etcd nodes:
Nodes with the role etcd

Inbound rules:

Protocol | Port | Source | Description |
---|---|---|---|
TCP | 2376 | | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
TCP | 2379 | | etcd client requests |
TCP | 2380 | | etcd peer communication |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | | kubelet |
Outbound rules:

Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | | Rancher agent |
TCP | 2379 | | etcd client requests |
TCP | 2380 | | etcd peer communication |
TCP | 6443 | | Kubernetes apiserver |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
controlplane nodes:
Nodes with the role controlplane

Inbound rules:

Protocol | Port | Source | Description |
---|---|---|---|
TCP | 80 | | Ingress controller (HTTP) |
TCP | 443 | | Ingress controller (HTTPS) |
TCP | 2376 | | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
TCP | 6443 | | Kubernetes apiserver |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | | kubelet |
TCP | 10254 | | Ingress controller livenessProbe/readinessProbe |
TCP/UDP | 30000-32767 | | NodePort port range |
Outbound rules:

Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | | Rancher agent |
TCP | 2379 | | etcd client requests |
TCP | 2380 | | etcd peer communication |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | | kubelet |
TCP | 10254 | | Ingress controller livenessProbe/readinessProbe |
worker nodes:
Nodes with the role worker

Inbound rules:

Protocol | Port | Source | Description |
---|---|---|---|
TCP | 80 | | Ingress controller (HTTP) |
TCP | 443 | | Ingress controller (HTTPS) |
TCP | 2376 | | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | | kubelet |
TCP | 10254 | | Ingress controller livenessProbe/readinessProbe |
TCP/UDP | 30000-32767 | | NodePort port range |
Outbound rules:

Protocol | Port | Destination | Description |
---|---|---|---|
TCP | 443 | | Rancher agent |
TCP | 6443 | | Kubernetes apiserver |
UDP | 8472 | | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10254 | | Ingress controller livenessProbe/readinessProbe |
Kubernetes health checks (livenessProbe and readinessProbe) are executed from the host itself, so the probe traffic to ports 9099 and 10254 originates on the node being probed. On most nodes this is allowed by default. When you have applied a strict host firewall policy (e.g. iptables) on the node, or when your nodes have multiple interfaces (multihomed), this traffic can get blocked and the Canal/Flannel and ingress controller pods never become ready. In that case you have to explicitly allow this traffic in the host firewall, or, for nodes hosted in a public/private cloud (e.g. AWS or OpenStack), in your security group configuration. Keep in mind that when you use a security group as the Source or Destination of a rule, that rule applies only to the private interface of the nodes/instances; traffic that leaves via a public interface is not matched by it.