Ports used by Kubernetes on the main nodes of a fault-tolerant cluster are shown in the table:
Protocol | Direction | Range of ports | Purpose | Used by |
TCP | inbound | 6443 | Kubernetes API server | all |
TCP | inbound | 2379-2380 | etcd server client API | kube-apiserver, etcd |
TCP | inbound | 10250 | kubelet API | self, control plane |
TCP | inbound | 10251 | kube-scheduler | self |
TCP | inbound | 10252 | kube-controller-manager | self |
Ports used by Kubernetes on the worker nodes of the cluster are shown in the table:
Protocol | Direction | Range of ports | Purpose | Used by |
TCP | inbound | 10250 | kubelet API | self, control plane |
TCP | inbound | 30000-32767 | nodePort Services | all |
The ports used by the RKE (Rancher Kubernetes Engine) node for outgoing connections are given in the table:
Protocol | Source | Range of ports | Destination | Description |
TCP | RKE node | 22 | all nodes specified in cluster configuration file | setup of node via SSH executed by RKE |
TCP | RKE node | 6443 | control plane nodes | Kubernetes API server |
NOTE. In this article, roles of main nodes and etcd nodes are combined.
Ports for incoming connections of control plane nodes are shown in the table:
Protocol | Source | Range of ports | Description |
TCP | any that consumes Ingress services | 80 | ingress controller (HTTP) |
TCP | any that consumes Ingress services | 443 | ingress controller (HTTPS) |
TCP | rancher nodes | 2376 | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
TCP | etcd nodes; control plane nodes; worker nodes | 6443 | Kubernetes API server |
UDP | etcd nodes; | 8472 | canal/flannel VXLAN overlay networking |
TCP | control plane node itself (local traffic, not across nodes) | 9099 | canal/flannel livenessProbe/readinessProbe |
TCP | control plane nodes | 10250 | kubelet |
TCP | control plane node itself (local traffic, not across nodes) | 10254 | ingress controller livenessProbe/readinessProbe |
TCP/UDP | any source that consumes NodePort services | 30000-32767 | NodePort port range |
Ports for outgoing connections of control plane nodes are shown in the table:
Protocol | Destination | Range of ports | Description |
TCP | rancher nodes | 443 | rancher agent |
TCP | etcd nodes | 2379 | etcd client requests |
TCP | etcd nodes | 2380 | etcd peer communication |
UDP | etcd nodes; control plane nodes; worker nodes | 8472 | canal/flannel VXLAN overlay networking |
TCP | control plane node itself (local traffic, not across nodes) | 9099 | canal/flannel livenessProbe/readinessProbe |
TCP | etcd nodes; control plane nodes; worker nodes | 10250 | kubelet |
TCP | control plane node itself (local traffic, not across nodes) | 10254 | ingress controller livenessProbe/readinessProbe |
Ports for incoming connections of worker nodes are shown in the table:
Protocol | Source | Range of ports | Description |
TCP | any network that you want to be able to remotely access this node from | 22 | remote access over SSH |
TCP | any that consumes Ingress services | 80 | ingress controller (HTTP) |
TCP | any that consumes Ingress services | 443 | ingress controller (HTTPS) |
TCP | rancher nodes | 2376 | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
UDP | etcd nodes; | 8472 | canal/flannel VXLAN overlay networking |
TCP | worker node itself (local traffic, not across nodes) | 9099 | canal/flannel livenessProbe/readinessProbe |
TCP | control plane nodes | 10250 | kubelet |
TCP | worker node itself (local traffic, not across nodes) | 10254 | ingress controller livenessProbe/readinessProbe |
TCP/UDP | any source that consumes NodePort services | 30000-32767 | NodePort port range |
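The following added example (not part of the original article or of Rancher/RKE) checks a worker node's listening sockets against the incoming-connection table above. It assumes the output of `ss -H -tuln` as input; the names `WORKER_INBOUND`, `SAMPLE_SS`, `parse_listeners` and `audit` are hypothetical, and the sample socket list is constructed.

```python
import ipaddress

# Worker-node inbound rows from the table above: (protocol, first port,
# last port, local_only). local_only = "local traffic, not across nodes".
WORKER_INBOUND = [
    ("tcp", 22, 22, False), ("tcp", 80, 80, False), ("tcp", 443, 443, False),
    ("tcp", 2376, 2376, False), ("udp", 8472, 8472, False),
    ("tcp", 9099, 9099, True), ("tcp", 10250, 10250, False),
    ("tcp", 10254, 10254, True),
    ("tcp", 30000, 32767, False), ("udp", 30000, 32767, False),
]

# Constructed sample of `ss -H -tuln` output (not captured from a real node).
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:8472       0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 4096   127.0.0.1:9099     0.0.0.0:*
tcp   LISTEN 0 4096   0.0.0.0:10254      0.0.0.0:*
tcp   LISTEN 0 4096         *:10250            *:*
tcp   LISTEN 0 4096      [::]:31080         [::]:*
tcp   LISTEN 0 128    0.0.0.0:3306       0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:6010       0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (proto, address, port) for every TCP/UDP socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        # Drop IPv6 brackets and any %interface suffix.
        yield fields[0], addr.strip("[]").split("%")[0], int(port)

def is_loopback(addr):
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit(ss_output, rules=WORKER_INBOUND):
    """Return (proto, port, reason) for listeners the table does not explain."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        rule = next((r for r in rules if r[0] == proto and r[1] <= port <= r[2]), None)
        if rule is None and not is_loopback(addr):
            findings.append((proto, port, "not in table"))
        elif rule and rule[3] and not is_loopback(addr):
            findings.append((proto, port, "local-only port listening on " + addr))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SS))
```

A "local-only" finding means the listener is reachable beyond loopback, so the host firewall has to be what keeps that port from other nodes.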
Ports for outgoing connections of worker nodes are shown in the table:
Protocol | Destination | Range of ports | Description |
TCP | rancher nodes | 443 | rancher agent |
TCP | control plane nodes | 6443 | Kubernetes API server |
UDP | etcd nodes; control plane nodes; worker nodes | 8472 | canal/flannel VXLAN overlay networking |
TCP | worker node itself (local traffic, not across nodes) | 9099 | canal/flannel livenessProbe/readinessProbe |
TCP | worker node itself (local traffic, not across nodes) | 10254 | ingress controller livenessProbe/readinessProbe |
See also:
Preparation and Deployment of Fault-Tolerant Cluster | Preparing Kubernetes Cluster