Merged
49 changes: 49 additions & 0 deletions docs/enterprise/installing-embedded-requirements.mdx
Expand Up @@ -38,3 +38,52 @@ This topic lists the installation requirements for Replicated Embedded Cluster.
</table>

&#42; Required only if the application uses the [Replicated private registry](/vendor/private-images-replicated).

## About Firewalld Configuration
Contributor

^ Moved this over to the main Install Requirements topic as its own "About" heading.

The ports section (where it was previously) has language that states: "This section lists the ports used by Embedded Cluster. These ports must be open and available for both single- and multi-node installations", and that didn't feel like it applied to the info about firewalld config.


When Firewalld is enabled in the installation environment, Embedded Cluster modifies the Firewalld config to allow traffic over the pod and service networks and to open the required ports on the host. No additional configuration is required.
Contributor

No additional configuration is required.

Added this. Can remove if it's not helpful


The following rule is added to Firewalld:

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
<interface name="cali+"/>
<interface name="tunl+"/>
<interface name="vxlan-v6.calico"/>
<interface name="vxlan.calico"/>
<interface name="wg-v6.cali"/>
<interface name="wireguard.cali"/>
<source address="[pod-network-cidr]"/>
<source address="[service-network-cidr]"/>
</zone>
```

The following ports are opened in the default zone:
Contributor

just reformatted this list of ports into a table


<table>
<tr>
<th>Port</th>
<th>Protocol</th>
</tr>
<tr>
<td>6443</td>
<td>TCP</td>
</tr>
<tr>
<td>10250</td>
<td>TCP</td>
</tr>
<tr>
<td>9443</td>
<td>TCP</td>
</tr>
<tr>
<td>2380</td>
<td>TCP</td>
</tr>
<tr>
<td>4789</td>
<td>UDP</td>
</tr>
</table>
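
Review bot: The sentence "The following rule is added to Firewalld:" introduces a complete `<zone target="ACCEPT">` definition rather than a single rule, and the text never names the zone or says what `[pod-network-cidr]` and `[service-network-cidr]` resolve to. Suggest rewording to "The following zone is added", giving the zone name, and stating that a target of ACCEPT means all traffic arriving on the listed interfaces or from the two source CIDRs is accepted, so an administrator auditing the host knows what to expect. The port table under "The following ports are opened in the default zone:" has no column saying what each port is used for; since these ports are opened in the default zone, a Purpose column would let a reader judge the exposure of 6443, 10250, 9443, 2380 and 4789 without leaving the page.
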
2 changes: 1 addition & 1 deletion docs/partials/embedded-cluster/_port-reqs.mdx
Expand Up @@ -40,4 +40,4 @@ If port 30000 is occupied, you can select a different port for the Admin Console

In addition to the ports above, air gap installations also require that port 50000/TCP is open and available for the Local Artifact Mirror (LAM).

If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).
If port 50000 is occupied, you can select a different port for the LAM during installation. For more information, see [Embedded Cluster Install Command Options](/reference/embedded-cluster-install).
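
Review bot: The removed and added "If port 50000 is occupied..." lines read identically, so the only change in this file looks like whitespace or an end-of-file newline; please confirm that is intended. The review comment on the new "About Firewalld Configuration" heading says the content previously sat in the ports section, but this hunk does not remove any firewalld text from `_port-reqs.mdx`, so check that the old copy is deleted elsewhere and the page does not end up with the information twice.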