mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
27 lines
1.4 KiB
Plaintext
27 lines
1.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * hosted_control_planes/hcp-networking.adoc
|
|
|
|
:_mod-docs-content-type: CONCEPT
|
|
[id="hcp-proxy-cp-workloads_{context}"]
|
|
= Control plane workloads that need to access external services
|
|
|
|
Operators that run in the control plane need to access external services through the proxy that is configured for the hosted cluster. The proxy is usually accessible only through the data plane. The control plane workloads are as follows:
|
|
|
|
* The Control Plane Operator needs to validate and obtain endpoints from certain identity providers when it creates the OAuth server configuration.
|
|
|
|
* The OAuth server needs non-LDAP identity provider access.
|
|
|
|
* The OpenShift API server handles image registry metadata import.
|
|
|
|
* The Ingress Operator needs access to validate external canary routes.
|
|
|
|
* You must open the firewall port `53` on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) to allow the Domain Name Service (DNS) protocol to work as expected.
|
|
|
|
In a hosted cluster, you must send traffic that originates from the Control Plane Operator, Ingress Operator, OAuth server, and OpenShift API server pods through the data plane to the configured proxy and then to its final destination.
|
|
|
|
[NOTE]
|
|
====
|
|
Some operations are not possible when a hosted cluster is reduced to zero compute nodes; for example, when you import OpenShift image streams from a registry that requires proxy access.
|
|
====
|