If the infrastructure where Deckhouse Kubernetes Platform is running has requirements to limit host-to-host network communications, the following conditions must be met:

  • Tunneling mode for traffic between pods is enabled (configuration for CNI Cilium, configuration for CNI Flannel).
  • Traffic between podSubnetCIDR encapsulated within a VXLAN is allowed (if inspection and filtering of traffic within a VXLAN tunnel is performed).
  • If there is integration with external systems (e.g. LDAP, SMTP or other external APIs), it is required to allow network communication with them.
  • Local network communication is fully allowed within each individual cluster node.
  • Inter-node communication is allowed on the ports shown in the tables on the current page. Note that most ports are in the 4200-4299 range. When new platform components are added, they will be assigned ports from this range (if it is possible).

Master to master nodes traffic

Port Protocol Purpose
2379, 2380 TCP etcd replication
4200 TCP Cluster API webhook handler
4201 TCP VMware Cloud Director cloud provider webhook handler
4223 TCP Deckhouse controller webhook handler

Master to nodes traffic

Port Protocol Purpose
22 TCP SSH for Static nodes bootstrapping by static provider
10250 TCP kubelet
4221 TCP bashible apiserver for delivering node configurations
4227 TCP runtime-audit-engine webhook handler

Nodes to masters traffic

Port Protocol Purpose
4234 UDP NTP for time synchronization between nodes
6443 TCP kube-apiserver for controllers working in node’s host network namespace
4203 TCP machine-controller-manager metrics
4219 TCP Proxy for registry packages registry-packages-proxy
4222 TCP Deckhouse controller metrics

Nodes to nodes traffic

Port Protocol Purpose
  ICMP ICMP for node-to-node connectivity monitoring
7000-7999 TCP sds-replicated-volume DRBD replication
8469, 8472, 4295-4299 UDP VXLAN for pod-to-pod traffic encapsulation
4204 TCP Deckhouse controller debug
4205 TCP ebpf-exporter metrics
4206 TCP node-exporter module metrics
4207, 4208 TCP ingress-nginx controller metrics for HostWithFailover inlet
4209 TCP Kubernetes control plane metrics
4210 TCP kube-proxy metrics
4211 TCP Cluster API metrics
4212 TCP runtime-audit-engine module metrics
4213 TCP kube-router metrics
4202 TCP sds-node-configurator node agent metrics
4214 TCP API of the sds-replicated-volume module node agent
4215 TCP sds-replicated-volume node agent metrics
49152, 49153 TCP Deckhouse Virtualization Platform VM live migration port
4218, 4225 TCP metallb speakers memberlist ports
4218, 4225 UDP metallb speakers memberlist ports
4220, 4226 TCP metallb and speakers metrics
4224 TCP node-local-dns metrics
4240 TCP CNI Cilium agent node-to-node healthcheck
4241 TCP CNI Cilium agent metrics
4242 TCP CNI Cilium operator metrics
4244 TCP cilium-hubble API
4245 TCP chrony-exporter metrics port
4287 UDP WireGuard’s port for traffic encryption in the CNI Cilium
4288, 4289 TCP monitoring-ping metrics
4286 TCP Istio CNI metrics port

External traffic to masters

Port Protocol Purpose
22 TCP SSH for Deckhouse Kubernetes Platform initialization
6443 TCP Direct access to the apiserver

External traffic to frontends

Port Protocol Purpose
80, 443 TCP Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in IngressNginxController resource and may vary in different setups
5416 UDP OpenVPN
5416 TCP OpenVPN
10256 TCP healthcheck port for external balancers
30000-32767 TCP NodePort range

External traffic for all nodes

Port Protocol Purpose
53 UDP DNS
53 TCP DNS
123 UDP NTP for external time synchronization
443 TCP Container registry