Networking
Read more to learn about networking.
Abstract
Chapter 1. Networking
Learn about network requirements for both the hub cluster and the managed cluster.
1.1. Hub cluster network configuration
You can refer to the configuration for your hub cluster network.
Important: The trusted CA bundle is available in the Red Hat Advanced Cluster Management namespace, but that enhancement requires changes to your network. The trusted CA bundle ConfigMap uses the default name of trusted-ca-bundle. You can change this name by providing it to the operator in an environment variable named TRUSTED_CA_BUNDLE. See Configuring the cluster-wide proxy in the Networking section of Red Hat OpenShift Container Platform for more information.
1.1.1. Hub cluster network configuration table
See the hub cluster network requirements in the following table:
| Direction | Protocol | Connection | Port (if specified) | Source address | Destination address |
|---|---|---|---|---|---|
| Outbound to the managed cluster | HTTPS |
Retrieval of logs dynamically from Search console for the pods of the managed cluster, uses the | 443 | None | IP address to access managed cluster route |
| Outbound to the managed cluster | HTTPS | Kubernetes API server of the managed cluster that is provisioned during installation to install the klusterlet | 6443 | None | IP of Kubernetes managed cluster API server |
| Outbound to the channel source | HTTPS | The channel source, including GitHub, Object Store, and Helm repository, which is only required when you are using Application lifecycle, OpenShift GitOps, or ArgoCD to connect | 443 | None | IP of the channel source |
| Inbound from the managed cluster | HTTPS | Managed cluster to push metrics and alerts that are gathered only for managed clusters that are running OpenShift Container Platform version 4.8, or later | 443 | None | IP address to hub cluster access route |
| Inbound from the managed cluster | HTTPS | Kubernetes API Server of hub cluster that is watched for changes from the managed cluster | 6443 | None | IP address of hub cluster Kubernetes API Server |
| Outbound to the ObjectStore | HTTPS | Sends Observability metric data for long term storage when the Cluster Backup Operator is running | 443 | None | IP address of ObjectStore |
| Outbound to the image repository | HTTPS | Access images for OpenShift Container Platform and Red Hat Advanced Cluster Management | 443 | None | IP address of image repository |
1.2. Managed cluster network configuration
You can refer to the configuration for your managed cluster network.
1.2.1. Managed cluster network configuration table
See the managed cluster network requirements in the following table:
| Direction | Protocol | Connection | Port (if specified) | Source address | Destination address |
|---|---|---|---|---|---|
| Inbound from the hub cluster | HTTPS |
Sending of logs dynamically from Search console for the pods of the managed cluster, uses the | 443 | None | IP address to access managed cluster route |
| Inbound from the hub cluster | HTTPS | Kubernetes API server of the managed cluster that is provisioned during installation to install the klusterlet | 6443 | None | IP of Kubernetes managed cluster API server |
| Outbound to the image repository | HTTPS | Access images for OpenShift Container Platform and Red Hat Advanced Cluster Management | 443 | None | IP address of image repository |
| Outbound to the hub cluster | HTTPS | Managed cluster to push metrics and alerts that are gathered only for managed clusters that are running OpenShift Container Platform version 4.8, or later | 443 | None | IP address to hub cluster access route |
| Outbound to the hub cluster | HTTPS | Watches the Kubernetes API server of the hub cluster for changes | 6443 | None | IP address of hub cluster Kubernetes API Server |
| Outbound to the channel source | HTTPS | The channel source, including GitHub, Object Store, and Helm repository, which is only required when you are using Application lifecycle, OpenShift GitOps, or ArgoCD to connect | 443 | None | IP of the channel source |
1.3. Advanced network configuration
- Additional networking requirements for infrastructure operator table
- Submariner networking requirements table
- Additional networking requirements for Hive table
- Hosted control planes networking requirements table (Technology Preview)
- Application deployment network requirements table
- Namespace connection network requirements table
1.3.1. Additional networking requirements for infrastructure operator table
When you are installing bare metal managed clusters with the Infrastructure Operator, see the following table for the additional networking requirements:
| Direction | Protocol | Connection | Port (if specified) |
|---|---|---|---|
| Hub cluster outbound to BMC interface at single node OpenShift Container Platform managed cluster | HTTPS (HTTP in disconnected environment) | Boot the OpenShift Container Platform cluster | 443 |
| Outbound from the OpenShift Container Platform managed cluster to the hub cluster | HTTPS |
Reports hardware information using the | 443 |
1.3.2. Submariner networking requirements table
Clusters that are using Submariner require three open ports. The following table shows which ports you might use:
| Direction | Protocol | Connection | Port (if specified) |
|---|---|---|---|
| Outbound and inbound | UDP | Each of the managed clusters | 4800 |
| Outbound and inbound | UDP | Each of the managed clusters | 4500, 500, and any other ports that are used for IPSec traffic on the gateway nodes |
| Inbound | TCP | Each of the managed clusters | 8080 |
1.3.3. Additional networking requirements for Hive table
When you are installing bare metal managed clusters with the Hive Operator, which includes using Central Infrastructure Management, you must configure a layer 2 or layer 3 port connection between the hub cluster and the libvirt provisioning host. This connection to the provisioning host is required during the creation of a base metal cluster with Hive. See the following table for more information:
| Direction | Protocol | Connection | Port (if specified) |
|---|---|---|---|
|
Hub cluster outbound and inbound to the | IP |
Connects the hub cluster, where the Hive operator is installed, to the |
Note: These requirements only apply when installing, and are not required when upgrading clusters that were installed with Infrastructure Operator.
1.3.4. Hosted control planes networking requirements table (Technology Preview)
When you use hosted control planes, the HypershiftDeployment resource must have connectivity to the endpoints listed in the following table:
| Direction | Connection | Port (if specified) |
|---|---|---|
| Outbound | OpenShift Container Platform control-plane and worker nodes | |
| Outbound | For hosted clusters on Amazon Web Services only: Outbound connection to AWS API and S3 API | |
| Outbound | For hosted clusters on Microsoft Azure cloud services only: Outbound connection to Azure API | |
| Outbound | OpenShift Container Platform image repositories that store the ISO images of the coreOS and the image registry for OpenShift Container Platform pods | |
| Outbound | Local API client of the klusterlet on the hosting cluster communicates with the API of the HyperShift hosted cluster |
1.3.5. Application deployment network requirements table
In general, the application deployment communication is one way from a managed cluster to the hub cluster. The connection uses kubeconfig, which is configured by the agent on the managed cluster. The application deployment on the managed cluster needs to access the following namespaces on the hub cluster:
- The namespace of the channel resource
- The namespace of the managed cluster
1.3.6. Namespace connection network requirements table
Application lifecycle connections:
-
The namespace
open-cluster-managementneeds to access the console API on port 4000. -
The namespace
open-cluster-managementneeds to expose the Application UI on port 3001.
-
The namespace
Application lifecycle backend components (pods):
On the hub cluster, all of the application lifecycle pods are installed in the
open-cluster-managementnamespace, including the following pods:- multicluster-operators-hub-subscription
- multicluster-operators-standalone-subscription
- multicluster-operators-channel
- multicluster-operators-application
multicluster-integrations
As a result of these pods being in the
open-cluster-managementnamespace:-
The namespace
open-cluster-managementneeds to access the Kube API on port 6443.
On the managed cluster, only the
klusterlet-addon-appmgrapplication lifecycle pod is installed in theopen-cluster-management-agent-addonnamespace:-
The namespace
open-cluster-management-agent-addonneeds to access the Kube API on port 6443.
Governance and risk:
On the hub cluster, the following access is required:
-
The namespace
open-cluster-managementneeds to access the Kube API on port 6443. -
The namespace
open-cluster-managementneeds to access the OpenShift DNS on port 5353.
On the managed cluster, the following access is required:
-
The namespace
open-cluster-management-addonneeds to access the Kube API on port 6443.
-
The namespace
