18
votes

Suppose I want to create a k8s cluster on bare metal servers, with 1 master and 2 nodes. What ports do I have to open in my firewall so that the master and nodes can communicate over the Internet? (I know I can just use VPN, but I just want to know which ports I need). I guess I need at least the following ports. Do I need more? How about if I'm using Flannel or Calico? I want to create a comprehensive list of all possible k8s services and needed ports. Thank you.

kubectl - 8080

ui - 80 or 443 or 9090

etcd - 2379, 2380


3 Answers

25
votes

The ports for Kubernetes are the following:

[image: table of Kubernetes ports, reproduced from the CoreOS docs]

from the CoreOS docs.

23
votes

Kubernetes needs:

Master node(s):

TCP     6443*       Kubernetes API Server
TCP     2379-2380   etcd server client API
TCP     10250       Kubelet API
TCP     10251       kube-scheduler
TCP     10252       kube-controller-manager
TCP     10255       Read-Only Kubelet API

Worker nodes (minions):

TCP     10250       Kubelet API
TCP     10255       Read-Only Kubelet API
TCP     30000-32767 NodePort Services

2
votes

Provided that the API server, etcd, scheduler and controller manager run on the same machine, the ports you would need to open publicly in the absence of VPN are:

  • 6443 (or 8080 if TLS is disabled)

    Client connections to the API server from nodes (kubelet, kube-proxy, pods) and users (kubectl, ...)

  • 10250 (insecure by default!)

    Kubelet port, accepts connections from the API server (master).

Also, nodes should be able to receive traffic from other nodes and from the master on pretty much any port, on the network fabric used for Kubernetes pods (flannel, weave, calico, ...).

If you expose applications using a NodePort service or Ingress resource, the corresponding ports should also be open on your nodes.
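Taken together, the port table in the second answer and the third answer's two rules (expose only the API server and NodePort range publicly; let cluster nodes reach each other on any port over the pod fabric) describe one firewall policy per role. The POSIX shell script below is an added example, not code from any of the answers or from the Kubernetes project: it prints, without applying, an iptables INPUT ruleset for a master or a worker. The peer address range and the SSH port are placeholders to replace with your own values; because none of the answers list CNI-specific ports, flannel and calico traffic is covered only by the blanket "any port from other cluster nodes" rule, as the third answer suggests.

```shell
#!/bin/sh
# Added example (not from the answers above, not Kubernetes project code).
# Prints an iptables INPUT ruleset for a bare-metal master or worker built
# from the port table in the answers: Internet-facing ports are opened
# explicitly, every other listed port stays reachable only from the
# cluster's own nodes, and nodes may reach each other on any port so the
# pod network fabric (flannel, calico, ...) keeps working.
# Nothing is applied; review the output before piping it into sh.

# Placeholders (constructed values, replace with your own):
PEER_CIDR="${PEER_CIDR:-203.0.113.0/29}"  # addresses of all cluster nodes, master included
SSH_PORT="${SSH_PORT:-22}"                # assumption: management over SSH; keeps the DROP policy from locking you out

# Port table from the answers, written as "proto:port" or "proto:first-last".
public_ports() {
  case "$1" in
    master) echo "tcp:6443" ;;         # API server: kubelets, kube-proxy, kubectl users
    worker) echo "tcp:30000-32767" ;;  # NodePort services
    *) return 1 ;;
  esac
}
cluster_only_ports() {
  case "$1" in
    master) echo "tcp:2379-2380 tcp:10250 tcp:10251 tcp:10252 tcp:10255" ;;
    worker) echo "tcp:10250 tcp:10255" ;;
    *) return 1 ;;
  esac
}

# gen_rules master|worker  -> iptables commands on stdout, last line is the DROP policy
gen_rules() {
  role="$1"
  pub=$(public_ports "$role") || { echo "usage: gen_rules master|worker" >&2; return 1; }
  echo "# iptables INPUT ruleset for a Kubernetes $role"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
  # Other cluster nodes may use any port on the pod fabric; this one rule also
  # covers the cluster-only ports listed below (kubelet 10250 included, so it is
  # reachable from the API server but never from the Internet).
  echo "iptables -A INPUT -s $PEER_CIDR -j ACCEPT"
  for spec in $pub; do
    proto=${spec%%:*}
    port=${spec#*:}
    case "$port" in
      *-*) range="${port%-*}:${port#*-}" ;;  # iptables writes ranges as first:last
      *)   range="$port" ;;
    esac
    echo "iptables -A INPUT -p $proto --dport $range -j ACCEPT"
  done
  echo "# cluster-only, never opened to the Internet: $(cluster_only_ports "$role")"
  echo "iptables -P INPUT DROP"
}

# Example invocation, prints the worker ruleset:
# gen_rules worker
```

The unencrypted API port 8080 from the question is deliberately absent: the third answer only offers it as the no-TLS alternative to 6443, and an Internet-facing ruleset should not carry it. If you also expose applications through an Ingress controller, add its listener ports (typically the same 80/443 the question mentions for the UI) to the worker's public set.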