diff --git a/modules/configuring-firewall.adoc b/modules/configuring-firewall.adoc index 5195a4bbb363..456847977c15 100644 --- a/modules/configuring-firewall.adoc +++ b/modules/configuring-firewall.adoc @@ -38,9 +38,13 @@ If your environment has a dedicated load balancer in front of your {product-titl |443 |Provides core container images -|`access.redhat.com` ^[1]^ +|`access.redhat.com` |443 -|Hosts all the container images that are stored on the Red Hat Ecosytem Catalog, including core container images. +|Hosts a signature store that a container client requires for verifying images pulled from `registry.access.redhat.com`. In a firewall environment, ensure that this resource is on the allowlist. + +|`registry.access.redhat.com` +|443 +|Hosts all the container images that are stored on the Red Hat Ecosystem Catalog, including core container images. |`quay.io` |443 
@@ -79,11 +83,9 @@ If your environment has a dedicated load balancer in front of your {product-titl |The `https://console.redhat.com` site uses authentication from `sso.redhat.com` |=== + --- -1. In a firewall environment, ensure that the `access.redhat.com` resource is on the allowlist. This resource hosts a signature store that a container client requires for verifying images when pulling them from `registry.access.redhat.com`. --- -+ -You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist. When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`. +* You can use the wildcards `\*.quay.io` and `*.openshiftapps.com` instead of `cdn.quay.io` and `cdn0[1-6].quay.io` in your allowlist. +* You can use the wildcard `*.access.redhat.com` to simplify the configuration and ensure that all subdomains, including `registry.access.redhat.com`, are allowed. +* When you add a site, such as `quay.io`, to your allowlist, do not add a wildcard entry, such as `*.quay.io`, to your denylist. In most cases, image registries use a content delivery network (CDN) to serve images. If a firewall blocks access, image downloads are denied when the initial download request redirects to a hostname such as `cdn01.quay.io`. . Set your firewall's allowlist to include any site that provides resources for a language or framework that your builds require.
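Review bot: in the first hunk the rewritten `access.redhat.com` cell ends with "In a firewall environment, ensure that this resource is on the allowlist.", which is redundant in a table whose every row is already an allowlist entry; suggest trimming the cell to "Hosts a signature store that a container client requires for verifying images pulled from `registry.access.redhat.com`." so it reads like the other rows. Dropping the `^[1]^` footnote marker now that the footnote text lives in the row, and fixing `Ecosytem` to `Ecosystem` in the new `registry.access.redhat.com` row, both look right.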
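Review bot: in the second hunk the new bullet recommending `*.access.redhat.com` states no trade-off: it allowlists every subdomain rather than the two hosts the table lists (`access.redhat.com` and `registry.access.redhat.com`), and with many firewalls a wildcard matches subdomains only, so the apex `access.redhat.com` that hosts the signature store may still need its own entry; suggest presenting the wildcard as an optional simplification and stating both caveats. Minor: the first bullet escapes the asterisk as `\*.quay.io` while the second writes `*.access.redhat.com` unescaped; use the same form in both to avoid accidental bold rendering. Also confirm that the bullets still render nested under the enclosing `.` step now that the `+` continuation and the `--` delimiters are removed.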