Skip to content

Venafi Kubernetes Agent network requirements

Venafi Kubernetes agent needs to connect to the REST API of Venafi Control Plane, so you may have to configure your firewall or egress proxy accordingly.

Introduction

If your Kubernetes cluster is deployed in a secure environment that limits connection to external sites or services, you may need to configure your firewall with the following egress rule.

Rule Host Protocol Port
ALLOW api.venafi.cloud TCP 443
ALLOW registry.venafi.cloud TCP 443
Rule Host Protocol Port
ALLOW api.eu.venafi.cloud TCP 443
ALLOW registry.venafi.cloud TCP 443

Note

You require access to registry.venafi.cloud only if you are using you are using the Venafi registry. If you have replicated images to your own registry, then, of course, you need to allow access to that.

Tip

For more information on IP addresses to allow when communicating with api.venafi.cloud or api.venafi.eu, see Allowlist public NAT gateways.

If you use an egress proxy you can assign the proxy address to an environment variable called HTTPS_PROXY, in the environment of the Venafi Control Plane process. The Venafi Kubernetes agent uses the Go HTTP library which allows getting the proxy from the process environment.

Modifying network settings for Kubernetes

Egress using NetworkPolicy

Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to a connections between Pods in a cluster and also apply to connections between Pods and the Internet.

Learn more about network policies

Read the Kubernetes Network Policies documentation and about Network Policies on OpenShift clusters.

Here is an example of NetworkPolicy which will allow Venafi Kubernetes agent to connect to the REST API of Venafi Control Plane.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-venafi-agent
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app: venafi-agent
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443

Proxy Server Considerations

Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:

  1. Add api.venafi.cloud to the allowed domain list of your egress proxy.
  2. Add an HTTPS_PROXY environment variable to the PodTemplate of the Deployment resource of the Venafi Kubernetes agent.