This topic describes how to secure the environment for VMware Tanzu Kubernetes Grid Integrated Edition Management Console (TKGI MC) and Ops Manager (Ops Manager).
Overview
Apps frequently require the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls.
To configure security for your TKGI MC environment, see Configure Security and Ports for TKGI and Ops Manager below.
Configure Security and Ports for TKGI and Ops Manager
Firewall rules are typically used to provide apps the ability to pass internal communication between system components on different networks and require one or more conduits through the environment’s firewalls. Firewall rules are also used to enable interfacing with external systems such as with enterprise apps or apps and data on the public Internet.
To configure security and ports for a TKGI MC environment on vSphere:
-
VMware recommends you deactivate security policies that filter traffic between the networks supporting the system.
-
Use one of the following methods to secure the environment and grant access between TKGI system components:
- Enable access to apps through standard Kubernetes load-balancers and ingress controller types. This enables you to designate specific ports and protocols as a firewall conduit.
- Enable access using the NSX load balancer and ingress. This enables you to configure external addresses and ports that are automatically mapped and resolved to internal/local addresses and ports.
- Manually Configure Ports for TKGI and Ops Manager.
Configure Ports for TKGI and Ops Manager
In a standard TKGI deployment, it is assumed that Ops Manager and BOSH are already deployed before you deploy TKGI.
This is not the case with TKGI MC deployments in which you do not know the IP addresses in the deployment network that will be assigned to TKGI API VM, BOSH VM, and Ops Manager VM.
VMware recommends you create a firewall rule that allows access by the TKGI MC VM to the entire deployment subnet.
The following table identifies the flows between the system components in an TKGI MC environment:
| Source Component | Destination Component | Destination Protocol | Destination Port | Service |
|---|---|---|---|---|
| Management Console VM | All System Components | TCP | 22 | SSH |
| Management Console VM | All System Components | TCP | 80 | http |
| Management Console VM | All System Components | TCP | 443 | https |
| Management Console VM | Cloud Foundry BOSH Director | TCP | 25555 | bosh director rest api |
| Management Console VM | DNS validation for Ops Manager | TCP | 53 | netcat |
| Management Console VM | Kubernetes Cluster API Server - LB VIP | TCP | 8443 | httpsca |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 22 | SSH |
| Management Console VM | Pivotal Cloud Foundry Operations Manager | TCP | 443 | https |
| Management Console VM | TKGI Controller | TCP | 9021 | tkgi api server |
| Management Console VM | vCenter Server | TCP | 443 | https |
The Source Component is the IP address of the TKGI Management Console VM.
