Communication requirements
Traffic and communication requirements of CAST AI.
This document outlines the communication requirements for CAST AI components to function properly within your Kubernetes environment. Ensuring these requirements are met is crucial for optimal performance and connectivity with CAST AI services.
Network requirements
CAST AI Deployments and DaemonSets
To allow CAST AI components to communicate with CAST AI SaaS, ensure that your network allows outbound connections to the following endpoints:
US Console:
api.cast.ai:443
grpc.cast.ai:443 (Pod pinner only)
api-grpc.cast.ai:443 (Kvisor security agent)
EU Console:
api.eu.cast.ai:443
grpc.eu.cast.ai:443 (Pod pinner only)
api-grpc.eu.cast.ai:443 (Kvisor security agent)
IP Addresses
If DNS allowlisting is not possible in your outbound infrastructure (firewall, NAT, Security Group, etc.), you can allowlist the following dedicated IP addresses:
104.16.81.56
104.16.82.56
Container registry
Allow outbound access to pull CAST AI images:
us-docker.pkg.dev/castai-hub:443
Helm charts
For Helm chart access, allow:
castai.github.io:443
objects.githubusercontent.com:443
Node binaries
Allow access to CAST AI node components:
Node startup logs upload
For uploading kubelet and driver errors:
Use CAST AI components behind a proxy
If your organization uses a proxy to access public network resources, configure the CAST AI components with the appropriate proxy settings.
Here's an example castai-agent deployment on a GKE cluster:
...
containers:
  - env:
      - name: API_URL
        value: api.cast.ai
      - name: PROVIDER
        value: gke
      - name: MONITOR_METADATA
        value: /agent-metadata/metadata
      - name: PPROF_PORT
        value: "6060"
      # Outbound proxy used to reach public endpoints
      - name: HTTP_PROXY
        value: "http://<proxyaddress>:<port-if-needed>"
      - name: HTTPS_PROXY
        value: "https://<proxyaddress>:<port-if-needed>"
      # Comma-separated destinations that must bypass the proxy
      - name: NO_PROXY
        value: "localhost,<pod cidr>,<svc cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
    envFrom:
      - secretRef:
          name: castai-agent
    image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1
...
Add the environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY to the castai-agent deployment.
Important
Make sure that NO_PROXY has the correct settings that match your environment to prevent sending Kubernetes-internal traffic to the external proxy!
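One way to check a NO_PROXY value before rolling it out, as an added example that is not CAST AI's code: it lists which cluster-internal destinations would still be sent to the proxy. It assumes NO_PROXY entries match as CIDR blocks, literal IPs and domain suffixes (HTTP clients differ in detail); the CIDRs, addresses and hostnames are constructed sample values.

```python
import ipaddress

def bypasses_proxy(host, no_proxy):
    """True if `host` matches a NO_PROXY entry, i.e. is sent direct.

    Assumed rules: CIDR blocks and literal IPs match IP hosts; "example.com",
    ".example.com" and "*.example.com" match by domain suffix; "*" matches all.
    """
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # host is a DNS name
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if entry == "*":
            return True
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None                 # entry is a domain (or malformed)
        if ip is not None:
            if net is not None and ip in net:
                return True
            continue                   # IP hosts never match domain entries
        if net is not None:
            continue                   # DNS names never match IP/CIDR entries
        bare = entry.lstrip("*").lstrip(".")
        wildcard_only = entry.startswith(("*.", "."))
        if host.endswith("." + bare) or (host == bare and not wildcard_only):
            return True
    return False

def leaked_to_proxy(no_proxy, destinations):
    """Destinations that would be routed through the proxy."""
    return [d for d in destinations if not bypasses_proxy(d, no_proxy)]

# Constructed sample values: pod CIDR 10.8.0.0/14, service CIDR 10.12.0.0/20.
INTERNAL = ["localhost", "10.8.3.17", "10.12.0.1",
            "kubernetes.default.svc.cluster.local",
            "metadata.google.internal", "storage.googleapis.com"]
GOOD = ("localhost,10.8.0.0/14,10.12.0.0/20,*.cluster.local,"
        "googleapis.com,metadata.google.internal")
BAD = GOOD.replace("10.8.0.0/14,", "10.8.0.0/14")  # CIDRs run together

if __name__ == "__main__":
    print("good:", leaked_to_proxy(GOOD, INTERNAL))
    print("bad: ", leaked_to_proxy(BAD, INTERNAL))
```

With the two CIDRs run together, the malformed entry matches nothing, so pod and service IPs fall through to the proxy while the hostname entries still bypass it.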
Special configurations
Istio on GKE requirement for CAST AI components
When using Istio on GKE, additional configuration is required for the CAST AI components to communicate with the CAST AI SaaS:
- Include port ["15017"] in the cluster's firewall_inbound_ports.
- Set add_master_webhook_firewall_rules to true.
Example GKE Terraform configuration:
add_master_webhook_firewall_rules = true
firewall_inbound_ports = ["15017"]
Troubleshooting
If you encounter connectivity issues:
- Verify all required endpoints and IP addresses are allowlisted in your network configuration.
- Check proxy settings if applicable.
- Ensure correct NO_PROXY configuration to avoid routing internal cluster traffic through the proxy.
- Review cluster logs for any connection errors.