This document specifies network and port requirements for Kublr and Kublr-managed Kubernetes deployment.
Each Kubernetes cluster (including the cluster on which the Kublr Control Plane is running) requires IP network connectivity between all of its nodes, masters and workers alike. The set of open ports may be restricted by a firewall, but every master and worker node must be able to reach every other node on its IP address.
IP connectivity between nodes of different clusters is generally not required; different clusters may therefore use separate, even overlapping, IP address ranges.
Additionally, the Kublr Control Plane (KCP) must be able to reach at least one Kubernetes API endpoint of each managed cluster and the API of the infrastructure (e.g. cloud) provider; for on-prem (bring-your-own-infrastructure) deployments it must also reach the managed clusters' master nodes.
Kublr and Kubernetes components communicate over the TCP/UDP ports listed below. If hosts are separated by a firewall, these ports must be open between them. Some ports are only needed for a particular network plugin or deployment type; the "Conditions" column states when a port is required.
In the following tables the term "Node" is used as a generalization of "Master and/or Worker node".
Ports that must be open between all nodes of a cluster (node to node). The Kubelet API port is always required; the remaining entries depend on the network plugin (CNI) in use, so only the rows for the selected plugin apply.
Port | Protocol | Conditions | Notes |
---|---|---|---|
10250 | TCP | Always | Kubelet API |
8472 | UDP | Canal (default) | Canal VXLAN overlay |
5473 | TCP | Canal (default) | Calico Typha |
n/a | IP-in-IP (IP protocol 4) | Calico | Calico IP-in-IP encapsulation; this is an IP protocol, not a TCP/UDP port, so the firewall must permit protocol 4 between nodes |
179 | TCP | Calico | Calico BGP |
8472 | UDP | Calico | Calico VXLAN/Flannel |
5473 | TCP | Calico | Calico Typha |
6783 | TCP/UDP | Weave | Weave |
6784 | UDP | Weave | Weave |
8285 | UDP | Flannel | Flannel |
8472 | UDP | Flannel | Flannel |
Ports that must be open on master nodes for all nodes of the cluster (node to master):
Port | Protocol | Conditions | Notes |
---|---|---|---|
443 | TCP | Always | Kubernetes API |
11250 | TCP | Bring-your-own-infrastructure | Workers need access to the bare-metal clusters' masters' secret store |
Ports that must be open between master nodes (master to master):
Port | Protocol | Conditions | Notes |
---|---|---|---|
2379 | TCP | etcd | etcd client API |
2380 | TCP | etcd | etcd peer communication |
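The node-to-node, node-to-master and master-to-master tables above are easy to misread when a firewall is configured by hand (for example, opening 2379/2380 on workers, or forgetting that Calico IP-in-IP is a protocol rather than a port). The following script is an added example, not Kublr's own tooling: it encodes the three tables as data, derives the inbound allowlist for a master or worker given the network plugin, renders it as iptables commands, and probes the TCP ports a node must reach on its peers before the cluster is created. The port numbers and conditions come from this page; the chain name KUBLR-PEERS, the node subnet 10.0.0.0/24, the sample addresses and the probe timeout are this example's own assumptions.

```python
"""Preflight helper for the intra-cluster port matrix on this page.

Added example, not Kublr's own tooling. Port numbers and conditions come
from the node-to-node, node-to-master and master-to-master tables; the
iptables chain name, sample addresses and probe timeout are assumptions.
"""
import socket
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    port: Optional[int]   # None for protocols that carry no port (IP-in-IP)
    proto: str            # "tcp", "udp" or "ipip"
    note: str


# Node to node: required on every master and worker regardless of CNI.
NODE_TO_NODE_COMMON = [Rule(10250, "tcp", "Kubelet API")]

# Node to node: plugin-specific overlay, BGP and Typha ports.
CNI_PORTS = {
    "canal": [Rule(8472, "udp", "Canal VXLAN"),
              Rule(5473, "tcp", "Calico Typha")],
    "calico": [Rule(None, "ipip", "Calico IP-in-IP (IP protocol 4)"),
               Rule(179, "tcp", "Calico BGP"),
               Rule(8472, "udp", "Calico VXLAN"),
               Rule(5473, "tcp", "Calico Typha")],
    "weave": [Rule(6783, "tcp", "Weave"), Rule(6783, "udp", "Weave"),
              Rule(6784, "udp", "Weave")],
    "flannel": [Rule(8285, "udp", "Flannel UDP backend"),
                Rule(8472, "udp", "Flannel VXLAN")],
}

# Node to master: accepted by masters from every node (and from KCP).
MASTER_FROM_NODES = [Rule(443, "tcp", "Kubernetes API")]
MASTER_FROM_NODES_BYOI = [Rule(11250, "tcp", "Kublr secret store (bring-your-own-infrastructure)")]

# Master to master: etcd.
MASTER_TO_MASTER = [Rule(2379, "tcp", "etcd client"), Rule(2380, "tcp", "etcd peer")]


def inbound_rules(role, cni, byo_infrastructure=False):
    """Inbound allowlist (traffic from other cluster nodes) for a master or worker."""
    if cni not in CNI_PORTS:
        raise ValueError(f"unknown network plugin: {cni}")
    if role not in ("master", "worker"):
        raise ValueError(f"unknown role: {role}")
    rules = NODE_TO_NODE_COMMON + CNI_PORTS[cni]
    if role == "master":
        rules = rules + MASTER_FROM_NODES + MASTER_TO_MASTER
        if byo_infrastructure:
            rules = rules + MASTER_FROM_NODES_BYOI
    return rules


def iptables_lines(rules, node_cidr, chain="KUBLR-PEERS"):
    """Render rules as iptables commands that accept the listed traffic only
    from the cluster's node subnet; everything else is left to INPUT's policy."""
    lines = [f"iptables -N {chain}",
             f"iptables -A INPUT -s {node_cidr} -j {chain}"]
    for r in rules:
        # IP-in-IP is matched by protocol number; it has no destination port.
        match = "-p 4" if r.proto == "ipip" else f"-p {r.proto} --dport {r.port}"
        lines.append(f"iptables -A {chain} {match} -m comment --comment '{r.note}' -j ACCEPT")
    return lines


def outbound_tcp_targets(role, cni, nodes, masters, byo_infrastructure=False):
    """(host, port, note) triples this node must reach over TCP.
    UDP and IP-in-IP cannot be verified with a connect() probe and are skipped."""
    targets = [(host, r.port, r.note)
               for host in nodes
               for r in NODE_TO_NODE_COMMON + CNI_PORTS[cni] if r.proto == "tcp"]
    master_rules = list(MASTER_FROM_NODES)
    if byo_infrastructure:
        master_rules += MASTER_FROM_NODES_BYOI
    if role == "master":
        master_rules += MASTER_TO_MASTER
    targets += [(host, r.port, r.note) for host in masters for r in master_rules]
    return targets


def probe_tcp(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def preflight(role, cni, nodes, masters, byo_infrastructure=False):
    """Probe every required TCP target and return the unreachable ones."""
    return [t for t in outbound_tcp_targets(role, cni, nodes, masters, byo_infrastructure)
            if not probe_tcp(t[0], t[1])]


if __name__ == "__main__":
    # Constructed sample: a worker joining a 3-master Canal cluster (addresses are made up).
    masters = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    peers = masters + ["10.0.0.21"]
    for line in iptables_lines(inbound_rules("worker", "canal"), "10.0.0.0/24"):
        print(line)
    for host, port, note in preflight("worker", "canal", peers, masters):
        print(f"BLOCKED {host}:{port}/tcp ({note})")
```

Run it on a node before installation and treat any BLOCKED line as a firewall rule to fix; UDP overlay ports (8472, 8285, 6783/6784) are not covered by the probe and should be checked with the plugin's own diagnostics once pods are scheduled.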
Connectivity between cluster nodes and systems outside the cluster (DNS, binary repositories, load balancers):
Port | Protocol | Source | Destination | Conditions | Notes |
---|---|---|---|---|---|
53 | TCP/UDP | Node | Internet | non-air-gap deployment | DNS |
443 | TCP | Node | Internet | non-air-gap deployment | HTTPS to binary repositories |
53 | TCP/UDP | Node | Intranet | air-gap deployment | Intra-organizational DNS |
443 | TCP | Node | Intranet | air-gap deployment | Intra-organizational binary repository(ies) |
443 | TCP | Master LB | Master | master LB | If a master LB is used, it must have access to the masters |
30000-32767 | TCP/UDP | Ingress LB | Workers | ingress LB | If an ingress LB is used, it must have access to the worker nodes' service NodePort range (usually 30000-32767) or to the specific port configured for the ingress controller |
Connectivity required by the Kublr Control Plane (KCP) towards managed clusters and infrastructure providers:
Port | Protocol | Source | Destination | Conditions | Notes |
---|---|---|---|---|---|
443 | TCP | KCP Nodes | Managed Clusters' K8S API | Always | KCP needs access to the managed K8S clusters' API |
443 | TCP | KCP Nodes | Cloud/infra API | Cloud/infrastructure provider deployment | KCP needs access to the cloud/infrastructure providers' API |
11250 | TCP | KCP Nodes | Managed Clusters' Masters | Bring-your-own-infrastructure | KCP needs access to the bare-metal clusters' masters' secret store |