Skip to main content

Kubernetes

Self-hosted Kubernetes

Following this handbook in Chinese.

Install kubeadm

Required ports

When running Kubernetes in an environment with strict network boundaries, such as on-premises datacenter with physical network firewalls or Virtual Networks in Public Cloud, it is useful to be aware of the ports and protocols used by Kubernetes components.

Control plane (Master)

ProtocolDirectionPort RangePurposeUsed By
TCPInbound6443Kubernetes API serverAll
TCPInbound2379-2380etcd server client APIkube-apiserver, etcd
TCPInbound10250Kubelet APISelf, Control plane
TCPInbound10259kube-schedulerSelf
TCPInbound10257kube-controller-managerSelf

Although etcd ports are included in control plane section, you can also host your own. etcd cluster externally or on custom ports.

On Ubuntu, you should configure the ufw(Ubuntu firewall) to allow the ports.

for p in "6443/tcp" "2379:2380/tcp" "10250/tcp" "10259/tcp" "10257/tcp"; do sudo ufw allow "$p"; done

Worker node(s)

ProtocolDirectionPort RangePurposeUsed By
TCPInbound10250Kubelet APISelf, Control plane
TCPInbound10256kube-proxySelf, Load balancers
TCPInbound30000-32767NodePort ServicesAll

† Default port range for NodePort Services.

All default port numbers can be overridden. When custom ports are used those ports need to be open instead of defaults mentioned here.

On Ubuntu, you should configure the ufw(Ubuntu firewall) to allow the ports.

for p in "10250/tcp" "10256/tcp" "30000:32767/tcp"; do sudo ufw allow "$p"; done

One common example is API server port that is sometimes switched to 443. Alternatively, the default port is kept as is and API server is put behind a load balancer that listens on 443 and routes the requests to API server on the default port.