import EmbeddedClusterRequirements from "../partials/embedded-cluster/_requirements.mdx"
import EmbeddedClusterPortRequirements from "../partials/embedded-cluster/_port-reqs.mdx"
import FirewallOpeningsIntro from "../partials/install/_firewall-openings-intro.mdx"

Embedded Cluster Installation Requirements

This topic lists the installation requirements for Replicated Embedded Cluster. Ensure that the installation environment meets these requirements before attempting to install.

System Requirements

Port Requirements

Firewall Openings for Online Installations with Embedded Cluster {#firewall}

| Domain | Description |
|--------|-------------|
| `proxy.replicated.com` | Private Docker images are proxied through `proxy.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `proxy.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L52-L57) in GitHub. |
| `replicated.app` | Upstream application YAML and metadata are pulled from `replicated.app`. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to `replicated.app`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `replicated.app`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L60-L65) in GitHub. |
| `registry.replicated.com` \* | Some applications host private images in the Replicated registry at this domain. The on-prem Docker client uses a license ID to authenticate to `registry.replicated.com`. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA. For the range of IP addresses for `registry.replicated.com`, see [replicatedhq/ips](https://github.com/replicatedhq/ips/blob/main/ip_addresses.json#L20-L25) in GitHub. |

\* Required only if the application uses the Replicated private registry.

About Firewalld Configuration

When Firewalld is enabled in the installation environment, Embedded Cluster modifies the Firewalld config to allow traffic over the pod and service networks and to open the required ports on the host. No additional configuration is required.

The following rule is added to Firewalld:

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <interface name="cali+"/>
  <interface name="tunl+"/>
  <interface name="vxlan-v6.calico"/>
  <interface name="vxlan.calico"/>
  <interface name="wg-v6.cali"/>
  <interface name="wireguard.cali"/>
  <source address="[pod-network-cidr]"/>
  <source address="[service-network-cidr]"/>
</zone>
```

The following ports are opened in the default zone:

| Port  | Protocol |
|-------|----------|
| 6443  | TCP      |
| 10250 | TCP      |
| 9443  | TCP      |
| 2380  | TCP      |
| 4789  | UDP      |
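
Because a zone with `target="ACCEPT"` accepts all traffic from its listed interfaces and sources, it is worth confirming after installation that the zone trusts only what the rule above lists. The following audit sketch is an added example, not Replicated's code. It takes the zone XML text and the output of `firewall-cmd --list-ports` as inputs, and the CIDR values and sample zone in it are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Interfaces and ports exactly as listed on this page.
EXPECTED_IFACES = {"cali+", "tunl+", "vxlan-v6.calico", "vxlan.calico",
                   "wg-v6.cali", "wireguard.cali"}
EXPECTED_PORTS = {"6443/tcp", "10250/tcp", "9443/tcp", "2380/tcp", "4789/udp"}

def audit_zone(zone_xml, pod_cidr, service_cidr):
    """Findings for an ACCEPT zone that differs from the rule shown above."""
    zone = ET.fromstring(zone_xml.strip())
    findings = []
    if zone.get("target") != "ACCEPT":
        findings.append(f"unexpected target: {zone.get('target')}")
    ifaces = {i.get("name") for i in zone.findall("interface")}
    findings += [f"extra trusted interface: {n}" for n in sorted(ifaces - EXPECTED_IFACES)]
    findings += [f"missing interface: {n}" for n in sorted(EXPECTED_IFACES - ifaces)]
    # A trusted source must sit inside the pod or service network.
    allowed = [ipaddress.ip_network(pod_cidr), ipaddress.ip_network(service_cidr)]
    for src in zone.findall("source"):
        addr = src.get("address")
        if addr is None:  # firewalld also allows mac= and ipset= sources
            findings.append("non-address source entry")
            continue
        net = ipaddress.ip_network(addr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            findings.append(f"source outside cluster networks: {net}")
    return findings

def audit_ports(list_ports_output):
    """Split `firewall-cmd --list-ports` output into (missing, extra) ports."""
    opened = set(list_ports_output.split())
    return sorted(EXPECTED_PORTS - opened), sorted(opened - EXPECTED_PORTS)

# Constructed sample: the page's rule with example CIDRs, plus two deviations
# (eth0 and 0.0.0.0/0) that would make the ACCEPT zone trust all traffic.
SAMPLE_POD, SAMPLE_SVC = "10.244.0.0/17", "10.244.128.0/17"
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <interface name="cali+"/> <interface name="tunl+"/>
  <interface name="vxlan-v6.calico"/> <interface name="vxlan.calico"/>
  <interface name="wg-v6.cali"/> <interface name="wireguard.cali"/>
  <interface name="eth0"/>
  <source address="10.244.0.0/17"/> <source address="10.244.128.0/17"/>
  <source address="0.0.0.0/0"/>
</zone>"""

if __name__ == "__main__":
    print("\n".join(audit_zone(SAMPLE_ZONE, SAMPLE_POD, SAMPLE_SVC)))
    print(audit_ports("6443/tcp 10250/tcp 2380/tcp 22/tcp"))
```

Ports reported as extra are not necessarily wrong, since the default zone may carry ports the host needs for other reasons; treat them as items to review.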