From acf59f996c23dbf81626000475a53f6524ab1c5e Mon Sep 17 00:00:00 2001
From: Siva Kanakala
Date: Thu, 28 Aug 2025 19:29:50 +0530
Subject: [PATCH] add firewall config
---
 .../configure-your-firewall.md | 38 +++++++++++++++++++
 sidebars.js | 1 +
 .../configure-your-firewall.md | 38 +++++++++++++++++++
 .../configure-your-firewall.md | 38 +++++++++++++++++++
 .../configure-your-firewall.md | 38 +++++++++++++++++++
 .../configure-your-firewall.md | 38 +++++++++++++++++++
 versioned_sidebars/version-2.10-sidebars.json | 1 +
 versioned_sidebars/version-2.11-sidebars.json | 1 +
 versioned_sidebars/version-2.12-sidebars.json | 1 +
 versioned_sidebars/version-2.9-sidebars.json | 1 +
 10 files changed, 195 insertions(+)
 create mode 100644 docs/how-to-guides/advanced-user-guides/configure-your-firewall.md
 create mode 100644 versioned_docs/version-2.10/how-to-guides/advanced-user-guides/configure-your-firewall.md
 create mode 100644 versioned_docs/version-2.11/how-to-guides/advanced-user-guides/configure-your-firewall.md
 create mode 100644 versioned_docs/version-2.12/how-to-guides/advanced-user-guides/configure-your-firewall.md
 create mode 100644 versioned_docs/version-2.9/how-to-guides/advanced-user-guides/configure-your-firewall.md
diff --git a/docs/how-to-guides/advanced-user-guides/configure-your-firewall.md b/docs/how-to-guides/advanced-user-guides/configure-your-firewall.md
new file mode 100644
index 00000000000..5645cc55610
--- /dev/null
+++ b/docs/how-to-guides/advanced-user-guides/configure-your-firewall.md
@@ -0,0 +1,38 @@
+---
+title: Configuring Your Firewall
+---
+
+
+
+
+
+
+If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments.
+
+
+## Outbound Internet Access Requirements
+
+Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services.
+
+Set the following registry URLs for your firewall’s allowlist:
+
+| URL | Port | Function |
+|------------------------------------|------|---------------------------------------------------------------------------|
+| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. |
+| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
+| `docker.io` | 443 | Provides community container images used by optional Rancher features |
+| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
+
+
+## Inbound Access Requirements
+
+External clients and managed clusters require inbound access to the Rancher server.
+
+| Port | Protocol | Source | Purpose |
+|------|----------|-------------------------|-------------------------------------------------|
+| 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) |
+| 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API |
+
+
+- You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed.
\ No newline at end of file
diff --git a/sidebars.js b/sidebars.js
index 9e8047f1396..3124b75c55f 100644
--- a/sidebars.js
+++ b/sidebars.js
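Review bot: The closing bullet (and the `*.suse.com` table row) tells readers a wildcard allow is acceptable, which is broader than an egress allowlist for a "secure environment" should be and also makes the explicit `registry.suse.com` entry redundant; I would reword it to `- Prefer allowlisting the specific hostnames you observe in your proxy or firewall logs; use the wildcard `*.suse.com` only where your firewall cannot express per-host rules, and review it periodically.` The inbound table gives `End users / clusters` as the source for both 80 and 443 without saying the source should be restricted, so a one-line note that port 80 is only needed for the HTTP-to-HTTPS redirect and that both rows should be limited to the CIDRs of your users and downstream cluster nodes would help. Pulls from `docker.io` and `ghcr.io` are, in my experience, often redirected to additional hostnames, so hedged wording such as `verify the full set of hosts against your proxy logs before relying on this list` would save readers a failed pull behind a host-based allowlist. Note that the identical file (same blob `5645cc55610`) is added four more times under `versioned_docs/`, so any wording change needs to land in all five copies.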
@@ -789,6 +789,7 @@ const sidebars = {
 ],
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
+ "how-to-guides/advanced-user-guides/configure-your-firewall",
 "how-to-guides/advanced-user-guides/tune-etcd-for-large-installs",
 "how-to-guides/advanced-user-guides/enable-api-audit-log",
 "how-to-guides/advanced-user-guides/enable-api-audit-log-in-downstream-clusters",
diff --git a/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/configure-your-firewall.md b/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/configure-your-firewall.md
new file mode 100644
index 00000000000..5645cc55610
--- /dev/null
+++ b/versioned_docs/version-2.10/how-to-guides/advanced-user-guides/configure-your-firewall.md
@@ -0,0 +1,38 @@
+---
+title: Configuring Your Firewall
+---
+
+
+
+
+
+
+If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments.
+
+
+## Outbound Internet Access Requirements
+
+Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services.
+
+Set the following registry URLs for your firewall’s allowlist:
+
+| URL | Port | Function |
+|------------------------------------|------|---------------------------------------------------------------------------|
+| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. |
+| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
+| `docker.io` | 443 | Provides community container images used by optional Rancher features |
+| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
+
+
+## Inbound Access Requirements
+
+External clients and managed clusters require inbound access to the Rancher server.
+
+| Port | Protocol | Source | Purpose |
+|------|----------|-------------------------|-------------------------------------------------|
+| 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) |
+| 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API |
+
+
+- You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed.
\ No newline at end of file
diff --git a/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/configure-your-firewall.md b/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/configure-your-firewall.md
new file mode 100644
index 00000000000..5645cc55610
--- /dev/null
+++ b/versioned_docs/version-2.11/how-to-guides/advanced-user-guides/configure-your-firewall.md
@@ -0,0 +1,38 @@
+---
+title: Configuring Your Firewall
+---
+
+
+
+
+
+
+If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments.
+
+
+## Outbound Internet Access Requirements
+
+Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services.
+
+Set the following registry URLs for your firewall’s allowlist:
+
+| URL | Port | Function |
+|------------------------------------|------|---------------------------------------------------------------------------|
+| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. |
+| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
+| `docker.io` | 443 | Provides community container images used by optional Rancher features |
+| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
+
+
+## Inbound Access Requirements
+
+External clients and managed clusters require inbound access to the Rancher server.
+
+| Port | Protocol | Source | Purpose |
+|------|----------|-------------------------|-------------------------------------------------|
+| 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) |
+| 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API |
+
+
+- You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed.
\ No newline at end of file
diff --git a/versioned_docs/version-2.12/how-to-guides/advanced-user-guides/configure-your-firewall.md b/versioned_docs/version-2.12/how-to-guides/advanced-user-guides/configure-your-firewall.md
new file mode 100644
index 00000000000..5645cc55610
--- /dev/null
+++ b/versioned_docs/version-2.12/how-to-guides/advanced-user-guides/configure-your-firewall.md
@@ -0,0 +1,38 @@
+---
+title: Configuring Your Firewall
+---
+
+
+
+
+
+
+If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments.
+
+
+## Outbound Internet Access Requirements
+
+Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services.
+
+Set the following registry URLs for your firewall’s allowlist:
+
+| URL | Port | Function |
+|------------------------------------|------|---------------------------------------------------------------------------|
+| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. |
+| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
+| `docker.io` | 443 | Provides community container images used by optional Rancher features |
+| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
+
+
+## Inbound Access Requirements
+
+External clients and managed clusters require inbound access to the Rancher server.
+
+| Port | Protocol | Source | Purpose |
+|------|----------|-------------------------|-------------------------------------------------|
+| 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) |
+| 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API |
+
+
+- You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed.
\ No newline at end of file
diff --git a/versioned_docs/version-2.9/how-to-guides/advanced-user-guides/configure-your-firewall.md b/versioned_docs/version-2.9/how-to-guides/advanced-user-guides/configure-your-firewall.md
new file mode 100644
index 00000000000..5645cc55610
--- /dev/null
+++ b/versioned_docs/version-2.9/how-to-guides/advanced-user-guides/configure-your-firewall.md
@@ -0,0 +1,38 @@
+---
+title: Configuring Your Firewall
+---
+
+
+
+
+
+
+If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments.
+
+
+## Outbound Internet Access Requirements
+
+Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services.
+
+Set the following registry URLs for your firewall’s allowlist:
+
+| URL | Port | Function |
+|------------------------------------|------|---------------------------------------------------------------------------|
+| `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. |
+| `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning |
+| `docker.io` | 443 | Provides community container images used by optional Rancher features |
+| `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry |
+
+
+## Inbound Access Requirements
+
+External clients and managed clusters require inbound access to the Rancher server.
+
+| Port | Protocol | Source | Purpose |
+|------|----------|-------------------------|-------------------------------------------------|
+| 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) |
+| 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API |
+
+
+- You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed.
\ No newline at end of file
diff --git a/versioned_sidebars/version-2.10-sidebars.json b/versioned_sidebars/version-2.10-sidebars.json
index de8f339d4bb..7125c71e8c7 100644
--- a/versioned_sidebars/version-2.10-sidebars.json
+++ b/versioned_sidebars/version-2.10-sidebars.json
@@ -755,6 +755,7 @@
 ]
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
+ "how-to-guides/advanced-user-guides/configure-your-firewall",
 "how-to-guides/advanced-user-guides/tune-etcd-for-large-installs",
 "how-to-guides/advanced-user-guides/enable-api-audit-log",
 "how-to-guides/advanced-user-guides/enable-api-audit-log-in-downstream-clusters",
diff --git a/versioned_sidebars/version-2.11-sidebars.json b/versioned_sidebars/version-2.11-sidebars.json
index 67fbc6761e2..ab7d87f183a 100644
--- a/versioned_sidebars/version-2.11-sidebars.json
+++ b/versioned_sidebars/version-2.11-sidebars.json
@@ -756,6 +756,7 @@
 ]
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
+ "how-to-guides/advanced-user-guides/configure-your-firewall",
 "how-to-guides/advanced-user-guides/tune-etcd-for-large-installs",
 "how-to-guides/advanced-user-guides/enable-api-audit-log",
 "how-to-guides/advanced-user-guides/enable-api-audit-log-in-downstream-clusters",
diff --git a/versioned_sidebars/version-2.12-sidebars.json b/versioned_sidebars/version-2.12-sidebars.json
index 8ecd9194881..5081a1d6818 100644
--- a/versioned_sidebars/version-2.12-sidebars.json
+++ b/versioned_sidebars/version-2.12-sidebars.json
@@ -756,6 +756,7 @@
 ]
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
+ "how-to-guides/advanced-user-guides/configure-your-firewall",
 "how-to-guides/advanced-user-guides/tune-etcd-for-large-installs",
 "how-to-guides/advanced-user-guides/enable-api-audit-log",
 "how-to-guides/advanced-user-guides/enable-api-audit-log-in-downstream-clusters",
diff --git a/versioned_sidebars/version-2.9-sidebars.json b/versioned_sidebars/version-2.9-sidebars.json
index 175b20f61e3..5d3a1ccef68 100644
--- a/versioned_sidebars/version-2.9-sidebars.json
+++ b/versioned_sidebars/version-2.9-sidebars.json
@@ -755,6 +755,7 @@
 ]
 },
 "how-to-guides/advanced-user-guides/open-ports-with-firewalld",
+ "how-to-guides/advanced-user-guides/configure-your-firewall",
 "how-to-guides/advanced-user-guides/tune-etcd-for-large-installs",
 "how-to-guides/advanced-user-guides/enable-api-audit-log",
 "how-to-guides/advanced-user-guides/enable-api-audit-log-in-downstream-clusters",