Communication requirements

Traffic and communication requirements of CAST AI.

This document outlines the communication requirements for CAST AI components to function properly within your Kubernetes environment. Ensuring these requirements are met is crucial for optimal performance and connectivity with CAST AI services.

Network requirements

CAST AI Deployments and DaemonSets

To allow CAST AI components to communicate with CAST AI SaaS, ensure that your network allows outbound connections to the following endpoints:

US Console:

  • api.cast.ai:443
  • grpc.cast.ai:443 (Pod pinner only)
  • api-grpc.cast.ai:443 (Kvisor security agent)

EU Console:

  • api.eu.cast.ai:443
  • grpc.eu.cast.ai:443 (Pod pinner only)
  • api-grpc.eu.cast.ai:443 (Kvisor security agent)

IP Addresses

If DNS allowlisting is not possible in your outbound infrastructure (firewall, NAT, Security Group, etc.), you can allowlist the following dedicated IP addresses:

104.16.81.56
104.16.82.56

Container registry

Allow outbound access to pull CAST AI images:

  • us-docker.pkg.dev/castai-hub:443

Helm charts

For Helm chart access, allow:

  • castai.github.io:443
  • objects.githubusercontent.com:443

Node binaries

Allow access to CAST AI node components:

Node startup logs upload

For uploading kubelet and driver errors:

Use CAST AI components behind a proxy

If your organization uses a proxy to access public network resources, configure the CAST AI components with the appropriate proxy settings.

Here's an example castai-agent deployment on a GKE cluster:

...
            containers:
                - env:
                    - name: API_URL
                      value: api.cast.ai
                    - name: PROVIDER
                      value: gke
                    - name: MONITOR_METADATA
                      value: /agent-metadata/metadata
                    - name: PPROF_PORT
                      value: "6060"
                    - name: HTTP_PROXY
                      value: "http://<proxyaddress>:<port-if-needed>"
                    - name: HTTPS_PROXY
                      value: "https://<proxyaddress>:<port-if-needed>"
                    - name: NO_PROXY
                      value: "localhost,<pod cidr>,<svc cidr>,*.cluster.local,googleapis.com,metadata.google.internal"
                  envFrom:
                    - secretRef:
                        name: castai-agent
                  image: us-docker.pkg.dev/castai-hub/library/agent:v0.48.1
...

Add the environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY to the castai-agent deployment.

Important: Make sure that NO_PROXY has the correct settings that match your environment to prevent sending Kubernetes-internal traffic to the external proxy!

Special configurations

Istio on GKE requirement for CAST AI components

When using Istio on GKE, additional configuration is required for the CAST AI components to communicate with the CAST AI SaaS:

  • Include port ["15017"] in the cluster's firewall_inbound_ports.
  • Set add_master_webhook_firewall_rules to true.

Example GKE Terraform configuration:

add_master_webhook_firewall_rules = true
firewall_inbound_ports            = ["15017"]

Troubleshooting

If you encounter connectivity issues:

  • Verify all required endpoints and IP addresses are allowlisted in your network configuration.
  • Check proxy settings if applicable.
  • Ensure correct NO_PROXY configuration to avoid routing internal cluster traffic through the proxy.
  • Review cluster logs for any connection errors.
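
To check a NO_PROXY value against the warning in the proxy section and the NO_PROXY item above, this added example (not CAST AI code) lists which internal destinations would still be routed to the external proxy. It assumes the component follows the NO_PROXY rules documented for Go's golang.org/x/net/http/httpproxy package (CIDR ranges, literal IPs, domain suffixes); port-qualified entries are not handled, and the CIDR ranges and host list are constructed samples.

```python
import ipaddress

def parse_no_proxy(value):
    """Split NO_PROXY into CIDR networks, literal IPs and domain suffixes."""
    nets, ips, domains = [], [], []
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    for entry in entries:
        try:
            if "/" in entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                ips.append(ipaddress.ip_address(entry))
        except ValueError:  # not an IP or CIDR: treated as a domain entry
            entry = entry[1:] if entry.startswith("*.") else entry
            exact = not entry.startswith(".")  # "foo.com" also matches itself
            domains.append(("." + entry if exact else entry, exact))
    return nets, ips, domains, "*" in entries  # lone "*" disables proxying

def bypasses_proxy(host, parsed):
    """True if a request to host goes direct, False if it goes to the proxy."""
    nets, ips, domains, bypass_all = parsed
    host = host.strip().lower()
    if host == "localhost" or bypass_all:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # hostnames are only compared with domain entries
        return any(host.endswith(suffix) or (exact and host == suffix[1:])
                   for suffix, exact in domains)
    return ip.is_loopback or ip in ips or any(ip in net for net in nets)

def leaked_to_proxy(no_proxy, internal_hosts):
    """Internal destinations that this NO_PROXY value would send to the proxy."""
    parsed = parse_no_proxy(no_proxy)
    return [h for h in internal_hosts if not bypasses_proxy(h, parsed)]

# Constructed sample values; substitute your cluster's real ranges and names.
POD_CIDR, SVC_CIDR = "10.0.0.0/14", "10.4.0.0/20"
INTERNAL = ["10.1.2.3", "10.4.0.1", "kubernetes.default.svc.cluster.local",
            "metadata.google.internal", "localhost"]
GOOD = f"localhost,{POD_CIDR},{SVC_CIDR},*.cluster.local,googleapis.com,metadata.google.internal"
BAD = f"localhost,{POD_CIDR}{SVC_CIDR},*.cluster.local,googleapis.com,metadata.google.internal"

if __name__ == "__main__":
    print("well-formed value leaks:", leaked_to_proxy(GOOD, INTERNAL))
    print("CIDRs run together leaks:", leaked_to_proxy(BAD, INTERNAL))
```

An empty list means every listed internal destination bypasses the proxy; the second case shows that a single missing comma between two CIDR entries silently sends pod and service traffic to the proxy.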