
Venafi Kubernetes Agent network requirements

Venafi Kubernetes agent needs to connect to the REST API of Venafi Control Plane, so you may have to configure your firewall or egress proxy accordingly.

Introduction

If your Kubernetes cluster is deployed in a secure environment that limits connections to external sites or services, you may need to configure your firewall with the following egress rules.

Rule   Host                    Protocol  Port
ALLOW  api.venafi.cloud        TCP       443
ALLOW  registry.venafi.cloud   TCP       443

Rule   Host                    Protocol  Port
ALLOW  api.venafi.eu           TCP       443
ALLOW  registry.venafi.cloud   TCP       443

Note

You require access to registry.venafi.cloud only if you are pulling images from the Venafi registry. If you have replicated the images to your own registry, you need to allow access to that registry instead.

Tip

For more information on IP addresses to allow when communicating with api.venafi.cloud or api.venafi.eu, see Allowlist public NAT gateways.

If you use an egress proxy, you can assign the proxy address to an environment variable called HTTPS_PROXY in the environment of the Venafi Kubernetes agent process. The Venafi Kubernetes agent uses the Go HTTP library, which reads the proxy address from the process environment.

Modifying network settings for Kubernetes

Egress using NetworkPolicy

Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to connections between Pods in a cluster and also to connections between Pods and the Internet.

Learn more about network policies

Read the Kubernetes Network Policies documentation and the OpenShift documentation on network policies.

Here is an example of a NetworkPolicy that allows the Venafi Kubernetes agent to connect to the REST API of Venafi Control Plane.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-venafi-agent
  namespace: venafi
spec:
  # Selects the agent Pods; match the labels of your agent Deployment
  podSelector:
    matchLabels:
      app: venafi-agent
  policyTypes:
  - Egress
  egress:
  # Outbound HTTPS to the Venafi Control Plane API (and the registry)
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
    ports:
    - protocol: TCP
      port: 443
  # Once a Pod is selected for Egress, every outbound connection not listed
  # here is denied, so DNS must be allowed too or the API hostname cannot
  # be resolved
  - ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

Proxy Server Considerations

Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:

  1. Add api.venafi.cloud (or api.venafi.eu) to the allowed domain list of your egress proxy.
  2. Add an HTTPS_PROXY environment variable to the PodTemplate of the Deployment resource of the Venafi Kubernetes agent.
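As an added preflight check that is not part of Venafi's documentation or tooling, the script below tests the egress rules from the table above from wherever you run it (for example a throwaway Pod in the agent's namespace), either directly or through the proxy named in HTTPS_PROXY, the same variable the agent reads. It assumes a plain HTTP CONNECT proxy; the host lists and the optional command-line argument that selects the API host are constructed for this example.

```python
import os
import socket
import sys
from urllib.parse import urlparse

# Hosts taken from the egress tables above (constructed for this example); the
# registry is only needed when images are pulled from the Venafi registry.
REQUIRED_HOSTS = {
    "api.venafi.cloud": ["api.venafi.cloud", "registry.venafi.cloud"],
    "api.venafi.eu": ["api.venafi.eu", "registry.venafi.cloud"],
}


def proxy_target(env):
    """Return (host, port) of the proxy named by HTTPS_PROXY, or None.

    Go's net/http reads the same variables (uppercase first, then lowercase),
    so a proxy that works here is the one the agent will use."""
    url = env.get("HTTPS_PROXY") or env.get("https_proxy")
    if not url:
        return None
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname, parsed.port or 80  # http default when no port is given


def check_egress(hosts, env=None, connect=socket.create_connection, timeout=5.0):
    """Open TCP 443 to each host, tunnelling through the proxy with HTTP CONNECT
    when HTTPS_PROXY is set. Returns {host: reachable}; any OSError is 'blocked'."""
    env = os.environ if env is None else env
    proxy = proxy_target(env)
    results = {}
    for host in hosts:
        try:
            if proxy is None:
                with connect((host, 443), timeout=timeout):
                    results[host] = True
            else:
                with connect(proxy, timeout=timeout) as sock:
                    request = f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n"
                    sock.sendall(request.encode("ascii"))
                    status = sock.recv(4096).split(b"\r\n", 1)[0].split()
                    # Only a 2xx reply means the proxy allowed the domain and opened the tunnel
                    results[host] = len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1].startswith(b"2")
        except OSError:
            results[host] = False
    return results


if __name__ == "__main__":
    api_host = sys.argv[1] if len(sys.argv) > 1 else "api.venafi.cloud"
    for host, ok in check_egress(REQUIRED_HOSTS[api_host]).items():
        print(f"{host}:443 {'reachable' if ok else 'BLOCKED'}")
```

A host reported as BLOCKED when HTTPS_PROXY is set usually means the domain is missing from the proxy's allow list (step 1 above); without a proxy it points at the firewall or NetworkPolicy egress rules.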