Skip to content

Commit

Permalink
docs: incorporate feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
@lennessyy
lennessyy committed Jan 31, 2025
1 parent bafe482 commit 6eb4f3d
Showing 1 changed file with 109 additions and 47 deletions.
156 changes: 109 additions & 47 deletions docs/docs-content/deployment-modes/agent-mode/install-agent-host.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,16 +93,17 @@ Palette. You will then create a cluster profile and use the registered host to d
:::

- If installing the FIPS version of Agent Mode on a Rocky Linux edge host, you must configure your SELinux policies to
grant rsync the required host permissions. If you are using Cilium, you must also configure the appropriate
firewalld rules. Follow the process below to apply the necessary configurations before installing Agent Mode.
grant rsync the required host permissions and ensure you enable cgroup V2. If you are using Cilium and have
firewalld enabled, you must also configure the appropriate firewalld rules. Follow the process below to apply the
necessary configurations before installing Agent Mode.

<br />

<details>

{" "}
<summary>Rocky Linux 8 Configurations</summary>

<summary>SELinux Policy Configuration</summary>
### Configure rsync

1. Enable SELinux to allow full rsync access.

Expand Down Expand Up @@ -154,87 +155,148 @@ Palette. You will then create a cluster profile and use the registered host to d
semodule --install rsync_dac_override.pp
```

7. (Optional) If you are using Cilium, issue the following commands to configure the appropriate firewalld rules.
### Enable cgroup V2

```shell
# Kubernetes API Server
firewall-cmd --permanent --zone="$1" --add-port=6443/tcp
7. Issue the following command to check if your kernel supports cgroup v2.

# Etcd
```shell
grep cgroup2 /proc/filesystems
```

firewall-cmd --permanent --zone="$1" --add-port=2379-2380/tcp
If the response is `nodev cgroup2`, your kernel supports cgroup v2 and you may proceed to the next step. If the
response does not match `nodev cgroup2`, then your kernel does not support cgroup v2. You need to upgrade to a
kernel that supports cgroup v2 to proceed.

# Kubelet API
8. Issue the following command to check if cgroup v2 is already enabled.

firewall-cmd --permanent --zone="$1" --add-port=10250/tcp
```shell
stat -fc %T /sys/fs/cgroup
```

# Scheduler and Controller Manager
If the output is `tmpfs` then cgroup v2 is not enabled. When cgroup v2 is enabled, the output is `cgroup2fs`. If
cgroup v2 is enabled, skip to step 12.

firewall-cmd --permanent --zone="$1" --add-port=10257-10259/tcp
9. Issue the following command to edit the GRUB file to enable cgroup v2.

# kube proxy health check
```shell
sudo vi /etc/default/grub
```

firewall-cmd --permanent --zone="$1" --add-port=10255/tcp
Find the line starting with `GRUB_CMDLINE_LINUX` and add the `systemd.unified_cgroup_hierarchy=1` parameter.

# Nodeport range
```
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release *$,,g' / etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto resume=/dev/mapper/rl-swap rd.lvm.lv=rl/root rd.lvm.lv=rl/swap systemd.unified_cgroup_hierarchy=1
systemd.unified_cgroup_hierarchv=1" GRUB_DISABLE_RECOVERY=" true"
GRUB_ENABLE_BLSCFG=true
```

firewall-cmd --permanent --zone="$1" --add-port=30000-32767/tcp
10. Save the file and regenerate the GRUB configuration.

############### Start Cilium Rules ##########################
```shell
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
```

# Cilium: VXLAN Overlay
11. Reboot the system.

firewall-cmd --permanent --zone="$1" --add-port=8472/udp
```shell
sudo reboot
```

# Cilium: Health Checks
### Configure firewalld (Cilium Only)

firewall-cmd --permanent --zone="$1" --add-port=4240/tcp
12. (Optional) If you are using Cilium and have firewalld enabled, put the the following commands into a shell script.

# Cilium: Geneve Overlay networking (if enabled)
```shell
cat << 'EOF' > firewalld-cilium.sh
#!/bin/bash
firewall-cmd --permanent --zone="$1" --add-port=6081/udp
if [ -z "$1" ]; then
echo "Usage: $0 <zone>"
exit 1
fi
# Cilium: WireGuard Encryption (if enabled)
ZONE="$1"
firewall-cmd --permanent --zone="$1" --add-port=51871/udp
# Kubernetes API Server
firewall-cmd --permanent --zone="$ZONE" --add-port=6443/tcp
# Cilium: IPsec Encryption (if enabled)
# Etcd
firewall-cmd --permanent --zone="$ZONE" --add-port=2379-2380/tcp
firewall-cmd --permanent --zone="$1" --add-protocol=esp
# Kubelet API
firewall-cmd --permanent --zone="$ZONE" --add-port=10250/tcp
# Cilium: Prometheus Observability
# Scheduler and Controller Manager
firewall-cmd --permanent --zone="$ZONE" --add-port=10257-10259/tcp
firewall-cmd --permanent --zone="$1" --add-port=9962/tcp firewall-cmd --permanent --zone="$1" --add-port=9963/tcp
# kube proxy health check
firewall-cmd --permanent --zone="$ZONE" --add-port=10255/tcp
# Cilium: Enable ICMP Type 8 (Echo request) and Type 0 (Echo Reply)
# Nodeport range
firewall-cmd --permanent --zone="$ZONE" --add-port=30000-32767/tcp
firewall-cmd --permanent --zone="$1" --add-icmp-block-inversion ############### End Cilium Rules
##########################
############### Start Cilium Rules ##########################
# DNS and service communications
# Cilium: VXLAN Overlay
firewall-cmd --permanent --zone="$ZONE" --add-port=8472/udp
# DNS (CoreDNS)
# Cilium: Health Checks
firewall-cmd --permanent --zone="$ZONE" --add-port=4240/tcp
firewall-cmd --permanent --zone="$1" --add-port=53/tcp firewall-cmd --permanent --zone="$1" --add-port=53/udp
# Cilium: Geneve Overlay networking (if enabled)
firewall-cmd --permanent --zone="$ZONE" --add-port=6081/udp
# Allow inbound/outbound traffic to port 443 (HTTPS)
# Cilium: WireGuard Encryption (if enabled)
firewall-cmd --permanent --zone="$ZONE" --add-port=51871/udp
firewall-cmd --permanent --zone="$1" --add-port=443/tcp
# Cilium: IPsec Encryption (if enabled)
firewall-cmd --permanent --zone="$ZONE" --add-protocol=esp
# Allow inbound/outbound traffic to port 4222 (NATS)
# Cilium: Prometheus Observability
firewall-cmd --permanent --zone="$ZONE" --add-port=9962/tcp
firewall-cmd --permanent --zone="$ZONE" --add-port=9963/tcp
firewall-cmd --permanent --zone="$1" --add-port=4222/tcp
# Cilium: Enable ICMP Type 8 (Echo request) and Type 0 (Echo Reply)
firewall-cmd --permanent --zone="$ZONE" --add-icmp-block-inversion
# Allow NAT traffic
############### End Cilium Rules ##########################
firewall-cmd --permanent --add-masquerade
# DNS and service communications
# Reload firewalld cache
# DNS (CoreDNS)
firewall-cmd --permanent --zone="$ZONE" --add-port=53/tcp
firewall-cmd --permanent --zone="$ZONE" --add-port=53/udp
firewall-cmd --reload
```
# Allow inbound/outbound traffic to port 443 (HTTPS)
firewall-cmd --permanent --zone="$ZONE" --add-port=443/tcp
# Allow inbound/outbound traffic to port 4222 (NATS)
firewall-cmd --permanent --zone="$ZONE" --add-port=4222/tcp
# Allow NAT traffic
firewall-cmd --permanent --add-masquerade
# Reload firewalld cache
firewall-cmd --reload
EOF
</details>
# Make the script executable
chmod +x firewalld-cilium.sh
```
13. Execute the script with the name of the firewalld zone. For example, the following script sets the rules in the
firewall zone `public`.
```shell
./firewalld-cilium.sh public
```
</details>
## Install Palette Agent
Expand Down

0 comments on commit 6eb4f3d

Please sign in to comment.