Bug 1887404 - [DOCS] Add section to open the firewall to the NTP servers
Summary: [DOCS] Add section to open the firewall to the NTP servers
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.5
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.5.z
Assignee: Sara Thomas
QA Contact: Johnny Liu
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-12 11:43 UTC by Oscar Casal Sanchez
Modified: 2021-05-07 13:57 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-07 13:57:05 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Oscar Casal Sanchez 2020-10-12 11:43:01 UTC 
[Document URL] 
https://docs.openshift.com/container-platform/4.5/installing/install_config/configuring-firewall.html

[Section Number and Name]
Configuring your firewall for OpenShift Container Platform

[Describe the issue] 

It's not indicated that the firewall should be opened to the NTP servers when you are using your own DNS servers or the default NTP servers (clock.redhat.com) used by RHEL (https://access.redhat.com/solutions/63376).

By example, this configuration is commented for the Cloud Providers here:

"If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:"

But, now for when the user is using the Red Hat DNS (by default) or custom DNS, them, it's needed to indicate in the documentation that:

- If they are using the Red Hat default NTP servers, the list of them to be excluded in the firewall
- If they are using their own, to take in consideration to allow them in the firewall
Comment 1 Sara Thomas 2021-04-27 19:43:12 UTC 
Direct link to doc preview: (scroll to the bottom, steps 6 and 7) https://deploy-preview-31981--osdocs.netlify.app/openshift-enterprise/latest/installing/install_config/configuring-firewall.html

I think I added the requested information. Please let me know what feedback you have @ocasal
Comment 2 Sara Thomas 2021-04-27 19:59:02 UTC 
Ready for QA @jialiu@redhat.com
Comment 3 Johnny Liu 2021-04-28 04:14:12 UTC 
1. For setp 6, I am guess it is talking about *default* NTP servers, while clusters on different platform will set default NTP servers in different way per https://github.com/coreos/fedora-coreos-config/blob/faf387eac89d14924a1e2021d2093d0cdb8af8b3/overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony, e.g:
  AWS: 169.254.169.123
  GCP: metadata.google.internal
  Azure: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
  For other on-premise platforms, will be the same NTP servers as RHEL. 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org


2. For step 7, here is talking about custom NTP server, "allowlist URLs that provide the cloud provider API and DNS for that cloud", this statement is talking about API and DNS, they are different things.


3. "Operators require route access to perform health checks." line seem like missing indent.
Comment 9 Johnny Liu 2021-05-06 04:31:42 UTC 
> 3. Thanks, I removed a "+" which I think was causing this to look like part of step 7.

From the preview page, the item started with "Operators require route access to perform health checks" still look like a part to previous step, it should be a separated step, right?
Comment 10 Johnny Liu 2021-05-06 04:32:23 UTC 
Changed to wrong state, correct it now.
Comment 12 Johnny Liu 2021-05-07 02:28:40 UTC 
LGTM.
Comment 13 Sara Thomas 2021-05-07 13:57:05 UTC 
Link to live doc: https://docs.openshift.com/container-platform/4.7/installing/install_config/configuring-firewall.html

Thanks Oscar and Johnny for your help with this!
Note You need to log in before you can comment on or make changes to this bug.