[Section Number and Name]
Configuring your firewall for OpenShift Container Platform
[Describe the issue]
It's not indicated that the firewall should be opened to the NTP servers when you are using your own DNS servers or the default NTP servers (clock.redhat.com) used by RHEL (https://access.redhat.com/solutions/63376).
For example, this configuration is mentioned for the cloud providers here:
"If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:"
But now, for when the user is using the Red Hat DNS (by default) or custom DNS, then it's needed to indicate in the documentation that:
- If they are using the Red Hat default NTP servers, the list of them to be excluded in the firewall
- If they are using their own, to take into consideration to allow them in the firewall
Direct link to doc preview: (scroll to the bottom, steps 6 and 7) https://deploy-preview-31981--osdocs.netlify.app/openshift-enterprise/latest/installing/install_config/configuring-firewall.html
I think I added the requested information. Please let me know what feedback you have @ocasal
Ready for QA @email@example.com
1. For step 6, I am guessing it is talking about *default* NTP servers, while clusters on different platforms will set default NTP servers in different ways per https://github.com/coreos/fedora-coreos-config/blob/faf387eac89d14924a1e2021d2093d0cdb8af8b3/overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony, e.g.:
Azure: refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
For other on-premise platforms, it will be the same NTP servers as RHEL: 1.rhel.pool.ntp.org, 2.rhel.pool.ntp.org, 3.rhel.pool.ntp.org
2. For step 7, here it is talking about a custom NTP server; "allowlist URLs that provide the cloud provider API and DNS for that cloud", this statement is talking about API and DNS, they are different things.
3. The "Operators require route access to perform health checks." line seems to be missing an indent.
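Added example, not part of the comment above or of the OpenShift documentation: a small parser that reads chrony configuration text and separates network time sources, which need a firewall egress rule, from local reference clocks such as the Azure PHC line in item 1, which need none. The two configuration samples and the function name `ntp_egress` are constructed for illustration; the hostnames and the refclock line are the ones quoted in item 1.

```python
# Constructed chrony.conf samples (illustrative, not copied from a real node).
AZURE_CONF = """\
# platform generator output
refclock PHC /dev/ptp0 poll 3 dpoll -2 offset 0
driftfile /var/lib/chrony/drift
"""

ONPREM_CONF = """\
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst port 123
#server disabled.example.com iburst
makestep 1.0 3
"""

# chrony directives that name a remote host reached over the network.
NETWORK_DIRECTIVES = {"server", "pool", "peer"}
DEFAULT_NTP_PORT = 123


def ntp_egress(conf_text):
    """Return (rules, local_clocks) for a chrony configuration.

    rules        -> [(host, "udp", port)] entries the firewall must allow
    local_clocks -> [(driver, parameter)] refclocks needing no firewall rule
    """
    rules, local_clocks = [], []
    for raw in conf_text.splitlines():
        fields = raw.split()
        # Skip blank lines and comment lines (chrony accepts # ; ! % prefixes).
        if not fields or fields[0][0] in "#;!%":
            continue
        directive = fields[0].lower()  # chrony directives are case-insensitive
        if directive in NETWORK_DIRECTIVES and len(fields) >= 2:
            port, opts = DEFAULT_NTP_PORT, fields[2:]
            # Honour an explicit "port N" option on the source line.
            if "port" in opts and opts.index("port") + 1 < len(opts):
                port = int(opts[opts.index("port") + 1])
            rules.append((fields[1], "udp", port))
        elif directive == "refclock" and len(fields) >= 3:
            local_clocks.append((fields[1], fields[2]))
    return rules, local_clocks


if __name__ == "__main__":
    for name, conf in (("azure", AZURE_CONF), ("on-prem", ONPREM_CONF)):
        print(name, ntp_egress(conf))
```

Pool hostnames resolve to changing addresses, so an allow rule built from this output has to be hostname-aware or re-resolved regularly.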
> 3. Thanks, I removed a "+" which I think was causing this to look like part of step 7.
From the preview page, the item starting with "Operators require route access to perform health checks" still looks like a part of the previous step; it should be a separate step, right?
Changed to wrong state, correct it now.
Link to live doc: https://docs.openshift.com/container-platform/4.7/installing/install_config/configuring-firewall.html
Thanks Oscar and Johnny for your help with this!