Customer Cloud Subscriptions on GCP | Planning your environment

OpenShift Dedicated provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage clusters in a customer’s existing Google Cloud Platform (GCP) account.

Understanding Customer Cloud Subscriptions on GCP

Red Hat OpenShift Dedicated provides a Customer Cloud Subscription (CCS) model that allows Red Hat to deploy and manage OpenShift Dedicated into a customer’s existing Google Cloud Platform (GCP) account. Red Hat requires several prerequisites be met in order to provide this service.

Red Hat recommends the usage of GCP project, managed by the customer, to organize all of your GCP resources. A project consists of a set of users and APIs, as well as billing, authentication, and monitoring settings for those APIs.

It is recommended for the OpenShift Dedicated cluster using a CCS model to be hosted in a GCP project within a GCP organization. The Organization resource is the root node of the GCP resource hierarchy and all resources that belong to an organization are grouped under the organization node. Customers have the choice of using service account keys or Workload Identity Federation when creating the roles and credentials necessary to access Google Cloud resources within a GCP project.

Unless specified, the information provided in this topic is applicable to OpenShift Dedicated on Google Cloud Platform (GCP) clusters that use service account keys or Workload Identity Federation (WIF) to grant the required necessary credentials.

Customer requirements

OpenShift Dedicated clusters using a Customer Cloud Subscription (CCS) model on Google Cloud Platform (GCP) must meet several prerequisites before they can be deployed.

Account

The customer ensures that Google Cloud limits are sufficient to support OpenShift Dedicated provisioned within the customer-provided GCP account.
The customer-provided GCP account should be in the customer’s Google Cloud Organization.
The customer-provided GCP account must not be transferable to Red Hat.
The customer may not impose GCP usage restrictions on Red Hat activities. Imposing restrictions severely hinders Red Hat’s ability to respond to incidents.
Red Hat deploys monitoring into GCP to alert Red Hat when a highly privileged account, such as a root account, logs into the customer-provided GCP account.
The customer can deploy native GCP services within the same customer-provided GCP account.

Customers are encouraged, but not mandated, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting OpenShift Dedicated and other Red Hat supported services.

Access requirements

To appropriately manage the OpenShift Dedicated service, Red Hat must have the AdministratorAccess policy applied to the administrator role at all times.

This policy only provides Red Hat with permissions and capabilities to change resources in the customer-provided GCP account.
Red Hat must have GCP console access to the customer-provided GCP account. This access is protected and managed by Red Hat.
The customer must not utilize the GCP account to elevate their permissions within the OpenShift Dedicated cluster.
Actions available in the OpenShift Cluster Manager must not be directly performed in the customer-provided GCP account.

Support requirements

Red Hat recommends that the customer have at least Enhanced Support from GCP.
Red Hat has authority from the customer to request GCP support on their behalf.
Red Hat has authority from the customer to request GCP resource limit increases on the customer-provided account.
Red Hat manages the restrictions, limitations, expectations, and defaults for all OpenShift Dedicated clusters in the same manner, unless otherwise specified in this requirements section.

Security requirements

The customer-provided IAM credentials must be unique to the customer-provided GCP account and must not be stored anywhere in the customer-provided GCP account.
Volume snapshots will remain within the customer-provided GCP account and customer-specified region.

To manage, monitor, and troubleshoot OpenShift Dedicated clusters, Red Hat must have direct access to the cluster’s API server. You must not restrict or otherwise prevent Red Hat’s access to the OpenShift Dedicated cluster’s API server.

SRE uses various methods to access clusters, depending on network configuration. Access to private clusters is restricted to Red Hat trusted IP addresses only. These access restrictions are managed automatically by Red Hat.

OpenShift Dedicated requires egress access to certain endpoints over the internet. Only clusters deployed with Private Service Connect can use a firewall to control egress traffic. For additional information, see the GCP firewall prerequisites section.

Required customer procedure

The Customer Cloud Subscription (CCS) model allows Red Hat to deploy and manage OpenShift Dedicated into a customer’s Google Cloud Platform (GCP) project. Red Hat requires several prerequisites to provide these services.

The following requirements in this topic apply to OpenShift Dedicated on Google Cloud Platform (GCP) clusters created using both the service account and Workload Identity Federation authentication type. For additional requirements that apply to the service account authentication type only, see Service account authentication type procedure. For additional requirements that apply to the Workload Identity Federation authentication type only, see Workload Identity Federation authentication type procedure.

To use OpenShift Dedicated in your GCP project, the following GCP organizational policy constraints cannot be in place:

constraints/iam.allowedPolicyMemberDomains (This policy constraint is supported only if Red Hat’s DIRECTORY_CUSTOMER_ID C02k0l5e8 is included in the allow list. Use this policy constraint with caution).
constraints/compute.restrictLoadBalancerCreationForTypes
constraints/compute.requireShieldedVm (This policy constraint is supported only if the cluster is installed with "Enable Secure Boot support for Shielded VMs" selected during the initial cluster creation).
constraints/compute.vmExternalIpAccess (This policy constraint is supported only after installation).

Procedure

Create a Google Cloud project to host the OpenShift Dedicated cluster.

Enable the following required APIs in the project that hosts your OpenShift Dedicated cluster:

Table 1. Required API services
API service	Console service name
Cloud Deployment Manager V2 API	`deploymentmanager.googleapis.com`
Compute Engine API	`compute.googleapis.com`
Google Cloud APIs	`cloudapis.googleapis.com`
Cloud Resource Manager API	`cloudresourcemanager.googleapis.com`
Google DNS API	`dns.googleapis.com`
Network Security API	`networksecurity.googleapis.com`
IAM Service Account Credentials API	`iamcredentials.googleapis.com`
Identity and Access Management (IAM) API	`iam.googleapis.com`
Service Management API	`servicemanagement.googleapis.com`
Service Usage API	`serviceusage.googleapis.com`
Google Cloud Storage JSON API	`storage-api.googleapis.com`
Cloud Storage	`storage-component.googleapis.com`
Organization Policy API	`orgpolicy.googleapis.com`
Cloud Identity-Aware Proxy API	`iap.googleapis.com` ^[*]

*Required for clusters deployed with Private Service Connect.

To ensure that Red Hat can perform necessary actions, you must create an osd-ccs-admin IAM service account user within the GCP project.

The following roles must be granted to the service account:

Table 2. Required roles
Role	Console role name
Compute Admin	`roles/compute.admin`
DNS Administrator	`roles/dns.admin`
Organization Policy Viewer	`roles/orgpolicy.policyViewer`
Service Management Administrator	`roles/servicemanagement.admin`
Service Usage Admin	`roles/serviceusage.serviceUsageAdmin`
Storage Admin	`roles/storage.admin`
Compute Load Balancer Admin	`roles/compute.loadBalancerAdmin`
Role Viewer	`roles/viewer`
Role Administrator	`roles/iam.roleAdmin`
Security Admin	`roles/iam.securityAdmin`
Service Account Key Admin	`roles/iam.serviceAccountKeyAdmin`
Service Account Admin	`roles/iam.serviceAccountAdmin`
Service Account User	`roles/iam.serviceAccountUser`
IAP-Secured Tunnel User	`roles/iap.tunnelResourceAccessor`^[*]

*Required for clusters deployed with Private Service Connect.

Create the service account key for the osd-ccs-admin IAM service account. Export the key to a file named osServiceAccount.json; this JSON file will be uploaded in Red Hat OpenShift Cluster Manager when you create your cluster.

Service account authentication type procedure

Besides the required customer procedures listed in Required customer procedure, there are other specific actions that you must take when creating an OpenShift Dedicated cluster on Google Cloud Platform (GCP) using a service account as the authentication type.

Procedure

To ensure that Red Hat can perform necessary actions, you must create an osd-ccs-admin IAM service account user within the GCP project.

The following roles must be granted to the service account:

Table 3. Required roles
Role	Console role name
Compute Admin	`roles/compute.admin`
DNS Administrator	`roles/dns.admin`
Organization Policy Viewer	`roles/orgpolicy.policyViewer`
Service Management Administrator	`roles/servicemanagement.admin`
Service Usage Admin	`roles/serviceusage.serviceUsageAdmin`
Storage Admin	`roles/storage.admin`
Compute Load Balancer Admin	`roles/compute.loadBalancerAdmin`
Role Viewer	`roles/viewer`
Role Administrator	`roles/iam.roleAdmin`
Security Admin	`roles/iam.securityAdmin`
Service Account Key Admin	`roles/iam.serviceAccountKeyAdmin`
Service Account Admin	`roles/iam.serviceAccountAdmin`
Service Account User	`roles/iam.serviceAccountUser`

Create the service account key for the osd-ccs-admin IAM service account. Export the key to a file named osServiceAccount.json; this JSON file will be uploaded in Red Hat OpenShift Cluster Manager when you create your cluster.

Workload Identity Federation authentication type procedure

Procedure

Assign the following roles to the service account of the user implementing the Workload Identity Federation authentication type:

Table 4. Required roles
Role	Console role name	Role purpose
Role Administrator	`roles/iam.roleAdmin`	Required by the GCP client in the OCM CLI for creating custom roles.
Service Account Admin	`roles/iam.serviceAccountAdmin`	Required to pre-create the services account required by the OSD deployer, support and operators.
Workload Identity Pool Admin	`roles/iam.workloadIdentityPoolAdmin`	Required to create and configure the workload identity pool.
Project IAM Admin	`roles/resourcemanager.projectIamAdmin`	Required for assigning roles to the service account and giving permissions to those roles that are necessary to perform operations on cloud resources.

Install the OpenShift Cluster Manager API command-line interface (ocm).

To use the OCM CLI, you must authenticate against your Red Hat OpenShift Cluster Manager account. This is accomplished with the OpenShift Cluster Manager API token.

You can obtain your token here.

To authenticate against your Red Hat OpenShift Cluster Manager account, run the following command:

$ ocm login --token <token> (1)

1	Replace `<token>` with your OpenShift Cluster Manager API token.

OpenShift Cluster Manager API command-line interface (ocm) is a Technology Preview feature only. For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Install the gcloud CLI.
Authenticate the gcloud CLI with the Application Default Credentials (ADC).

Red Hat managed Google Cloud resources

Red Hat is responsible for creating and managing the following IAM Google Cloud Platform (GCP) resources.

The IAM service account and roles and IAM group and roles topics are only applicable to clusters created using the service account authentication type.

IAM service account and roles

The osd-managed-admin IAM service account is created immediately after taking control of the customer-provided GCP account. This is the user that will perform the OpenShift Dedicated cluster installation.

The following roles are attached to the service account:

Table 5. IAM roles for osd-managed-admin
Role	Console role name	Description
Compute Admin	`roles/compute.admin`	Provides full control of all Compute Engine resources.
DNS Administrator	`roles/dns.admin`	Provides read-write access to all Cloud DNS resources.
Security Admin	`roles/iam.securityAdmin`	Security admin role, with permissions to get and set any IAM policy.
Storage Admin	`roles/storage.admin`	Grants full control of objects and buckets. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
Service Account Admin	`roles/iam.serviceAccountAdmin`	Create and manage service accounts.
Service Account Key Admin	`roles/iam.serviceAccountKeyAdmin`	Create and manage (and rotate) service account keys.
Service Account User	`roles/iam.serviceAccountUser`	Run operations as the service account.
Role Administrator	`roles/iam.roleAdmin`	Provides access to all custom roles in the project.

IAM group and roles

The sd-sre-platform-gcp-access Google group is granted access to the GCP project to allow Red Hat Site Reliability Engineering (SRE) access to the console for emergency troubleshooting purposes.

For information regarding the roles within the sd-sre-platform-gcp-access group that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see managed-cluster-config.
For information about creating a cluster using the Workload Identity Federation authentication type, see Additional resources.

The following roles are attached to the group:

Table 6. IAM roles for sd-sre-platform-gcp-access
Role	Console role name	Description
Compute Admin	`roles/compute.admin`	Provides full control of all Compute Engine resources.
Editor	`roles/editor`	Provides all viewer permissions, plus permissions for actions that modify state.
Organization Policy Viewer	`roles/orgpolicy.policyViewer`	Provides access to view Organization Policies on resources.
Project IAM Admin	`roles/resourcemanager.projectIamAdmin`	Provides permissions to administer IAM policies on projects.
Quota Administrator	`roles/servicemanagement.quotaAdmin`	Provides access to administer service quotas.
Role Administrator	`roles/iam.roleAdmin`	Provides access to all custom roles in the project.
Service Account Admin	`roles/iam.serviceAccountAdmin`	Create and manage service accounts.
Service Usage Admin	`roles/serviceusage.serviceUsageAdmin`	Ability to enable, disable, and inspect service states, inspect operations, and consume quota and billing for a consumer project.
Tech Support Editor	`roles/cloudsupport.techSupportEditor`	Provides full read-write access to technical support cases.

Provisioned GCP Infrastructure

This is an overview of the provisioned Google Cloud Platform (GCP) components on a deployed OpenShift Dedicated cluster. For a more detailed listing of all provisioned GCP components, see the OpenShift Container Platform documentation.

Compute instances

GCP compute instances are required to deploy the control plane and data plane functions of OpenShift Dedicated in GCP. Instance types might vary for control plane and infrastructure nodes depending on worker node count.

Single availability zone
- 2 infra nodes (custom machine type: 4 vCPU and 32 GB RAM)
- 3 control plane nodes (custom machine type: 8 vCPU and 32 GB RAM)
- 2 worker nodes (custom machine type: 4 vCPU and 16 GB RAM)
Multiple availability zones
- 3 infra nodes (custom machine type: 4 vCPU and 32 GB RAM)
- 3 control plane nodes (custom machine type: 8 vCPU and 32 GB RAM)
- 3 worker nodes (custom machine type: 4 vCPU and 16 GB RAM)

Storage

Infrastructure volumes:
- 300 GB SSD persistent disk (deleted on instance deletion)
- 110 GB Standard persistent disk (kept on instance deletion)
Worker volumes:
- 300 GB SSD persistent disk (deleted on instance deletion)
Control plane volumes:
- 350 GB SSD persistent disk (deleted on instance deletion)

VPC

Subnets: One master subnet for the control plane workloads and one worker subnet for all others.
Router tables: One global route table per VPC.
Internet gateways: One internet gateway per cluster.
NAT gateways: One master NAT gateway and one worker NAT gateway per cluster.

Services

The following services must be enabled on a GCP CCS cluster:

deploymentmanager
compute
cloudapis
cloudresourcemanager
dns
iamcredentials
iam
servicemanagement
serviceusage
storage-api
storage-component
orgpolicy
networksecurity

GCP account limits

The OpenShift Dedicated cluster uses a number of Google Cloud Platform (GCP) components, but the default quotas do not affect your ability to install an OpenShift Dedicated cluster.

A standard OpenShift Dedicated cluster uses the following resources. Note that some resources are required only during the bootstrap process and are removed after the cluster deploys.

Table 7. GCP resources used in a default cluster
Service	Component	Location	Total resources required	Resources removed after bootstrap
Service account	IAM	Global	5	0
Firewall Rules	Compute	Global	11	1
Forwarding Rules	Compute	Global	2	0
In-use global IP addresses	Compute	Global	4	1
Health checks	Compute	Global	3	0
Images	Compute	Global	1	0
Networks	Compute	Global	2	0
Static IP addresses	Compute	Region	4	1
Routers	Compute	Global	1	0
Routes	Compute	Global	2	0
Subnetworks	Compute	Global	2	0
Target Pools	Compute	Global	3	0
CPUs	Compute	Region	28	4
Persistent Disk SSD (GB)	Compute	Region	896	128

If any of the quotas are insufficient during installation, the installation program displays an error that states both which quota was exceeded and the region.

Be sure to consider your actual cluster size, planned cluster growth, and any usage from other clusters that are associated with your account. The CPU, Static IP addresses, and Persistent Disk SSD (Storage) quotas are the ones that are most likely to be insufficient.

If you plan to deploy your cluster in one of the following regions, you will exceed the maximum storage quota and are likely to exceed the CPU quota limit:

asia-east2
asia-northeast2
asia-south1
australia-southeast1
europe-north1
europe-west2
europe-west3
europe-west6
northamerica-northeast1
southamerica-east1
us-west2

You can increase resource quotas from the GCP console, but you might need to file a support ticket. Be sure to plan your cluster size early so that you can allow time to resolve the support ticket before you install your OpenShift Dedicated cluster.

GCP firewall prerequisites

If you are using a firewall to control egress traffic from OpenShift Dedicated on Google Cloud Platform (GCP), you must configure your firewall to grant access to certain domains and port combinations listed in the tables below. OpenShift Dedicated requires this access to provide a fully managed OpenShift service.

Only OpenShift Dedicated on Google Cloud Platform (GCP) clusters deployed with Private Service Connect can use a firewall to control egress traffic.

Procedure

Add the following URLs that are used to install and download packages and tools to an allowlist:

Domain Port Function

Domain	Port	Function
`registry.redhat.io`	443	Provides core container images.
`quay.io`	443	Provides core container images.
`cdn01.quay.io` `cdn02.quay.io` `cdn03.quay.io` `cdn04.quay.io` `cdn05.quay.io` `cdn06.quay.io`	443	Provides core container images.
`sso.redhat.com`	443	Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.
`quayio-production-s3.s3.amazonaws.com`	443	Provides core container images.
`pull.q1w2.quay.rhcloud.com`	443	Provides core container images.
`registry.access.redhat.com`	443	Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the `odo` CLI tool that helps developers build on OpenShift and Kubernetes.
`registry.connect.redhat.com`	443	Required for all third-party images and certified Operators.
`console.redhat.com`	443	Required. Allows interactions between the cluster and Red Hat OpenShift Cluster Manager to enable functionality, such as scheduling upgrades.
`sso.redhat.com`	443	The `https://console.redhat.com/openshift` site uses authentication from `sso.redhat.com`.
`catalog.redhat.com`	443	The `registry.access.redhat.com` and `https://registry.redhat.io` sites redirect through `catalog.redhat.com`.

registry.redhat.io

443

Provides core container images.

quay.io

443

Provides core container images.

cdn01.quay.io

cdn02.quay.io

cdn03.quay.io

cdn04.quay.io

cdn05.quay.io

cdn06.quay.io

443

Provides core container images.

sso.redhat.com

443

Required. The https://console.redhat.com/openshift site uses authentication from sso.redhat.com to download the pull secret and use Red Hat SaaS solutions to facilitate monitoring of your subscriptions, cluster inventory, chargeback reporting, and so on.

quayio-production-s3.s3.amazonaws.com

443

Provides core container images.

pull.q1w2.quay.rhcloud.com

443

Provides core container images.

registry.access.redhat.com

443

Hosts all the container images that are stored on the Red Hat Ecosytem Catalog. Additionally, the registry provides access to the odo CLI tool that helps developers build on OpenShift and Kubernetes.

registry.connect.redhat.com

443

Required for all third-party images and certified Operators.

console.redhat.com

443

Required. Allows interactions between the cluster and Red Hat OpenShift Cluster Manager to enable functionality, such as scheduling upgrades.

sso.redhat.com

443

The https://console.redhat.com/openshift site uses authentication from sso.redhat.com.

catalog.redhat.com

443

The registry.access.redhat.com and https://registry.redhat.io sites redirect through catalog.redhat.com.

Add the following telemetry URLs to an allowlist:

Domain Port Function

Domain	Port	Function
`cert-api.access.redhat.com`	443	Required for telemetry.
`api.access.redhat.com`	443	Required for telemetry.
`infogw.api.openshift.com`	443	Required for telemetry.
`console.redhat.com`	443	Required for telemetry and Red Hat Insights.
`observatorium-mst.api.openshift.com`	443	Required for managed OpenShift-specific telemetry.
`observatorium.api.openshift.com`	443	Required for managed OpenShift-specific telemetry.

cert-api.access.redhat.com

443

Required for telemetry.

api.access.redhat.com

443

Required for telemetry.

infogw.api.openshift.com

443

Required for telemetry.

console.redhat.com

443

Required for telemetry and Red Hat Insights.

observatorium-mst.api.openshift.com

443

Required for managed OpenShift-specific telemetry.

observatorium.api.openshift.com

443

Required for managed OpenShift-specific telemetry.

Managed clusters require the enabling of telemetry to allow Red Hat to react more quickly to problems, better support the customers, and better understand how product upgrades impact clusters. For more information about how remote health monitoring data is used by Red Hat, see About remote health monitoring in the Additional resources section.

Add the following OpenShift Dedicated URLs to an allowlist:

Domain Port Function

Domain	Port	Function
`mirror.openshift.com`	443	Used to access mirrored installation content and images. This site is also a source of release image signatures.
`api.openshift.com`	443	Used to check if updates are available for the cluster.

mirror.openshift.com

443

Used to access mirrored installation content and images. This site is also a source of release image signatures.

api.openshift.com

443

Used to check if updates are available for the cluster.

Add the following site reliability engineering (SRE) and management URLs to an allowlist:

Domain Port Function

Domain	Port	Function
`api.pagerduty.com`	443	This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
`events.pagerduty.com`	443	This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.
`api.deadmanssnitch.com`	443	Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.
`nosnch.in`	443	Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.
`*.osdsecuritylogs.splunkcloud.com` OR `inputs1.osdsecuritylogs.splunkcloud.com` `inputs2.osdsecuritylogs.splunkcloud.com` `inputs4.osdsecuritylogs.splunkcloud.com` `inputs5.osdsecuritylogs.splunkcloud.com` `inputs6.osdsecuritylogs.splunkcloud.com` `inputs7.osdsecuritylogs.splunkcloud.com` `inputs8.osdsecuritylogs.splunkcloud.com` `inputs9.osdsecuritylogs.splunkcloud.com` `inputs10.osdsecuritylogs.splunkcloud.com` `inputs11.osdsecuritylogs.splunkcloud.com` `inputs12.osdsecuritylogs.splunkcloud.com` `inputs13.osdsecuritylogs.splunkcloud.com` `inputs14.osdsecuritylogs.splunkcloud.com` `inputs15.osdsecuritylogs.splunkcloud.com`	9997	Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.
`http-inputs-osdsecuritylogs.splunkcloud.com`	443	Used by the `splunk-forwarder-operator` as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.
`sftp.access.redhat.com` (Recommended)	22	The SFTP server used by `must-gather-operator` to upload diagnostic logs to help troubleshoot issues with the cluster.

api.pagerduty.com

443

This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

events.pagerduty.com

443

This alerting service is used by the in-cluster alertmanager to send alerts notifying Red Hat SRE of an event to take action on.

api.deadmanssnitch.com

443

Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.

nosnch.in

443

Alerting service used by OpenShift Dedicated to send periodic pings that indicate whether the cluster is available and running.

*.osdsecuritylogs.splunkcloud.com

inputs1.osdsecuritylogs.splunkcloud.com

inputs2.osdsecuritylogs.splunkcloud.com

inputs4.osdsecuritylogs.splunkcloud.com

inputs5.osdsecuritylogs.splunkcloud.com

inputs6.osdsecuritylogs.splunkcloud.com

inputs7.osdsecuritylogs.splunkcloud.com

inputs8.osdsecuritylogs.splunkcloud.com

inputs9.osdsecuritylogs.splunkcloud.com

inputs10.osdsecuritylogs.splunkcloud.com

inputs11.osdsecuritylogs.splunkcloud.com

inputs12.osdsecuritylogs.splunkcloud.com

inputs13.osdsecuritylogs.splunkcloud.com

inputs14.osdsecuritylogs.splunkcloud.com

inputs15.osdsecuritylogs.splunkcloud.com

9997

Used by the splunk-forwarder-operator as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.

http-inputs-osdsecuritylogs.splunkcloud.com

443

Used by the splunk-forwarder-operator as a logging forwarding endpoint to be used by Red Hat SRE for log-based alerting.

sftp.access.redhat.com (Recommended)

The SFTP server used by must-gather-operator to upload diagnostic logs to help troubleshoot issues with the cluster.

Add the following URLs for the Google Cloud Platform (GCP) API endpoints to an allowlist:

Domain Port Function

Domain	Port	Function
`accounts.google.com`	443	Used to access your GCP account.
`*.googleapis.com` OR `storage.googleapis.com` `iam.googleapis.com` `serviceusage.googleapis.com` `cloudresourcemanager.googleapis.com` `compute.googleapis.com` `oauth2.googleapis.com` `dns.googleapis.com` `iamcredentials.googleapis.com`	443	Used to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.

accounts.google.com

443

Used to access your GCP account.

*.googleapis.com

storage.googleapis.com

iam.googleapis.com

serviceusage.googleapis.com

cloudresourcemanager.googleapis.com

compute.googleapis.com

oauth2.googleapis.com

dns.googleapis.com

iamcredentials.googleapis.com

443

Used to access GCP services and resources. Review Cloud Endpoints in the GCP documentation to determine the endpoints to allow for your APIs.

Required Google APIs can be exposed using the Private Google Access restricted virtual IP (VIP), with the exception of the Service Usage API (serviceusage.googleapis.com). To circumvent this, you must expose the Service Usage API using the Private Google Access private VIP.

Additional resources

About remote health monitoring
For more information about creating an OpenShift Dedicated cluster with the Workload Identity Federation (WIF) authentication type, see Creating a WIF configuration.
For more information about the specific roles and permissions that are specific to clusters created when using the Workload Identity Federation (WIF) authentication type, see managed-cluster-config.