From e3674909f3ff7e34bb8a18412e22aec88ce79dd1 Mon Sep 17 00:00:00 2001
From: Jamon Camisso
Date: Fri, 8 Sep 2023 18:20:44 -0400
Subject: [PATCH] Consolidate images and enforce network requirements pages (#987)
Signed-off-by: Jamon Camisso
Co-authored-by: ltagliaferri
---
 config/_default/menus/menus.en.toml | 7 ++
 .../chainguard-images/network-requirements.md | 51 ----------
 .../reference => }/network-requirements.md | 93 ++++++++++++-------
 3 files changed, 69 insertions(+), 82 deletions(-)
 delete mode 100644 content/chainguard/chainguard-images/network-requirements.md
 rename content/chainguard/{chainguard-enforce/reference => }/network-requirements.md (55%)
diff --git a/config/_default/menus/menus.en.toml b/config/_default/menus/menus.en.toml
index 2633419919..0187a55c49 100644
--- a/config/_default/menus/menus.en.toml
+++ b/config/_default/menus/menus.en.toml
@@ -35,6 +35,7 @@
 [[main]]
 name = "Chainguard Images"
+ identifier = "chainguard-images"
 url = "/chainguard/chainguard-images/"
 parent = "menu-chainguard"
 weight = 15
@@ -45,6 +46,12 @@
 parent = "menu-chainguard"
 weight = 20
+[[main]]
+ name = "Network Requirements"
+ url = "/chainguard/network-requirements/"
+ parent = "menu-chainguard"
+ weight = 25
+
 [[main]]
 name = "Sigstore"
 url = "/open-source/sigstore/"
diff --git a/content/chainguard/chainguard-images/network-requirements.md b/content/chainguard/chainguard-images/network-requirements.md
deleted file mode 100644
index 0d63eea367..0000000000
--- a/content/chainguard/chainguard-images/network-requirements.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: "Network Requirements for Chainguard Images"
-linktitle: "Network Requirements"
-lead: "Using Chainguard Images with firewalls, access control lists, and proxies"
-type: "article"
-description: "Using Chainguard Images with firewalls, access control lists, and proxies"
-date: 2023-05-15T08:49:31+00:00
-lastmod: 2023-08-22T08:49:31+00:00
-draft: false
-tags: ["Chainguard Images", "Product", "Reference"]
-images: []
-menu:
- docs:
- parent: "chainguard-images"
-weight: 400
-toc: true
----
-
-This document provides an overview of network requirements for using [Chainguard Images](https://www.chainguard.dev/chainguard-images?utm_source=docs). To use Chainguard Images in environments with firewalls, VPNs, and IDS/IPS systems, you will need to add some rules to allow traffic into and out of your networks.
-
-## Chainguard Hosts
-
-This table lists the DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Images:
-
-| Hostname |Port |Protocol | Notes |
-|----------|-----|---------|-------|
-| cgr.dev | 443 | HTTPS | Main image registry|
-| enforce.dev | 443 | HTTPS | Registry authentication |
-| packages.wolfi.dev | 443 | HTTPS | Package repository|
-
-Note that to be able to authenticate with the `enforce.dev` domain, you will need to ensure access to and from the following CIDR ranges:
-
-{{< blurb/enforce-ips >}}
-
-## Third-party Hosts
-
-This table lists the third-party DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Images:
-
-|Hostname |Port |Protocol |Notes |
-|---------|-----|---------|------|
-| ghcr.io | 443 | HTTPS | Used for wolfi development|
-| *.r2.cloudflarestorage.com | 443 | HTTPS | Blob storage for cgr.dev|
-| 9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com | 443 | HTTPS | Blob storage for cgr.dev|
-
-Note: you can use either the single 
`9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com` host or the wildcard `*.rc.cloudflarestorage.com` hostname in your firewall and proxy configurations. However, the `9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com` hostname may change at some point in the future.
-
-## DNS Records and TTLs
-
-Many of the hosts listed on this page use multiple DNS A records or CNAME aliases. Additionally, many A records have a short time to live of 60 seconds, and the majority are less than an hour (3600s).
-
-If your network filters traffic based on IP addresses, ensure that any firewalls update their rules at an appropriate interval to match the TTL for each DNS record.
diff --git a/content/chainguard/chainguard-enforce/reference/network-requirements.md b/content/chainguard/network-requirements.md
similarity index 55%
rename from content/chainguard/chainguard-enforce/reference/network-requirements.md
rename to content/chainguard/network-requirements.md
index b300109a84..7df91651b8
--- a/content/chainguard/chainguard-enforce/reference/network-requirements.md
+++ b/content/chainguard/network-requirements.md
@@ -1,44 +1,73 @@ --- title: "Network Requirements" -aliases: -- /chainguard/chainguard-enforce/chainguard-enforce-kubernetes/network-requirements/ +linktitle: "Network Requirements" +lead: "Using Chainguard Images and Enforce with firewalls, access control lists, and proxies" type: "article" -description: "Ports and Protocols Required for Chainguard Enforce" -date: 2023-01-26T15:22:20 -lastmod: 2023-03-18T15:22:20 +description: "Using Chainguard Images and Enforce with firewalls, access control lists, and proxies" +date: 2023-09-08T08:49:31+00:00 +lastmod: 2023-09-08T08:49:31+00:00 draft: false -tags: ["Enforce", "Product", "Reference"] +aliases: +- /chainguard/chainguard-images/reference/network-requirements/ +- /chainguard/chainguard-enforce/reference/network-requirements/ +tags: ["Chainguard Images", "Chainguard Enforce", "Product", "Reference"] images: [] -menu: - docs: - parent: "reference" -weight: 020 toc: true --- -> _This document relates to Chainguard Enforce. In order to follow along, you will need access to Chainguard Enforce. You can request access through selecting **Chainguard Enforce** on the [inquiry form](https://www.chainguard.dev/contact?utm_source=docs)._ +This document provides an overview of network requirements for using [Chainguard Images](https://www.chainguard.dev/chainguard-images?utm_source=docs) and [Chainguard Enforce](https://www.chainguard.dev/chainguard-enforce?utm_source=docs). To use Chainguard products in environments with firewalls, VPNs, and IDS/IPS systems, you will need to add some rules to allow traffic into and out of your networks. 
+ +## Chainguard Images + +### Images Hosts + +This table lists the DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Images: + +| Hostname |Port |Protocol | Notes | +|----------|-----|---------|-------| +| cgr.dev | 443 | HTTPS | Main image registry| +| enforce.dev | 443 | HTTPS | Registry authentication | +| packages.wolfi.dev | 443 | HTTPS | Package repository| + +Note that to be able to authenticate with the `enforce.dev` domain, you will need to ensure access to and from the following CIDR ranges: + +{{< blurb/enforce-ips >}} -This document provides an overview of network requirements and general guidance for using Chainguard Enforce for Kubenetes. To use Enforce in environments with firewalls, VPNs, and IDS/IPS systems, you will need to add some rules to allow traffic into and out of your networks. +### Images Third-party Hosts -## Enforce Agent Access +This table lists the third-party DNS hostnames, associated ports, and protocols that will need to be allowed through firewalls and proxies to use Chainguard Images: + +|Hostname |Port |Protocol |Notes | +|---------|-----|---------|------| +| ghcr.io | 443 | HTTPS | Used for wolfi development| +| *.r2.cloudflarestorage.com | 443 | HTTPS | Blob storage for cgr.dev| +| 9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com | 443 | HTTPS | Blob storage for cgr.dev| +| chainguardhelp.zendesk.com | 443 | HTTPS | Support access for customers | + +Note: you can use either the single `9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com` host or the wildcard `*.rc.cloudflarestorage.com` hostname in your firewall and proxy configurations. However, the `9236a389bd48b98df91adc1bc924620.r2.cloudflarestorage.com` hostname may change at some point in the future. 
+ +## Chainguard Enforce + +### Enforce Agent Access Whether you are working with public or private registries, ensure that outbound connections from the Enforce agent (running in the `gulfstream` namespace) are permitted. Also be sure to allow the corresponding return traffic if you are using symmetric firewall rules. -## Enforce SaaS Access +### Enforce SaaS Access If you are using Enforce in agentless mode, you will need to ensure that your registry is publicly accessible to the agent. Refer to the [CIDR Ranges](#cidr-ranges) section of this page for a list of ranges to add to your firewall rules or access control lists. -## Image Registry Access +### Enforce Image Registry Access Enforce needs access to any registry or registries that are configured for your cluster or containers so that it can validate images and policies. Depending on your environment, you will need to configure your firewalls and access control lists to allow Enforce access. -## Chainguard Hosts +### Enforce Chainguard Hosts This table lists the DNS hostnames, associated ports, and protocols that will need to be allowed to communicate with your Kubernetes cluster or clusters. {{< blurb/enforce-domains >}} -## Third-party Hosts +### Enforce Third-party Hosts + | Hostname |Port |Protocol | |----------|-----|---------| | chainguard-cd-nvt30yluzzsmvk7t.edge.tenants.us.auth0.com | 443 | HTTPS | 
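Review bot: The `aliases` list added at the top of this hunk does not cover the URL of the page the commit deletes: `content/chainguard/chainguard-images/network-requirements.md` was served at `/chainguard/chainguard-images/network-requirements/`, but the alias added is `/chainguard/chainguard-images/reference/network-requirements/`, so existing links to the Images page would 404 instead of redirecting (assuming Hugo derives the old URL from the content path, which the deleted front matter does not override). Adding `- /chainguard/chainguard-images/network-requirements/` to the list would keep that redirect working. Separately, the note below the Images Third-party Hosts table refers to the wildcard as `*.rc.cloudflarestorage.com` while the table row above it lists `*.r2.cloudflarestorage.com`; since readers copy these names into allowlists, the note should read `*.r2.cloudflarestorage.com`. The Enforce Third-party Hosts table at the end of this hunk continues in the next one.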
@@ -46,16 +75,30 @@ This table lists the DNS hostnames, associated ports, and protocols that will ne
 | raw.githubusercontent.com | 443 | HTTPS |
 | storage.googleapis.com | 443 | HTTPS |
-## CIDR Ranges
+### Enforce CIDR Ranges
 For cluster and workload discovery to work, and to be able to communicate effectively to and from Chainguard Enforce, you will need to ensure access to and from the following CIDR ranges.
-If you are using Google GKE for your cluster, this page explains how to authorize our networks: [Add an authorized network to an existing cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#add).
+If you are using Google GKE for your cluster, this page explains how to authorize our networks: [Add an authorized network to an existing cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#add). If you are using Amazon EKS then refer to [Amazon EKS cluster endpoint access control](https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html).
 {{< blurb/enforce-ips >}}
+### Enforce JA3 Fingerprints
+
+Client traffic for each of the *.enforce.dev domains can be identified by the following JA3 fingerprint data:
+
+#### Fullstring
+```
+771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,0-5-10-11-13-65281-16-18-43-51,29-23-24-25,0
+```
+
+#### Fingerprint
+```
+3fed133de60c35724739b913924b6c24
+```
+
 ## Ingress and Egress
 Connections to the hosts listed on this page are generally initiated as new outbound connections. If you are using stateful firewall rules, then you will need to add symmetric rules to ensure that traffic flows correctly.
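Review bot: Renaming the heading to `### Enforce CIDR Ranges` breaks the in-page link `[CIDR Ranges](#cidr-ranges)` in the Enforce SaaS Access paragraph of the previous hunk, since Hugo derives heading ids from the heading text and `#cidr-ranges` no longer matches; the link target should become `#enforce-cidr-ranges`, or the heading should carry an explicit id. The relocated JA3 section gives a fingerprint with no caveat that JA3 values change whenever the client's TLS stack or cipher list changes, which matters for anyone keying firewall or IDS rules on it; a sentence such as `This fingerprint reflects the current client TLS configuration and may change with agent or library updates.` after the intro line would set expectations, in the same way the page already warns that the Cloudflare blob hostname may change. The Ingress and Egress section at the end of this hunk continues beyond it.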
@@ -70,16 +113,4 @@ Many of the hosts listed on this page use multiple DNS A records or CNAME aliase
 If your network filters traffic based on IP addresses, ensure that any firewalls update their rules at an appropriate interval to match the TTL for each DNS record.
-## JA3 Fingerprints
-Client traffic for each of the *.enforce.dev domains can be identified by the following JA3 fingerprint data:
-
-### Fullstring
-```
-771,49195-49199-49196-49200-52393-52392-49161-49171-49162-49172-156-157-47-53-49170-10-4865-4866-4867,0-5-10-11-13-65281-16-18-43-51,29-23-24-25,0
-```
-
-### Fingerprint
-```
-3fed133de60c35724739b913924b6c24
-```