IP and FQDN Lists

FQDN Services for Kubernetes

There are some basic services that need to be defined as IP lists, such as docker.io or the Kubernetes API server. These FQDNs will be used later in the ring-fence policy for the Kubernetes cluster. The following FQDNs are commonly found to be dependencies for Kubernetes and should be defined inside Illumio Core's IP list policy objects:

  • docker.io
  • myregistry.example.com

The PCE FQDN is also required, for Kubelink, for example, mypce.example.com.

IP Lists for Kubernetes

Additionally, the following subnets or IP addresses should be defined in the IP list policy objects:

  • Kubernetes Pod Network: Locate the subnet in the master node's /etc/kubernetes/kubeadm-config.yaml file (Ubuntu) under the networking > podSubnet key, for example, 10.200.0.0/16
  • Kubernetes Service Network: Locate the subnet in the master node's /etc/kubernetes/kubeadm-config.yaml file (Ubuntu) under the networking > serviceSubnet key, for example, 10.100.0.0/16

The screenshot below displays IP lists created for Kubernetes Infrastructure dependencies.

FQDN Services for OpenShift

There are some basic services that should be defined as IP lists such as docker.io or the Kubernetes API server. These FQDNs will be used later in the ring fence policy for the OpenShift cluster. The following FQDNs are commonly found to be dependencies for OpenShift and should be defined in Illumio IP list policy objects:

  • docker.io
  • registry.access.redhat.com
  • access.redhat.com
  • subscription.rhsm.redhat.com
  • github.com

The PCE FQDN is required for Kubelink, for example, mypce.example.com.

IP Lists for OpenShift

Additionally, the following subnets or IP addresses should be defined in IP list policy objects:

  • OpenShift Pod Network: Find the subnet in the master node's /etc/origin/master/master-config.yaml file under the networkConfig > clusterNetworkCIDR key, for example, 10.128.0.0/14
  • OpenShift Service Network: Find the subnet in the master node's /etc/origin/master/master-config.yaml file under the networkConfig > serviceNetworkCIDR key, for example, 172.30.0.0/16
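The two lookups above (podSubnet/serviceSubnet in kubeadm-config.yaml, clusterNetworkCIDR/serviceNetworkCIDR in master-config.yaml) are the same step on two file layouts, so the following added example, which is not Illumio's code, handles both: it pulls the CIDRs out of constructed sample copies of each file, rejects host addresses passed off as subnets and overlapping pod/service ranges, checks the FQDN spellings, and assembles the IP-list entries for review. The dictionary layout of those entries (name, ip_ranges, fqdns) is an assumption made for the example, not a documented PCE API payload.

```python
"""Extract Kubernetes/OpenShift pod and service CIDRs, validate them, and
assemble Illumio IP-list entries for review. Example added here; not Illumio's
code. YAML texts below are constructed samples, and the output dict layout
(name / ip_ranges / fqdns) is an assumption, not a documented PCE API schema."""
import ipaddress
import re

# Constructed sample of /etc/kubernetes/kubeadm-config.yaml (Ubuntu, kubeadm).
KUBEADM_CONFIG = """\
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
networking:
  dnsDomain: cluster.local
  podSubnet: 10.200.0.0/16
  serviceSubnet: 10.100.0.0/16
"""

# Constructed sample of /etc/origin/master/master-config.yaml (OpenShift 3.x).
MASTER_CONFIG = """\
apiVersion: v1
kind: MasterConfig
networkConfig:
  clusterNetworkCIDR: 10.128.0.0/14
  hostSubnetLength: 9
  serviceNetworkCIDR: 172.30.0.0/16
"""

# Simple FQDN syntax check: dotted labels, no leading/trailing hyphen, alpha TLD.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def find_nested_value(yaml_text, section, key):
    """Return the scalar at `section:` > `key:` or None. An indentation-aware
    scan instead of a YAML library; sufficient for these two flat blocks."""
    section_indent = None
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if section_indent is None:          # still looking for the section header
            if stripped == f"{section}:":
                section_indent = indent
            continue
        if indent <= section_indent:        # dedent: the section has ended
            return None
        name, sep, value = stripped.partition(":")
        if sep and name.strip() == key:
            return value.strip().strip("'\"") or None
    return None


def validate_cidr(cidr):
    """strict=True rejects a host address with a prefix (e.g. 10.200.0.1/16)."""
    return str(ipaddress.ip_network(cidr, strict=True))


def validate_fqdn(fqdn):
    if not FQDN_RE.match(fqdn):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return fqdn.lower()


def cluster_networks(yaml_text, section, pod_key, svc_key):
    """Read both CIDRs from one config file and make sure they do not overlap."""
    pod = find_nested_value(yaml_text, section, pod_key)
    svc = find_nested_value(yaml_text, section, svc_key)
    missing = [k for k, v in ((pod_key, pod), (svc_key, svc)) if v is None]
    if missing:
        raise KeyError(f"{section}: missing {', '.join(missing)}")
    pod_net, svc_net = ipaddress.ip_network(pod, strict=True), ipaddress.ip_network(svc, strict=True)
    if pod_net.overlaps(svc_net):
        raise ValueError(f"pod network {pod_net} overlaps service network {svc_net}")
    return {"pod": str(pod_net), "service": str(svc_net)}


def build_ip_lists(platform, networks, fqdns, pce_fqdn):
    """Assemble the IP-list entries described in the text (assumed dict layout)."""
    return [
        {"name": f"{platform} Pod Network", "ip_ranges": [{"from_ip": networks["pod"]}], "fqdns": []},
        {"name": f"{platform} Service Network", "ip_ranges": [{"from_ip": networks["service"]}], "fqdns": []},
        {"name": f"{platform} FQDN Services", "ip_ranges": [],
         "fqdns": [{"fqdn": validate_fqdn(f)} for f in fqdns]},
        {"name": "PCE", "ip_ranges": [], "fqdns": [{"fqdn": validate_fqdn(pce_fqdn)}]},
    ]


if __name__ == "__main__":
    k8s = cluster_networks(KUBEADM_CONFIG, "networking", "podSubnet", "serviceSubnet")
    ocp = cluster_networks(MASTER_CONFIG, "networkConfig", "clusterNetworkCIDR", "serviceNetworkCIDR")
    for entry in build_ip_lists("Kubernetes", k8s, ["docker.io", "myregistry.example.com"], "mypce.example.com"):
        print(entry)
    for entry in build_ip_lists("OpenShift", ocp, ["docker.io", "registry.access.redhat.com",
                                "access.redhat.com", "subscription.rhsm.redhat.com", "github.com"],
                                "mypce.example.com"):
        print(entry)
```

To use it against a real cluster, replace the two constructed strings with the contents of the files named in the text; the strict CIDR check is there because an IP list built from a host address such as 10.200.0.1/16 would quietly cover a different range than intended.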

The screenshot below displays IP lists created for OpenShift Infrastructure dependencies. It references the IP lists which automatically come with the Illumio Segmentation Template.

NOTE:

The IP lists mentioned above are for FQDNs and IP addresses that Illumio has found to be necessary for basic Kubernetes or OpenShift deployments. Each deployment varies and may have dependencies on additional FQDNs or IP addresses that are not mentioned in this document.

If your Kubernetes or OpenShift infrastructure needs to communicate with external services that are not mentioned here, make sure you add those to the IP lists as well.