Venafi Kubernetes Agent network requirements
The Venafi Kubernetes agent needs to connect to the REST API of Venafi Control Plane, so you may have to configure your firewall or egress proxy accordingly.
If your Kubernetes cluster is deployed in a secure environment that limits connections to external sites or services, you may need to configure your firewall with the following egress rule.
You require access to registry.venafi.cloud only if you are using the Venafi registry. If you have replicated the images to your own registry, you need to allow access to that registry instead.
For more information on IP addresses to allow when communicating with api.venafi.eu, see Allowlist public NAT gateways.
If you use an egress proxy, you can assign the proxy address to an environment variable called HTTPS_PROXY in the environment of the Venafi Control Plane process. The Venafi Kubernetes agent uses the Go HTTP library, which reads the proxy address from the process environment.
Modifying network settings for Kubernetes
Many Kubernetes clusters and most OpenShift clusters have NetworkPolicy enabled. NetworkPolicies allow you to limit how a Pod communicates over the network. NetworkPolicies apply to connections between Pods in a cluster and also to connections between Pods and the Internet.
Learn more about network policies.
Here is an example of a NetworkPolicy which will allow the Venafi Kubernetes agent to connect to the REST API of Venafi Control Plane.
- protocol: TCP
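The following egress NetworkPolicy is an added example (not the page's own manifest) that allows the agent Pods DNS resolution plus HTTPS to Venafi Control Plane while denying all other egress. It assumes the agent runs in a namespace named venafi with the Pod label app.kubernetes.io/name: venafi-kubernetes-agent and that cluster DNS is the kube-dns/CoreDNS Deployment in kube-system; adjust those to match your installation.

```yaml
# Added example, not from the Venafi documentation.
# Assumed names: namespace "venafi", agent Pod label
# app.kubernetes.io/name=venafi-kubernetes-agent, DNS Pods labelled k8s-app=kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: venafi-kubernetes-agent-egress
  namespace: venafi
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: venafi-kubernetes-agent
  policyTypes:
    - Egress        # once an Egress policy selects the Pod, anything not listed below is denied
  egress:
    # 1. DNS, so the agent can resolve api.venafi.cloud
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. HTTPS to Venafi Control Plane (and the Kubernetes API server, which the
    #    agent also needs). NetworkPolicy matches IP ranges, not DNS names, so
    #    this rule allows TCP/443 to any destination; to restrict it further,
    #    replace 0.0.0.0/0 with the Venafi NAT gateway addresses from the
    #    "Allowlist public NAT gateways" page, and add a separate rule for your
    #    API server endpoint (port 6443 on many clusters).
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 443
```

Apply it with kubectl apply -f and confirm the agent still reports to Venafi Control Plane; if it stops, check first that DNS and the API server endpoint are reachable under the policy.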
Proxy Server Considerations
Some Kubernetes clusters are configured to only allow Internet connections via an HTTP(S) proxy. If that applies to you:
- Add api.venafi.cloud to the allowed domain list of your egress proxy.
- Add an HTTPS_PROXY environment variable to the PodTemplate of the Deployment resource of the Venafi Kubernetes agent.