# Venafi Kubernetes Agent network requirements

The Venafi Kubernetes Agent needs to connect to the REST API of Venafi Control Plane, so you may have to configure your firewall or egress proxy accordingly.
## Introduction

If your Kubernetes cluster is deployed in a secure environment that limits connections to external sites or services, you may need to configure your firewall with the following egress rules.

US region (`api.venafi.cloud`):

| Rule | Host | Protocol | Port |
|---|---|---|---|
| ALLOW | api.venafi.cloud | TCP | 443 |
| ALLOW | registry.venafi.cloud | TCP | 443 |

EU region (`api.venafi.eu`):

| Rule | Host | Protocol | Port |
|---|---|---|---|
| ALLOW | api.venafi.eu | TCP | 443 |
| ALLOW | registry.venafi.cloud | TCP | 443 |
**Note:** You require access to `registry.venafi.cloud` only if you are using the Venafi registry. If you have replicated the images to your own registry, then you need to allow access to that registry instead.

**Tip:** For more information on the IP addresses to allow when communicating with `api.venafi.cloud` or `api.venafi.eu`, see Allowlist public NAT gateways.
If you use an egress proxy, you can assign the proxy address to an environment variable called `HTTPS_PROXY` in the environment of the Venafi Control Plane process. The Venafi Kubernetes Agent uses the Go HTTP library, which reads the proxy address from the process environment.
## Modifying network settings for Kubernetes

### Egress using NetworkPolicy

Many Kubernetes clusters and most OpenShift clusters have `NetworkPolicy` enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to connections between Pods in a cluster and also to connections between Pods and the Internet.

Learn more about network policies: read the Kubernetes Network Policies documentation and the documentation on Network Policies for OpenShift clusters.
Here is an example of a `NetworkPolicy` which will allow the Venafi Kubernetes Agent to connect to the REST API of Venafi Control Plane.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-venafi-agent
  namespace: venafi
spec:
  # Applies to the agent Pods only (matched by their app label).
  podSelector:
    matchLabels:
      app: venafi-agent
  # Only egress is governed by this policy; any egress not listed
  # below is denied for the selected Pods.
  policyTypes:
    - Egress
  egress:
    # Allow outbound TCP 443 to any destination, which covers
    # api.venafi.cloud / api.venafi.eu and registry.venafi.cloud.
    # Note that this single rule does not allow port 53 to the cluster
    # DNS service, so name resolution of those hosts fails unless DNS
    # egress is permitted by another rule or policy.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```
## Proxy Server Considerations

Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:

- Add `api.venafi.cloud` to the allowed domain list of your egress proxy if you are using the US region. If you are using the EU Venafi Control Plane region, add `api.venafi.eu` instead.
- If you use a Helm chart to install the Venafi Kubernetes Agent, you can use the following Helm values.

`http_proxy`: configures the `HTTP_PROXY` environment variable where an HTTP proxy is required. For example:

```yaml
http_proxy: "http://<proxy server>:<port>"
```

`https_proxy`: configures the `HTTPS_PROXY` environment variable where an HTTP proxy is required. For example:

```yaml
https_proxy: "https://<proxy server>:<port>"
```

`no_proxy`: configures the `NO_PROXY` environment variable where an HTTP proxy is required, but certain domains should be excluded. For example:

```yaml
no_proxy: 127.0.0.1,localhost,kubernetes.default.svc,kubernetes.default.svc.cluster.local
```

For more information about proxy server Helm values for the Venafi Kubernetes Agent, see the Venafi Kubernetes Agent Helm values reference page.

Also, when the Venafi Kubernetes Agent requires a proxy for outbound connections and the proxy uses a certificate issued by a private certificate authority, you can add that certificate authority to a custom CA bundle that the agent will trust. The Helm chart supports specifying volumes and volume mounts to streamline this process. For more information, see the Venafi Kubernetes Agent Helm values reference page.
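The following Python script is an added example, not part of the Venafi documentation or of the agent's own code. It turns the egress tables, the `HTTPS_PROXY`/`NO_PROXY` handling and the private-CA note above into a preflight check you can run from a throwaway debug Pod in the agent's namespace before installing the agent: for each host the agent must reach it reports the first layer that fails (DNS, TCP connect, or the TLS handshake), which distinguishes a missing DNS egress rule from a firewall or proxy allowlist problem and from a TLS-intercepting proxy whose CA is not trusted. The hostnames and ports come from this page; the region argument, the `private_registry` and `cafile` parameters, the proxy URL and the `NO_PROXY` sample are assumptions. When `HTTPS_PROXY` selects a proxy for a host, the probe tunnels through it with HTTP `CONNECT`; it only supports `http://` proxy URLs (TLS to the proxy itself is not implemented here).

```python
"""Egress preflight check for the Venafi Kubernetes Agent.

Added example; not part of the Venafi documentation or of the agent itself.
Probes each host the agent must reach (taken from the egress tables on the
page) and reports the first failing layer: DNS, TCP connect (direct or via
the proxy that HTTPS_PROXY/NO_PROXY select), or the TLS handshake.
"""
import os
import socket
import ssl
import sys
import urllib.parse
import urllib.request

# Hostnames from the egress tables on the page.
VENAFI_API = {"us": "api.venafi.cloud", "eu": "api.venafi.eu"}
VENAFI_REGISTRY = "registry.venafi.cloud"


def required_egress(region, private_registry=None):
    """Return the (host, port) pairs that must be reachable on TCP 443.

    region is "us" or "eu".  private_registry (an assumed hostname) replaces
    registry.venafi.cloud when the images were replicated to your own registry.
    """
    try:
        api = VENAFI_API[region.lower()]
    except KeyError:
        raise ValueError(f"unknown region {region!r}; expected 'us' or 'eu'")
    return [(api, 443), (private_registry or VENAFI_REGISTRY, 443)]


def proxy_for(host, env=None):
    """Return the proxy URL HTTPS_PROXY selects for host, or None when no proxy
    is set or NO_PROXY excludes the host.  env defaults to the process
    environment, which is also where the agent's Go HTTP client looks."""
    env = os.environ if env is None else env

    def get(name):
        return env.get(name.upper()) or env.get(name.lower()) or ""

    if urllib.request.proxy_bypass_environment(host, {"no": get("NO_PROXY")}):
        return None
    return get("HTTPS_PROXY") or None


def _open_tcp(host, port, proxy, timeout):
    """Open a TCP stream to host:port, tunnelling with HTTP CONNECT through
    proxy (an http:// URL) when one is given."""
    if not proxy:
        return socket.create_connection((host, port), timeout=timeout)
    p = urllib.parse.urlsplit(proxy)
    if p.scheme != "http" or not p.hostname:
        raise ValueError(f"unsupported proxy URL {proxy!r}; this probe needs http://host:port")
    sock = socket.create_connection((p.hostname, p.port or 80), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf:  # read the proxy's full response header
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    status = buf.split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/1.") or b" 200" not in status:
        sock.close()
        raise OSError(f"proxy refused CONNECT: {status.decode(errors='replace')}")
    return sock


def check_host(host, port=443, timeout=5.0, cafile=None, env=None):
    """Probe one host and return {host, proxy, dns, tcp, tls, error}.

    cafile is the CA bundle the agent is configured to trust (assumed path);
    a TLS failure that goes away once the proxy's private CA is in cafile is
    exactly the case the custom CA bundle described on the page covers.
    """
    r = {"host": host, "proxy": proxy_for(host, env), "dns": None,
         "tcp": False, "tls": False, "error": None}
    if r["proxy"] is None:  # with a proxy, the proxy resolves the name
        try:
            socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
            r["dns"] = True
        except socket.gaierror as exc:
            # Inside a cluster this usually means port 53 to cluster DNS is blocked.
            r["dns"], r["error"] = False, f"dns: {exc}"
            return r
    try:
        sock = _open_tcp(host, port, r["proxy"], timeout)
        r["tcp"] = True
    except OSError as exc:  # firewall, NetworkPolicy or proxy allowlist
        r["error"] = f"tcp: {exc}"
        return r
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host):
            r["tls"] = True
    except OSError as exc:  # untrusted CA, e.g. a TLS-intercepting proxy
        r["error"] = f"tls: {exc}"
    return r


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "us"
    for host, port in required_egress(region):
        r = check_host(host, port)
        print(f"{host}:{port} via {r['proxy'] or 'direct'}: {'ok' if r['tls'] else r['error']}")
```

Run it as `python3 preflight.py eu` (or `us`) inside the cluster with the same `HTTPS_PROXY`/`NO_PROXY` values you intend to give the agent; a `dns:` failure points at the NetworkPolicy, a `tcp:` failure at the firewall or proxy allowlist, and a `tls:` failure at the CA bundle.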