To install and run Tanzu Kubernetes Grid (TKG) in an environment that is internet-restricted but not physically airgapped, you have two options:
This topic lists the domains that your proxy server (Layer 7) needs to allow in order to enable Tanzu Kubernetes Grid, for the first option above. It also lists second-option alternatives for copying and using images offline.
For the port and protocol firewall (Layer 4) rules required by Tanzu Kubernetes Grid, see Tanzu Kubernetes Grid Firewall Rules.
For how to install Tanzu Kubernetes Grid in an airgapped or internet-restricted environment, see Prepare an Internet-Restricted Environment.
Add the following domains to your proxy server’s allowlist to install Tanzu Kubernetes Grid and enable it to provision workload clusters.
||VMware Plugins Registry||Hosts images, binaries and configuration files used by the Tanzu Kubernetes Grid CLI to perform various core functions, including provisioning management and workload clusters and enabling OpenID and LDAP authentication with Pinniped.|
||VMware OCI Images Registry||Uses Harbor to host images that TKG uses to bootstrap management and workload clusters. Images in this registry are scanned for vulnerabilities and are safe to operate in all environments.|
||Docker Hub||Stores images for TKG packages such as Prometheus (for metrics gathering) and Grafana (for metrics visualization).|
As an alternative to allowing the domains above, you can copy the images offline as follows:
All Images: Run the image copying scripts described in Prepare an Internet-Restricted Environment.
VMware Plugins Registry Images: Run tanzu plugin sync from an internet-connected bootstrap machine and transfer its $HOME/.tkg folder to the internet-restricted machine.
Docker Hub Images: Use the ytt tool to change the package source registry to your own private Docker registry or Helm Artifact Hub.
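One way to carry out the VMware Plugins Registry Images step above so that the copied $HOME/.tkg folder is verified before it is used on the internet-restricted machine. This is an added example, not VMware's own script: the function names pack_tkg and unpack_tkg and the bundle file names are hypothetical, and it assumes tar and sha256sum exist on both machines.

```bash
#!/usr/bin/env bash
# Added example (not from the TKG documentation). Function and file names
# are hypothetical; only `tanzu plugin sync` and $HOME/.tkg come from the page.

# Connected bootstrap machine, after running `tanzu plugin sync`:
#   pack_tkg "$HOME" /path/to/transfer-dir
# Writes tkg-bundle.tar.gz plus tkg-bundle.tar.gz.sha256 into the output dir.
pack_tkg() {
    src_home=$1
    out_dir=$2
    [ -d "$src_home/.tkg" ] || { echo "no .tkg folder under $src_home" >&2; return 1; }
    mkdir -p "$out_dir" || return 1
    # Archive relative to the home directory so members are all ".tkg/...".
    tar -C "$src_home" -czf "$out_dir/tkg-bundle.tar.gz" .tkg || return 1
    # Record the digest; ideally it travels by a different channel than the bundle.
    ( cd "$out_dir" && sha256sum tkg-bundle.tar.gz > tkg-bundle.tar.gz.sha256 )
}

# Internet-restricted machine:
#   unpack_tkg /path/to/transfer-dir "$HOME"
# Extracts only if the digest matches and every member name stays under .tkg/.
unpack_tkg() {
    bundle_dir=$1
    dst_home=$2
    bundle="$bundle_dir/tkg-bundle.tar.gz"
    # 1. Refuse the bundle if its SHA-256 differs from the recorded one.
    ( cd "$bundle_dir" && sha256sum -c tkg-bundle.tar.gz.sha256 >/dev/null 2>&1 ) || {
        echo "digest mismatch, not extracting" >&2; return 1; }
    # 2. Refuse member names outside .tkg/ or containing a ".." component.
    if tar -tzf "$bundle" | grep -Ev '^\.tkg(/|$)' | grep -q . ||
       tar -tzf "$bundle" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected path in bundle, not extracting" >&2; return 1
    fi
    mkdir -p "$dst_home" && tar -C "$dst_home" -xzf "$bundle"
}
```

The name check covers member paths only; it does not inspect symlink targets inside the archive.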