If the infrastructure where Deckhouse Kubernetes Platform (DKP) runs must restrict host-to-host network communication, the following conditions must be met:

  • Tunneling mode for traffic between pods is enabled (configuration for CNI Cilium, configuration for CNI Flannel).
  • Traffic between the podSubnetCIDR ranges encapsulated in VXLAN is allowed (relevant if traffic inside the VXLAN tunnel is inspected and filtered).
  • If DKP integrates with external systems (e.g. LDAP, SMTP, or other external APIs), network communication with them must be allowed.
  • Local network communication is fully allowed within each individual cluster node.
  • Inter-node communication is allowed on the ports listed in the tables on this page. Note that most ports are in the 4200-4299 range; new platform components are assigned ports from this range where possible.

To check the current VXLAN port, run:

d8 k -n d8-cni-cilium get cm cilium-config -o yaml | grep tunnel

Example output:

routing-mode: tunnel
tunnel-port: "4298"
tunnel-protocol: vxlan

Changes related to the addition, removal, or reassignment of ports in these tables are listed in the “Network” section of the respective DKP version on the Release notes page.

Traffic between master nodes

Port         Protocol  Purpose
-----------  --------  -------
2379, 2380   TCP       etcd replication
4200         TCP       Cluster API webhook handler
4201         TCP       Webhook handler for VMware Cloud Director cloud provider
4223         TCP       Deckhouse controller webhook handler

Traffic from master nodes to regular nodes

Port         Protocol  Purpose
-----------  --------  -------
22           TCP       SSH for static node bootstrapping by the static provider
10250        TCP       kubelet
4221         TCP       bashible apiserver for delivering node configurations
4227         TCP       runtime-audit-engine webhook handler

Traffic from nodes to master nodes

Port         Protocol  Purpose
-----------  --------  -------
4234         UDP       NTP for time synchronization between nodes
6443         TCP       kube-apiserver for controllers working in the node’s host network namespace
4203         TCP       machine-controller-manager metrics
4219         TCP       Proxy for registry packages (registry-packages-proxy)
4222         TCP       Deckhouse controller metrics

Traffic between nodes

Port         Protocol  Purpose
-----------  --------  -------
             ICMP      ICMP for node-to-node connectivity monitoring
4202         TCP       sds-node-configurator node agent metrics
4204         TCP       Deckhouse controller debug
4205         TCP       ebpf-exporter module metrics
4206         TCP       node-exporter module metrics
4207         TCP       ingress-nginx controller metrics for the HostWithFailover inlet
4208         TCP       ingress-nginx controller metrics for the HostWithFailover inlet
4209         TCP       Kubernetes control plane metrics
4210         TCP       kube-proxy metrics
4211         TCP       Cluster API metrics
4212         TCP       runtime-audit-engine module metrics
4213         TCP       kube-router metrics
4214         TCP       API of the sds-replicated-volume module agent
4215         TCP       sds-replicated-volume agent metrics
4218         TCP/UDP   Synchronization of the speaker components in metallb modules via the memberlist protocol
4220         TCP       Metrics of the speaker components in metallb modules
4224         TCP       node-local-dns metrics
4225         TCP/UDP   Synchronization of the speaker components in metallb modules via the memberlist protocol
4226         TCP       Metrics of the speaker components in metallb modules
4229         TCP       csi-nfs CSI controller healthcheck
4230         TCP       csi-nfs CSI node healthcheck
4231         TCP       csi-hpe CSI controller healthcheck
4232         TCP       csi-hpe CSI node healthcheck
4235         TCP       csi-s3 CSI controller healthcheck
4236         TCP       csi-s3 CSI node healthcheck
4237         TCP       csi-scsi-generic CSI controller healthcheck
4238         TCP       csi-scsi-generic CSI node healthcheck
4240         TCP       CNI Cilium node-to-node healthcheck
4241         TCP       CNI Cilium agent metrics
4242         TCP       CNI Cilium operator metrics
4244         TCP       cilium-hubble module API
4245         TCP       chrony-exporter metrics
4246         TCP       csi-ceph CephFS CSI controller healthcheck
4247         TCP       csi-ceph RBD CSI controller healthcheck
4248         TCP       csi-yadro-tatlin-unified CSI controller healthcheck
4249         TCP       csi-yadro-tatlin-unified CSI node healthcheck
4250         TCP       sds-local-volume CSI controller healthcheck
4251         TCP       sds-local-volume CSI node healthcheck
4252         TCP       csi-ceph RBD CSI node healthcheck
4253         TCP       csi-ceph CephFS CSI node healthcheck
4254         TCP       csi-netapp CSI controller healthcheck
4255         TCP       csi-netapp CSI node healthcheck
4256         TCP       csi-netapp CSI controller metrics
4257         TCP       csi-netapp CSI controller API port
4258         TCP       csi-huawei CSI controller webhook port
4259         TCP       csi-huawei CSI node healthcheck
4260         TCP       csi-huawei CSI controller metrics
4261         TCP       sds-replicated-volume CSI controller healthcheck
4262         TCP       sds-replicated-volume CSI node healthcheck
4263         TCP       service-with-healthchecks module metrics
4269         TCP       sds-replicated-volume CSI node healthcheck
4270         TCP       sds-replicated-volume CSI node metrics
4286         TCP       Istio CNI metrics
4287         UDP       WireGuard port for traffic encryption in CNI Cilium
4288         TCP       monitoring-ping metrics
4289         TCP       monitoring-ping metrics
4295-4297    UDP       Used by the cni-cilium module for VXLAN encapsulation of inter-pod traffic with multiple levels of nested virtualization, i.e. when DKP with the virtualization module enabled is deployed inside virtual machines that are themselves created in DKP with the virtualization module enabled
4298         UDP       Used by the cni-cilium module for VXLAN encapsulation of traffic between pods if the cluster was deployed on DKP version 1.71 or later (for clusters deployed on DKP versions before 1.71, see the notes for ports 4299/UDP, 8469/UDP, and 8472/UDP)
4299         UDP       For clusters deployed on DKP versions 1.64-1.70. Used by the cni-cilium module for VXLAN encapsulation of traffic between pods. Updating DKP to newer versions does not change the port used unless the virtualization module is enabled. Note that in such clusters, enabling the virtualization module on DKP up to version 1.70 changes the port to 4298/UDP.
7000-7999    TCP       sds-replicated-volume DRBD replication
8469         UDP       For clusters deployed on DKP version 1.63 and below with the virtualization module enabled prior to DKP version 1.63. Used by the cni-cilium module for VXLAN encapsulation of traffic between pods. Updating DKP to newer versions does not change the occupied port.
8472         UDP       For clusters deployed on DKP version 1.63 and below. Used by the cni-cilium module for VXLAN encapsulation of traffic between pods. Updating DKP to newer versions does not change the occupied port if the virtualization module is not enabled. Note that in such clusters, enabling the virtualization module on DKP before version 1.70 changes the port:
                         • Enabling the virtualization module on DKP version 1.63 and below changes it to 8469/UDP; subsequent DKP updates do not change it.
                         • Enabling the virtualization module on DKP version 1.64 and later changes it to 4298/UDP; subsequent DKP updates do not change it.
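As an added example (not code from the Deckhouse documentation or project), the script below encodes the version-dependent VXLAN port rules for cni-cilium given in the table above and compares the expected port with the tunnel-port read from the cilium-config ConfigMap output shown earlier on this page. The function names, the constructed ConfigMap sample, and the assumption that the virtualization module cannot have been enabled on a version older than the one the cluster was deployed on are mine.

```python
import re
from typing import Optional, Tuple

def parse_version(s: str) -> Tuple[int, int]:
    """Parse a DKP version string such as '1.71' or 'v1.64.3' into (major, minor)."""
    m = re.match(r"v?(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised DKP version: {s!r}")
    return int(m.group(1)), int(m.group(2))

def expected_vxlan_port(deployed_on: str, virt_enabled_on: Optional[str] = None) -> int:
    """UDP port cni-cilium is expected to use for VXLAN, following the table rules.
    deployed_on: DKP version the cluster was deployed on; virt_enabled_on: DKP
    version at which the virtualization module was enabled (None if never)."""
    deployed = parse_version(deployed_on)
    if virt_enabled_on is not None:
        enabled = parse_version(virt_enabled_on)
        if enabled < deployed:  # assumption: cannot predate the deployment version
            raise ValueError("virtualization cannot be enabled before the cluster was deployed")
        # Enabling virtualization pins the port; later DKP updates do not change it.
        return 8469 if enabled <= (1, 63) else 4298
    if deployed >= (1, 71):
        return 4298
    if deployed >= (1, 64):
        return 4299  # deployed on 1.64-1.70, virtualization never enabled
    return 8472      # deployed on 1.63 or below, virtualization never enabled

def tunnel_settings(cm_yaml: str) -> dict:
    """Pick routing-mode, tunnel-port and tunnel-protocol out of the cilium-config YAML."""
    wanted = {"routing-mode", "tunnel-port", "tunnel-protocol"}
    found = {}
    for line in cm_yaml.splitlines():
        m = re.match(r'\s*([\w-]+):\s*"?([^"\s]+)"?\s*$', line)
        if m and m.group(1) in wanted:
            found[m.group(1)] = m.group(2)
    return found

def check_vxlan_port(cm_yaml: str, deployed_on: str, virt_enabled_on: Optional[str] = None):
    """Return (actual, expected, ok) comparing the configured and expected tunnel ports."""
    s = tunnel_settings(cm_yaml)
    if s.get("routing-mode") != "tunnel" or s.get("tunnel-protocol") != "vxlan":
        raise ValueError(f"cluster is not in VXLAN tunnel mode: {s}")
    actual = int(s["tunnel-port"])
    expected = expected_vxlan_port(deployed_on, virt_enabled_on)
    return actual, expected, actual == expected

# Constructed sample of the relevant ConfigMap lines, not output from a real cluster.
SAMPLE_CM = 'apiVersion: v1\ndata:\n  routing-mode: tunnel\n  tunnel-port: "4298"\n  tunnel-protocol: vxlan\nkind: ConfigMap\n'
```

A mismatch between actual and expected means the firewall allowlist should be checked against the port actually configured, not the one assumed from the DKP version.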

External traffic to master nodes

Port         Protocol  Purpose
-----------  --------  -------
22           TCP       SSH for initializing Deckhouse Kubernetes Platform
6443         TCP       Direct access to the apiserver

External traffic to frontend nodes

Port         Protocol  Purpose
-----------  --------  -------
80, 443      TCP       Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in the IngressNginxController resource and may vary across installations
5416         UDP       OpenVPN
5416         TCP       OpenVPN
10256        TCP       Healthcheck port for external balancers
30000-32767  TCP       NodePort range

External traffic for all nodes

Port         Protocol  Purpose
-----------  --------  -------
53           UDP       DNS
53           TCP       DNS
123          UDP       NTP for synchronization with external time servers
443          TCP       Container registry