Open ports to incoming traffic
When installing MKE on a host, you need to open specific ports to incoming traffic. Each port listens for incoming traffic from a particular set of hosts, known as the port scope.
MKE uses the following scopes:
| Scope | Description |
|---|---|
| External | Traffic arrives from outside the cluster, through end-user interaction. |
| Internal | Traffic arrives from other hosts in the same cluster. |
| Self | Traffic arrives only from processes on the same host. Self ports must be reachable locally, but do not need to be opened to traffic from other hosts. |
Open the following ports for incoming traffic on each host type:
| Hosts | Port | Scope | Purpose |
|---|---|---|---|
| Managers, workers | TCP 179 | Internal | BGP peers, used for Kubernetes networking |
| Managers | TCP 443 (configurable) | External, internal | MKE web UI and API |
| Managers | TCP 2376 (configurable) | Internal | Docker swarm manager, used for backwards compatibility |
| Managers | TCP 2377 (configurable) | Internal | Control communication between swarm nodes |
| Managers, workers | UDP 4789 | Internal | Overlay networking |
| Managers | TCP 6443 (configurable) | External, internal | Kubernetes API server endpoint |
| Managers, workers | TCP 6444 | Self | Kubernetes API reverse proxy |
| Managers, workers | TCP, UDP 7946 | Internal | Gossip-based clustering |
| Managers | TCP 9055 | Internal | |
| Managers, workers | TCP 9091 | Internal | Felix Prometheus |
| Managers | TCP 9094 | Self | Felix Prometheus |
| Managers, workers | TCP 9099 | Self | Calico health check |
| Managers, workers | TCP 9100 | Internal | |
| Managers, workers | TCP 10248 | Self | Kubelet health check |
| Managers, workers | TCP 10250 | Internal | Kubelet |
| Managers, workers | TCP 12376 | Internal | TLS authentication proxy that provides access to MCR |
| Managers, workers | TCP 12378 | Self | etcd reverse proxy |
| Managers | TCP 12379 | Internal | etcd Control API |
| Managers | TCP 12380 | Internal | etcd Peer API |
| Managers | TCP 12381 | Internal | MKE cluster certificate authority |
| Managers | TCP 12382 | Internal | MKE client certificate authority |
| Managers | TCP 12383 | Internal | Authentication storage backend |
| Managers | TCP 12384 | Internal | Authentication storage backend for replication across managers |
| Managers | TCP 12385 | Internal | Authentication service API |
| Managers | TCP 12386 | Internal | Authentication worker |
| Managers | TCP 12387 | Internal | Prometheus server |
| Managers | TCP 12388 | Internal | Kubernetes API server |
| Managers, workers | TCP 12389 | Self | Hardware Discovery API |
| Managers | TCP 12391 | Internal | |
| Managers | TCP 12392 | Internal | MKE etcd certificate authority |
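The scope column is what turns this table into a firewall policy: an Internal port should accept traffic only from the other cluster nodes, a Self port only from the host itself, and only the External ports need to be reachable from end users. The following POSIX shell script is an added example, not part of the MKE documentation or product, that encodes the table above and prints iptables INPUT rules for one host role. It assumes iptables is in use on the host, that the INPUT chain already has a default DROP policy and an ESTABLISHED,RELATED accept rule, that every manager and worker lives inside one address range passed as `CLUSTER_CIDR`, and that the ports marked "(configurable)" are still at their defaults; the function and variable names (`mke_port_table`, `mke_rules`, `CLUSTER_CIDR`) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the MKE documentation or product.
# Generates iptables INPUT rules from the MKE port table for one host role.
# Assumptions (not stated by the page): iptables is in use, the INPUT chain
# already has a default DROP policy plus an ESTABLISHED,RELATED accept rule,
# every manager and worker sits inside one CIDR given as CLUSTER_CIDR, and the
# ports marked "(configurable)" are left at their defaults.

# Port table copied from the documentation: hosts (m = managers only,
# mw = managers and workers), protocol(s), port, scope (external|internal|self).
mke_port_table() {
cat <<'EOF'
mw tcp 179 internal
m tcp 443 external
m tcp 2376 internal
m tcp 2377 internal
mw udp 4789 internal
m tcp 6443 external
mw tcp 6444 self
mw tcp,udp 7946 internal
m tcp 9055 internal
mw tcp 9091 internal
m tcp 9094 self
mw tcp 9099 self
mw tcp 9100 internal
mw tcp 10248 self
mw tcp 10250 internal
mw tcp 12376 internal
mw tcp 12378 self
m tcp 12379 internal
m tcp 12380 internal
m tcp 12381 internal
m tcp 12382 internal
m tcp 12383 internal
m tcp 12384 internal
m tcp 12385 internal
m tcp 12386 internal
m tcp 12387 internal
m tcp 12388 internal
mw tcp 12389 self
m tcp 12391 internal
m tcp 12392 internal
EOF
}

# mke_rules ROLE CLUSTER_CIDR
# Prints one iptables command per port and protocol. ROLE is manager or worker.
mke_rules() {
  mke_port_table | while read -r hosts proto port scope; do
    # Workers only get the rows that list both host types.
    [ "$1" = manager ] || [ "$hosts" = mw ] || continue
    case $scope in
      external) src="" ;;         # end users: accept from any source address
      internal) src=" -s $2" ;;   # other cluster nodes only
      self)     src=" -i lo" ;;   # Linux delivers locally addressed packets over
                                  # lo, so this admits only this host's processes
      *) echo "unknown scope: $scope" >&2; exit 1 ;;
    esac
    # A "tcp,udp" row expands to one rule per protocol.
    for p in $(printf '%s' "$proto" | tr ',' ' '); do
      echo "iptables -A INPUT -p $p --dport $port$src -j ACCEPT"
    done
  done
}

# Usage: review the output, then apply it on the host, for example
#   mke_rules worker 10.0.0.0/24 | sh
if [ -n "${1:-}" ]; then
  mke_rules "$1" "${2:-10.0.0.0/24}"
fi
```

A worker gets 13 rules and a manager 31 (TCP 7946 and UDP 7946 count separately); the External ports 443 and 6443 are the only ones accepted from arbitrary sources. The same three-way split (any source, cluster CIDR, loopback) maps directly onto firewalld zones or an nftables set if the host uses those instead. After the rules are in place, `ss -lnt` and `ss -lnu` on a node show which of these ports are actually listening, which is a quick way to spot a table entry that has been left at a non-default, configurable port.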