Bug 1722775

Summary: [DOCS] Configuring firewall section doesn't have all external URLs
Product: OpenShift Container Platform
Component: Documentation
Version: 4.1.0
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Reporter: Takayoshi Kimura <tkimura>
Assignee: Andrea Hoffer <ahoffer>
QA Contact: Johnny Liu <jialiu>
Docs Contact: Vikram Goyal <vigoyal>
CC: acomabon, ahoffer, aos-bugs, dahernan, dcaldwel, jokerman, kalexand, mmccomas, sdodson, trees
Target Milestone: ---
Target Release: 4.1.z
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-12-17 20:03:50 UTC
Type: Bug

Description Takayoshi Kimura 2019-06-21 09:00:47 UTC
Document URL: 

https://docs.openshift.com/container-platform/4.1/installing/install_config/configuring-firewall.html

Section Number and Name: 

Configuring your firewall

Describe the issue: 

The current doc only describes 3 URLs for Insights and there are no other URLs to be whitelisted.

Also I'm wondering if these 3 URLs are actually used:

> cert-api.access.redhat.com:443
> api.access.redhat.com:443
> infogw.api.openshift.com:443

The infogw is used by telemetry but I'm not sure about the other 2 URLs.


Suggestions for improvement: 

At least we need to list all mandatory outbound URLs, and it would be great if it had a section for some major optional outbound URLs.

I think registry.redhat.io and quay.io are mandatory. There may be others; we need a double check by the engineering team.


Additional information: 

We have a basic knowledge article but it's not clear whether each item is mandatory or optional, and what it is for.

OpenShift Outbound URLs to Whitelist
https://access.redhat.com/solutions/2998411

Comment 1 Timothy Rees 2019-07-30 12:26:06 UTC
At the moment the docs outline the URLs that need to be whitelisted for the Insights rules, and for this it is probably correct. The problem is that more endpoints need to be opened up to a) complete an install or b) use different aspects of OpenShift after.

At the minimum the docs should be amended to outline the endpoints required to complete an install; this would include where container images or other artefacts are hosted. Links to the FW page [1] such as (install pre-reqs) [2] also need to be checked to ensure it is obvious to the reader that FW ports need to be opened for more than just Insights [2].

[1] https://docs.openshift.com/container-platform/4.1/installing/installing_vsphere/installing-vsphere.html
[2] https://docs.openshift.com/container-platform/4.1/installing/install_config/configuring-firewall.html

Comment 2 Vikram Goyal 2019-08-05 06:10:35 UTC
*** Bug 1735694 has been marked as a duplicate of this bug. ***

Comment 4 Vikram Goyal 2019-08-09 05:14:18 UTC
*** Bug 1734045 has been marked as a duplicate of this bug. ***

Comment 9 Andrea Hoffer 2019-12-17 20:03:50 UTC
Closing. This update was QE approved and is live: https://docs.openshift.com/container-platform/4.2/installing/install_config/configuring-firewall.html