Online Environment

An online environment can have limited egress; however, at a minimum, access to container images and deployment manifest files from the public registries below is required.

| Host | Existing Cluster | Embedded Cluster | Notes |
| --- | --- | --- | --- |
| Docker Hub | Required | Required | Some dependencies of KOTS are hosted as public images in Docker Hub. The required domains for this service include index.docker.io and the domains listed at Allowlist for Docker Desktop. |
| replicated.app<br>app.selfhost.credo.ai | Required | Required | Upstream application YAML and metadata are pulled from replicated.app. The current running version of the application (if any), as well as a license ID and application ID to authenticate, are all sent to replicated.app. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.<br><br>(app.selfhost.credo.ai is a CNAME for replicated.app) |
| proxy.replicated.com<br>proxy.selfhost.credo.ai | Required | Required | Private Docker images are proxied through proxy.replicated.com. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.<br><br>For the range of IP addresses for proxy.replicated.com, see replicatedhq/ips in GitHub.<br><br>(proxy.selfhost.credo.ai is a CNAME for proxy.replicated.com) |
| proxy-auth.replicated.com | Required | Required | To pull private images through proxy.replicated.com, the on-prem Docker client must authenticate with this service using a license ID. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.<br><br>For the range of IP addresses for proxy-auth.replicated.com, see replicatedhq/ips in GitHub. |
| registry.selfhost.credo.ai | Required | Required | Some applications host private images in the Replicated registry at this domain. The on-prem Docker client uses a license ID to authenticate to registry.replicated.com. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.<br><br>For the range of IP addresses for registry.replicated.com, see replicatedhq/ips in GitHub.<br><br>(registry.selfhost.credo.ai is a CNAME for registry.replicated.com) |
| k8s.kurl.sh<br>s3.kurl.sh | Not Required | Required | Embedded cluster installation scripts and artifacts are served from kurl.sh. An application identifier is sent in a URL path, and bash scripts and binary executables are served from kurl.sh. This domain is owned by Replicated, Inc., which is headquartered in Los Angeles, CA.<br><br>For the range of IP addresses for k8s.kurl.sh, see replicatedhq/ips in GitHub.<br><br>The range of IP addresses for s3.kurl.sh is the same as the IP addresses for the kurl.sh domain. For the range of IP addresses for kurl.sh, see replicatedhq/ips in GitHub. |
| k8s.gcr.io<br>registry.k8s.io | Not Required | Required | Images for the Kubernetes control plane are downloaded from the Google Container Registry repository used to publish official container images for Kubernetes. Starting March 20, 2023, these requests are proxied to the new address registry.k8s.io. Firewall rules must allow network traffic to both of these URLs. For more information on the Kubernetes control plane components, see the Kubernetes documentation. |
| amazonaws.com | Not Required | Required | tar.gz packages are downloaded from Amazon S3 during embedded cluster installations. For information about dynamically scraping the IP ranges to allowlist for accessing these packages, see AWS IP address ranges in the AWS documentation. |
Info: The Credo AI application images are hosted under registry.selfhost.credo.ai.

Refer to the Replicated documentation for more detailed requirements.
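
The following is an added example, not code from Credo AI or Replicated, that audits a proxy or firewall domain allowlist against the host table above and reports both missing and unnecessary entries per install type. The pattern syntax (an exact host, or a leading `.` for a domain and its subdomains), the function names and the sample allowlist are assumptions; registry.replicated.com is taken from the Notes column.

```python
# Added example: audit an egress allowlist against the host table on this page.
# Tuple layout: (host, required for existing cluster, required for embedded cluster).
REQUIRED_EGRESS = [
    ("index.docker.io", True, True),   # Docker Hub; the only Hub domain named here
    ("replicated.app", True, True),
    ("app.selfhost.credo.ai", True, True),
    ("proxy.replicated.com", True, True),
    ("proxy.selfhost.credo.ai", True, True),
    ("proxy-auth.replicated.com", True, True),
    ("registry.replicated.com", True, True),  # CNAME target named in the Notes column
    ("registry.selfhost.credo.ai", True, True),
    ("k8s.kurl.sh", False, True),
    ("s3.kurl.sh", False, True),
    ("k8s.gcr.io", False, True),
    ("registry.k8s.io", False, True),
    ("amazonaws.com", False, True),    # bare domain, as listed in the table
]
COLUMN = {"existing": 1, "embedded": 2}


def covers(pattern, host):
    """Assumed syntax: 'a.b' matches only a.b; '.a.b' matches a.b and any subdomain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def missing_hosts(allowlist, cluster):
    """Required hosts for this install type that no allowlist pattern covers."""
    col = COLUMN[cluster]
    return [row[0] for row in REQUIRED_EGRESS
            if row[col] and not any(covers(p, row[0]) for p in allowlist)]


def unneeded_patterns(allowlist, cluster):
    """Patterns covering no required host: candidates to drop for tighter egress."""
    col = COLUMN[cluster]
    needed = [row[0] for row in REQUIRED_EGRESS if row[col]]
    return [p for p in allowlist if not any(covers(p, h) for h in needed)]


# Constructed sample allowlist, not taken from any real deployment.
SAMPLE_ALLOWLIST = [".replicated.com", "replicated.app", ".selfhost.credo.ai",
                    "index.docker.io", ".kurl.sh", "registry.k8s.io"]

if __name__ == "__main__":
    for cluster in COLUMN:
        print(cluster, "missing:", missing_hosts(SAMPLE_ALLOWLIST, cluster),
              "unneeded:", unneeded_patterns(SAMPLE_ALLOWLIST, cluster))
```

The host list covers only domains named on this page; the Docker Desktop allowlist and the AWS IP ranges it refers to must be added from their own sources.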