Bug 1722775 - [DOCS] Configuring firewall section doesn't have all external URLs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Andrea Hoffer
QA Contact: Johnny Liu
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Duplicates: 1734045 1735694
Depends On:
Blocks:
Reported: 2019-06-21 09:00 UTC by Takayoshi Kimura
Modified: 2020-01-16 10:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-17 20:03:50 UTC
Target Upstream Version:



Description Takayoshi Kimura 2019-06-21 09:00:47 UTC
Document URL: 

https://docs.openshift.com/container-platform/4.1/installing/install_config/configuring-firewall.html

Section Number and Name: 

Configuring your firewall

Describe the issue: 

The current doc only describes 3 URLs for Insights, and there are no other URLs to be whitelisted.

Also I'm wondering if these 3 URLs are actually used:

> cert-api.access.redhat.com:443
> api.access.redhat.com:443
> infogw.api.openshift.com:443

The infogw is used by telemetry, but I'm not sure about the other 2 URLs.


Suggestions for improvement: 

At least we need to list all mandatory outbound URLs, and it would be great if it had a section for some major optional outbound URLs.

I think registry.redhat.io and quay.io are mandatory. There may be others; we need a double check by the engineering team.


Additional information: 

We have a basic knowledge article, but it's not clear whether each item is mandatory or optional, and what it is for.

OpenShift Outbound URLs to Whitelist
https://access.redhat.com/solutions/2998411

Comment 1 Timothy Rees 2019-07-30 12:26:06 UTC
At the moment the docs outline the URLs that need to be whitelisted for the Insights rules, and for this it is probably correct. The problem is that more endpoints need to be opened up to a) complete an install or b) use different aspects of OpenShift after.

At the minimum the docs should be amended to outline the endpoints required to complete an install; this would include where container images or other artefacts are hosted. Links to the FW page [1] such as (install pre-reqs) [2] also need to be checked to ensure it is obvious to the reader that FW ports need to be opened for more than just Insights [2].

[1] https://docs.openshift.com/container-platform/4.1/installing/installing_vsphere/installing-vsphere.html
[2] https://docs.openshift.com/container-platform/4.1/installing/install_config/configuring-firewall.html

Comment 2 Vikram Goyal 2019-08-05 06:10:35 UTC
*** Bug 1735694 has been marked as a duplicate of this bug. ***

Comment 4 Vikram Goyal 2019-08-09 05:14:18 UTC
*** Bug 1734045 has been marked as a duplicate of this bug. ***

Comment 9 Andrea Hoffer 2019-12-17 20:03:50 UTC
Closing. This update was QE approved and is live: https://docs.openshift.com/container-platform/4.2/installing/install_config/configuring-firewall.html

