Add firewall configuration requirements for Rancher and Rancher-managed clusters #1978
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| title: Configuring Your Firewall | ||
| --- | ||
|
|
||
| <head> | ||
| <link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-your-firewall"/> | ||
| </head> | ||
|
|
||
|
|
||
| If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments. | ||
|
|
||
|
|
||
|
|
||
| ## Outbound Internet Access Requirements | ||
|
|
||
| Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services. | ||
|
|
||
| Set the following registry URLs for your firewall’s allowlist: | ||
|
|
||
| | URL | Port | Function | | ||
| |------------------------------------|------|---------------------------------------------------------------------------| | ||
| | `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| | `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
|
There was a problem hiding this comment. Could you point to examples of these? May want to be more specific than |
||
| | `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| | `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | | ||
|
There was a problem hiding this comment. Curious what dependencies are we using from ghcr.io directly? I was under the impression necessary images are mirrored to DockerHub's |
||
|
|
||
|
|
||
| ## Inbound Access Requirements | ||
|
|
||
| External clients and managed clusters require inbound access to the Rancher server. | ||
|
|
||
| | Port | Protocol | Source | Purpose | | ||
| |------|----------|-------------------------|-------------------------------------------------| | ||
| | 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) | | ||
| | 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API | | ||
|
|
||
|
|
||
| - You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed. | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| title: Configuring Your Firewall | ||
| --- | ||
|
|
||
| <head> | ||
| <link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-your-firewall"/> | ||
| </head> | ||
|
|
||
|
|
||
| If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments. | ||
|
|
||
|
|
||
|
|
||
| ## Outbound Internet Access Requirements | ||
|
|
||
| Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services. | ||
|
|
||
| Set the following registry URLs for your firewall’s allowlist: | ||
|
|
||
| | URL | Port | Function | | ||
| |------------------------------------|------|---------------------------------------------------------------------------| | ||
| | `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| | `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
| | `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| | `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | | ||
|
|
||
|
|
||
| ## Inbound Access Requirements | ||
|
|
||
| External clients and managed clusters require inbound access to the Rancher server. | ||
|
|
||
| | Port | Protocol | Source | Purpose | | ||
| |------|----------|-------------------------|-------------------------------------------------| | ||
| | 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) | | ||
| | 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API | | ||
|
|
||
|
|
||
| - You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| title: Configuring Your Firewall | ||
| --- | ||
|
|
||
| <head> | ||
| <link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-your-firewall"/> | ||
| </head> | ||
|
|
||
|
|
||
| If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments. | ||
|
|
||
|
|
||
|
|
||
| ## Outbound Internet Access Requirements | ||
|
|
||
| Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services. | ||
|
|
||
| Set the following registry URLs for your firewall’s allowlist: | ||
|
|
||
| | URL | Port | Function | | ||
| |------------------------------------|------|---------------------------------------------------------------------------| | ||
| | `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| | `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
| | `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| | `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | | ||
|
|
||
|
|
||
| ## Inbound Access Requirements | ||
|
|
||
| External clients and managed clusters require inbound access to the Rancher server. | ||
|
|
||
| | Port | Protocol | Source | Purpose | | ||
| |------|----------|-------------------------|-------------------------------------------------| | ||
| | 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) | | ||
| | 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API | | ||
|
|
||
|
|
||
| - You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| title: Configuring Your Firewall | ||
| --- | ||
|
|
||
| <head> | ||
| <link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-your-firewall"/> | ||
| </head> | ||
|
|
||
|
|
||
| If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments. | ||
|
|
||
|
|
||
|
|
||
| ## Outbound Internet Access Requirements | ||
|
|
||
| Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services. | ||
|
|
||
| Set the following registry URLs for your firewall’s allowlist: | ||
|
|
||
| | URL | Port | Function | | ||
| |------------------------------------|------|---------------------------------------------------------------------------| | ||
| | `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| | `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
| | `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| | `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | | ||
|
|
||
|
|
||
| ## Inbound Access Requirements | ||
|
|
||
| External clients and managed clusters require inbound access to the Rancher server. | ||
|
|
||
| | Port | Protocol | Source | Purpose | | ||
| |------|----------|-------------------------|-------------------------------------------------| | ||
| | 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) | | ||
| | 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API | | ||
|
|
||
|
|
||
| - You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| --- | ||
| title: Configuring Your Firewall | ||
| --- | ||
|
|
||
| <head> | ||
| <link rel="canonical" href="https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/configure-your-firewall"/> | ||
| </head> | ||
|
|
||
|
|
||
| If you use an external firewall, you must configure it so that Rancher and Rancher-managed clusters can access the sites and ports required to function correctly. This section provides the firewall rules and network access requirements for Rancher deployments in secure environments. | ||
|
|
||
|
|
||
|
|
||
| ## Outbound Internet Access Requirements | ||
|
|
||
| Rancher server nodes and managed cluster nodes require outbound HTTPS access to container registries and related services. | ||
|
|
||
| Set the following registry URLs for your firewall’s allowlist: | ||
|
|
||
| | URL | Port | Function | | ||
| |------------------------------------|------|---------------------------------------------------------------------------| | ||
| | `registry.rancher.com`, `registry.suse.com` | 443 | Provide Rancher system images, system-agent installer images, and RKE2/K3s artifacts. Both URLs resolve to the same SUSE registry backend, but either may appear in manifests or image references. | | ||
| | `*.suse.com` | 443 | Provides dynamic content and installation bundles required during RKE2/K3s provisioning | | ||
| | `docker.io` | 443 | Provides community container images used by optional Rancher features | | ||
| | `ghcr.io` | 443 | Provides Rancher dependencies stored in the GitHub Container Registry | | ||
|
|
||
|
|
||
| ## Inbound Access Requirements | ||
|
|
||
| External clients and managed clusters require inbound access to the Rancher server. | ||
|
|
||
| | Port | Protocol | Source | Purpose | | ||
| |------|----------|-------------------------|-------------------------------------------------| | ||
| | 80 | TCP | End users / clusters | HTTP access to Rancher (redirects to HTTPS) | | ||
| | 443 | TCP | End users / clusters | HTTPS access to Rancher UI and API | | ||
|
|
||
|
|
||
| - You can use the wildcard `*.suse.com` to simplify configuration and ensure that all required SUSE domains are allowed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't believe we want to actually "advertise" SUSE Prime Registry URLs in Community docs.
registry.rancher.com/registry.suse.comvalues are even in secrets in our GH CI workflows.It's not a security issue per se but also for users running Community Rancher there is no value in whitelisting these URLs.
And vice-versa if users are running Rancher Prime they don't generally need to whitelist
docker.ioas all images Rancher Prime needs should be coming from Rancher Prime Registry.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@snasovich yeah, i want to keep this for SUSE Rancher Customer...
Can suggest me a place where i can this pr...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just for posterity answered in DM