Proxy Server Allowlist

To install and run Tanzu Kubernetes Grid (TKG) in an environment that is internet-restricted but not physically airgapped, you have two options:

  • Configure your proxy server and firewall to allow access from TKG’s subnets to the online sources for TKG images, that is, the container images for TKG components.
  • Make offline copies of all the TKG images.

This topic lists the domains that your proxy server (Layer 7) needs to allow in order to enable Tanzu Kubernetes Grid, for the first option above. It also lists second-option alternatives for copying and using images offline.

For the port and protocol firewall (Layer 4) rules required by Tanzu Kubernetes Grid, see Tanzu Kubernetes Grid Firewall Rules.

For how to install Tanzu Kubernetes Grid in an airgapped or internet-restricted environment, see Prepare an Internet-Restricted Environment.

Domains to Allow

Add the following domains to your proxy server’s allowlist to install Tanzu Kubernetes Grid and enable it to provision workload clusters.

Domains Registry Purpose
VMware Plugins Registry Hosts images, binaries and configuration files used by the Tanzu Kubernetes Grid CLI to perform various core functions, including provisioning management and workload clusters and enabling OpenID and LDAP authentication with Pinniped.
VMware OCI Images Registry Uses Harbor to host images that TKG uses to bootstrap management and workload clusters. Images in this registry are scanned for vulnerabilities and are safe to operate in all environments.
Docker Hub Stores images for TKG packages such as Prometheus (for metrics gathering) and Grafana (for metrics visualization).

Alternatives to Allowlisting

As an alternative to allowing the domains above, you can copy the images offline as follows:

  • All Images: Run the image copying scripts described in Prepare an Internet-Restricted Environment.

  • VMware Plugins Registry Images: Run tanzu plugin sync from an internet-connected bootstrap machine and transfer its $HOME/.tkg folder to the internet-restricted machine.

  • Docker Hub Images: Use the ytt tool to change the package source registry to your own private Docker registry or Helm Artifact Hub.
