Proxy Whitelisting

To enable KKP behind a proxy environment, the following targets need to be reachable.

If you use the KKP offline mode, images are pulled from the defined private registry instead of the public registries. For more details, see the KKP offline mode section.

KKP Machine Controller

Resources pulled by the nodes created by the machine controller.

kubelet - Binary

The machine controller downloads a few components to install the kubelet (see download_binaries_script.go):

# Binaries for the Kubernetes kubelet get downloaded from:

# CNI Plugins

# KKP Health-Monitor Script
# (Placed at pkg/userdata/scripts/

kubelet - Docker Images

After the kubelet starts, it needs a few more images to work properly:

# ContainerLinux requires the hyperkube image

# DNS Node Cache

# Every kubelet requires the pause container:

# Calico Overlay

# DNS Addon

# Log Shipper Fluent-Bit

# Util Container for Debugging or Custom Controller

# Prometheus Metrics Scraping

# CoreOS container

OS Resources

In addition to the kubelet dependencies, the machine controller's OS provider installs some OS-specific packages via cloud-init:

CentOS 7/8

Init script: pkg/userdata/centos

  • default yum repositories
  • docker yum repository:

CoreOS / Flatcar Linux

Init script: pkg/userdata/coreos, pkg/userdata/flatcar

  • no additional targets

Ubuntu 18.04/20.04

Init script: pkg/userdata/ubuntu

  • default apt repositories
  • docker apt repository:

KKP Seed Cluster Setup

Cloud Provider API Endpoints

KKP interacts directly with the different cloud providers to provision the infrastructure required for managing Kubernetes clusters:


API endpoint documentation: AWS service endpoints

KKP interacts with each cloud provider in several ways, e.g.:

  • creating EC2 instances
  • creating security groups
  • accessing instance profiles
# e.g. for region eu-central-1


API endpoint documentation: Azure API Docs - Request URI

# Resource Manager API
# Azure classic deployment API
# Azure Authentication API


The API endpoint URL of every targeted vCenter, as specified in the seed cluster at spec.datacenters.EXAMPLEDC.vsphere.endpoint, e.g.
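A practical way to check that a proxy allowlist actually covers every target on this page is to compare the documented URLs (plus the vCenter endpoints taken from the Seed spec) against the allowlist. The script below is an added example, not part of the KKP docs or code base; the allowlist entries, target URLs and the Seed fragment are constructed placeholders, and the Seed path spec.datacenters.<dc>.vsphere.endpoint follows the naming used on this page.

```python
"""Report KKP targets that a proxy allowlist does not cover (added example)."""
from urllib.parse import urlparse

# Constructed: Squid-style dstdomain allowlist. A leading dot means
# "this domain and all of its subdomains"; a bare name matches only itself.
ALLOWLIST = [".cni.example.test", "registry.example.internal", ".compute.example.test"]

# Constructed stand-ins for the targets listed on this page (registry,
# CNI plugin download, cloud provider API, cloud authentication endpoint).
TARGETS = [
    "https://registry.example.internal/v2/",
    "https://mirror.cni.example.test/plugins.tgz",
    "https://ec2.eu-central-1.compute.example.test/",
    "https://auth.cloud.example.test/",
]

# Constructed Seed fragment; only the vsphere endpoint path from this page is assumed.
SEED_SPEC = {
    "datacenters": {
        "EXAMPLEDC": {"vsphere": {"endpoint": "https://vcenter.dc1.example.internal"}},
        "OTHERDC": {"aws": {"region": "eu-central-1"}},
    }
}


def vsphere_endpoints(seed_spec):
    """Collect the vCenter endpoint URL of every datacenter that defines a vsphere block."""
    return [dc["vsphere"]["endpoint"] for dc in seed_spec["datacenters"].values() if "vsphere" in dc]


def host_allowed(host, allowlist):
    """Apply dstdomain semantics: '.example.test' covers example.test and any subdomain."""
    for entry in allowlist:
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def uncovered_targets(targets, allowlist):
    """Return the target URLs whose host is covered by no allowlist entry."""
    missing = []
    for url in targets:
        host = urlparse(url).hostname  # already lowercased by urlparse
        if host is None or not host_allowed(host, allowlist):
            missing.append(url)
    return missing


if __name__ == "__main__":
    for url in uncovered_targets(TARGETS + vsphere_endpoints(SEED_SPEC), ALLOWLIST):
        print("not covered by proxy allowlist:", url)
```

Note that `notcni.example.test` is correctly rejected by `.cni.example.test`: the dot-prefixed entry only matches a host that is exactly the domain or ends with the dot plus the domain, so a plain `endswith` on the undotted name would be too permissive.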

KubeOne Seed Cluster Setup

If KubeOne is used to set up the seed cluster, KubeOne uses the following URIs in addition to the OS-specific default repositories (see os.go):

# debian / ubuntu
## on Azure VMs
# security packages ubuntu

# centos

# CoreOS / Flatcar Linux

# gobetween (if used, e.g. at vsphere terraform setup)

On the installer host / bastion server:

## terraform modules

## kubeone binary

cert-manager (if used)

To create certificates with Let’s Encrypt, access to the following is needed:

EFK Logging Stack (if used)

To download the Elasticsearch artifacts (deprecated in favor of Loki):