If the infrastructure where Deckhouse Kubernetes Platform is running must restrict network communication, the following conditions must be met:

  • Tunneling mode for traffic between pods is enabled (configuration for CNI Cilium, configuration for CNI Flannel).
  • If there is integration with external systems (e.g. LDAP, SMTP or other external APIs), network communication with them must be allowed.
  • Local network communication is fully allowed within each individual cluster node.
  • Inter-node communication is allowed on the ports listed in the tables below.

Master to master nodes traffic

| Port | Protocol | Purpose |
|------|----------|---------|
| 2379, 2380 | TCP | etcd replication |
| 9443 | TCP | Cluster API webhook handler |
| 9444 | TCP | VMware Cloud Director cloud provider webhook handler |

Master to nodes traffic

| Port | Protocol | Purpose |
|------|----------|---------|
| 22 | TCP | SSH for bootstrapping Static nodes by the static provider |
| 10250 | TCP | kubelet |
| 10423 | TCP | bashible apiserver for delivering node configurations |
| 9680 | TCP | runtime-audit-engine webhook |
| 8443 | TCP | ingress-nginx controller webhook for the HostWithFailover inlet |

Nodes to masters traffic

| Port | Protocol | Purpose |
|------|----------|---------|
| 6443 | TCP | kube-apiserver for controllers working in the node’s host network namespace |
| 8443 | TCP | machine-controller-manager metrics |
| 5443 | TCP | registry-packages-proxy (proxy for registry packages) |

Nodes to nodes traffic

| Port | Protocol | Purpose |
|------|----------|---------|
|  | ICMP | ICMP for node-to-node connectivity monitoring |
| 8469, 8472 | UDP | VXLAN for pod-to-pod traffic encapsulation |
| 123 | UDP | NTP for time synchronization between nodes |
| 4240 | TCP | CNI Cilium agent node-to-node healthcheck |
| 4244 | TCP | cilium-hubble API |
| 9734 | TCP | CNI Cilium agent metrics |
| 9735 | TCP | CNI Cilium operator metrics |
| 9889 | TCP | Deckhouse controller metrics |
| 9434 | TCP | ebpf-exporter metrics |
| 9101 | TCP | node-exporter module metrics |
| 10354, 10355 | TCP | ingress-nginx controller metrics for the HostWithFailover inlet |
| 8008 | TCP | Kubernetes control plane metrics |
| 9255 | TCP | kube-proxy metrics |
| 8083 | TCP | Cluster API metrics |
| 8766 | TCP | runtime-audit-engine module metrics |
| 10445 | TCP | kube-router metrics |
| 9695 | TCP | sds-node-configurator node agent metrics |
| 3367 | TCP | API of the sds-replicated-volume module node agent |
| 9942 | TCP | sds-replicated-volume node agent metrics |
| 7000-7999 | TCP | sds-replicated-volume DRBD replication |
| 49152, 49153 | TCP | Deckhouse Virtualization Platform VM live migration ports |
| 7946, 7947 | TCP | metallb and l2-load-balancer speakers memberlist ports |
| 7946, 7947 | UDP | metallb and l2-load-balancer speakers memberlist ports |
| 7473, 7475 | TCP | metallb and l2-load-balancer speakers metrics |

External traffic to masters

| Port | Protocol | Purpose |
|------|----------|---------|
| 6443 | TCP | kube-apiserver for local administrators |
| 22, 22322 | TCP | SSH for Deckhouse Kubernetes Platform initialization |

External traffic to frontends

| Port | Protocol | Purpose |
|------|----------|---------|
| 30000-32767 | TCP | NodePort range |
| 80, 443 | TCP | Application ports for requests to Ingress controllers over HTTP and HTTPS. Note that these ports are configurable in the IngressNginxController resource and may vary between setups |
| 5416 | UDP | OpenVPN |
| 5416 | TCP | OpenVPN |

External traffic for all nodes

| Port | Protocol | Purpose |
|------|----------|---------|
| 443 | TCP | Container registry |
| 123 | UDP | NTP for external time synchronization |
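The inter-node tables above as machine-readable data, with a lookup and an nftables allow-list generator; this is an added example, not Deckhouse's own tooling. Port values are copied from the tables; the nft set names @masters and @nodes (assumed to contain every node, masters included) and the rule that a master also accepts all node-destined flows are assumptions.

```python
# Added example (not Deckhouse code): turn the inter-node tables into an
# nftables allow-list and a lookup. Port values are copied from the page; the
# set names @masters/@nodes (with @nodes containing masters too) are assumed.

# (source role, destination role) -> [(protocol, nft port spec)]
PORT_MATRIX = {
    ("master", "master"): [("tcp", "2379-2380"), ("tcp", "9443"), ("tcp", "9444")],
    ("master", "node"): [("tcp", "22"), ("tcp", "10250"), ("tcp", "10423"),
                         ("tcp", "9680"), ("tcp", "8443")],
    ("node", "master"): [("tcp", "6443"), ("tcp", "8443"), ("tcp", "5443")],
    ("node", "node"): [("icmp", None), ("udp", "{ 8469, 8472 }"), ("udp", "123"),
                       ("tcp", "4240"), ("tcp", "4244"), ("tcp", "9734-9735"),
                       ("tcp", "9889"), ("tcp", "9434"), ("tcp", "9101"),
                       ("tcp", "10354-10355"), ("tcp", "8008"), ("tcp", "9255"),
                       ("tcp", "8083"), ("tcp", "8766"), ("tcp", "10445"),
                       ("tcp", "9695"), ("tcp", "3367"), ("tcp", "9942"),
                       ("tcp", "7000-7999"), ("tcp", "49152-49153"),
                       ("tcp", "7946-7947"), ("udp", "7946-7947"),
                       ("tcp", "{ 7473, 7475 }")],
}
SOURCE_SET = {"master": "@masters", "node": "@nodes"}  # assumed nft set names

def expand(spec):
    """Expand an nft port spec ('22', '2379-2380', '{ 8469, 8472 }') to ints."""
    ports = set()
    for part in spec.strip("{} ").split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def is_allowed(src, dst, proto, port):
    """True if the tables allow src-role -> dst-role traffic on proto/port."""
    return any(p == proto and spec and port in expand(spec)
               for p, spec in PORT_MATRIX.get((src, dst), []))

def inbound_rules(role):
    """nft input-chain rules for a node of the given role. A master is also a
    node (assumption), so it additionally accepts every node-destined flow."""
    accepted = {"node", role}
    rules = set()
    for (src, dst), entries in PORT_MATRIX.items():
        if dst not in accepted:
            continue
        for proto, spec in entries:
            match = "ip protocol icmp" if proto == "icmp" else f"{proto} dport {spec}"
            rules.add(f"ip saddr {SOURCE_SET[src]} {match} accept")
    return sorted(rules)
```

Feed `inbound_rules("master")` or `inbound_rules("node")` into the input chain of the node's nftables ruleset; the external-traffic tables are intentionally left out.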