Open ports to incoming traffic
When installing MKE 4 on a host, you must open specific ports to incoming traffic.
| Protocol | Port | Process | Usage | Comments |
|---|---|---|---|---|
| TCP | 22 | etcd peers | Install node <-> (controller, worker) | |
| TCP | 2380 | etcd peers | controller <-> controller | |
| TCP | 6443 | kube-apiserver | Worker node, CLI => controller | Authenticated kube API using kube TLS client certs, ServiceAccount tokens with RBAC. |
| UDP | 4789 | Calico | Worker node | Calico VXLAN overlay. |
| TCP | 10250 | kubelet | Master, Worker => Host * | Authenticated kubelet API for the master node kube-apiserver (and heapster/metrics-server addons) using TLS client cert. |
| TCP | 9443 | k0s-api | controller <-> controller | k0s controller join API, TLS with token auth. |
| HTTP | 33000 | Ingress controller | | |
| HTTPS | 33001 | Ingress controller | | |
| TCP | 33001 | | | |
| HTTP | 18088 | etcd maintenance | | Currently bound only to localhost, and thus does not need to be open. |
| GRPC | 5557 | etcd maintenance | | Used for internal communication across services, and thus does not need to be opened externally to the cluster. Manager nodes, though, need to be able to communicate using this port. |
| TCP | 179 | Calico | controllers, worker nodes | BGP peers, used for Kubernetes networking. |
| TCP | 5473 | Calico | controllers, worker nodes | Calico-node connecting to typha. Only needed with the Calico CNI. Not needed if typha is disabled (that scenario is atypical). |
| TCP | 80 | mkectl | First two controllers and first two manager nodes, as listed in the hosts section of the MKE4.yaml configuration file. | Networking checks. |
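A practical way to use this table before an install is to turn it into a per-role checklist and probe each required TCP port from the node that must reach it. The following Python script is an added example, not Mirantis tooling or part of the MKE documentation: the `PortRule` rows transcribe the table above (the two localhost/internal-only ports, 18088 and 5557, are deliberately left out), the role names `controller` and `worker` follow the table's Usage column, and assigning the ingress ports 33000/33001 to workers is an assumption because the table leaves their Usage empty. The helper names (`required_ports`, `probe_tcp`, `unreachable`, `open_local_listener`) are likewise the example's own.

```python
"""Per-role inbound port checklist for an MKE 4 host, transcribed from the
port table above, plus a TCP reachability probe for pre-install checks.
Example code added to this page; not Mirantis tooling. Role names and the
ingress-port role assignment are assumptions (see the lead-in)."""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    proto: str          # "tcp" or "udp"
    port: int
    process: str        # Process column of the table
    roles: frozenset    # node roles that must accept this port inbound
    note: str = ""      # abbreviated Comments column


CONTROLLER, WORKER = "controller", "worker"
BOTH = frozenset({CONTROLLER, WORKER})
ONLY_CONTROLLER = frozenset({CONTROLLER})
ONLY_WORKER = frozenset({WORKER})

# Rows from the table. 18088 (localhost only) and 5557 (internal to the
# cluster) are omitted because the table says they need not be opened.
PORT_RULES = (
    PortRule("tcp", 22, "etcd peers", BOTH, "install node <-> controller, worker"),
    PortRule("tcp", 2380, "etcd peers", ONLY_CONTROLLER, "controller <-> controller"),
    PortRule("tcp", 6443, "kube-apiserver", ONLY_CONTROLLER, "worker, CLI => controller"),
    PortRule("udp", 4789, "Calico", ONLY_WORKER, "VXLAN overlay; cannot be probed by TCP connect"),
    PortRule("tcp", 10250, "kubelet", BOTH, "authenticated kubelet API"),
    PortRule("tcp", 9443, "k0s-api", ONLY_CONTROLLER, "controller join API"),
    PortRule("tcp", 33000, "Ingress controller", ONLY_WORKER, "HTTP; worker role is an assumption"),
    PortRule("tcp", 33001, "Ingress controller", ONLY_WORKER, "HTTPS; worker role is an assumption"),
    PortRule("tcp", 179, "Calico", BOTH, "BGP peers"),
    PortRule("tcp", 5473, "Calico", BOTH, "calico-node -> typha; only when typha is enabled"),
    PortRule("tcp", 80, "mkectl", ONLY_CONTROLLER, "first two controllers / manager nodes only"),
)


def required_ports(role):
    """All rows a node with the given role must accept inbound."""
    return [r for r in PORT_RULES if role in r.roles]


def probe_tcp(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within the timeout.
    A refused or filtered port (or a DNS failure) yields False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_required(host, role, timeout=2.0):
    """Map port -> reachable for the role's TCP rows. UDP rows (4789) are
    skipped: a connect() says nothing about a UDP listener."""
    return {r.port: probe_tcp(host, r.port, timeout)
            for r in required_ports(role) if r.proto == "tcp"}


def unreachable(host, role, timeout=2.0):
    """Sorted list of required TCP ports that did not answer on host."""
    return sorted(p for p, ok in probe_required(host, role, timeout).items() if not ok)


def open_local_listener():
    """Bind a loopback TCP listener on an ephemeral port (used to
    demonstrate the probe offline). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # usage: python check_ports.py <host> <controller|worker>
    target, node_role = sys.argv[1], sys.argv[2]
    for rule in required_ports(node_role):
        if rule.proto != "tcp":
            print(f"{rule.port}/{rule.proto:<4} {rule.process:<20} skipped (UDP): {rule.note}")
            continue
        state = "open" if probe_tcp(target, rule.port) else "NOT reachable"
        print(f"{rule.port}/{rule.proto:<4} {rule.process:<20} {state}: {rule.note}")
```

Run it from the node that needs to reach the target (for example from a worker against a controller with `worker` replaced by `controller`), since firewall rules are evaluated per source. A port reported as reachable only proves the TCP handshake completed; it does not validate the TLS or token authentication the table describes for 6443, 10250 and 9443.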