Description of problem:
Docs indicate that it is the responsibility of the cluster administrator to properly secure ports 22623 and 22624. However, these ports are actually automatically blocked and are unreachable after installation time due to the following:

See KCS describing the issue: https://access.redhat.com/solutions/7007012

See code:
#ovn: https://github.com/openshift/ovn-kubernetes/blob/14fb7c43a5b54e9be4063de628c996fcfcc3b5ad/go-controller/pkg/node/OCP_HACKS.go#L19
#sdn: https://github.com/openshift/sdn/blob/307a0b2cdd1d5e97830e940d95ba9985e80f5d19/pkg/network/node/iptables.go#L250

Therefore, the documentation should be updated to reflect that these ports are denied everywhere. We should also consider updating the documentation where we discuss port ranges in the specific OVN/SDN docs, to list that these ports are denied after ignition.
Version-Release number of selected component (if applicable):
4.12 and higher.
Additional info:
Docs should reflect that these ports are blocked by default and cannot be un-blocked (hard-coded nftables/iptables rule engagement to drop traffic after ignition is completed). We have filed an RFE to determine if they can be un-blocked manually: https://issues.redhat.com/browse/RFE-6268
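
An added example, not part of the original report or of the linked OpenShift code: one way to confirm from a node's `iptables-save` output that deny rules covering ports 22623 and 22624 are present. The sample ruleset, including its chain names and rule shapes, is constructed for illustration, and the function names are hypothetical.

```python
import shlex

MCS_PORTS = (22623, 22624)            # the two ports named in this report
DENY_TARGETS = {"DROP", "REJECT"}

# Constructed sample in iptables-save format (assumption: chains and rule
# shapes are illustrative, not copied from a cluster node).
SAMPLE_RULESET = """\
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 22623 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -p tcp -m tcp --dport 22624 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m multiport --dports 22623,22624 -j DROP
-A OUTPUT -p tcp -m tcp --dport 22000:22100 -j ACCEPT
COMMIT
"""

def _ports(spec):
    """Expand a port spec ('22623', '22000:22100', '22623,22624') into (lo, hi) ranges."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        yield int(lo or 0), (int(hi or 65535) if sep else int(lo))

def deny_rules(ruleset):
    """Return {port: [(table, chain, target), ...]} for rules denying the MCS ports."""
    hits = {p: [] for p in MCS_PORTS}
    table = None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()      # table header, e.g. "*filter"
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        opts = dict(zip(tok, tok[1:]))    # each option mapped to the token after it
        target = opts.get("-j")
        spec = opts.get("--dport") or opts.get("--dports")
        # Skip non-deny rules, rules without a destination port, and negated matches.
        if target not in DENY_TARGETS or not spec or "!" in tok:
            continue
        for port in MCS_PORTS:
            if any(lo <= port <= hi for lo, hi in _ports(spec)):
                hits[port].append((table, tok[1], target))
    return hits

def unprotected(ruleset):
    """List the MCS ports for which no deny rule was found."""
    return [p for p, rules in deny_rules(ruleset).items() if not rules]

if __name__ == "__main__":
    print(deny_rules(SAMPLE_RULESET), unprotected(SAMPLE_RULESET))
```

A hit only shows that a deny rule exists; it does not evaluate rule order or earlier ACCEPT rules in the same chain.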