If the machines you are using for bootstrap and cluster nodes use a proxy server to access the internet, you must:
- Configure proxying for the package manager on cluster nodes
- Configure proxy details in the cluster configuration file.
Prerequisites
Your proxy server must allow connections to the following addresses:
Address | Purpose
---|---
*.gcr.io | Pull images from the Container Registry.
accounts.google.com | Process authorization requests for OpenID and discover public keys for verifying tokens.
cloudresourcemanager.googleapis.com | Resolve metadata regarding the Google Cloud project the cluster is being connected to.
compute.googleapis.com | Verify the Cloud Logging and Cloud Monitoring resource region.
dl.fedoraproject.org | Install Extra Packages for Enterprise Linux (EPEL) when using Red Hat Enterprise Linux (RHEL) distributions.
download.docker.com | Add the Docker repository. Required when the admin workstation runs behind a proxy, and for node machines behind a proxy when Docker is used as the container runtime.
gkeconnect.googleapis.com | Establish the channel used to receive requests from Google Cloud and issue responses.
gkehub.googleapis.com | Create Google Cloud-side Hub membership resources that correspond to the cluster you're connecting with Google Cloud.
iam.googleapis.com | Create service accounts, which you can use to authenticate to Google Cloud and make API calls.
iamcredentials.googleapis.com | Provides admission control and telemetry reporting for audit logging.
logging.googleapis.com | Write log entries and manage your Cloud Logging configuration.
monitoring.googleapis.com | Manage your Cloud Monitoring data and configurations.
packages.cloud.google.com | Download packages from the Google Cloud package mirror.
oauth2.googleapis.com | Authenticate through OAuth token exchange for account access.
opsconfigmonitoring.googleapis.com | Collect metadata for Kubernetes resources such as pods, deployments, or nodes to enrich metric queries.
securetoken.googleapis.com | Retrieve refresh tokens for workload identity authorization.
servicecontrol.googleapis.com | Write audit log entries into Cloud Audit Logs.
serviceusage.googleapis.com | Enable and validate services and APIs.
stackdriver.googleapis.com | Manage Google Cloud Observability metadata, such as Stackdriver accounts.
storage.googleapis.com | Manage object storage and buckets, such as Container Registry objects.
sts.googleapis.com | Exchange Google or third-party credentials for a short-lived access token to Google Cloud resources.
www.googleapis.com | Authenticate service tokens from incoming Google Cloud service requests.
In addition to these URLs, the proxy server must also allow any package mirrors your operating system's package manager requires. You can update the package manager configuration to use a more deterministic list, which is easier to manage.
Configure proxying for the package manager on cluster nodes
Google Distributed Cloud uses the APT package manager on Ubuntu and the DNF package manager on CentOS and Red Hat Enterprise Linux (RHEL). Ensure that the OS package manager has the correct proxy configuration.
Refer to your OS distribution's documentation for details about configuring the proxy. The following examples show one way to configure proxy settings:
APT
These commands demonstrate how to configure the proxy for APT. The file is owned by root, so the write has to run as root: a plain >> redirection runs as the invoking user and fails with "Permission denied", which is why the commands pipe through sudo tee -a:
printf 'Acquire::http::Proxy "http://[username:password@]domain";\n' | sudo tee -a /etc/apt/apt.conf.d/proxy.conf
printf 'Acquire::https::Proxy "http://[username:password@]domain";\n' | sudo tee -a /etc/apt/apt.conf.d/proxy.conf
Replace [username:password@]domain with details specific to your configuration. Any username and password you put in the URL are stored in plain text in this file.
DNF
This command demonstrates how to configure the proxy for DNF. It appends a proxy= option to the end of the file, which lands in the [main] section as long as [main] is the only section in /etc/dnf/dnf.conf (the default); if your file has other sections, add the line under [main] instead:
echo "proxy=http://[username:password@]domain" | sudo tee -a /etc/dnf/dnf.conf
Replace [username:password@]domain with details specific to your configuration. As with APT, any credentials in the URL are stored in plain text.
Configure proxy details in the cluster configuration file
In the cluster configuration file, set the following values to configure the cluster to use the proxy:
proxy.url
A string that specifies the proxy URL. The bootstrap and node machines use this proxy to access the internet.
proxy.noProxy
A list of IP addresses, hostnames, and domain names that should not go through the proxy server.
In most cases, you don't need to add any items to this list. Do not add the Service or Pod CIDR ranges.
noProxy use cases:
- A private package mirror located in the same private network, which can be reached without the proxy.
- A private registry mirror located in the same private network, which can be reached without the proxy.
Example
The following is an example of the proxy settings in a cluster configuration file:
proxy:
  url: http://[username:password@]domain
  noProxy:
  - example1.com
  - example2.com
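The following script is an added example and is not part of the Google Distributed Cloud documentation or tooling. It pulls the two configuration steps above together: it renders the APT and DNF proxy snippets and the proxy section of the cluster configuration file from one proxy URL, masks embedded credentials before anything is logged, and refuses a noProxy list that contains the Service or Pod CIDR. The proxy URL, hostnames and CIDR values are constructed sample input; the CIDR check is a textual comparison against the ranges you pass in, not a subnet calculation.

```shell
#!/bin/sh
# Added example, not Google Distributed Cloud code. Assumes the proxy URL has
# the form http://[user:pass@]host[:port]; sample values below are constructed.

# Strip user:password from a proxy URL so it can be printed in logs safely.
mask_proxy_url() {
  printf '%s\n' "$1" | sed -E 's#^([a-z]+://)[^@/]+@#\1***@#'
}

# Render the contents of /etc/apt/apt.conf.d/proxy.conf.
render_apt_conf() {
  printf 'Acquire::http::Proxy "%s";\nAcquire::https::Proxy "%s";\n' "$1" "$1"
}

# Render the line that belongs in the [main] section of /etc/dnf/dnf.conf.
render_dnf_conf() {
  printf 'proxy=%s\n' "$1"
}

# Return non-zero if the comma-separated noProxy list contains any of the
# CIDRs given as further arguments (intended: the Service and Pod CIDRs).
check_no_proxy() {
  no_proxy_list=$1
  shift
  IFS=','
  for entry in $no_proxy_list; do
    for cidr in "$@"; do
      if [ "$entry" = "$cidr" ]; then
        echo "noProxy must not contain cluster CIDR $cidr" >&2
        unset IFS
        return 1
      fi
    done
  done
  unset IFS
  return 0
}

# Render the proxy section of the cluster configuration file.
render_cluster_proxy() {
  url=$1
  no_proxy_list=$2
  printf 'proxy:\n  url: %s\n' "$url"
  if [ -n "$no_proxy_list" ]; then
    printf '  noProxy:\n'
    IFS=','
    for entry in $no_proxy_list; do
      printf '  - %s\n' "$entry"
    done
    unset IFS
  fi
}

# Constructed sample input for a stand-alone run.
PROXY_URL='http://svc-user:s3cret@proxy.corp.example:3128'
NO_PROXY_LIST='mirror.corp.example,registry.corp.example'
SERVICE_CIDR='10.96.0.0/20'
POD_CIDR='192.168.0.0/16'

echo "Using proxy $(mask_proxy_url "$PROXY_URL")"
check_no_proxy "$NO_PROXY_LIST" "$SERVICE_CIDR" "$POD_CIDR"
render_apt_conf "$PROXY_URL"
render_dnf_conf "$PROXY_URL"
render_cluster_proxy "$PROXY_URL" "$NO_PROXY_LIST"
```

Only the rendering is done here; writing the APT and DNF output to their files still has to happen as root, as in the commands above, and the rendered cluster proxy section is pasted into the cluster configuration file.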
Override the proxy configuration
You can run your bootstrap machine behind a different proxy than the one used by your node machines by overriding the proxy settings in the cluster configuration file. To override the proxy settings, set the following environment variables on the bootstrap machine:
export HTTPS_PROXY=http://[username:password@]domain
Replace [username:password@]domain with details specific to your configuration.
export NO_PROXY=example1.com,example2.com
Replace example1.com,example2.com with IP addresses, hostnames, and domain names that should not go through the proxy server.
Side effects
When run as root, bmctl updates the Docker proxy configuration on the bootstrap machine. If you do not run bmctl as root, configure the Docker proxy manually.