Registry Proxy Recommendations

To help secure your Kyma cluster and protect access to private container registries, follow these recommendations.

Exclude NodePort Range From VPC Peering Routes

The Registry Proxy module uses the Kubernetes NodePort service, accessible on ports 30000-32767 from all cluster nodes. If an attacker compromises the cluster network, they can use the NodePort service to potentially gain access to the private registry (provided they have the credentials to access it). You can mitigate this risk by excluding the NodePort range (30000-32767) from VPC Peering Routes.

Istio Service Mesh

Tutorials

Technical Reference

Troubleshooting

Tutorials

Expose a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Expose and Secure a Workload

Use APIRule v2

Use APIRule v2alpha1

Use APIRule v1beta1

Security

Custom Resources

APIGateway Custom Resource

APIRule Custom Resource

v2

v2alpha1

v1beta1

APIRule Migration

Technical Reference

Troubleshooting Guides

APIRule and Service Connection Issues

APIRule v2

APIRule v2alpha1

APIRule v1beta1

External DNS Management Errors

APIRule v2 Introduction

Resources

Tutorials

Technical Reference

Runtime Agent

Tutorials

Resources

Tutorials

Register a Service

VPC Peering

Resources

Tutorials

Tutorials

Resources

Resources

Troubleshooting

Tutorials

Resources

Technical Reference

Troubleshooting Guides

Collecting Logs

Collecting Traces

Collecting Metrics

Filtering and Processing Data

Integrate with your OTLP Backend

Architecture

Integration Guides

Resources

Tutorials

Resources

Technical Reference

Tutorials

Commands

Registry Proxy Recommendations ​

Exclude NodePort Range From VPC Peering Routes ​

Registry Proxy Recommendations

Exclude NodePort Range From VPC Peering Routes