Firewall Whitelist

Purpose: For operators, provides required network endpoints for the connected build phase.

Overview

The Zone A build host requires outbound HTTPS access to download dependencies. No inbound connections are needed. This list covers every endpoint the opencenter-airgap build command contacts.

Container Registries

Endpoint	Port	Protocol	Purpose
`registry.k8s.io`	443	HTTPS	Kubernetes system images (kube-apiserver, kube-controller-manager, etc.)
`docker.io`	443	HTTPS	Docker Hub images (registry, nginx, etc.)
`registry-1.docker.io`	443	HTTPS	Docker Hub pull endpoint
`production.cloudflare.docker.com`	443	HTTPS	Docker Hub CDN layer downloads
`auth.docker.io`	443	HTTPS	Docker Hub authentication
`ghcr.io`	443	HTTPS	GitHub Container Registry (FluxCD, openCenter images)
`quay.io`	443	HTTPS	Quay.io images (Calico, Prometheus, etc.)
`docker.elastic.co`	443	HTTPS	Elastic images (if included)

Helm Chart Repositories

Endpoint	Port	Protocol	Purpose
`charts.jetstack.io`	443	HTTPS	cert-manager Helm chart
`kubernetes.github.io`	443	HTTPS	ingress-nginx Helm chart

Binary Downloads

Endpoint	Port	Protocol	Purpose
`dl.k8s.io`	443	HTTPS	Kubernetes binaries (kubectl, kubelet, kubeadm)
`storage.googleapis.com`	443	HTTPS	Kubernetes binary CDN
`get.helm.sh`	443	HTTPS	Helm CLI binary
`github.com`	443	HTTPS	Tool releases (k9s, stern, yq, jq, Zarf)
`objects.githubusercontent.com`	443	HTTPS	GitHub release asset downloads

Git Repositories

Endpoint	Port	Protocol	Purpose
`github.com`	443	HTTPS	Kubespray, openCenter-gitops-base cloning
`github.com`	22	SSH	Git clone over SSH (alternative)

Terraform Provider Registry

Endpoint	Port	Protocol	Purpose
`registry.terraform.io`	443	HTTPS	Provider metadata and download URLs
`releases.hashicorp.com`	443	HTTPS	Terraform provider binaries

Only required when building with --template openstack or when terraform-providers component is enabled.

OS Package Repositories

Endpoint	Port	Protocol	Purpose
`archive.ubuntu.com`	80/443	HTTP/HTTPS	Ubuntu package mirror
`security.ubuntu.com`	80/443	HTTP/HTTPS	Ubuntu security updates
`pypi.org`	443	HTTPS	Python package index
`files.pythonhosted.org`	443	HTTPS	Python package downloads

Zone C (Disconnected) — No Outbound Access

Zone C requires zero internet access. All traffic stays within the local network:

Source	Destination	Port	Purpose
Target nodes	Bastion	35000	Container image pulls
Target nodes	Bastion	80	OS packages, binaries, Python wheels
Bastion	Target nodes	22	SSH for Ansible/Kubespray

Firewall Rule Example (iptables)

For Zone A build host, allow outbound HTTPS and SSH:

# Allow outbound HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Allow outbound HTTP (Ubuntu repos)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

# Allow outbound SSH (Git clone)
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

# Allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

For Zone C bastion, restrict to local subnet only:

# Allow inbound from target node subnet
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 35000 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j ACCEPT

# Allow SSH from bastion to target nodes
iptables -A OUTPUT -d 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT

# Drop all other outbound
iptables -A OUTPUT -j DROP

Overview​

Container Registries​

Helm Chart Repositories​

Binary Downloads​

Git Repositories​

Terraform Provider Registry​

OS Package Repositories​

Zone C (Disconnected) — No Outbound Access​

Firewall Rule Example (iptables)​