Configuring the cluster-wide proxy
Review the sites that your cluster requires access to and determine whether any of them must bypass the proxy. By default, all cluster system egress traffic is proxied, including calls to the cloud provider API for the cloud that hosts your cluster. System-wide proxy affects system components only, not user workloads. Add sites to the Proxy object's spec.noProxy field to bypass the proxy if necessary.
The Proxy object is used to manage the cluster-wide egress proxy. When a cluster is installed or upgraded without the proxy configured, a Proxy object is still generated but it will have a nil spec. For example:
A cluster administrator can configure the proxy for OKD by modifying this cluster Proxy object.
Only the Proxy object named |
Prerequisites
Cluster administrator permissions
Procedure
Create a ConfigMap that contains any additional CA certificates required for proxying HTTPS connections.
Create a file called user-ca-bundle.yaml with the following contents, and provide the values of your PEM-encoded certificates:
apiVersion: v1
data:
  ca-bundle.crt: | (1)
    <MY_PEM_ENCODED_CERTS> (2)
kind: ConfigMap
metadata:
  name: user-ca-bundle (3)
  namespace: openshift-config (4)
1 This data key must be named ca-bundle.crt.
2 One or more PEM-encoded X.509 certificates used to sign the proxy's identity certificate.
3 The ConfigMap name that will be referenced from the Proxy object.
4 The ConfigMap must be in the openshift-config namespace.
Create the ConfigMap from this file:
Configure the necessary fields for the proxy:
Save the file to apply the changes.
The URL scheme must be |
The cluster Proxy object cannot be deleted. To remove the proxy from a cluster, remove all spec fields from the Proxy object.
Prerequisites
Cluster administrator permissions
OKD oc CLI tool installed
Procedure
Use the oc edit command to modify the proxy:
$ oc edit proxy/cluster
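The ConfigMap requirements listed in the callouts above can be checked offline before the Proxy object is edited. The following Python pre-flight check is an added example, not part of the OKD documentation or tooling. It assumes the manifests are already parsed into dicts and that the Proxy object references the ConfigMap through spec.trustedCA.name, a field this page does not show; the function names and sample manifests are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def check_ca_configmap(cm):
    """Return the problems found in a parsed ConfigMap manifest (a dict)."""
    problems = []
    if cm.get("kind") != "ConfigMap":
        problems.append("kind is not ConfigMap")
    if cm.get("metadata", {}).get("namespace") != "openshift-config":
        problems.append("ConfigMap is not in the openshift-config namespace")
    bundle = cm.get("data", {}).get("ca-bundle.crt")
    if bundle is None:
        return problems + ["data key ca-bundle.crt is missing"]
    blocks = PEM_RE.findall(bundle)
    if not blocks:
        problems.append("ca-bundle.crt holds no PEM certificate block")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        # Structural check only: DER certificates start with a SEQUENCE tag.
        if not der.startswith(b"\x30"):
            problems.append(f"certificate {i}: not a DER SEQUENCE")
    return problems

def check_proxy_reference(proxy, cm):
    """Check that spec.trustedCA.name (assumed field) names this ConfigMap."""
    # "or {}" covers a Proxy object whose spec is nil.
    ref = ((proxy.get("spec") or {}).get("trustedCA") or {}).get("name")
    name = cm.get("metadata", {}).get("name")
    if ref != name:
        return [f"Proxy trustedCA.name {ref!r} does not match ConfigMap {name!r}"]
    return []

# Constructed sample input: the PEM body is a minimal DER SEQUENCE, not a real CA.
_body = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CM = {"apiVersion": "v1", "kind": "ConfigMap",
           "metadata": {"name": "user-ca-bundle", "namespace": "openshift-config"},
           "data": {"ca-bundle.crt":
                    f"-----BEGIN CERTIFICATE-----\n{_body}\n-----END CERTIFICATE-----\n"}}
BAD_CM = {"apiVersion": "v1", "kind": "ConfigMap",
          "metadata": {"name": "user-ca-bundle", "namespace": "default"},
          "data": {"ca-bundle.crt": "<MY_PEM_ENCODED_CERTS>"}}
PROXY = {"kind": "Proxy", "spec": {"trustedCA": {"name": "user-ca-bundle"}}}
```

The check is structural only: it catches a leftover placeholder, a wrong namespace or key, and a damaged PEM body, but it does not verify that a certificate is a valid CA or that it signed the proxy's identity certificate.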