List of Platform9 Public IPs and Repos to Whitelist in Firewall.
Problem
In environments with a very restrictive firewall on both ingress and egress network traffic, the Platform9 repos or public IPs must be whitelisted while other unnecessary traffic is restricted.
Otherwise, the requirement is to allow the pf9ctl client to pull the correct packages from the repos so that nodes are onboarded successfully.
Environment
- Platform9 Managed Kubernetes - v-5.4 and Higher.
Answer
List of Platform9 repos and [Endpoints] IP addresses:
Item | IP | Type | Port | Domain | OS Flavor | Comments/Notes |
---|---|---|---|---|---|---|
SSH | Your Host IP to SSH VM | Inbound | 22 | | | |
Customer DNS resolve nameserver IP to resolve DU FQDN | | Outbound | 443 | FQDN | | |
Curl to install pf9ctl_setup, pf9ctl from s3 | 3.5.160.117, 52.219.120.209 | Outbound | 443 | pmkft-assets.s3-us-west-1.amazonaws.com | | bash <(curl -sL https://pmkft-assets.s3-us-west-1.amazonaws.com/pf9ctl_setup), https://pmkft-assets.s3-us-west-1.amazonaws.com/pf9ctl |
Net-tools install, prep-node | 185.125.190.39, 91.189.91.38, 91.189.91.39, 185.125.190.36 | Outbound | 80 | archive.ubuntu.com:80 | Ubuntu | pf9ctl prep-node; packages installation (http://archive.ubuntu.com/ubuntu/pool/main/n/net-tools/net-tools_1.60+git20180626.aebd88e-1ubuntu1_amd64.deb) |
Ntp install - prep-node | 35.180.43.213, 67.219.148.138, 85.236.43.108, 18.225.36.18 | Outbound | | mirrorlist.centos.org | CentOS | pf9ctl prep-node; ntp install |
Ntp install - prep-node | 108.170.47.61 | Outbound | | centos-distro.cavecreek.net | CentOS | pf9ctl prep-node; ntp install |
Ntp install - prep-node | 199.193.113.164 | Outbound | | centos.hivelocity.net | CentOS | pf9ctl prep-node; ntp install |
Ntp install - prep-node | 204.157.3.70 | Outbound | | mirror.cogentco.com | CentOS | pf9ctl prep-node; ntp install |
Ntp install - prep-node | 131.210.12.35 | Outbound | | mirror.cs.uwp.edu | CentOS | pf9ctl prep-node; ntp install |
download.docker.com - Container runtime configure | 108.139.1.114, 108.139.1.115, 108.139.1.117, 108.139.1.19 | Outbound | 443 | download.docker.com | | During cluster creation (bootstrap) |
gcr.io port - Start etcd | 142.251.2.82 | Outbound | 443 | gcr.io | | Start etcd step during cluster bootstrapping |
Storage google apis accessing | 142.250.189.176, 142.251.214.144, 142.250.189.240, 142.250.191.48, 142.251.46.208, 142.250.72.208, 142.250.189.208, 142.251.32.48, 142.251.46.240 | Outbound | 443 | storage.googleapis.com | | https://storage.googleapis.com/artifacts.etcd-development.appspot.com/containers/images/sha |
k8s gcr accessing - Configure and start kube-proxy | 74.125.137.82 | Outbound | 443 | k8s.gcr.io | | Configure and start kube-proxy (https://k8s.gcr.io/v2/kube-proxy/manifests/v1.24.7) |
Additional Information
Most of these IPs can be dynamic, so they can be fetched and whitelisted from the host domain.
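Because the addresses in the table can change, a static allowlist can be checked against current DNS answers before onboarding a node. The following is an added example, not Platform9 code: the function names are hypothetical, and the dictionary holds only a subset of the table's rows.

```python
import socket

# Domain -> IPs copied from the table above (a subset of the port 443 rows).
DOCUMENTED = {
    "pmkft-assets.s3-us-west-1.amazonaws.com": {"3.5.160.117", "52.219.120.209"},
    "download.docker.com": {"108.139.1.114", "108.139.1.115",
                            "108.139.1.117", "108.139.1.19"},
    "gcr.io": {"142.251.2.82"},
    "k8s.gcr.io": {"74.125.137.82"},
}

def resolve_ipv4(domain, port=443):
    """Return the IPv4 addresses the local resolver currently gives for domain."""
    try:
        infos = socket.getaddrinfo(domain, port, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # not resolvable from this host
    return {info[4][0] for info in infos}

def allowlist_drift(documented, resolver=resolve_ipv4):
    """Compare allowlisted IPs with live DNS answers.

    missing: live IPs absent from the allowlist (egress to them is blocked).
    stale:   allowlisted IPs not in this answer. One DNS answer is only a
             sample of a rotating pool, so treat these as review candidates.
    Domains with no differences are left out of the report.
    """
    report = {}
    for domain, listed in sorted(documented.items()):
        live = resolver(domain)
        if not live:
            report[domain] = {"missing": [], "stale": [], "unresolved": True}
            continue
        missing, stale = sorted(live - listed), sorted(listed - live)
        if missing or stale:
            report[domain] = {"missing": missing, "stale": stale,
                              "unresolved": False}
    return report

if __name__ == "__main__":
    for domain, diff in allowlist_drift(DOCUMENTED).items():
        print(domain, diff)
```

Run it from a host that uses the same DNS resolver as the nodes being onboarded, since CDN-backed domains return different addresses per region.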