This documentation is for a release that is no longer maintained
See documentation for the latest supported version 3 or the latest supported version 4.Chapter 23. Configuring the cluster-wide proxy
			Production environments can deny direct access to the internet and instead have an HTTP or HTTPS proxy available. You can configure OpenShift Container Platform to use a proxy by modifying the Proxy object for existing clusters or by configuring the proxy settings in the install-config.yaml file for new clusters.
		
23.1. Prerequisites
- Review the sites that your cluster requires access to and determine whether any of them must bypass the proxy. By default, all cluster system egress traffic is proxied, including calls to the cloud provider API for the cloud that hosts your cluster. System-wide proxy affects system components only, not user workloads. Add sites to the Proxy object’s - spec.noProxyfield to bypass the proxy if necessary.Note- The Proxy object - status.noProxyfield is populated with the values of the- networking.machineNetwork[].cidr,- networking.clusterNetwork[].cidr, and- networking.serviceNetwork[]fields from your installation configuration.- For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the - Proxyobject- status.noProxyfield is also populated with the instance metadata endpoint (- 169.254.169.254).
23.2. Enabling the cluster-wide proxy
				The Proxy object is used to manage the cluster-wide egress proxy. When a cluster is installed or upgraded without the proxy configured, a Proxy object is still generated but it will have a nil spec. For example:
			
				A cluster administrator can configure the proxy for OpenShift Container Platform by modifying this cluster Proxy object.
			
					Only the Proxy object named cluster is supported, and no additional proxies can be created.
				
Prerequisites
- Cluster administrator permissions
- 
						OpenShift Container Platform ocCLI tool installed
Procedure
- Create a config map that contains any additional CA certificates required for proxying HTTPS connections. Note- You can skip this step if the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle. - Create a file called - user-ca-bundle.yamlwith the following contents, and provide the values of your PEM-encoded certificates:- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Create the config map from this file: - oc create -f user-ca-bundle.yaml - $ oc create -f user-ca-bundle.yaml- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
 
- Use the - oc editcommand to modify the- Proxyobject:- oc edit proxy/cluster - $ oc edit proxy/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Configure the necessary fields for the proxy: - Copy to Clipboard Copied! - Toggle word wrap Toggle overflow - 1
- A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must behttp.
- 2
- A proxy URL to use for creating HTTPS connections outside the cluster. The URL scheme must be eitherhttporhttps. Specify a URL for the proxy that supports the URL scheme. For example, most proxies will report an error if they are configured to usehttpsbut they only supporthttp. This failure message may not propagate to the logs and can appear to be a network connection failure instead. If using a proxy that listens forhttpsconnections from the cluster, you may need to configure the cluster to accept the CAs and certificates that the proxy uses.
- 3
- A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.Preface a domain with .to match subdomains only. For example,.y.commatchesx.y.com, but noty.com. Use*to bypass proxy for all destinations. If you scale up workers that are not included in the network defined by thenetworking.machineNetwork[].cidrfield from the installation configuration, you must add them to this list to prevent connection issues.This field is ignored if neither the httpProxyorhttpsProxyfields are set.
- 4
- One or more URLs external to the cluster to use to perform a readiness check before writing thehttpProxyandhttpsProxyvalues to status.
- 5
- A reference to the config map in theopenshift-confignamespace that contains additional CA certificates required for proxying HTTPS connections. Note that the config map must already exist before referencing it here. This field is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.
 
- Save the file to apply the changes.
23.3. Removing the cluster-wide proxy
				The cluster Proxy object cannot be deleted. To remove the proxy from a cluster, remove all spec fields from the Proxy object.
			
Prerequisites
- Cluster administrator permissions
- 
						OpenShift Container Platform ocCLI tool installed
Procedure
- Use the - oc editcommand to modify the proxy:- oc edit proxy/cluster - $ oc edit proxy/cluster- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Remove all - specfields from the Proxy object. For example:- apiVersion: config.openshift.io/v1 kind: Proxy metadata: name: cluster spec: {}- apiVersion: config.openshift.io/v1 kind: Proxy metadata: name: cluster spec: {}- Copy to Clipboard Copied! - Toggle word wrap Toggle overflow 
- Save the file to apply the changes.