adoc
18 additions & 56 deletions
@@ -65,6 +65,18 @@ endif::[]
65
65
|443
66
66
|Provides core container images.
67
67
68
+
|`cdn04.quay.io`
69
+
|443
70
+
|Provides core container images.
71
+
72
+
|`cdn05.quay.io`
73
+
|443
74
+
|Provides core container images.
75
+
76
+
|`cdn06.quay.io`
77
+
|443
78
+
|Provides core container images.
79
+
68
80
|`sso.redhat.com`
69
81
|443
70
82
|Required. The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com` to download the pull secret and use Red{nbsp}Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
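Review bot: The three added rows for `cdn04.quay.io`, `cdn05.quay.io` and `cdn06.quay.io` repeat the same port and the same "Provides core container images." text, so a reader maintaining an egress allowlist cannot tell that these are new mandatory entries rather than duplicates of the row above. Consider one sentence before the table rows (or in the release note) stating that every listed `cdnNN.quay.io` host must be allowed by exact name, so that operators update existing firewall rules and do not fall back to a broader wildcard.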
@@ -77,10 +89,6 @@ endif::[]
77
89
|443
78
90
|Provides core container images.
79
91
80
-
|`openshift.org`
81
-
|443
82
-
|Provides {op-system-first} images.
83
-
84
92
|`registry.access.redhat.com`
85
93
|443
86
94
|Hosts all the container images that are stored on the Red{nbsp}Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
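Review bot: Removing the `openshift.org` row also removes the only entry in this hunk described as providing {op-system-first} images, and nothing in the visible lines says which remaining domain serves them. Please confirm in the commit message or in an adjacent row where those images now come from, so an allowlist built from this table still permits node image downloads. While this area is being edited, the context row for `registry.access.redhat.com` spells "Ecosytem"; that should read "Ecosystem".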
@@ -105,50 +113,33 @@ endif::[]
105
113
|443
106
114
|Provides core container images as a fallback when quay.io is not available.
107
115
108
-
|`.q1w2.quay.rhcloud.com`
109
-
|443
110
-
|Provides core container images as a fallback when quay.io is not available.
111
-
112
-
|`www.okd.io`
113
-
|443
114
-
|The `openshift.org` site redirects through `www.okd.io`.
115
-
116
-
|`www.redhat.com`
117
-
|443
118
-
|The `sso.redhat.com` site redirects through `www.redhat.com`.
119
-
120
-
|`aws.amazon.com`
121
-
|443
122
-
|The `iam.amazonaws.com` and `sts.amazonaws.com` sites redirect through `aws.amazon.com`.
123
-
124
116
|`catalog.redhat.com`
125
117
|443
126
118
|The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`.
127
119
128
-
|`dvbwgdztaeq9o.cloudfront.net`^[1]^
120
+
|`oidc.op1.openshiftapps.com`
129
121
|443
130
122
|Used by ROSA for STS implementation with managed OIDC configuration.
131
123
132
124
ifdef::fedramp[]
133
125
|`time-a-g.nist.gov`
134
-
|123 ^[2]^
126
+
|123 ^[1]^
135
127
|Allows NTP traffic for FedRAMP.
136
128
137
129
|`time-a-wwv.nist.gov`
138
-
|123 ^[2]^
130
+
|123 ^[1]^
139
131
|Allows NTP traffic for FedRAMP.
140
132
141
133
|`time-a-b.nist.gov`
142
-
|123 ^[2]^
134
+
|123 ^[1]^
143
135
|Allows NTP traffic for FedRAMP.
144
136
endif::fedramp[]
145
137
|===
146
138
+
147
139
[.small]
148
140
--
149
-
1. The string of alphanumeric characters before `cloudfront.net` could change if there is a major cloudfront outage that requires redirecting the resource.
150
141
ifdef::fedramp[]
151
-
2. Both TCP and UDP ports.
142
+
1. Both TCP and UDP ports.
152
143
endif::fedramp[]
153
144
--
154
145
+
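Review bot: The removed rows for `www.okd.io`, `www.redhat.com` and `aws.amazon.com` each documented a redirect hop (for example "The `sso.redhat.com` site redirects through `www.redhat.com`"), and the hunk does not say those redirects no longer happen. If any still occur, a cluster behind a strict allowlist built from this table will fail at the redirect target, so please confirm each one is gone, or keep the row. Separately, with the cloudfront footnote deleted, the only remaining footnote sits inside `ifdef::fedramp[]`, which leaves the `[.small]` open block empty for non-FedRAMP builds; moving the `[.small]` and `--` delimiters inside the `ifdef` would avoid rendering an empty block.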
@@ -174,10 +165,6 @@ endif::fedramp[]
174
165
|443
175
166
|Required for telemetry and Red{nbsp}Hat Insights.
176
167
177
-
|`cloud.redhat.com/api/ingress`
178
-
|443
179
-
|Required for telemetry and Red{nbsp}Hat Insights.
180
-
181
168
|`observatorium-mst.api.openshift.com`
182
169
|443
183
170
|Required for managed OpenShift-specific telemetry.
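Review bot: The deleted `cloud.redhat.com/api/ingress` row has the same description as the retained row directly above it ("Required for telemetry and Red{nbsp}Hat Insights."), but the hunk gives no indication that clusters have stopped sending to that endpoint. Please state in the commit message that the retained entry is the only Insights ingress endpoint still in use; otherwise uploads from clusters that still target the old host will be silently dropped at the firewall.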
@@ -259,11 +246,7 @@ Alternatively, if you choose to not use a wildcard for Amazon Web Services (AWS)
259
246
260
247
|`mirror.openshift.com`
261
248
|443
262
-
|Used to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator (CVO) needs only a single functioning source.
|Alternative site to mirror.openshift.com/. Used to download platform release signatures that are used by the cluster to know what images to pull from quay.io.
249
+
|Used to access mirrored installation content and images. This site is also a source of release image signatures.
267
250
268
251
|`api.openshift.com`
269
252
|443
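Review bot: The new `mirror.openshift.com` description drops the clause "although the Cluster Version Operator (CVO) needs only a single functioning source", and the same hunk removes the row described as "Alternative site to mirror.openshift.com/", so this host is now the only documented source of release image signatures. The text should say that explicitly, for example "This site is the source of release image signatures and must be reachable", because blocking it would now leave the cluster with no documented way to fetch signatures.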
@@ -320,27 +303,6 @@ OR
320
303
|The SFTP server used by `must-gather-operator` to upload diagnostic logs to help troubleshoot issues with the cluster.
321
304
|===
322
305
323
-
. Allowlist the following URLs for optional third-party content:
324
-
+
325
-
[cols="6,1,6",options="header"]
326
-
|===
327
-
|Domain | Port | Function
328
-
|`registry.connect.redhat.com`
329
-
| 443
330
-
| Required for all third-party-images and certified operators.
| Required for Sonatype Nexus, F5 Big IP operators.
339
-
|===
340
-
341
-
. Allowlist any site that provides resources for a language or framework that your builds require.
342
-
. Allowlist any outbound URLs that depend on the languages and frameworks used in OpenShift. See link:https://access.redhat.com/solutions/2998411[OpenShift Outbound URLs to Allow] for a list of recommended URLs to be allowed on the firewall or proxy.
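Review bot: This hunk deletes the whole optional third-party step, including the `registry.connect.redhat.com` row ("Required for all third-party-images and certified operators.") and the two closing steps about language and framework sites, without leaving a pointer to where that guidance now lives. Clusters that install certified operators or run builds will hit blocked pulls with nothing in this module to explain why. Consider keeping a single line that links to the existing "OpenShift Outbound URLs to Allow" article, or note in the commit message which module now carries these entries.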