If the infrastructure running Deckhouse Kubernetes Platform requires network communication to be restricted, the following conditions must be met:

- Tunneling mode for traffic between pods is enabled (configuration for CNI Cilium, configuration for CNI Flannel).
- If the cluster integrates with external systems (e.g. LDAP, SMTP or other external APIs), network communication with them must be allowed.
- Local network communication is fully allowed within each individual cluster node.
- Inter-node communication is allowed on the ports listed in the tables below.
Master to master nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| 2379, 2380 | TCP | etcd replication |
| 9443 | TCP | Cluster API webhook handler |
| 9444 | TCP | VMware Cloud Director cloud provider webhook handler |

Master to nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH for bootstrapping static nodes by the static provider |
| 10250 | TCP | kubelet |
| 10423 | TCP | bashible apiserver for delivering node configurations |
| 9680 | TCP | runtime-audit-engine webhook |
| 8443 | TCP | ingress-nginx controller webhook for the HostWithFailover inlet |

Nodes to masters traffic

| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP | kube-apiserver for controllers running in the node's host network namespace |
| 8443 | TCP | machine-controller-manager metrics |
| 5443 | TCP | registry-packages-proxy (proxy for registry packages) |

Nodes to nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| n/a | ICMP | node-to-node connectivity monitoring |
| 8469, 8472 | UDP | VXLAN for pod-to-pod traffic encapsulation |
| 123 | UDP | NTP for time synchronization between nodes |
| 4240 | TCP | CNI Cilium agent node-to-node healthcheck |
| 4244 | TCP | cilium-hubble API |
| 9734 | TCP | CNI Cilium agent metrics |
| 9735 | TCP | CNI Cilium operator metrics |
| 9889 | TCP | Deckhouse controller metrics |
| 9434 | TCP | ebpf-exporter metrics |
| 9101 | TCP | node-exporter module metrics |
| 10354, 10355 | TCP | ingress-nginx controller metrics for the HostWithFailover inlet |
| 8008 | TCP | Kubernetes control plane metrics |
| 9255 | TCP | kube-proxy metrics |
| 8083 | TCP | Cluster API metrics |
| 8766 | TCP | runtime-audit-engine module metrics |
| 10445 | TCP | kube-router metrics |
| 9695 | TCP | sds-node-configurator node agent metrics |
| 3367 | TCP | API of the sds-replicated-volume module node agent |
| 9942 | TCP | sds-replicated-volume node agent metrics |
| 7000-7999 | TCP | sds-replicated-volume DRBD replication |
| 49152, 49153 | TCP | Deckhouse Virtualization Platform VM live migration |
| 7946, 7947 | TCP | metallb and l2-load-balancer speakers memberlist |
| 7946, 7947 | UDP | metallb and l2-load-balancer speakers memberlist |
| 7473, 7475 | TCP | metallb and l2-load-balancer speakers metrics |

External traffic to masters

| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP | kube-apiserver for local administrators |
| 22, 22322 | TCP | SSH for Deckhouse Kubernetes Platform initialization |

External traffic to frontends

| Port | Protocol | Purpose |
|---|---|---|
| 30000-32767 | TCP | NodePort range |
| 80, 443 | TCP | HTTP and HTTPS application traffic to Ingress controllers. These ports are configurable in the IngressNginxController resource and may differ between setups |
| 5416 | UDP | OpenVPN |
| 5416 | TCP | OpenVPN |

External traffic for all nodes

| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | Container registry |
| 53 | UDP | DNS |
| 53 | TCP | DNS |
| 123 | UDP | NTP for external time synchronization |
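To turn the tables above into a least-privilege host firewall, the following added example (not Deckhouse's own tooling) encodes them as a source/destination matrix and emits nftables accept rules for one node; the node kinds master/worker/frontend, the "any" external source and the CIDRs are assumptions of the example, and the outbound "all nodes" rows are left to the egress policy.

```python
from collections import defaultdict

# Each row: (source group, destination group, protocol, ports), condensed
# from the tables above. "any" = external/unrestricted source; "a-b" = range.
TABLE = [
    ("master", "master", "tcp", ["2379", "2380", "9443", "9444"]),
    ("master", "node", "tcp", ["22", "10250", "10423", "9680", "8443"]),
    ("node", "master", "tcp", ["6443", "8443", "5443"]),
    ("node", "node", "icmp", []),
    ("node", "node", "udp", ["8469", "8472", "123", "7946", "7947"]),
    ("node", "node", "tcp", ["4240", "4244", "9734", "9735", "9889", "9434", "9101",
                             "10354", "10355", "8008", "9255", "8083", "8766", "10445",
                             "9695", "3367", "9942", "7000-7999", "49152", "49153",
                             "7946", "7947", "7473", "7475"]),
    ("any", "master", "tcp", ["6443", "22", "22322"]),
    ("any", "frontend", "tcp", ["30000-32767", "80", "443", "5416"]),
    ("any", "frontend", "udp", ["5416"]),
]

# Node kinds assumed by this example and the groups each belongs to:
# a master is also a "node"; a frontend is a "node" that also serves ingress/VPN.
GROUPS = {"master": {"master", "node"}, "worker": {"node"},
          "frontend": {"node", "frontend"}}

def allowed(dest_kind, src_kind):
    """{(proto, port)} a dest_kind node must accept from src_kind. "any" selects
    only the external-traffic rows; ICMP rows carry the placeholder port "-"."""
    srcs = {"any"} if src_kind == "any" else GROUPS[src_kind]
    out = set()
    for src, dst, proto, ports in TABLE:
        if src in srcs and dst in GROUPS[dest_kind]:
            out.update((proto, p) for p in (ports or ["-"]))
    return out

def nft_rules(dest_kind, src_cidrs):
    """nftables input-chain accept rules for one node. src_cidrs maps a source
    kind to its CIDR (constructed); "any" = no saddr match; rest hits drop policy."""
    lines = []
    for src_kind, cidr in src_cidrs.items():
        by_proto = defaultdict(list)
        for proto, port in sorted(allowed(dest_kind, src_kind)):
            by_proto[proto].append(port)
        prefix = "" if src_kind == "any" else f"ip saddr {cidr} "
        for proto, ports in by_proto.items():
            if proto == "icmp":
                lines.append(f"{prefix}ip protocol icmp accept")
            else:
                lines.append(f"{prefix}{proto} dport {{ {', '.join(ports)} }} accept")
    return lines
```

The point the matrix makes explicit is that etcd (2379/2380) is reachable only from master peers and 80/443 only on frontends, while masters and workers alike carry the node-to-node rows.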