If the infrastructure that runs Deckhouse Kubernetes Platform (DKP) restricts host-to-host network communication, the following conditions must be met:

  • Tunneling mode for traffic between pods is enabled (see the tunneling configuration for CNI Cilium and for CNI Flannel).
  • Traffic between podSubnetCIDR addresses encapsulated in VXLAN is allowed (this matters when traffic inside the VXLAN tunnel is inspected and filtered).
  • If DKP is integrated with external systems (e.g. LDAP, SMTP, or other external APIs), network communication with those systems must be allowed.
  • All local (intra-host) network communication is allowed on each individual cluster node.
  • Inter-node communication is allowed on the ports listed in the tables on this page. Note that most ports are in the 4200-4299 range; new platform components are assigned ports from this range where possible.

Additions, removals, and reassignments of ports in these tables are listed in the “Network” section of the corresponding DKP version on the Release notes page.

Traffic between master nodes

Port Protocol Purpose
2379, 2380 TCP etcd replication
4200 TCP Cluster API webhook handler
4201 TCP Webhook handler for VMware Cloud Director cloud provider
4223 TCP Deckhouse controller webhook handler

Traffic from master nodes to regular nodes

Port Protocol Purpose
22 TCP SSH for static node bootstrapping by the static provider
10250 TCP kubelet
4221 TCP bashible apiserver for delivering node configurations
4227 TCP runtime-audit-engine webhook handler

Traffic from nodes to master nodes

Port Protocol Purpose
4234 UDP NTP for time synchronization between nodes
6443 TCP kube-apiserver for controllers working in the node’s host network namespace
4203 TCP machine-controller-manager metrics
4219 TCP registry-packages-proxy (proxy for registry packages)
4222 TCP Deckhouse controller metrics

Traffic between nodes

Port Protocol Purpose
(none) ICMP Node-to-node connectivity monitoring
4202 TCP sds-node-configurator node agent metrics
4204 TCP Deckhouse controller debug
4205 TCP ebpf-exporter module metrics
4206 TCP node-exporter module metrics
4207 TCP ingress-nginx controller metrics for the HostWithFailover inlet
4208 TCP ingress-nginx controller metrics for the HostWithFailover inlet
4209 TCP Kubernetes control plane metrics
4210 TCP kube-proxy metrics
4211 TCP Cluster API metrics
4212 TCP runtime-audit-engine module metrics
4213 TCP kube-router metrics
4214 TCP API of the sds-replicated-volume module agent
4215 TCP sds-replicated-volume agent metrics
4218 TCP/UDP Synchronization of the speaker components in metallb modules via memberlist protocol
4220 TCP Metrics of the speaker components in metallb modules
4224 TCP node-local-dns metrics
4225 TCP/UDP Synchronization of the speaker components in metallb modules via memberlist protocol
4226 TCP Metrics of the speaker components in metallb modules
4229 TCP csi-nfs CSI controller healthcheck
4230 TCP csi-nfs CSI node healthcheck
4231 TCP csi-hpe CSI controller healthcheck
4232 TCP csi-hpe CSI node healthcheck
4235 TCP csi-s3 CSI controller healthcheck
4236 TCP csi-s3 CSI node healthcheck
4237 TCP csi-scsi-generic CSI controller healthcheck
4238 TCP csi-scsi-generic CSI node healthcheck
4240 TCP CNI Cilium node-to-node healthcheck
4241 TCP CNI Cilium agent metrics
4242 TCP CNI Cilium operator metrics
4244 TCP cilium-hubble module API
4245 TCP chrony-exporter metrics
4246 TCP csi-ceph CephFS CSI controller healthcheck
4247 TCP csi-ceph RBD CSI controller healthcheck
4248 TCP csi-yadro-tatlin-unified CSI controller healthcheck
4249 TCP csi-yadro-tatlin-unified CSI node healthcheck
4250 TCP sds-local-volume CSI controller healthcheck
4251 TCP sds-local-volume CSI node healthcheck
4252 TCP csi-ceph RBD CSI node healthcheck
4253 TCP csi-ceph CephFS CSI node healthcheck
4254 TCP csi-netapp CSI controller healthcheck
4255 TCP csi-netapp CSI node healthcheck
4256 TCP csi-netapp CSI controller metrics
4257 TCP csi-netapp CSI controller API port
4258 TCP csi-huawei CSI controller webhook port
4259 TCP csi-huawei CSI node healthcheck
4260 TCP csi-huawei CSI controller metrics
4261 TCP sds-replicated-volume CSI controller healthcheck
4262 TCP sds-replicated-volume CSI node healthcheck
4263 TCP service-with-healthchecks module metrics
4269 TCP sds-replicated-volume CSI node healthcheck
4270 TCP sds-replicated-volume CSI node metrics
4286 TCP Istio CNI metrics
4287 UDP WireGuard port for traffic encryption in CNI Cilium
4288 TCP monitoring-ping metrics
4289 TCP monitoring-ping metrics
4295-4299 UDP VXLAN for pod-to-pod traffic encapsulation
7000-7999 TCP sds-replicated-volume DRBD replication
8469, 8472 UDP VXLAN for pod-to-pod traffic encapsulation

External traffic to master nodes

Port Protocol Purpose
22 TCP SSH for initializing Deckhouse Kubernetes Platform
6443 TCP Direct access to the apiserver

External traffic to frontend nodes

Port Protocol Purpose
80, 443 TCP Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in the IngressNginxController resource and may vary across installations
5416 UDP OpenVPN
5416 TCP OpenVPN
10256 TCP Healthcheck port for external balancers
30000-32767 TCP NodePort range

External traffic for all nodes

Port Protocol Purpose
53 UDP DNS
53 TCP DNS
123 UDP NTP for synchronization with external time servers
443 TCP Container registry
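The tables above are the specification; what a practitioner actually has to produce is a host firewall policy per node role. The following script is an added example (not Deckhouse code) that turns the tables into an nftables ruleset for a master, regular (here called "worker") or frontend node. The role names, the `dkp_nodes` table name and the CIDRs passed to `render()` are this example's own assumptions; the port numbers are copied from the tables on this page. The output chain is deliberately restrictive: it permits traffic to other nodes, to the pod subnet, and the outbound DNS/NTP/registry ports from the last table, so any external integration the bullet list mentions (LDAP, SMTP, cloud APIs) needs its own rule before the policy is applied. Apply it alongside, not instead of, the rules that kube-proxy and the CNI manage on the node.

```python
"""Render an nftables policy for one DKP node role from the port tables above.

Added example, not Deckhouse code.  The CIDRs passed to render() are constructed
placeholders; the role names (master, worker, frontend) are this script's own.
"""
from itertools import groupby

# "Traffic between nodes": every node accepts these from every other node.
NODE_TO_NODE_TCP = (
    [4202] + list(range(4204, 4216)) + [4218, 4220, 4224, 4225, 4226]
    + list(range(4229, 4233)) + list(range(4235, 4239)) + [4240, 4241, 4242]
    + list(range(4244, 4264)) + [4269, 4270, 4286, 4288, 4289]
    + list(range(7000, 8000))                      # sds-replicated-volume DRBD replication
)
NODE_TO_NODE_UDP = (
    [4218, 4225]                                   # metallb speaker memberlist
    + [4287]                                       # Cilium WireGuard
    + list(range(4295, 4300)) + [8469, 8472]       # VXLAN pod-to-pod encapsulation
)

# Role-specific inbound rows, keyed by (allowed source, protocol).
ROLE_INBOUND = {
    "master": {
        ("masters", "tcp"): [2379, 2380, 4200, 4201, 4223],  # etcd, Cluster API / VCD / Deckhouse webhooks
        ("nodes", "tcp"): [4203, 4219, 4222, 6443],          # mcm metrics, registry-packages-proxy, Deckhouse metrics, kube-apiserver
        ("nodes", "udp"): [4234],                            # NTP between nodes
        ("any", "tcp"): [22, 6443],                          # external SSH for installation, direct apiserver access
    },
    "worker": {
        ("masters", "tcp"): [22, 4221, 4227, 10250],         # static-node SSH, bashible, runtime-audit-engine webhook, kubelet
    },
    "frontend": {
        ("masters", "tcp"): [22, 4221, 4227, 10250],
        ("any", "tcp"): [80, 443, 5416, 10256] + list(range(30000, 32768)),  # ingress, OpenVPN, LB healthcheck, NodePort
        ("any", "udp"): [5416],                                              # OpenVPN
    },
}

# "External traffic for all nodes": outbound DNS, NTP and container registry.
EGRESS = {"tcp": [53, 443], "udp": [53, 123]}


def collapse(ports):
    """Collapse a port list into nftables set syntax: [4204, 4205, 4206, 4218] -> '4204-4206, 4218'."""
    runs = []
    # Consecutive ports share the same (port - index) offset, so groupby splits the sorted list into runs.
    for _, grp in groupby(enumerate(sorted(set(ports))), key=lambda ip: ip[1] - ip[0]):
        run = [port for _, port in grp]
        runs.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
    return ", ".join(runs)


def inbound_rules(role, node_cidr, master_cidr):
    """nft rules for the input chain of a node with the given role."""
    prefix = {"nodes": f"ip saddr {node_cidr} ", "masters": f"ip saddr {master_cidr} ", "any": ""}
    rules = [
        f"ip saddr {node_cidr} icmp type echo-request accept",
        f"ip saddr {node_cidr} tcp dport {{ {collapse(NODE_TO_NODE_TCP)} }} accept",
        f"ip saddr {node_cidr} udp dport {{ {collapse(NODE_TO_NODE_UDP)} }} accept",
    ]
    for (source, proto), ports in ROLE_INBOUND[role].items():
        rules.append(f"{prefix[source]}{proto} dport {{ {collapse(ports)} }} accept")
    return rules


def render(role, node_cidr, master_cidr, pod_cidr):
    """Full nftables table (input + output chains) as text suitable for `nft -f`."""
    lines = [
        "table inet dkp_nodes {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        *("    " + rule for rule in inbound_rules(role, node_cidr, master_cidr)),
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f"    ip daddr {node_cidr} accept",   # everything to other nodes; the peer's input chain filters it
        f"    ip daddr {pod_cidr} accept",    # host-network components talking to pods
        *(f"    {proto} dport {{ {collapse(ports)} }} accept" for proto, ports in EGRESS.items()),
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "worker"
    # Constructed placeholder CIDRs: node network, master subnet within it, pod subnet.
    print(render(role, "10.0.0.0/24", "10.0.0.0/28", "10.111.0.0/16"))
```

Run it with the role as the first argument (`python3 dkp_nft.py master > /etc/nftables.d/dkp.nft`, then `nft -c -f` to syntax-check before loading). Narrow the `any` sources for the external rows (SSH, apiserver, ingress) to the actual administrative and load-balancer networks before deploying; the tables say only that those ports must be reachable from outside, not from everywhere.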