Bug
Resolution: Unresolved
Minor
4.17
Description of problem:
Since OpenShift 4.12, Open Virtual Network (OVN) is the default CNI network provider [1]. OVN requires TCP ingress ports 6641 and 6642 to be open, as per OpenStack documentation [2].

There is no listing for these two ports to be opened within the formal "Network connectivity requirements" section of the OpenShift "Installing a cluster on any platform" chapter for OCP 4.12 or above, even though this would need to be open by default. Specifically for ROSA/OSD/HCP products, the OpenShift installer will automatically create AWS Security Group ingress rules opening ports 6641 and 6642 for OVN.

Please consider adding in an additional entry for ports 6641-6642 into the tables for "Network connectivity requirements" for documentation of currently supported OpenShift versions.

[1] https://access.redhat.com/solutions/5843571
[2] https://docs.redhat.com/en/documentation/red_hat_openstack_platform/17.1/html-single/configuring_red_hat_openstack_platform_networking/index#ovn-list-of-components_work-ovn
Version-Release number of selected component (if applicable):
4.12 and above
How reproducible:
N/A - missing documentation
Steps to Reproduce:
N/A - missing documentation
Actual results:
N/A - missing documentation
Expected results:
N/A - missing documentation
Additional info:
This lack of documentation issue was observed by a Product Security Compliance team Systems Engineer performing a quarterly review of Security Group Rules for OpenShift on AWS clusters used by our Software-as-a-Service products, OSD, HCP, Quay.io and ACS CS. The engineer attempted to correlate the AWS Security Group Rules in the exported files with formal Red Hat documentation for auditing purposes, but found ports 6641-6642 were not listed as OCP required ports in any publicly accessible OpenShift guides.
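The correlation step described under "Additional info" can be automated. The following is an added example, not part of the original report or any Red Hat tooling: it reads an export in the shape of `aws ec2 describe-security-groups` output and reports every ingress port range that a documented-port allowlist does not cover. The allowlist entries, the group ID and the sample rules are constructed for illustration.

```python
import json

# Constructed allowlist (protocol, low, high): what an auditor has transcribed
# from the documentation under review. Assumed values, not an authoritative list.
DOCUMENTED = [("tcp", 6443, 6443), ("tcp", 22623, 22623),
              ("tcp", 10250, 10259), ("udp", 6081, 6081)]

# Constructed export in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_EXPORT = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-constructed-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443},
        {"IpProtocol": "tcp", "FromPort": 6641, "ToPort": 6642},
        {"IpProtocol": "tcp", "FromPort": 10240, "ToPort": 10260},
        {"IpProtocol": "udp", "FromPort": 6081, "ToPort": 6081},
        {"IpProtocol": "-1"},  # all protocols; AWS omits the port fields here
    ]}]})

def uncovered(proto, low, high, documented):
    """Return the sub-ranges of [low, high] that no documented range covers."""
    gaps, cursor = [], low
    for _, d_low, d_high in sorted(r for r in documented if r[0] == proto):
        if d_high < cursor:
            continue            # documented range lies entirely below the cursor
        if d_low > high:
            break               # remaining documented ranges lie above the rule
        if d_low > cursor:
            gaps.append((cursor, d_low - 1))
        cursor = max(cursor, d_high + 1)
        if cursor > high:
            break
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps

def audit(export_json, documented=DOCUMENTED):
    """Return (group_id, protocol, low, high) for each undocumented ingress range."""
    findings = []
    for group in json.loads(export_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            proto = rule["IpProtocol"]
            if proto not in ("tcp", "udp"):
                # "-1" (all traffic), ICMP and others carry no port range:
                # flag for manual review rather than guessing.
                findings.append((group["GroupId"], proto, None, None))
                continue
            for low, high in uncovered(proto, rule["FromPort"], rule["ToPort"], documented):
                findings.append((group["GroupId"], proto, low, high))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

A rule that is only partly documented is split, so the report shows exactly which ports lack a documentation reference instead of flagging the whole rule.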