openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/hcp-non-bm-firewall-port-svc-reqs.adoc
xenolinux dfe2a17817 Manage headings
2024-12-26 12:03:14 +00:00

46 lines
2.4 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * hosted-control-planes/hcp-deploy/hcp-deploy-non-bm.adoc
:_mod-docs-content-type: CONCEPT
[id="hcp-non-bm-firewall-port-svc-reqs_{context}"]
= Firewall, port, and service requirements for non-bare-metal agent machines
You must meet the firewall and port requirements so that ports can communicate between the management cluster, the control plane, and hosted clusters.
[NOTE]
====
Services run on their default ports. However, if you use the `NodePort` publishing strategy, services run on the port that is assigned by the `NodePort` service.
====
Use firewall rules, security groups, or other access controls to restrict access to only required sources. Avoid exposing ports publicly unless necessary. For production deployments, use a load balancer to simplify access through a single IP address.
A hosted control plane exposes the following services on non-bare-metal agent machines:
* `APIServer`
** The `APIServer` service runs on port 6443 by default and requires ingress access for communication between the control plane components.
** If you use MetalLB load balancing, allow ingress access to the IP range that is used for load balancer IP addresses.
* `OAuthServer`
** The `OAuthServer` service runs on port 443 by default when you use the route and ingress to expose the service.
** If you use the `NodePort` publishing strategy, use a firewall rule for the `OAuthServer` service.
* `Konnectivity`
** The `Konnectivity` service runs on port 443 by default when you use the route and ingress to expose the service.
** The `Konnectivity` agent establishes a reverse tunnel to allow the control plane to access the network for the hosted cluster. The agent uses egress to connect to the `Konnectivity` server. The server is exposed by using either a route on port 443 or a manually assigned `NodePort`.
** If the cluster API server address is an internal IP address, allow access from the workload subnets to the IP address on port 6443.
** If the address is an external IP address, allow egress on port 6443 to that external IP address from the nodes.
* `Ignition`
** The `Ignition` service runs on port 443 by default when you use the route and ingress to expose the service.
** If you use the `NodePort` publishing strategy, use a firewall rule for the `Ignition` service.
You do not need the following services on non-bare-metal agent machines:
* `OVNSbDb`
* `OIDC`
View Git Blame Copy Permalink