modules/configuring-firewall.adoc
9 additions & 7 deletions
@@ -38,9 +38,13 @@ If your environment has a dedicated load balancer in front of your {product-titl
38
38
|443
39
39
|Provides core container images
40
40
41
-
|`access.redhat.com`^[1]^
41
+
|`access.redhat.com`
42
42
|443
43
-
|Hosts all the container images that are stored on the Red Hat Ecosytem Catalog, including core container images.
43
+
|Hosts a signature store that a container client requires for verifying images pulled from `registry.access.redhat.com`. In a firewall environment, ensure that this resource is on the allowlist.
44
+
45
+
|`registry.access.redhat.com`
46
+
|443
47
+
|Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images.
44
48
45
49
|`quay.io`
46
50
|443
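Review bot: The new `access.redhat.com` row does not say that it is needed together with the new `registry.access.redhat.com` row, so a reader who scans for registry hostnames can allow only the registry and leave the signature store unreachable. Splitting the two hosts is correct, but the dependency is now carried only by the description of the first row. Consider adding a short pointer in the `registry.access.redhat.com` description (for example "Requires `access.redhat.com` for image signature verification") so each row is complete when read alone. The sentence "In a firewall environment, ensure that this resource is on the allowlist" is also redundant in a table that already lists allowlist entries and could be dropped or replaced by that pointer.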
@@ -79,11 +83,9 @@ If your environment has a dedicated load balancer in front of your {product-titl
79
83
|The `https://console.redhat.com` site uses authentication from `sso.redhat.com`
80
84
|===
81
85
+
82
-
--
83
-
1. In a firewall environment, ensure that the `access.redhat.com` resource is on the allowlist. This resource hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
84
-
--
85
-
+
86
-
You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist. When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`.
86
+
* You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist.
87
+
* You can use the wildcard `*.access.redhat.com` to simplify the configuration and ensure that all subdomains, including `registry.access.redhat.com`, are allowed.
88
+
* When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`.
87
89
88
90
. Set your firewall's allowlist to include any site that provides resources for a language or framework that your builds require.
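Review bot: The added bullet for `*.access.redhat.com` says the wildcard covers "all subdomains, including `registry.access.redhat.com`", but it does not say whether the bare `access.redhat.com` host from the table still needs its own entry. In many firewall and proxy products a `*.` pattern does not match the apex domain, so a reader who replaces both table rows with the wildcard could allow the registry while blocking the signature store that the table says is required for verification. Suggest wording such as "in addition to `access.redhat.com`" in that bullet. Since this is an egress allowlist, it is also worth noting that the wildcard permits more hosts than the two the table names, so listing the two hostnames explicitly remains the narrower option.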