
Conversation

@bryan-cox
Member

@bryan-cox bryan-cox commented Feb 5, 2026

Summary

Add comprehensive documentation for HCP networking port requirements to help operators configure firewalls and security groups.

Details

This PR adds docs/content/how-to/common/hcp-networking-requirements.md covering:

  • Common ingress ports: API server (6443)
  • Service publishing strategy: How Route vs NodePort/LoadBalancer affects required ports
  • Platform-specific ports: Azure (7443), IBM Cloud (2040), AWS/PowerVS/KubeVirt/OpenStack (9440 health checks), Agent/None (8443 ignition proxy)
  • Private clusters: Ports 8080/8443 for AWS/Azure/GCP private router
  • Worker node egress requirements: Ports workers need to reach the control plane
  • Security considerations: TLS status, source IP restrictions, sensitive data warnings
  • Firewall configuration example: Sample AWS security group rules

All port numbers include code references for verification.

Test plan

  • Verify documentation renders correctly in mkdocs
  • Spot-check code references are accurate

🤖 Generated with Claude Code

@openshift-ci-robot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@coderabbitai
Contributor

coderabbitai bot commented Feb 5, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Adds a new comprehensive documentation file detailing Hosted Control Plane (HCP) networking requirements, including ingress/egress port configurations across multiple platforms, security considerations, and network policy guidance. Updates the documentation site navigation to reference the new file.

Changes

Cohort / File(s) Summary
HCP Networking Documentation
docs/content/how-to/common/hcp-networking-requirements.md
New documentation file outlining HCP networking requirements: ingress/egress port references, platform-specific configurations (AWS, Azure, GCP, IBM Cloud, PowerVS, KubeVirt, OpenStack, Agent, None), Konnectivity architecture, private cluster considerations, worker node egress requirements, security guidelines, and network policy implications.
Documentation Navigation
docs/mkdocs.yml
Added navigation entry linking to the new HCP Networking Requirements documentation file under the Common section.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Comment @coderabbitai help to get the list of available commands and usage tips.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Feb 5, 2026
@openshift-ci
Contributor

openshift-ci bot commented Feb 5, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Contributor

openshift-ci bot commented Feb 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the area/documentation and approved labels and removed the do-not-merge/needs-area label Feb 5, 2026
@bryan-cox bryan-cox force-pushed the CNTRLPLANE-2700 branch 2 times, most recently from 62ecf71 to 6449179 February 5, 2026 20:51
@bryan-cox
Member Author

bryan-cox commented Feb 5, 2026

/retitle CNTRLPLANE-2700: docs: add HCP networking requirements documentation

@openshift-ci openshift-ci bot changed the title from "docs: add HCP networking requirements documentation" to "CNTRLPLANE-2700: docs: add HCP networking requirements documentation" Feb 5, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference label Feb 5, 2026
@openshift-ci-robot

openshift-ci-robot commented Feb 5, 2026

@bryan-cox: This pull request references CNTRLPLANE-2700 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.


In response to this:

Summary

  • Add comprehensive documentation for HCP networking port requirements
  • Document all platform-specific ports with code references for verification
  • Include security considerations and firewall configuration examples

Details

This PR adds a new documentation page covering:

  • Common ingress/egress ports for all platforms (6443, 8091, 9090, etc.)
  • Platform-specific ports: AWS, Azure, IBM Cloud, PowerVS, KubeVirt, OpenStack, Agent, None
  • Private cluster ports (8080/8443) for AWS/Azure/GCP
  • Konnectivity architecture overview with link to reference docs
  • Worker node egress requirements
  • Security considerations: TLS encryption status, source IP restrictions, sensitive data warnings
  • Firewall configuration examples for AWS deployments

All port references include code citations (file paths and constant names) for verification.

Test plan

  • Verify documentation renders correctly in mkdocs
  • Spot-check code references are accurate
  • Review security considerations section for completeness

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@bryan-cox bryan-cox force-pushed the CNTRLPLANE-2700 branch 3 times, most recently from e00fc87 to 25b6bec February 5, 2026 21:06
@openshift-ci-robot

openshift-ci-robot commented Feb 5, 2026

@bryan-cox: This pull request references CNTRLPLANE-2700 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.


In response to this:

Summary

  • Add comprehensive documentation for HCP networking port requirements
  • Clarify how service publishing strategy (Route vs NodePort) affects required ports
  • Document all platform-specific ports with code references for verification
  • Include security considerations and firewall configuration examples

Details

This PR adds a new documentation page covering:

  • Common ingress port: 6443 (Kubernetes API Server)
  • Service publishing strategy impact: Explains how Route (port 443) vs NodePort (8091, 8443) affects firewall requirements
  • Platform-specific ports: AWS, Azure, IBM Cloud, GCP, PowerVS, KubeVirt, OpenStack, Agent, None
  • Private cluster ports (8080/8443) for AWS/Azure/GCP
  • Konnectivity architecture overview with link to reference docs
  • Worker node egress requirements with conditional ports based on publishing strategy
  • Security considerations: TLS encryption status, source IP restrictions, sensitive data warnings
  • Firewall configuration examples for AWS deployments using Route publishing

Key clarifications:

  • Ignition Server accessed via Route (443) or Ignition Proxy (8443), not directly on port 9090
  • Konnectivity accessed via Route (443) or directly (8091) depending on publishing strategy
  • IBM Cloud does not use ignition-server-proxy
  • GCP uses standard common ports (no platform-specific ports)

All port references include code citations for verification.

Test plan

  • Verify documentation renders correctly in mkdocs
  • Spot-check code references are accurate
  • Review security considerations section for completeness

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot

openshift-ci-robot commented Feb 5, 2026

@bryan-cox: This pull request references CNTRLPLANE-2700 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the task to target the "4.22.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@devguyio
Contributor

devguyio commented Feb 6, 2026

/cc @devguyio

@openshift-ci openshift-ci bot requested a review from devguyio February 6, 2026 13:49
Contributor

@jparrill jparrill left a comment

Looks very nice, I think this will be very useful for multiple users and customers 👏 👏 👏. Dropped some comments.

| 2040 | Kubernetes API Server (IBM Cloud) | Cluster management on IBM Cloud platform | IBM Cloud only |
| 8091 | Konnectivity Server | Establish reverse tunnel for control plane access | NodePort/LoadBalancer publishing only |
| 8443 | Ignition Proxy | Retrieve bootstrap configuration | NodePort publishing only (Agent/None platforms) |
| 53 | DNS | Name resolution | Always |
Contributor

I would also say that this should allow the traffic over both TCP and UDP, otherwise it could cause intermittent issues and disconnections.

Member Author

Done. Added a Protocol column (TCP / TCP + UDP) to all port tables — Common Ingress, Common Egress, Worker Node Egress, and the firewall examples — so the required transport protocols are explicit throughout the document.


AI-assisted response via Claude Code
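The port matrix the PR description lays out (6443 always; 443 under Route publishing; 8091 and, on Agent/None, 8443 under NodePort; Azure 7443; IBM Cloud 2040; 9440 health checks on AWS/PowerVS/KubeVirt/OpenStack; 8080/8443 for private clusters on AWS/Azure/GCP), combined with the review point above that DNS on port 53 needs both TCP and UDP, can be turned into a checker that diffs a security-group rule list against what the platform and publishing strategy require. This is an added example, not code from the HyperShift repository or from this PR; the rule dict shape, the platform and publishing names, and the assignment of each port to a transport are assumptions made here.

```python
"""Check a firewall / security-group rule list against the HCP port
requirements summarised in the PR description (added example; the port
matrix is transcribed from the PR text, not from the repository)."""

# Platform-specific ports named in the PR description (assumed TCP).
PLATFORM_PORTS = {
    "azure": {7443},
    "ibmcloud": {2040},                      # IBM Cloud API server port
    "aws": {9440}, "powervs": {9440},        # 9440: health checks
    "kubevirt": {9440}, "openstack": {9440},
    "gcp": set(),                            # PR: GCP uses common ports only
    "agent": set(), "none": set(),
}
PRIVATE_ROUTER_PLATFORMS = {"aws", "azure", "gcp"}   # private router 8080/8443


def required_rules(platform, publishing, private=False):
    """Return the set of (port, proto) pairs that must be allowed between
    workers and the hosted control plane.

    publishing is "route", "nodeport" or "loadbalancer" (assumed names).
    """
    required = {(6443, "tcp")}                      # API server, always
    required |= {(53, "tcp"), (53, "udp")}          # DNS, always, both transports
    if publishing == "route":
        required.add((443, "tcp"))                  # Konnectivity + ignition via Route
    else:
        required.add((8091, "tcp"))                 # Konnectivity, NodePort/LoadBalancer
        if publishing == "nodeport" and platform in ("agent", "none"):
            required.add((8443, "tcp"))             # ignition proxy on Agent/None
    required |= {(p, "tcp") for p in PLATFORM_PORTS[platform]}
    if private and platform in PRIVATE_ROUTER_PLATFORMS:
        required |= {(8080, "tcp"), (8443, "tcp")}
    return required


def missing_rules(rules, platform, publishing, private=False):
    """List the (port, proto) pairs the supplied rules do not cover.

    Each rule is a constructed dict: {"port": int, "proto": "tcp" | "udp"}.
    """
    allowed = {(r["port"], r["proto"].lower()) for r in rules}
    return sorted(required_rules(platform, publishing, private) - allowed)


if __name__ == "__main__":
    # Constructed sample: an AWS cluster using Route publishing whose rules
    # cover DNS over TCP only, the gap the review comment warns about.
    sample = [{"port": 6443, "proto": "tcp"}, {"port": 443, "proto": "tcp"},
              {"port": 9440, "proto": "tcp"}, {"port": 53, "proto": "tcp"}]
    print(missing_rules(sample, "aws", "route"))   # [(53, 'udp')]
```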

@bryan-cox bryan-cox marked this pull request as ready for review February 6, 2026 19:30
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Feb 6, 2026
@openshift-ci openshift-ci bot requested review from enxebre and jparrill February 6, 2026 19:31
@bryan-cox bryan-cox marked this pull request as draft February 6, 2026 20:05
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label Feb 6, 2026
@jparrill
Contributor

Hey @bryan-cox, I think it needs to execute verify locally and add the self-generated files from the execution to the commit :). Let me know for tagging 🙏.

Add comprehensive documentation for HCP networking port requirements
including:
- Common ingress/egress ports for all platforms
- Platform-specific ports (AWS, Azure, IBM Cloud, PowerVS, KubeVirt,
  OpenStack, Agent, None)
- Private cluster ports (AWS/Azure/GCP)
- Konnectivity architecture overview with link to reference docs
- Worker node egress requirements
- Security considerations (TLS, source IP restrictions, sensitive data)
- Firewall configuration examples

All port references include code citations for verification.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@bryan-cox bryan-cox marked this pull request as ready for review February 11, 2026 13:57
@bryan-cox
Member Author

/verified bypass

This is just docs

@openshift-ci-robot openshift-ci-robot added the verified label Feb 11, 2026
@openshift-ci-robot

@bryan-cox: The verified label has been added.


In response to this:

/verified bypass

This is just docs

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label Feb 11, 2026
@openshift-ci openshift-ci bot requested a review from muraee February 11, 2026 14:05
@jparrill
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Feb 11, 2026
@openshift-ci-robot

Scheduling required tests:
/test verify-deps

@openshift-ci
Contributor

openshift-ci bot commented Feb 11, 2026

@bryan-cox: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/docs-preview | 70259f7 | link | false | /test docs-preview |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot bot merged commit 1463a78 into openshift:main Feb 11, 2026
10 of 11 checks passed
@bryan-cox bryan-cox deleted the CNTRLPLANE-2700 branch February 11, 2026 14:33