Bug 1887404

Summary: [DOCS] Add section to open the firewall to the NTP servers
Product: OpenShift Container Platform
Reporter: Oscar Casal Sanchez <ocasalsa>
Component: Documentation
Assignee: Sara Thomas <sarthoma>
Status: CLOSED CURRENTRELEASE
QA Contact: Johnny Liu <jialiu>
Severity: unspecified
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 4.5
CC: aos-bugs, jialiu, jokerman, kalexand
Target Milestone: ---
Target Release: 4.5.z
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-07 13:57:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Oscar Casal Sanchez 2020-10-12 11:43:01 UTC
[Document URL] 
https://docs.openshift.com/container-platform/4.5/installing/install_config/configuring-firewall.html

[Section Number and Name]
Configuring your firewall for OpenShift Container Platform

[Describe the issue] 

It's not indicated that the firewall should be opened to the NTP servers when you are using your own DNS servers or the default NTP servers (clock.redhat.com) used by RHEL (https://access.redhat.com/solutions/63376).

For example, this configuration is commented on for the Cloud Providers here:

"If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:"

But now, for when the user is using the Red Hat DNS (by default) or custom DNS, it's needed to indicate in the documentation that:

- If they are using the Red Hat default NTP servers, the list of them to be excluded in the firewall
- If they are using their own, to take into consideration to allow them in the firewall

Comment 1 Sara Thomas 2021-04-27 19:43:12 UTC
Direct link to doc preview: (scroll to the bottom, steps 6 and 7) https://deploy-preview-31981--osdocs.netlify.app/openshift-enterprise/latest/installing/install_config/configuring-firewall.html

I think I added the requested information. Please let me know what feedback you have @ocasal

Comment 2 Sara Thomas 2021-04-27 19:59:02 UTC
Ready for QA @jialiu

Comment 3 Johnny Liu 2021-04-28 04:14:12 UTC
1. For step 6, I am guessing it is talking about *default* NTP servers, while clusters on different platforms will set default NTP servers in different ways per https://github.com/coreos/fedora-coreos-config/blob/faf387eac89d14924a1e2021d2093d0cdb8af8b3/overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony, e.g.:
  AWS: 169.254.169.123
  GCP: metadata.google.internal
  Azure: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
  For other on-premise platforms, it will be the same NTP servers as RHEL: 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org


2. For step 7, here it is talking about a custom NTP server, but "allowlist URLs that provide the cloud provider API and DNS for that cloud" is talking about API and DNS; they are different things.


3. The "Operators require route access to perform health checks." line seems to be missing an indent.
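
The per-platform list above shows that "open the firewall to the NTP servers" means different things on different platforms: on AWS, GCP and on-premise the node talks to a network NTP server over UDP/123, while on Azure chrony reads a local PTP reference clock and needs no network path at all. The following script is an added example, not code from this bug, from the OpenShift docs or from the coreos-platform-chrony generator; it parses the output of `chronyc sources` (the client RHCOS configures) and separates network sources that need a firewall allowlist entry from local reference clocks that do not. The `chronyc sources` text embedded here is constructed sample output, and the function names `parse_sources`, `firewall_allowlist` and `blocked_sources` are this example's own.

```python
"""Derive the NTP firewall allowlist a node needs from `chronyc sources`.

Added example, not part of the Bugzilla thread or the OpenShift docs.
Assumption: the node runs chrony, as RHCOS does, and `chronyc sources`
output has been captured into a string. The sample below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `chronyc sources` output. Names and addresses are
# illustrative: three RHEL pool servers (one unreachable), the AWS link-local
# time service, and an Azure-style local PTP reference clock.
SAMPLE_SOURCES = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 1.rhel.pool.ntp.org           2   6   377    23   +173us[ +295us] +/-   21ms
^+ 2.rhel.pool.ntp.org           2   6   377    24   -912us[ -790us] +/-   35ms
^? 3.rhel.pool.ntp.org           0   6     0     -     +0ns[   +0ns] +/-    0ns
^- 169.254.169.123               3   4   377    10   -1234ns[-1234ns] +/-  123us
#* PHC0                          0   3   377     4     +12ns[  +15ns] +/-   42ns
"""

NTP_PORT = 123

# First column: "^" = NTP server, "=" = NTP peer, "#" = local reference clock.
# Second column: chrony's selection state (* + - ? x ~). Header lines do not
# match and are skipped.
_LINE = re.compile(r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(-?\d+)\s+(\d+)")
_KINDS = {"^": "server", "=": "peer", "#": "refclock"}


def parse_sources(text: str) -> List[Dict[str, object]]:
    """Parse `chronyc sources` output into one dict per configured source."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        kind, state, name, stratum, _poll, reach = m.groups()
        entries.append({
            "kind": _KINDS[kind],
            "state": state,
            "name": name,
            "stratum": int(stratum),
            # chrony prints the 8-bit reachability register in octal.
            "reach": int(reach, 8),
        })
    return entries


def firewall_allowlist(entries: List[Dict[str, object]]) -> List[Tuple[str, str, int]]:
    """Return (destination, protocol, port) tuples the firewall must permit.

    Local reference clocks (kind == "refclock", e.g. Azure's /dev/ptp0) have no
    network path and are skipped. Unreachable servers are still listed: a
    configured server with reach 0 is exactly what a closed firewall looks like.
    """
    return [(str(e["name"]), "udp", NTP_PORT)
            for e in entries if e["kind"] != "refclock"]


def blocked_sources(entries: List[Dict[str, object]]) -> List[str]:
    """Names of configured network sources chrony has never reached."""
    return [str(e["name"]) for e in entries
            if e["kind"] != "refclock" and e["reach"] == 0]


if __name__ == "__main__":
    parsed = parse_sources(SAMPLE_SOURCES)
    for dest, proto, port in firewall_allowlist(parsed):
        print(f"allow {proto}/{port} to {dest}")
    for name in blocked_sources(parsed):
        print(f"WARNING: {name} never reached; check the firewall rule for it")
```

Two caveats for whoever turns this list into firewall rules. The `*.rhel.pool.ntp.org` names resolve to a rotating set of addresses, so an allowlist built from the IPs seen on one day will not stay valid; either allowlist by FQDN where the firewall supports it or point chrony at fixed custom servers, which is the step 7 case. The AWS link-local address and the GCP metadata name are reachable only inside the cloud network, so they normally never cross the perimeter firewall that the documented allowlist is about.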

Comment 9 Johnny Liu 2021-05-06 04:31:42 UTC
> 3. Thanks, I removed a "+" which I think was causing this to look like part of step 7.

From the preview page, the item starting with "Operators require route access to perform health checks" still looks like part of the previous step; it should be a separate step, right?

Comment 10 Johnny Liu 2021-05-06 04:32:23 UTC
Changed to wrong state, correct it now.

Comment 12 Johnny Liu 2021-05-07 02:28:40 UTC
LGTM.

Comment 13 Sara Thomas 2021-05-07 13:57:05 UTC
Link to live doc: https://docs.openshift.com/container-platform/4.7/installing/install_config/configuring-firewall.html

Thanks Oscar and Johnny for your help with this!