If the infrastructure that Deckhouse Kubernetes Platform (DKP) runs on must restrict host-to-host network communication, the following conditions have to be met:
- Tunneling mode for traffic between pods is enabled (see the configuration for CNI Cilium or for CNI Flannel).
- Traffic within podSubnetCIDR that is encapsulated in VXLAN is allowed (relevant if traffic inside the VXLAN tunnel is inspected and filtered).
- If DKP integrates with external systems (e.g. LDAP, SMTP, or other external APIs), network communication with them must be allowed.
- Local network communication is fully allowed within each individual cluster node.
- Inter-node communication is allowed on the ports listed in the tables on this page. Note that most ports are in the 4200-4299 range; new platform components are assigned ports from this range where possible.
Changes related to adding, removing, or reassigning ports in the tables are listed in the “Network” section of the respective DKP version on the Release notes page.
Traffic between master nodes
Port | Protocol | Purpose |
---|---|---|
2379, 2380 | TCP | etcd replication |
4200 | TCP | Cluster API webhook handler |
4201 | TCP | Webhook handler for VMware Cloud Director cloud provider |
4223 | TCP | Deckhouse controller webhook handler |
Traffic from master nodes to regular nodes
Port | Protocol | Purpose |
---|---|---|
22 | TCP | SSH for static node bootstrapping by the static provider |
10250 | TCP | kubelet |
4221 | TCP | bashible apiserver for delivering node configurations |
4227 | TCP | runtime-audit-engine webhook handler |
Traffic from nodes to master nodes
Port | Protocol | Purpose |
---|---|---|
4234 | UDP | NTP for time synchronization between nodes |
6443 | TCP | kube-apiserver for controllers working in the node’s host network namespace |
4203 | TCP | machine-controller-manager metrics |
4219 | TCP | registry-packages-proxy, the proxy for registry packages |
4222 | TCP | Deckhouse controller metrics |
Traffic between nodes
Port | Protocol | Purpose |
---|---|---|
n/a | ICMP | ICMP for node-to-node connectivity monitoring |
4202 | TCP | sds-node-configurator node agent metrics |
4204 | TCP | Deckhouse controller debug |
4205 | TCP | ebpf-exporter module metrics |
4206 | TCP | node-exporter module metrics |
4207 | TCP | ingress-nginx controller metrics for the HostWithFailover inlet |
4208 | TCP | ingress-nginx controller metrics for the HostWithFailover inlet |
4209 | TCP | Kubernetes control plane metrics |
4210 | TCP | kube-proxy metrics |
4211 | TCP | Cluster API metrics |
4212 | TCP | runtime-audit-engine module metrics |
4213 | TCP | kube-router metrics |
4214 | TCP | API of the sds-replicated-volume module agent |
4215 | TCP | sds-replicated-volume agent metrics |
4218 | TCP/UDP | Synchronization of the speaker components in metallb modules via memberlist protocol |
4220 | TCP | Metrics of the speaker components in metallb modules |
4224 | TCP | node-local-dns metrics |
4225 | TCP/UDP | Synchronization of the speaker components in metallb modules via memberlist protocol |
4226 | TCP | Metrics of the speaker components in metallb modules |
4229 | TCP | csi-nfs CSI controller healthcheck |
4230 | TCP | csi-nfs CSI node healthcheck |
4231 | TCP | csi-hpe CSI controller healthcheck |
4232 | TCP | csi-hpe CSI node healthcheck |
4235 | TCP | csi-s3 CSI controller healthcheck |
4236 | TCP | csi-s3 CSI node healthcheck |
4237 | TCP | csi-scsi-generic CSI controller healthcheck |
4238 | TCP | csi-scsi-generic CSI node healthcheck |
4240 | TCP | CNI Cilium node-to-node healthcheck |
4241 | TCP | CNI Cilium agent metrics |
4242 | TCP | CNI Cilium operator metrics |
4244 | TCP | cilium-hubble module API |
4245 | TCP | chrony-exporter metrics |
4246 | TCP | csi-ceph CephFS CSI controller healthcheck |
4247 | TCP | csi-ceph RBD CSI controller healthcheck |
4248 | TCP | csi-yadro-tatlin-unified CSI controller healthcheck |
4249 | TCP | csi-yadro-tatlin-unified CSI node healthcheck |
4250 | TCP | sds-local-volume CSI controller healthcheck |
4251 | TCP | sds-local-volume CSI node healthcheck |
4252 | TCP | csi-ceph RBD CSI node healthcheck |
4253 | TCP | csi-ceph CephFS CSI node healthcheck |
4254 | TCP | csi-netapp CSI controller healthcheck |
4255 | TCP | csi-netapp CSI node healthcheck |
4256 | TCP | csi-netapp CSI controller metrics |
4257 | TCP | csi-netapp CSI controller API port |
4258 | TCP | csi-huawei CSI controller webhook port |
4259 | TCP | csi-huawei CSI node healthcheck |
4260 | TCP | csi-huawei CSI controller metrics |
4261 | TCP | sds-replicated-volume CSI controller healthcheck |
4262 | TCP | sds-replicated-volume CSI node healthcheck |
4263 | TCP | service-with-healthchecks module metrics |
4269 | TCP | sds-replicated-volume CSI node healthcheck |
4270 | TCP | sds-replicated-volume CSI node metrics |
4286 | TCP | Istio CNI metrics |
4287 | UDP | WireGuard port for traffic encryption in CNI Cilium |
4288 | TCP | monitoring-ping metrics |
4289 | TCP | monitoring-ping metrics |
4295-4299 | UDP | VXLAN for pod-to-pod traffic encapsulation |
7000-7999 | TCP | sds-replicated-volume DRBD replication |
8469, 8472 | UDP | VXLAN for pod-to-pod traffic encapsulation |
External traffic to master nodes
Port | Protocol | Purpose |
---|---|---|
22 | TCP | SSH for initializing Deckhouse Kubernetes Platform |
6443 | TCP | Direct access to the apiserver |
External traffic to frontend nodes
Port | Protocol | Purpose |
---|---|---|
80, 443 | TCP | Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in the IngressNginxController resource and may vary across installations |
5416 | UDP | OpenVPN |
5416 | TCP | OpenVPN |
10256 | TCP | Healthcheck port for external balancers |
30000-32767 | TCP | NodePort range |
External traffic for all nodes
Port | Protocol | Purpose |
---|---|---|
53 | UDP | DNS |
53 | TCP | DNS |
123 | UDP | NTP for synchronization with external time servers |
443 | TCP | Container registry |
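As an added example (not part of the DKP documentation), the following Python script parses port tables in the column layout used on this page and renders them as nftables accept rules, so that a node firewall can allow only the listed inter-node traffic. The table excerpt, the source network 10.0.0.0/24 and the function names are constructed for illustration.

```python
import re

# Constructed excerpt in the same column layout as the page's tables (not the full list).
PAGE_EXCERPT = """\
Traffic between master nodes
Port | Protocol | Purpose |
---|---|---|
2379, 2380 | TCP | etcd replication |
Traffic between nodes
Port | Protocol | Purpose |
---|---|---|
ICMP | ICMP for node-to-node connectivity monitoring | |
4218 | TCP/UDP | Synchronization of the speaker components in metallb modules via memberlist protocol |
4295-4299 | UDP | VXLAN for pod-to-pod traffic encapsulation |
"""
PORT_RE = re.compile(r"^(\d+)(?:-(\d+))?$")  # a single port or a lo-hi range

def parse_port_tables(text):
    """Map each section title to a list of (proto, port_ranges, purpose) entries."""
    tables, section = {}, None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 1 and cells[0]:            # section title line
            section = cells[0]
            tables[section] = []
        elif cells[0] in ("Port", "---") or not cells[0]:
            continue                                # header, separator or blank line
        elif "ICMP" in cells[:2]:                   # ICMP row, with or without a port column
            tables[section].append(("icmp", [], cells[2] or cells[1]))
        else:
            ranges = []
            for part in cells[0].split(","):        # "2379, 2380" and "4295-4299" forms
                m = PORT_RE.match(part.strip())
                if not m:
                    raise ValueError(f"unrecognized port spec: {cells[0]!r}")
                lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
                ranges.append((lo, hi))
            for proto in cells[1].split("/"):       # "TCP/UDP" becomes one entry per protocol
                tables[section].append((proto.lower(), ranges, cells[2]))
    return tables

def nft_accept_rules(entries, src_cidr):
    """Render nftables input-chain rules that accept only the listed traffic from src_cidr."""
    def match(proto, ranges):
        if proto == "icmp":
            return "ip protocol icmp"
        ports = [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges]
        return f"{proto} dport " + (ports[0] if len(ports) == 1 else "{ " + ", ".join(ports) + " }")
    return [f'ip saddr {src_cidr} {match(p, r)} accept comment "{purpose}"' for p, r, purpose in entries]
```

Feed it the full tables for a node's role and add the resulting lines to the node's input chain after the established/related rule; everything else from the node network can then be dropped.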