etcd nodes:
Nodes with the role etcd

etcd nodes - Inbound rules

Protocol  Port          Source                                            Description
TCP       2376          Rancher nodes                                     Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
TCP       2379          etcd nodes, controlplane nodes                    etcd client requests
TCP       2380          etcd nodes, controlplane nodes                    etcd peer communication
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe
TCP       10250         controlplane nodes                                kubelet

etcd nodes - Outbound rules

Protocol  Port          Destination                                       Description
TCP       443           Rancher nodes                                     Rancher agent
TCP       2379          etcd nodes                                        etcd client requests
TCP       2380          etcd nodes                                        etcd peer communication
TCP       6443          controlplane nodes                                Kubernetes apiserver
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe

controlplane nodes:
Nodes with the role controlplane

controlplane nodes - Inbound rules

Protocol  Port          Source                                            Description
TCP       80            Any that consumes Ingress services                Ingress controller (HTTP)
TCP       443           Any that consumes Ingress services                Ingress controller (HTTPS)
TCP       2376          Rancher nodes                                     Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
TCP       6443          etcd nodes, controlplane nodes, worker nodes      Kubernetes apiserver
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe
TCP       10250         controlplane nodes                                kubelet
TCP       10254         node itself only (see local node traffic note)    Ingress controller livenessProbe/readinessProbe
TCP/UDP   30000-32767   Any source that consumes NodePort services        NodePort port range

controlplane nodes - Outbound rules

Protocol  Port          Destination                                       Description
TCP       443           Rancher nodes                                     Rancher agent
TCP       2379          etcd nodes                                        etcd client requests
TCP       2380          etcd nodes                                        etcd peer communication
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe
TCP       10250         etcd nodes, controlplane nodes, worker nodes      kubelet
TCP       10254         node itself only (see local node traffic note)    Ingress controller livenessProbe/readinessProbe

worker nodes:
Nodes with the role worker

worker nodes - Inbound rules

Protocol  Port          Source                                            Description
TCP       80            Any that consumes Ingress services                Ingress controller (HTTP)
TCP       443           Any that consumes Ingress services                Ingress controller (HTTPS)
TCP       2376          Rancher nodes                                     Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe
TCP       10250         controlplane nodes                                kubelet
TCP       10254         node itself only (see local node traffic note)    Ingress controller livenessProbe/readinessProbe
TCP/UDP   30000-32767   Any source that consumes NodePort services        NodePort port range

worker nodes - Outbound rules

Protocol  Port          Destination                                       Description
TCP       443           Rancher nodes                                     Rancher agent
TCP       6443          controlplane nodes                                Kubernetes apiserver
UDP       8472          etcd nodes, controlplane nodes, worker nodes      Canal/Flannel VXLAN overlay networking
TCP       9099          node itself only (see local node traffic note)    Canal/Flannel livenessProbe/readinessProbe
TCP       10254         node itself only (see local node traffic note)    Ingress controller livenessProbe/readinessProbe

Information on local node traffic

Kubernetes health checks (livenessProbe and readinessProbe) for the Canal/Flannel and ingress controller pods are executed on the host itself, which is why ports 9099 and 10254 are listed with the node itself as source and destination rather than with other nodes. On most nodes this local traffic is allowed by default. When you have applied strict host firewall (e.g. iptables) policies on the node, or when the nodes have multiple interfaces (multihomed), this traffic can be blocked. In that case you have to explicitly allow it in the host firewall, or, for nodes hosted in a public or private cloud (e.g. AWS or OpenStack), in the security group configuration. Keep in mind that when you use a security group as the Source or Destination of a rule, the rule only applies to the private interface of the nodes/instances.
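The rule matrix above and the local node traffic note, as a runnable added example (written for this page, not Rancher's own code or tooling): it transcribes the inbound tables into data, emits iptables INPUT rules for a node of a given role, and audits a list of security-group entries for ports opened wider than the matrix allows, which is the mistake that most often exposes etcd (2379/2380) or the kubelet (10250) to the whole network. The subnets in ROLE_CIDRS, the function names and the sample security-group entries are constructed for the example and must be replaced with your own addressing.

```python
"""Host-firewall rules and an exposure check derived from the RKE port matrix.

Added example, not Rancher's own code. ROLE_CIDRS is constructed addressing,
one subnet per role; replace it with the real subnets of each role.
"""
from typing import Dict, List, Tuple

ROLE_CIDRS: Dict[str, List[str]] = {  # hypothetical subnets for the example
    "rancher": ["10.0.0.0/28"],
    "etcd": ["10.0.1.0/24"],
    "controlplane": ["10.0.2.0/24"],
    "worker": ["10.0.3.0/24"],
}

# Inbound rules per role, transcribed from the tables on this page.
# Sources: role names, "any" (unrestricted), or "local" (node itself only).
Rule = Tuple[str, str, List[str]]  # (protocol, port or range, sources)
INBOUND: Dict[str, List[Rule]] = {
    "etcd": [
        ("tcp", "2376", ["rancher"]),
        ("tcp", "2379", ["etcd", "controlplane"]),
        ("tcp", "2380", ["etcd", "controlplane"]),
        ("udp", "8472", ["etcd", "controlplane", "worker"]),
        ("tcp", "9099", ["local"]),
        ("tcp", "10250", ["controlplane"]),
    ],
    "controlplane": [
        ("tcp", "80", ["any"]),
        ("tcp", "443", ["any"]),
        ("tcp", "2376", ["rancher"]),
        ("tcp", "6443", ["etcd", "controlplane", "worker"]),
        ("udp", "8472", ["etcd", "controlplane", "worker"]),
        ("tcp", "9099", ["local"]),
        ("tcp", "10250", ["controlplane"]),
        ("tcp", "10254", ["local"]),
        ("tcp", "30000-32767", ["any"]),
        ("udp", "30000-32767", ["any"]),
    ],
    "worker": [
        ("tcp", "80", ["any"]),
        ("tcp", "443", ["any"]),
        ("tcp", "2376", ["rancher"]),
        ("udp", "8472", ["etcd", "controlplane", "worker"]),
        ("tcp", "9099", ["local"]),
        ("tcp", "10250", ["controlplane"]),
        ("tcp", "10254", ["local"]),
        ("tcp", "30000-32767", ["any"]),
        ("udp", "30000-32767", ["any"]),
    ],
}


def iptables_rules(role: str, node_driver: bool = False,
                   role_cidrs: Dict[str, List[str]] = ROLE_CIDRS) -> List[str]:
    """Return iptables-restore style INPUT rules for a node of the given role.

    The loopback accept at the top is what keeps the "local" probe ports
    (9099, 10254) reachable under the final DROP; those rows therefore
    produce no separate rule.
    """
    rules = [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port, sources in INBOUND[role]:
        if port == "2376" and not node_driver:
            continue  # only needed when Rancher provisions nodes via Node Driver/Templates
        dport = port.replace("-", ":")  # iptables writes ranges as low:high
        for src in sources:
            if src == "local":
                continue
            if src == "any":
                rules.append(f"-A INPUT -p {proto} --dport {dport} -j ACCEPT")
                continue
            for cidr in role_cidrs[src]:
                rules.append(f"-A INPUT -p {proto} -s {cidr} --dport {dport} -j ACCEPT")
    rules.append("-A INPUT -j DROP")
    return rules


def exposure_findings(role: str, sg_rules: List[Tuple[str, str, str]],
                      role_cidrs: Dict[str, List[str]] = ROLE_CIDRS) -> List[str]:
    """Flag security-group entries (protocol, port, source CIDR) that open a
    port to a source the matrix does not list for this role.

    A CIDR is permitted only if it is exactly one of the CIDRs of a permitted
    role; 0.0.0.0/0 is never permitted on a role-restricted or local-only port.
    """
    findings = []
    by_port = {(p, port): srcs for p, port, srcs in INBOUND[role]}
    for proto, port, cidr in sg_rules:
        sources = by_port.get((proto, port))
        if sources is None:
            findings.append(f"{proto}/{port} from {cidr}: not required on {role} nodes")
            continue
        if "any" in sources:
            continue
        permitted = {c for r in sources if r != "local" for c in role_cidrs.get(r, [])}
        if cidr not in permitted:
            findings.append(f"{proto}/{port} from {cidr}: only {', '.join(sources)} allowed")
    return findings


if __name__ == "__main__":
    print("\n".join(iptables_rules("etcd")))
```

The emitted list ends with an unconditional DROP, so any management access you need (SSH, monitoring) has to be appended before that line. The conntrack rule admits replies to the node's own outbound connections, which is why the outbound tables need no INPUT counterpart. Treat any finding from exposure_findings on 2379, 2380, 6443 or 10250 as a priority fix: a client that can reach etcd's client port with its credentials can read every secret in the cluster.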