Merge pull request openshift#79926 from stevsmit/37868-OCPBUGS
Adds registry.access.redhat.com to firewall allowlist list
stevsmit authored Aug 7, 2024
2 parents 756223d + 651f9fe commit 82ef771
Showing 1 changed file with 9 additions and 7 deletions.
16 changes: 9 additions & 7 deletions modules/configuring-firewall.adoc
Expand Up @@ -38,9 +38,13 @@ If your environment has a dedicated load balancer in front of your {product-titl
|443
|Provides core container images

|`access.redhat.com` ^[1]^
|`access.redhat.com`
|443
|Hosts all the container images that are stored on the Red Hat Ecosytem Catalog, including core container images.
|Hosts a signature store that a container client requires for verifying images pulled from `registry.access.redhat.com`. In a firewall environment, ensure that this resource is on the allowlist.

|`registry.access.redhat.com`
|443
|Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images.

|`quay.io`
|443
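Review bot: the sentence "In a firewall environment, ensure that this resource is on the allowlist." in the new `access.redhat.com` description is redundant inside a table whose purpose is the allowlist itself; consider shortening the cell to the signature-store sentence only, so the row reads like its neighbours (host, port, what it serves). Splitting the catalog hosting off to a separate `registry.access.redhat.com` row and fixing "Ecosytem" to "Ecosystem" is the right change, and the removal of `^[1]^` here matches the footnote being deleted in the second hunk. One more thing to check: the `registry.access.redhat.com` cell says it hosts "all the container images ... including core container images", while an earlier row in this table is described as "Provides core container images"; if both are accurate the descriptions should say how they differ, otherwise a reader may drop one of them.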
Expand Down Expand Up @@ -79,11 +83,9 @@ If your environment has a dedicated load balancer in front of your {product-titl
|The `https://console.redhat.com` site uses authentication from `sso.redhat.com`
|===
+
--
1. In a firewall environment, ensure that the `access.redhat.com` resource is on the allowlist. This resource hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`.
--
+
You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist. When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`.
* You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist.
* You can use the wildcard `*.access.redhat.com` to simplify the configuration and ensure that all subdomains, including `registry.access.redhat.com`, are allowed.
* When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`.

. Set your firewall's allowlist to include any site that provides resources for a language or framework that your builds require.
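Review bot: the new bullet "You can use the wildcard `*.access.redhat.com` ... ensure that all subdomains, including `registry.access.redhat.com`, are allowed" can mislead: a `*.access.redhat.com` wildcard matches subdomains only and does not match the bare `access.redhat.com` host that the first hunk now documents as the signature store, so a reader who replaces the individual entries with the wildcard loses image verification. Suggest stating explicitly that `access.redhat.com` must stay on the allowlist in addition to the wildcard, e.g. "You can use the wildcard `*.access.redhat.com` to allow `registry.access.redhat.com` and other subdomains; keep `access.redhat.com` itself on the allowlist as well." Also, the first bullet escapes `\*.quay.io` but not `*.openshiftapps.com` or the new `*.access.redhat.com`; the escaping should be consistent across the three bullets so AsciiDoc does not render a stray bold span. Removing the `--` open block and the numbered footnote in favour of the three bullets is fine, and the numbered-step continuation (`+`) before the bullets is preserved.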
