OpenShift Commatrix CLI (`oc commatrix`) solves the problem of stale, manually maintained firewall rules in OpenShift clusters. Instead of relying on static documentation or spreadsheets, it inspects the live cluster using the Kubernetes EndpointSlice API to automatically discover exposed ports from LoadBalancer services, NodePort services, host-networked pods, and HostPort containers. It generates accurate ingress communication matrices and outputs them directly as nftables rules, with support for custom MachineConfigPools, multiple topologies (HA, SNO, MNO, HyperShift), platforms (AWS, bare metal), and IPv4/IPv6/dual-stack. A `--host-open-ports` flag deploys debug pods to run `ss` on each node and diffs actual listening ports against the generated matrix, making it easy to spot gaps between declared and actual firewall state.

5 min read. From developers.redhat.com.
Table of contents

- How firewall rules were managed before
- What oc commatrix does differently
- Key improvements over the manual approach
- Getting started
