Configuring the cluster-wide proxy

Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. You can configure OKD to use a proxy by modifying the Proxy object for existing clusters or by configuring the proxy settings in the install-config.yaml file for new clusters.

Prerequisites

  • Review the sites that your cluster requires access to and determine whether any of them must bypass the proxy. By default, all cluster system egress traffic is proxied, including calls to the cloud provider API for the cloud that hosts your cluster. System-wide proxy affects system components only, not user workloads. Add sites to the Proxy object’s spec.noProxy field to bypass the proxy if necessary.

    The Proxy object status.noProxy field is populated with the values of the networking.machineNetwork[].cidr, networking.clusterNetwork[].cidr, and networking.serviceNetwork[] fields from your installation configuration.

    For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the Proxy object status.noProxy field is also populated with the instance metadata endpoint (169.254.169.254).

Enabling the cluster-wide proxy

The Proxy object is used to manage the cluster-wide egress proxy. When a cluster is installed or upgraded without the proxy configured, a Proxy object is still generated but it will have a nil spec. For example:

  1. apiVersion: config.openshift.io/v1
  2. kind: Proxy
  3. metadata:
  4.   name: cluster
  5. spec:
  6.   trustedCA:
  7.     name: ""
  8. status:

A cluster administrator can configure the proxy for OKD by modifying this cluster Proxy object.

Only the Proxy object named cluster is supported, and no additional proxies can be created.

Prerequisites

  • Cluster administrator permissions

  • OKD oc CLI tool installed

Procedure

  1. Create a ConfigMap that contains any additional CA certificates required for proxying HTTPS connections.

    You can skip this step if the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.

    1. Create a file called user-ca-bundle.yaml with the following contents, and provide the values of your PEM-encoded certificates:

      1. apiVersion: v1
      2. data:
      3.   ca-bundle.crt: | (1)
      4.     <MY_PEM_ENCODED_CERTS> (2)
      5. kind: ConfigMap
      6. metadata:
      7.   name: user-ca-bundle (3)
      8.   namespace: openshift-config (4)
      1This data key must be named ca-bundle.crt.
      2One or more PEM-encoded X.509 certificates used to sign the proxy’s identity certificate.
      3The ConfigMap name that will be referenced from the Proxy object.
      4The ConfigMap must be in the openshift-config namespace.

    2. Create the ConfigMap from this file:

      1. $ oc create -f user-ca-bundle.yaml

  2. Use the oc edit command to modify the Proxy object:

    1. $ oc edit proxy/cluster

  3. Configure the necessary fields for the proxy:

    1. apiVersion: config.openshift.io/v1
    2. kind: Proxy
    3. metadata:
    4.   name: cluster
    5. spec:
    6.   httpProxy: http://<username>:<pswd>@<ip>:<port> (1)
    7.   httpsProxy: http://<username>:<pswd>@<ip>:<port> (2)
    8.   noProxy: example.com (3)
    9.   readinessEndpoints:
    10.   - http://www.google.com (4)
    11.   - https://www.google.com
    12.   trustedCA:
    13.     name: user-ca-bundle (5)
    1A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http.
    2A proxy URL to use for creating HTTPS connections outside the cluster.
    3A comma-separated list of destination domain names, domains, IP addresses or other network CIDRs to exclude proxying.

    Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass proxy for all destinations. If you scale up workers that are not included in the network defined by the networking.machineNetwork[].cidr field from the installation configuration, you must add them to this list to prevent connection issues.

    This field is ignored if neither the httpProxy or httpsProxy fields are set.

    4One or more URLs external to the cluster to use to perform a readiness check before writing the httpProxy and httpsProxy values to status.
    5A reference to the ConfigMap in the openshift-config namespace that contains additional CA certificates required for proxying HTTPS connections. Note that the ConfigMap must already exist before referencing it here. This field is required unless the proxy’s identity certificate is signed by an authority from the RHCOS trust bundle.

  4. Save the file to apply the changes.

The URL scheme must be http. The https scheme is currently not supported.

Removing the cluster-wide proxy

The cluster Proxy object cannot be deleted. To remove the proxy from a cluster, remove all spec fields from the Proxy object.

Prerequisites

  • Cluster administrator permissions

  • OKD oc CLI tool installed

Procedure

  1. Use the oc edit command to modify the proxy:

    1. $ oc edit proxy/cluster

  2. Remove all spec fields from the Proxy object. For example:

    1. apiVersion: config.openshift.io/v1
    2. kind: Proxy
    3. metadata:
    4.   name: cluster
    5. spec: {}
    6. status: {}

  3. Save the file to apply the changes.