Configuring your firewall

    Before you install OKD, you must configure your firewall to grant access to the sites that OKD requires.

    There are no special configuration considerations for services running on only controller nodes versus worker nodes.

    Procedure

    1. Allowlist the following registry URLs:

      When you add a site, such as quay.io, to your allowlist, do not add a wildcard entry, such as *.quay.io, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. The initial download request is redirected to a CDN hostname such as cdn01.quay.io; if the firewall blocks that hostname, the image download fails even though quay.io itself is allowed.

      CDN hostnames, such as cdn01.quay.io, are covered when you add a wildcard entry, such as *.quay.io, to your allowlist. Allowing only the bare registry hostname is not enough, because the CDN redirect target is a different hostname.

    2. Allowlist any site that provides resources for a language or framework that your builds require.

    3. If you use Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP) to host your cluster, you must grant access to the URLs that provide the cloud provider API and DNS for that cloud:

    4. Allowlist the following URLs:

      Operators require route access to perform health checks. Specifically, the authentication and web console Operators connect to two routes to verify that the routes work. If you are the cluster administrator and do not want to allow *.apps.<cluster_name>.<base_domain>, then allow these routes:

      • oauth-openshift.apps.<cluster_name>.<base_domain>

    5. If you use a default Red Hat Network Time Protocol (NTP) server, allow the following hostnames (NTP uses UDP port 123):

      • 1.rhel.pool.ntp.org

      • 2.rhel.pool.ntp.org
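    The following script is an added example and is not part of the OKD documentation or the OKD project. It models the allowlist/denylist evaluation described in step 1 with shell glob matching (deny entries win over allow entries, the order most proxy and firewall products use) and audits a constructed set of hostnames from the procedure above against three candidate policies. The hostnames quay.io, cdn01.quay.io, and the two NTP pool servers come from the page; the cluster domain okd.example.com, the policy names, and the idea that quay.io redirects specifically to cdn01.quay.io are illustrative assumptions. Run it to see which host each policy blocks.

```shell
#!/bin/sh
# Added example: check an egress allowlist/denylist against the hostnames an
# OKD install touches. Not part of OKD; lists and hostnames are constructed.
set -f   # disable pathname expansion so "*.quay.io" stays a literal pattern

# Return 0 if hostname $1 matches any glob pattern in the space-separated list $2.
matches_any() {
    _host=$1
    for _pat in $2; do
        case "$_host" in
            $_pat) return 0 ;;   # unquoted $_pat is interpreted as a glob
        esac
    done
    return 1
}

# Return 0 if hostname $1 is reachable under allowlist $2 and denylist $3.
# A denylist match blocks the host even when an allowlist entry also matches.
host_allowed() {
    if matches_any "$1" "$3"; then
        return 1
    fi
    matches_any "$1" "$2"
}

# Hostnames from the procedure: the registry, the CDN hostname the registry
# redirects to, the OAuth route (cluster domain okd.example.com is a
# constructed placeholder), and the default NTP servers.
REQUIRED_HOSTS="quay.io cdn01.quay.io oauth-openshift.apps.okd.example.com 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org"

# Three constructed policies. NARROW lists the registry by exact name only,
# WIDE adds the *.quay.io wildcard that covers CDN hostnames, and DENY_CDN is
# the denylist mistake the note in step 1 warns about.
ALLOW_NARROW="quay.io oauth-openshift.apps.okd.example.com 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org"
ALLOW_WIDE="quay.io *.quay.io oauth-openshift.apps.okd.example.com 1.rhel.pool.ntp.org 2.rhel.pool.ntp.org"
DENY_CDN="*.quay.io"
DENY_NONE=""

# Print a verdict per required host and return the number of blocked hosts
# (0 means the policy is sufficient for this list).
audit_egress() {
    _allow=$1
    _deny=$2
    _blocked=0
    for _h in $REQUIRED_HOSTS; do
        if host_allowed "$_h" "$_allow" "$_deny"; then
            echo "ok       $_h"
        else
            echo "BLOCKED  $_h"
            _blocked=$((_blocked + 1))
        fi
    done
    return $_blocked
}

echo "== narrow allowlist, no denylist (CDN hostname is missed)"
audit_egress "$ALLOW_NARROW" "$DENY_NONE"
echo "== wildcard allowlist, no denylist (correct)"
audit_egress "$ALLOW_WIDE" "$DENY_NONE"
echo "== wildcard allowlist plus *.quay.io in the denylist (deny wins, CDN blocked)"
audit_egress "$ALLOW_WIDE" "$DENY_CDN"
```

    Note that the *.quay.io pattern does not match quay.io itself, so the registry hostname stays reachable in the third policy while the CDN redirect target does not; this is exactly the failure mode the note describes, and it only shows up on the first image pull, not when you test connectivity to quay.io alone.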