Add firewall configuration requirements for Rancher and Rancher-managed clusters #1978
Thanks for the PR. Can you also copy the content under the versioned docs for supported Rancher versions? https://github.com/rancher/rancher-docs/tree/main/versioned_docs/version-2.12/how-to-guides/advanced-user-guides And update the sidebars under https://github.com/rancher/rancher-docs/tree/main/versioned_sidebars.
6d9c443 to acf59f9
@pmkovar thank you for looking into it. I have updated the versioned_docs and respective sidebars...
Thank you for the updates, LGTM.
Added some comments. Overall I feel more research is needed into what exact URLs need to be whitelisted AND we probably want to split Community vs. Prime-only docs.
| URL | Port | Function | | ||
|------------------------------------|------|---------------------------------------------------------------------------| | ||
| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | |
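Review bot: the Port column gives only `443`; a firewall rule also needs the protocol, so write `443/TCP` (or add a Protocol column), and the sentence "Both URLs resolve to the same SUSE registry backend" is a backend detail the reader can neither verify nor act on, so drop it and keep only which hostnames must be reachable and why.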
I don't believe we want to actually "advertise" SUSE Prime Registry URLs in Community docs. registry.rancher.com/registry.suse.com values are even in secrets in our GH CI workflows.
It's not a security issue per se but also for users running Community Rancher there is no value in whitelisting these URLs.
And vice-versa if users are running Rancher Prime they don't generally need to whitelist docker.io as all images Rancher Prime needs should be coming from Rancher Prime Registry.
@snasovich yeah, I want to keep this for SUSE Rancher Customer...
Can you suggest a place where I can put this PR...
Just for posterity answered in DM
| URL | Port | Function | | ||
|------------------------------------|------|---------------------------------------------------------------------------| | ||
| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | |
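Review bot: the `*.suse.com` row is not actionable as written: a wildcard only helps on firewalls that filter by hostname or SNI, and "dynamic content and installation bundles" does not tell the reader which hosts are actually contacted during RKE2/K3s provisioning. Suggest replacing the wildcard with the specific hostnames and stating what each one serves, so that IP- or FQDN-based egress rules can be written from the table.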
Could you point to examples of these? May want to be more specific than *.suse.com here.
| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
| `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | |
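Review bot: "community container images used by optional Rancher features" and "Rancher dependencies stored in the GitHub Container Registry" leave the reader unable to decide whether the `docker.io` and `ghcr.io` rules apply to their deployment; name the features and the image repositories each row covers so a restricted environment can allow-list only what it actually runs, and drop rows for which no concrete dependency can be named.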
Curious what dependencies are we using from ghcr.io directly? I was under the impression necessary images are mirrored to DockerHub's rancher org and SUSE Rancher Prime Registry for community/Prime.
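As an added example (not code from the PR or the Rancher docs), a small lint for the allow-list table under review: it parses the markdown rows, splits cells that list several hosts, and flags wildcard hosts, which only hostname/SNI-aware firewalls can enforce. The table text is a constructed sample copied from the rows discussed above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the allow-list rows from the PR under review.
SAMPLE_TABLE = """\
| URL | Port | Function |
|-----|------|----------|
| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. |
| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
| `docker.io` | 443 | Provides community container images used by optional Rancher features |
| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
"""

# Accepts dotted hostnames, optionally with a leading "*." wildcard label.
HOST_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$")


@dataclass
class Rule:
    host: str
    port: int
    function: str


def parse_allow_list(markdown: str) -> list[Rule]:
    """Turn the markdown table into one Rule per host (multi-host cells are split)."""
    rules = []
    for line in markdown.splitlines():
        if not line.startswith("|") or set(line) <= set("|- "):
            continue  # skip blank/separator lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0].lower() == "url":
            continue  # skip the header row
        for host in cells[0].split(","):
            rules.append(Rule(host.strip(" `"), int(cells[1]), cells[2]))
    return rules


def lint_allow_list(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (host, problem) pairs for entries a firewall rule cannot be written from."""
    findings, seen = [], set()
    for r in rules:
        if r.host in seen:
            findings.append((r.host, "duplicate entry"))
        seen.add(r.host)
        if not HOST_RE.match(r.host):
            findings.append((r.host, "not a valid hostname"))
        elif r.host.startswith("*."):
            findings.append((r.host, "wildcard: list the exact FQDNs contacted instead"))
        if r.port != 443:
            findings.append((r.host, f"unexpected port {r.port}; registries are served on 443/TCP"))
    return findings
```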
Fixes #1849
Reminders
See the README for more details on how to work with the Rancher docs.
Verify if changes pertain to other versions of Rancher. If they do, finalize the edits on one version of the page, then apply the edits to the other versions.
If the pull request is dependent on an upcoming release, remember to add a "MERGE ON RELEASE" label and set the proper milestone.
Description
Add allow-list to firewall configuration requirements for Rancher and Rancher-managed clusters