AWS
- Documentation
- OpenShift Container Platform
- Installing
- Installation configuration
- Configuring your firewall history
Soon, all Red Hat OpenShift documentation will only be available on docs.redhat.com, the official location of all Red Hat product documentation. Get familiar with the updated experience today!
- About
- Release notes
- Architecture
- Installing
- Installing on AWS
- Configuring an AWS account
- Installing a cluster quickly on AWS
- Installing a cluster on AWS with customizations
- Installing a cluster on AWS with network customizations
- Installing a cluster on AWS using CloudFormation templates
- Installing a cluster on AWS in a restricted network
- Uninstalling a cluster on AWS
- Installing on Azure
- Installing on GCP
- Installing on bare metal
- Installing on IBM Z and LinuxONE
- Installing on OpenStack
- Installing on vSphere
- Gathering installation logs
- Installation configuration
- Installing on AWS
- Updating clusters
- Support
- Web console
- Authentication
- Understanding authentication
- Configuring the internal OAuth server
- Understanding identity provider configuration
- Configuring identity providers
- Configuring an HTPasswd identity provider
- Configuring a Keystone identity provider
- Configuring an LDAP identity provider
- Configuring a basic authentication identity provider
- Configuring a request header identity provider
- Configuring a GitHub or GitHub Enterprise identity provider
- Configuring a GitLab identity provider
- Configuring a Google identity provider
- Configuring an OpenID Connect identity provider
- Configuring certificates
- Using RBAC to define and apply permissions
- Removing the kubeadmin user
- Configuring the user agent
- Understanding and creating service accounts
- Using service accounts in applications
- Using a service account as an OAuth client
- Scoping tokens
- Managing Security Context Constraints
- Impersonating the system:admin user
- Syncing LDAP groups
- Allowing JavaScript-based access to the API server from additional hosts
- Networking
- Understanding networking
- Accessing hosts
- Understanding the Cluster Network Operator (CNO)
- Understanding the DNS Operator
- Understanding the Ingress Operator
- Configuring network policy
- Multiple networks
- Understanding multiple networks
- Attaching a Pod to an additional network
- Removing a Pod from an additional network
- Configuring a bridge network
- Configuring a macvlan network
- Configuring an ipvlan network
- Configuring a host-device network
- Configuring SR-IOV
- Editing an additional network
- Removing an additional network
- OpenShift SDN
- Configuring Routes
- Configuring ingress cluster traffic
- Configuring the cluster-wide proxy
- Configuring a custom PKI
- Storage
- Understanding persistent storage
- Configuring persistent storage
- Persistent storage using Amazon EFS
- Persistent storage using AWS Elastic Block Store
- Persistent storage using Azure Disk
- Persistent storage using Azure File
- Persistent storage using Cinder
- Persistent storage using Container Storage Interface (CSI)
- Persistent storage using Fibre Channel
- Persistent storage using FlexVolume
- Persistent storage using GCE Persistent Disk
- Persistent storage using hostPath
- Persistent Storage using iSCSI
- Persistent storage using local volumes
- Persistent storage using NFS
- Persistent storage using Red Hat OpenShift Container Storage
- Persistent storage using VMware vSphere
- Persistent storage using volume snapshots
- Expanding persistent volumes
- Dynamic provisioning
- Registry
- Operators
- Understanding Operators
- Understanding the Operator Lifecycle Manager (OLM)
- Understanding the OperatorHub
- Adding Operators to a cluster
- Deleting Operators from a cluster
- Creating applications from installed Operators
- Viewing Operator status
- Creating policy for Operator installations and upgrades
- Configuring OLM for restricted networks
- CRDs
- Operator SDK
- Builds
- Understanding image builds
- Understanding build configurations
- Creating build inputs
- Managing build output
- Using build strategies
- Custom image builds with Buildah
- Performing basic builds
- Triggering and modifying builds
- Performing advanced builds
- Using Red Hat subscriptions in builds
- Securing builds by strategy
- Build configuration resources
- Troubleshooting builds
- Setting up additional trusted certificate authorities for builds
- Images
- Applications
- Machine management
- Nodes
- Working with pods
- Controlling pod placement onto nodes (scheduling)
- About pod placement using the scheduler
- Configuring the default scheduler to control pod placement
- Placing pods relative to other pods using pod affinity and anti-affinity rules
- Controlling pod placement on nodes using node affinity rules
- Placing pods onto overcommited nodes
- Controlling pod placement using node taints
- Placing pods on specific nodes using node selectors
- Using Jobs and DaemonSets
- Working with nodes
- Working with containers
- Using containers
- Using Init Containers to perform tasks before a pod is deployed
- Using volumes to persist container data
- Mapping volumes using projected volumes
- Allowing containers to consume API objects
- Copying files to or from a container
- Executing remote commands in a container
- Using port forwarding to access applications in a container
- Using sysctls in containers
- Working with clusters
- Logging
- About cluster logging
- About deploying cluster logging
- Deploying cluster logging
- Upgrading cluster logging
- Deploying and Configuring the Event Router
- Viewing cluster logs
- Viewing cluster logs using Kibana
- Configuring your cluster logging deployment
- About configuring cluster logging
- Changing cluster logging management state
- Configuring cluster logging
- Configuring Elasticsearch
- Configuring Kibana
- Configuring Curator
- Configuring the logging collector
- Using tolerations to control cluster logging pod placement
- Sending logs to external devices
- Configuring systemd-journald for cluster logging
- Viewing Elasticsearch status
- Viewing cluster logging status
- Moving the cluster logging resources with node selectors
- Manually rolling out Elasticsearch
- Troubleshooting Kibana
- Exported fields
- Uninstalling cluster logging
- Monitoring
- Metering
- Scalability and performance
- Backup and restore
- Migration
- Migrating from OpenShift Container Platform 3
- About migrating from OpenShift Container Platform 3 to 4
- Planning your migration from OpenShift Container Platform 3 to 4
- Migration tools and prerequisites
- Deploying the Cluster Application Migration tool
- Configuring a replication repository
- Migrating applications with the CAM web console
- Migrating control plane settings with the Control Plane Migration Assistant
- Troubleshooting
- Migrating from OpenShift Container Platform 4.1
- Migrating from Openshift Container Platform 4.2
- Migrating from OpenShift Container Platform 3
- CLI tools
- OpenShift CLI (oc)
- OpenShift Do developer CLI (odo)
- Understanding odo
- odo architecture
- Installing odo
- Using odo in a restricted environment
- Creating a single-component application with odo
- Creating a multicomponent application with odo
- Creating an application with a database
- Using sample applications
- Managing environment variables in odo
- Configuring the odo CLI
- odo CLI reference
- odo release notes
- Service Mesh
- Container-native virtualization
- Container-native virtualization installation
- Container-native virtualization user's guide
- Creating virtual machines
- TLS certificates for DataVolume imports
- Importing virtual machine images with DataVolumes
- Editing virtual machines
- Deleting virtual machines
- Controlling virtual machines states
- Accessing virtual machine consoles
- Using the CLI tools
- Automating management tasks
- Using the default Pod network with container-native virtualization
- Attaching a virtual machine to multiple networks
- Installing the QEMU guest agent on virtual machines
- Viewing the IP address of vNICs on a virtual machine
- Configuring PXE booting for virtual machines
- Managing guest memory
- Creating virtual machine templates
- Editing a virtual machine template
- Deleting a virtual machine template
- Cloning a virtual machine disk into a new DataVolume
- Cloning a virtual machine by using a DataVolumeTemplate
- Uploading local disk images by using the virtctl tool
- Uploading a local disk image to a block storage DataVolume
- Expanding virtual storage by adding blank disk images
- Preparing CDI scratch space
- Importing virtual machine images to block storage with DataVolumes
- Cloning a virtual machine disk into a new block storage DataVolume
- Virtual machine live migration
- Live migration limits and timeouts
- Migrating a virtual machine instance to another node
- Monitoring live migration of a virtual machine instance
- Cancelling the live migration of a virtual machine instance
- Configuring virtual machine eviction strategy
- Node maintenance mode
- Setting a node to maintenance mode
- Resuming a node from maintenance mode
- Manually refreshing TLS certificates
- Installing VirtIO driver on an existing Windows virtual machine
- Installing VirtIO driver on a new Windows virtual machine
- Viewing logs
- Viewing cluster information
- OpenShift cluster monitoring, logging, and Telemetry
- Collecting container-native virtualization data for Red Hat Support
- Container-native virtualization 2.1 release notes
- Serverless applications
- Getting started with OpenShift Serverless
- OpenShift Serverless product architecture
- Installing OpenShift Serverless
- Getting started with Knative services
- Monitoring OpenShift Serverless components
- Using metering with OpenShift Serverless
- Cluster logging with OpenShift Serverless
- Configuring Knative Serving autoscaling
- Getting started with Knative Client
- Release Notes
×
Configuring your firewall
If you use a firewall, you must configure it so that OpenShift Container Platform can access the sites that it requires to function. You must always grant access to some sites, and you grant access to more if you use Red Hat Insights, the Telemetry service, a cloud to host your cluster, and certain build strategies.
Configuring your firewall for OpenShift Container Platform
Before you install OpenShift Container Platform, you must configure your firewall to grant access to the sites that OpenShift Container Platform requires.
Procedure
-
Whitelist the following registry URLs:
URL Function registry.redhat.ioProvides core container images
quay.ioProvides core container images
sso.redhat.comThe
https://cloud.redhat.com/openshiftsite uses authentication fromsso.redhat.com -
Whitelist any site that provides resources for a language or framework that your builds require.
-
If you do not disable Telemetry, you must grant access to the following URLs to access Red Hat Insights:
URL Function cert-api.access.redhat.comRequired for Telemetry
api.access.redhat.comRequired for Telemetry
infogw.api.openshift.comRequired for Telemetry
Required for Telemetry and for
insights-operator -
If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:
Cloud URL Function *.amazonaws.comRequired to access AWS services and resources. Review the AWS Service Endpoints in the AWS documentation to determine the exact endpoints to allow for the regions that you use.
GCP
*.googleapis.comRequired to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.
accounts.google.comRequired to access your GCP account.
Azure
management.azure.comRequired to access Azure services and resources. Review the Azure REST API Reference in the Azure documentation to determine the endpoints to allow for your APIs.
-
Whitelist the following URLs:
URL Function mirror.openshift.comRequired to access mirrored installation content and images. This site is also a source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
storage.googleapis.com/openshift-releaseA source of release image signatures, although the Cluster Version Operator needs only a single functioning source.
*.apps.<cluster_name>.<base_domain>Required to access the default cluster routes unless you set an ingress wildcard during installation.
quay-registry.s3.amazonaws.comRequired to access Quay image content in AWS.
api.openshift.comRequired to check if updates are available for the cluster.
art-rhcos-ci.s3.amazonaws.comRequired to download Red Hat Enterprise Linux CoreOS (RHCOS) images.
api.openshift.comRequired for your cluster token.
cloud.redhat.com/openshiftRequired for your cluster token.