If the infrastructure where Deckhouse Kubernetes Platform is running has requirements to limit network communication, the following conditions must be met:

- Tunneling mode for traffic between pods is enabled (see the configuration for CNI Cilium and the configuration for CNI Flannel).
- If there is integration with external systems (e.g. LDAP, SMTP or other external APIs), network communication with them must be allowed.
- Local network communication is fully allowed within each individual cluster node.
- Inter-node communication is allowed on the ports shown in the tables on the current page. Note that most ports are in the 4200-4299 range; when new platform components are added, they will be assigned ports from this range where possible.

## Master to master nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| 2379, 2380 | TCP | etcd replication |
| 4200 | TCP | Cluster API webhook handler |
| 4201 | TCP | VMware Cloud Director cloud provider webhook handler |
| 4223 | TCP | Deckhouse controller webhook handler |

## Master to nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH for bootstrapping static nodes by the static provider |
| 10250 | TCP | kubelet |
| 4221 | TCP | bashible apiserver for delivering node configurations |
| 9680 | TCP | runtime-audit-engine webhook |

## Nodes to masters traffic

| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP | kube-apiserver for controllers working in the node's host network namespace |
| 4203 | TCP | machine-controller-manager metrics |
| 4219 | TCP | registry-packages-proxy (proxy for registry packages) |
| 4222 | TCP | Deckhouse controller metrics |

## Nodes to nodes traffic

| Port | Protocol | Purpose |
|---|---|---|
| | ICMP | ICMP for node-to-node connectivity monitoring |
| 123 | UDP | NTP for time synchronization between nodes |
| 7000-7999 | TCP | sds-replicated-volume DRBD replication |
| 8469, 8472 | UDP | VXLAN for pod-to-pod traffic encapsulation |
| 4204 | TCP | Deckhouse controller debug |
| 4205 | TCP | ebpf-exporter metrics |
| 4206 | TCP | node-exporter module metrics |
| 4207, 4208 | TCP | ingress-nginx controller metrics for HostWithFailover inlet |
| 4209 | TCP | Kubernetes control plane metrics |
| 4210 | TCP | kube-proxy metrics |
| 4211 | TCP | Cluster API metrics |
| 4212 | TCP | runtime-audit-engine module metrics |
| 4213 | TCP | kube-router metrics |
| 9695 | TCP | sds-node-configurator node agent metrics |
| 3367 | TCP | API of the sds-replicated-volume module node agent |
| 9942 | TCP | sds-replicated-volume node agent metrics |
| 49152, 49153 | TCP | Deckhouse Virtualization Platform VM live migration port |
| 4218 | TCP | metallb and l2-load-balancer speakers memberlist ports |
| 4218 | UDP | metallb and l2-load-balancer speakers memberlist ports |
| 4220 | TCP | metallb and l2-load-balancer speakers metrics |
| 4224 | TCP | node-local-dns metrics |
| 4240 | TCP | CNI Cilium agent node-to-node healthcheck |
| 4241 | TCP | CNI Cilium agent metrics |
| 4242 | TCP | CNI Cilium operator metrics |
| 4244 | TCP | cilium-hubble API |

## External traffic to masters

| Port | Protocol | Purpose |
|---|---|---|
| 22, 22322 | TCP | SSH for Deckhouse Kubernetes Platform initialization |
| 6443 | TCP | kube-apiserver for local administrators |

## External traffic to frontends

| Port | Protocol | Purpose |
|---|---|---|
| 80, 443 | TCP | Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in the IngressNginxController resource and may vary in different setups |
| 5416 | UDP | OpenVPN |
| 5416 | TCP | OpenVPN |
| 10256 | TCP | healthcheck port for external balancers |
| 30000-32767 | TCP | NodePort range |

## External traffic for all nodes

| Port | Protocol | Purpose |
|---|---|---|
| 53 | UDP | DNS |
| 53 | TCP | DNS |
| 123 | UDP | NTP for external time synchronization |
| 443 | TCP | Container registry |
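A practical way to verify that a node's exposure matches these tables is to compare what is actually listening with the documented inbound ports. The script below is an added example, not part of the Deckhouse documentation or project: it parses constructed `ss -Hlntu` output, ignores loopback-only sockets (local communication is fully allowed), and reports non-loopback listeners outside the port set for the chosen role. The `node`/`master` role split and the sample lines are assumptions.

```python
"""Audit a node's listening sockets against the Deckhouse port tables above (example code)."""

# Inbound ports per role, collected from the tables on this page.
# Ranges are (low, high) tuples; single ports are ints. Egress-only rows (DNS,
# external NTP, registry) are not listeners and are therefore left out.
NODE_INBOUND = {
    "tcp": [22, 10250, 4221, 9680,                              # master -> nodes
            (7000, 7999), 4204, 4205, 4206, 4207, 4208, 4209,   # nodes -> nodes
            4210, 4211, 4212, 4213, 9695, 3367, 9942, 49152,
            49153, 4218, 4220, 4224, 4240, 4241, 4242, 4244,
            80, 443, 5416, 10256, (30000, 32767)],              # external -> frontends
    "udp": [123, 8469, 8472, 4218, 5416],
}
MASTER_INBOUND = {  # assumption: masters additionally accept the master-bound rows
    "tcp": NODE_INBOUND["tcp"] + [2379, 2380, 4200, 4201, 4223, 6443, 4203, 4219, 4222, 22322],
    "udp": NODE_INBOUND["udp"],
}

# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
tcp   LISTEN 0      4096     0.0.0.0:10250    0.0.0.0:*
tcp   LISTEN 0      4096        [::]:4221        [::]:*
tcp   LISTEN 0      128    127.0.0.1:9100    0.0.0.0:*
tcp   LISTEN 0      4096           *:6443           *:*
tcp   LISTEN 0      128      0.0.0.0:8080     0.0.0.0:*
udp   UNCONN 0      0        0.0.0.0:8472     0.0.0.0:*
udp   UNCONN 0      0        0.0.0.0:1900     0.0.0.0:*
"""

def _allowed(port, entries):
    return any(port == e if isinstance(e, int) else e[0] <= port <= e[1] for e in entries)

def parse_ss(output):
    """Yield (proto, local_addr, port) for each socket line of `ss -Hlntu` output."""
    for line in output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def unexpected_listeners(output, role="node"):
    """Sorted (proto, port) pairs bound to a non-loopback address but absent from the tables."""
    table = MASTER_INBOUND if role == "master" else NODE_INBOUND
    found = set()
    for proto, addr, port in parse_ss(output):
        if addr in ("127.0.0.1", "[::1]"):
            continue  # local-only sockets: intra-node traffic is fully allowed
        if not _allowed(port, table.get(proto, [])):
            found.add((proto, port))
    return sorted(found)
```

Run it against the real output of `ss -Hlntu` on a node; anything reported is a candidate for either closing the listener or extending the firewall policy deliberately.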