Configuring the cluster-wide proxy during installation
Production environments can deny direct access to the Internet and instead have an HTTP or HTTPS proxy available. You can configure a new OpenShift Container Platform cluster to use a proxy by configuring the proxy settings in the install-config.yaml file.

For bare metal installations, if you do not assign node IP addresses from the range that is specified in the networking.machineNetwork.cidr field in the install-config.yaml file, you must include them in the noProxy field, so that traffic between nodes is not sent through the proxy.
Before you begin, review the sites that your cluster requires access to and determine whether any of them need to bypass the proxy. By default, all cluster egress traffic is proxied, including calls to the hosting cloud provider's APIs. Add such sites to the Proxy object's spec.noProxy field to bypass the proxy if necessary.

Note: The Proxy object's status.noProxy field is populated with the values of the networking.machineNetwork.cidr and networking.serviceNetwork fields from your installation configuration. For installations on Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, and Red Hat OpenStack Platform (RHOSP), the status.noProxy field is also populated with the instance metadata endpoint.
- Edit your install-config.yaml file and add the proxy settings. For example:

    apiVersion: v1
    baseDomain: my.domain.com
    proxy:
      httpProxy: http://<username>:<pswd>@<ip>:<port>    # 1
      httpsProxy: http://<username>:<pswd>@<ip>:<port>   # 2
      noProxy: example.com                               # 3
    additionalTrustBundle: |                             # 4
        -----BEGIN CERTIFICATE-----
        <MY_TRUSTED_CA_CERT>
        -----END CERTIFICATE-----
    ...
1. A proxy URL to use for creating HTTP connections outside the cluster. The URL scheme must be http. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpProxy value.
2. A proxy URL to use for creating HTTPS connections outside the cluster. If this field is not specified, then httpProxy is used for both HTTP and HTTPS connections. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must not specify an httpsProxy value.
3. A comma-separated list of destination domain names, domains, IP addresses, or other network CIDRs to exclude from proxying. Preface a domain with . to match subdomains only. For example, .y.com matches x.y.com, but not y.com. Use * to bypass the proxy for all destinations.
4. If provided, the installation program generates a config map in the openshift-config namespace that contains one or more additional CA certificates that are required for proxying HTTPS connections. The Cluster Network Operator then creates a trusted-ca-bundle config map that merges these contents with the Red Hat Enterprise Linux CoreOS (RHCOS) trust bundle, and this config map is referenced in the Proxy object. The additionalTrustBundle field is required unless the proxy's identity certificate is signed by an authority from the RHCOS trust bundle. If you use an MITM transparent proxy network that does not require additional proxy configuration but requires additional CAs, you must provide the MITM CA certificate.
The installation program does not support the proxy
- Save the file and reference it when installing OpenShift Container Platform. Because the httpProxy and httpsProxy URLs can embed proxy credentials, protect the install-config.yaml file like any other secret.
The installation program creates a cluster-wide proxy that is named cluster and that uses the proxy settings in the provided install-config.yaml file. If no proxy settings are provided, a Proxy object named cluster is still created, but it has an empty spec.

Note: Only the Proxy object named cluster is supported, and no additional proxies can be created.
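The rules above (httpProxy must use the http scheme, a leading dot in noProxy matches subdomains only, CIDRs and * are accepted, bare metal node IPs outside machineNetwork.cidr must be listed in noProxy, and the trust bundle is needed unless the proxy certificate chains to the RHCOS bundle) can be checked offline before an install is started. The following is an added example written for this page; it is not part of the OpenShift installer and uses only the Python standard library, so the install-config is modelled as a dict equivalent to the YAML rather than parsed. The sample values, the node IPs, and the assumption that a bare domain in noProxy also matches its subdomains (the convention of Go's httpproxy package, which the page does not state) are mine.

```python
"""Offline checks for the proxy stanza of an OpenShift install-config.yaml (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, equivalent to the install-config.yaml fragment on the page; all values made up.
SAMPLE_CONFIG = {
    "apiVersion": "v1",
    "baseDomain": "my.domain.com",
    "networking": {
        "machineNetwork": [{"cidr": "10.0.0.0/16"}],
        "serviceNetwork": ["172.30.0.0/16"],
    },
    "proxy": {
        "httpProxy": "http://user:secret@10.0.250.10:3128",
        "httpsProxy": "http://user:secret@10.0.250.10:3128",
        "noProxy": "example.com,.internal.corp,192.168.5.0/24",
    },
    "additionalTrustBundle": (
        "-----BEGIN CERTIFICATE-----\n"
        "MIIBszCCAVmgAwIBAgIUExample\n"   # placeholder body, not a real certificate
        "-----END CERTIFICATE-----\n"
    ),
}

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)


def split_no_proxy(value):
    """Split the comma-separated noProxy string into trimmed, lower-cased, non-empty entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def effective_no_proxy(config):
    """Approximate status.noProxy as the page describes it: spec.noProxy plus the
    machineNetwork CIDRs and the serviceNetwork ranges (the cloud metadata endpoint
    that cloud platforms add is left out here)."""
    net = config.get("networking", {})
    entries = split_no_proxy(config.get("proxy", {}).get("noProxy", ""))
    entries += [m["cidr"] for m in net.get("machineNetwork", [])]
    entries += list(net.get("serviceNetwork", []))
    return list(dict.fromkeys(entries))  # de-duplicate, keep order


def bypasses_proxy(dest, no_proxy):
    """True if a destination host name or IP literal matches a noProxy entry.
    '.x' matches subdomains of x only; 'x' matches x and its subdomains (assumed Go
    httpproxy behaviour); CIDRs/IPs match contained addresses; '*' matches everything."""
    dest = dest.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        ip = None
    for entry in no_proxy:
        if entry == "*":
            return True
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # a domain entry cannot match an IP literal
            continue
        if entry.startswith("."):
            if dest.endswith(entry):
                return True
        elif dest == entry or dest.endswith("." + entry):
            return True
    return False


def validate_proxy_config(config, node_ips=()):
    """Return a list of findings; an empty list means the checks described on the page pass.
    node_ips are bare-metal node addresses, checked against machineNetwork.cidr and noProxy."""
    findings = []
    proxy = config.get("proxy", {})
    http_proxy, https_proxy = proxy.get("httpProxy"), proxy.get("httpsProxy")
    bundle = config.get("additionalTrustBundle")

    for name, url in (("httpProxy", http_proxy), ("httpsProxy", https_proxy)):
        if url and not urlsplit(url).hostname:
            findings.append(f"{name}: not a URL with a host ({url!r})")
    if http_proxy and urlsplit(http_proxy).scheme != "http":
        findings.append("httpProxy: URL scheme must be http")

    spec_entries = split_no_proxy(proxy.get("noProxy", ""))
    for entry in spec_entries:
        if "://" in entry or any(c.isspace() for c in entry):
            findings.append(f"noProxy: {entry!r} must be a domain, IP or CIDR, not a URL")
    if "*" in spec_entries:
        findings.append("noProxy: '*' sends all egress directly, bypassing the proxy everywhere")

    if (http_proxy or https_proxy) and not bundle:
        findings.append("additionalTrustBundle absent: required unless the proxy certificate "
                        "chains to the RHCOS trust bundle")
    if bundle and not _PEM_CERT.search(bundle):
        findings.append("additionalTrustBundle: no PEM CERTIFICATE block found")

    machine_nets = [ipaddress.ip_network(m["cidr"], strict=False)
                    for m in config.get("networking", {}).get("machineNetwork", [])]
    for node_ip in node_ips:  # bare metal rule from the page
        addr = ipaddress.ip_address(node_ip)
        if not any(addr in n for n in machine_nets) and not bypasses_proxy(node_ip, spec_entries):
            findings.append(f"node {node_ip} is outside machineNetwork.cidr and not in noProxy; "
                            "add it or its range to proxy.noProxy")
    return findings
```

A config with additionalTrustBundle but no httpProxy/httpsProxy passes, which is the transparent MITM proxy case the callouts describe; a config that proxies HTTPS without a bundle is only flagged as a finding to review, since the proxy certificate may already chain to the RHCOS trust bundle.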