If the infrastructure where Deckhouse Kubernetes Platform is running has requirements to limit network communication, the following conditions must be met:
- Tunneling mode for traffic between pods is enabled (configuration for CNI Cilium, configuration for CNI Flannel).
- If there is integration with external systems (e.g. LDAP, SMTP or other external APIs), it is required to allow network communication with them.
- Local network communication is fully allowed within each individual cluster node.
- Inter-node communication is allowed on the ports shown in the tables on the current page.
Master to master nodes traffic
| Port | Protocol | Purpose |
|---|---|---|
| 2379, 2380 | TCP | etcd replication |
| 9443 | TCP | Cluster API webhook handler |
| 9444 | TCP | VMware Cloud Director cloud provider webhook handler |
Master to nodes traffic
| Port | Protocol | Purpose |
|---|---|---|
| 22 | TCP | SSH for Static nodes bootstrapping by static provider |
| 10250 | TCP | kubelet |
| 10423 | TCP | bashible apiserver for delivering node configurations |
| 9680 | TCP | runtime-audit-engine webhook |
| 8443 | TCP | ingress-nginx controller webhook for HostWithFailover inlet |
Nodes to masters traffic
| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP | kube-apiserver for controllers working in node’s host network namespace |
| 8443 | TCP | machine-controller-manager metrics |
| 5443 | TCP | Proxy for registry packages registry-packages-proxy |
Nodes to nodes traffic
| Port | Protocol | Purpose |
|---|---|---|
| ICMP | ICMP for node-to-node connectivity monitoring | |
| 8469, 8472 | UDP | VXLAN for pod-to-pod traffic encapsulation |
| 123 | UDP | NTP for time synchronization between nodes |
| 4240 | TCP | CNI Cilium agent node-to-node healthcheck |
| 4244 | TCP | cilium-hubble API |
| 9734 | TCP | CNI Cilium agent metrics |
| 9735 | TCP | CNI Cilium operator metrics |
| 9889 | TCP | Deckhouse controller metrics |
| 9434 | TCP | ebpf-exporter metrics |
| 9101 | TCP | node-exporter module metrics |
| 10354, 10355 | TCP | ingress-nginx controller metrics for HostWithFailover inlet |
| 8008 | TCP | Kubernetes control plane metrics |
| 9255 | TCP | kube-proxy metrics |
| 8083 | TCP | Cluster API metrics |
| 8766 | TCP | runtime-audit-engine module metrics |
| 10445 | TCP | kube-router metrics |
| 9695 | TCP | sds-node-configurator node agent metrics |
| 3367 | TCP | API of the sds-replicated-volume module node agent |
| 9942 | TCP | sds-replicated-volume node agent metrics |
| 7000-7999 | TCP | sds-replicated-volume DRBD replication |
| 49152, 49153 | TCP | Deckhouse Virtualization Platform VM live migration port |
| 7946, 7947 | TCP | metallb and l2-load-balancer speakers memberlist ports |
| 7946, 7947 | UDP | metallb and l2-load-balancer speakers memberlist ports |
| 7473, 7475 | TCP | metallb and l2-load-balancer speakers metrics |
External traffic to masters
| Port | Protocol | Purpose |
|---|---|---|
| 6443 | TCP | kube-apiserver for local administrators |
| 22, 22322 | TCP | SSH for Deckhouse Kubernetes Platform initialization |
External traffic to frontends
| Port | Protocol | Purpose |
|---|---|---|
| 30000-32767 | TCP | NodePort range |
| 80, 443 | TCP | Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in IngressNginxController resource and may vary in different setups |
| 5416 | UDP | OpenVPN |
| 5416 | TCP | OpenVPN |
External traffic for all nodes
| Port | Protocol | Purpose |
|---|---|---|
| 443 | TCP | Container registry |
| 53 | UDP | DNS |
| 53 | TCP | DNS |
| 123 | UDP | NTP for external time synchronization |