Do I need to open ports in the firewall for the embedded registry mirror to work?

[vitobotta]

Hi, I am the author of a tool to quickly and easily create Kubernetes clusters in Hetzner Cloud (https://github.com/vitobotta/hetzner-k3s) and in what will be the next major version my tool also installs Spegel with Helm.

This is working fine and it seems I don't need to open any ports in the firewall if I am using only the public network for the communication between the nodes (Hetzner Cloud does have private networks but these support max 100 nodes per network so they cannot be used to create larger clusters).

However I am aware now that k3s also embeds Spegel, so I'd like to use the embedded registry mirror instead of installing Spegel via Helm.

Does the embedded registry mirror require me to open ports in the firewall (6443 and 5001) if I am using the public network?

Second question: from reading previous discussions I understood that the --embedded-registry flag is a server flag so there is no need to specify it also for agents. What about the registries.yaml file? Does it need to be created only on server nodes or agent nodes too?

Thanks in advance for any clarification.

Edit: found the answer to the second question in https://docs.k3s.io/installation/private-registry:

If you want to use a private registry as a mirror for a public registry such as docker.io, then you will need to configure registries.yaml on each node that you want to use the mirror.

[vitobotta]

An update as I am still investigating this. The embedded registry seems to be started on the server nodes (I can see with lsof that something is listening on port 5001), but not on any workers. So I think this is why embedded Spegel is not working for me. But we cannot use the --embedded-registry flag for agents, so what's the fix?

[brandond]

Reference the documentation at https://docs.k3s.io/installation/registry-mirror. This lists the required flags, ports, and steps necessary to enable upstream registries for mirroring.