To run KKP in an environment behind a proxy, the following targets need to be reachable.
If you use the KKP offline mode, images will get pulled from the defined private registry (e.g. 172.20.0.2:5000) instead of the public registries. For more details see the KKP offline mode section.
Resources pulled on machine controller nodes
The machine controller downloads a few components to install the kubelet (see download_binaries_script.go):
# Binaries for the Kubernetes kubelet Are Downloaded From:
https://storage.googleapis.com/kubernetes-release/release/
# CNI Plugins
https://github.com/containernetworking/plugins/releases/
# KKP Health-Monitor Script
# (Placed at pkg/userdata/scripts/health-monitor.sh)
https://raw.githubusercontent.com/kubermatic/machine-controller/
After the kubelet starts, it needs a few more images to work properly:
gcr.io:
# ContainerLinux Requires the Hyperkube Image
gcr.io/google_containers/hyperkube-amd64
# DNS Node Cache
gcr.io/google_containers/k8s-dns-node-cache
k8s.gcr.io:
# Every kubelet Requires the Pause Container:
k8s.gcr.io/pause
docker.io:
# Calico Overlay
calico/node
# DNS Addon
coredns/coredns
# Log Shipper Fluent-Bit
fluent/fluent-bit
quay.io:
# Util Container for Debugging or Custom Controller
quay.io/kubermatic/util
# Prometheus Metrics Scraping
quay.io/prometheus/node-exporter
# CoreOS Containers
quay.io/coreos/flannel
quay.io/coreos/kube-rbac-proxy
quay.io/coreos/container-linux-update-operator
In addition to the kubelet dependencies, the machine controller OS provider installs some OS-specific packages via cloud-init:
Init script: pkg/userdata/centos
download.docker.com/linux/centos
Init script: pkg/userdata/coreos, pkg/userdata/flatcar, pkg/userdata/sles
Init script: pkg/userdata/ubuntu
download.docker.com/linux/ubuntu
KKP interacts directly with the different cloud providers to provision the infrastructure required to manage Kubernetes clusters:
API endpoint documentation: AWS service endpoints
KKP interacts in several ways with the different cloud providers, e.g.:
# e.g. for region eu-central-1
iam.amazonaws.com
s3.eu-central-1.amazonaws.com
ec2.eu-central-1.amazonaws.com
API endpoint documentation: Azure API Docs - Request URI
# Resource Manager API
management.azure.com
# Azure classic deployment API
management.core.windows.net
# Azure Authentication API
login.microsoftonline.com
API Endpoint URL of all targeted vCenters specified in seed cluster spec.datacenters.EXAMPLEDC.vsphere.endpoint, e.g. vcenter.example.com.
If KubeOne is used to set up the seed cluster, KubeOne will use the following URIs in addition to the OS-specific default repositories (see os.go):
# debian / ubuntu
packages.cloud.google.com/apt
download.docker.com/linux/ubuntu
apt.kubernetes.io
## on Azure VMs
azure.archive.ubuntu.com
# security packages ubuntu
security.ubuntu.com
# centos
packages.cloud.google.com/yum
download.docker.com/linux/centos
# CoreOS / Flatcar Linux
storage.googleapis.com/kubernetes-release/release
github.com/containernetworking/plugins/releases/download
# gobetween (if used, e.g. at vsphere terraform setup)
github.com/yyyar/gobetween/releases
At installer host / bastion server:
## terraform modules
registry.terraform.io
releases.hashicorp.com
## kubeone binary
https://github.com/kubermatic/kubeone/releases
To create certificates with Let's Encrypt, access to the following is needed:
https://acme-v02.api.letsencrypt.org/directory
To download the Elasticsearch artifacts (deprecated in favor of Loki):
docker.elastic.co/elasticsearch/elasticsearch-oss
docker.elastic.co/kibana/kibana-oss
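The targets on this page come in three forms (full URLs, host/path entries, and bare image names such as calico/node that live on docker.io), while a proxy allowlist works on hostnames. The following added example, which is not part of the KKP documentation or code, derives the host set from a subset of the targets and flags requested hosts outside it; the function names and the sample request list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Subset of the targets listed on this page, in the three forms it uses.
TARGETS = [
    "https://storage.googleapis.com/kubernetes-release/release/",
    "https://github.com/containernetworking/plugins/releases/",
    "https://raw.githubusercontent.com/kubermatic/machine-controller/",
    "gcr.io/google_containers/hyperkube-amd64",
    "k8s.gcr.io/pause",
    "calico/node",
    "coredns/coredns",
    "quay.io/kubermatic/util",
    "download.docker.com/linux/ubuntu",
    "management.azure.com",
]


def target_host(target: str) -> str:
    """Return the lowercase host (with port, if given) behind a target."""
    if "://" in target:
        return urlsplit(target).netloc.lower()
    first, _, _ = target.partition("/")
    # Docker image rule: the first component is a registry host only if it
    # contains '.' or ':' or is 'localhost'; otherwise the image is on docker.io.
    if "." in first or ":" in first or first == "localhost":
        return first.lower()
    return "docker.io"


def build_allowlist(targets):
    """Collapse a list of targets into the set of hosts the proxy must allow."""
    return {target_host(t) for t in targets}


def unexpected_egress(requested_hosts, allowlist):
    """Hosts seen at the proxy that match no allowlist entry exactly."""
    return sorted({h.lower() for h in requested_hosts} - allowlist)


ALLOWLIST = build_allowlist(TARGETS)

# Constructed sample of requested hostnames (ports already stripped),
# as might be extracted from a proxy access log.
SAMPLE_REQUESTS = ["quay.io", "GitHub.com", "github.com.example.net", "pastebin.example"]

if __name__ == "__main__":
    print(sorted(ALLOWLIST))
    print(unexpected_egress(SAMPLE_REQUESTS, ALLOWLIST))
```

Matching is exact on purpose, so a lookalike such as github.com.example.net is reported rather than allowed by a suffix or substring rule. A registry name is not always the only host a pull touches (Docker Hub pulls, for instance, are served from registry-1.docker.io and auth.docker.io), so compare the derived set against real proxy logs before enforcing it.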