Whether you’re configuring Rancher to run in a single-node or high-availability setup, each node running Rancher Server must meet the following requirements.

Rancher is supported on the following operating systems and their subsequent non-major releases with a supported version of Docker.

  • Ubuntu 16.04 (64-bit)
    • Docker 17.03.2
  • Red Hat Enterprise Linux (RHEL)/CentOS 7.5 (64-bit)
    • RHEL Docker 1.13
    • Docker 17.03.2
  • RancherOS 1.4 (64-bit)
    • Docker 17.03.2
  • Windows Server version 1803 (64-bit)
    • Docker 17.06

If you are using RancherOS, make sure you switch the Docker engine to a supported version using:
sudo ros engine switch docker-17.03.2-ce

Docker Documentation: Installation Instructions

Hardware requirements scale based on the size of your Rancher deployment. Provision each individual node according to the requirements.

| Deployment Size | Clusters | Nodes | vCPUs | RAM |
|---|---|---|---|---|
| Small | Up to 5 | Up to 50 | 4 | 16GB |
| Medium | Up to 100 | Up to 500 | 8 | 32GB |
| Large | Over 100 | Over 500 | Contact Rancher | Contact Rancher |

Node IP address

Each node, whether used for the Single Node Install, the High Availability (HA) Install, or as a cluster node, should have a static IP configured. If DHCP is used, the node should have a DHCP reservation so that it is always allocated the same IP address.

Port requirements

When deploying Rancher in an HA cluster, certain ports on your nodes must be open to allow communication with Rancher. Which ports must be open depends on the type of machine hosting your cluster nodes. For example, if you are deploying Rancher on nodes hosted by an infrastructure provider, port 22 must be open for SSH. The following tables list the ports that must be opened for each node type.


Rancher nodes:
Nodes running the rancher/rancher container

Rancher nodes - Inbound rules

| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 80 | Load balancer/proxy that does external SSL termination | Rancher UI/API when external SSL termination is used |
| TCP | 443 | etcd nodes, controlplane nodes, worker nodes, Hosted/Imported Kubernetes, any that needs to be able to use UI/API | Rancher agent, Rancher UI/API, kubectl |

Rancher nodes - Outbound rules

| Protocol | Port | Destination | Description |
|---|---|---|---|
| TCP | 22 | Any node IP from a node created using Node Driver | SSH provisioning of nodes using Node Driver |
| TCP | 443 | 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 | git.rancher.io (catalogs) |
| TCP | 2376 | Any node IP from a node created using Node Driver | Docker daemon TLS port used by Docker Machine |
| TCP | 6443 | Hosted/Imported Kubernetes API | Kubernetes apiserver |

etcd nodes:
Nodes with the role etcd

etcd nodes - Inbound rules

| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
| TCP | 2379 | etcd nodes, controlplane nodes | etcd client requests |
| TCP | 2380 | etcd nodes, controlplane nodes | etcd peer communication |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | etcd node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10250 | controlplane nodes | kubelet |

etcd nodes - Outbound rules

| Protocol | Port | Destination | Description |
|---|---|---|---|
| TCP | 443 | Rancher nodes | Rancher agent |
| TCP | 2379 | etcd nodes | etcd client requests |
| TCP | 2380 | etcd nodes | etcd peer communication |
| TCP | 6443 | controlplane nodes | Kubernetes apiserver |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | etcd node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |

controlplane nodes:
Nodes with the role controlplane

controlplane nodes - Inbound rules

| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 80 | Any that consumes Ingress services | Ingress controller (HTTP) |
| TCP | 443 | Any that consumes Ingress services | Ingress controller (HTTPS) |
| TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
| TCP | 6443 | etcd nodes, controlplane nodes, worker nodes | Kubernetes apiserver |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | controlplane node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10250 | controlplane nodes | kubelet |
| TCP | 10254 | controlplane node itself (local traffic, not across nodes; see Information on local node traffic) | Ingress controller livenessProbe/readinessProbe |
| TCP/UDP | 30000-32767 | Any source that consumes NodePort services | NodePort port range |

controlplane nodes - Outbound rules

| Protocol | Port | Destination | Description |
|---|---|---|---|
| TCP | 443 | Rancher nodes | Rancher agent |
| TCP | 2379 | etcd nodes | etcd client requests |
| TCP | 2380 | etcd nodes | etcd peer communication |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | controlplane node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10250 | etcd nodes, controlplane nodes, worker nodes | kubelet |
| TCP | 10254 | controlplane node itself (local traffic, not across nodes; see Information on local node traffic) | Ingress controller livenessProbe/readinessProbe |

worker nodes:
Nodes with the role worker

worker nodes - Inbound rules

| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 80 | Any that consumes Ingress services | Ingress controller (HTTP) |
| TCP | 443 | Any that consumes Ingress services | Ingress controller (HTTPS) |
| TCP | 2376 | Rancher nodes | Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates) |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | worker node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10250 | controlplane nodes | kubelet |
| TCP | 10254 | worker node itself (local traffic, not across nodes; see Information on local node traffic) | Ingress controller livenessProbe/readinessProbe |
| TCP/UDP | 30000-32767 | Any source that consumes NodePort services | NodePort port range |

worker nodes - Outbound rules

| Protocol | Port | Destination | Description |
|---|---|---|---|
| TCP | 443 | Rancher nodes | Rancher agent |
| TCP | 6443 | controlplane nodes | Kubernetes apiserver |
| UDP | 8472 | etcd nodes, controlplane nodes, worker nodes | Canal/Flannel VXLAN overlay networking |
| TCP | 9099 | worker node itself (local traffic, not across nodes; see Information on local node traffic) | Canal/Flannel livenessProbe/readinessProbe |
| TCP | 10254 | worker node itself (local traffic, not across nodes; see Information on local node traffic) | Ingress controller livenessProbe/readinessProbe |

Information on local node traffic

Kubernetes health checks (livenessProbe and readinessProbe) are executed on the host itself. On most nodes this is allowed by default. When you have applied strict host firewall (e.g. iptables) policies on the node, or when you are using nodes that have multiple interfaces (multihomed), this traffic gets blocked. In that case you have to explicitly allow it in your host firewall or, for machines hosted in a public/private cloud (e.g. AWS or OpenStack), in your security group configuration. Keep in mind that when you use a security group as the Source or Destination of a security group rule, the rule only applies to the private interface of the nodes/instances.

Amazon EC2 security group when using Node Driver

If you are Creating an Amazon EC2 Cluster (/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/ec2/), you can choose to let Rancher create a Security Group called rancher-nodes. The following rules are automatically added to this Security Group.

Security group: rancher-nodes

Inbound rules

| Type | Protocol | Port Range | Source |
|---|---|---|---|
| SSH | TCP | 22 | 0.0.0.0/0 |
| HTTP | TCP | 80 | 0.0.0.0/0 |
| Custom TCP Rule | TCP | 443 | 0.0.0.0/0 |
| Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 |
| Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) |
| Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) |
| Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 |
| Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) |
| Custom TCP Rule | TCP | 10250-10252 | sg-xxx (rancher-nodes) |
| Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) |
| Custom TCP Rule | TCP | 30000-32767 | 0.0.0.0/0 |
| Custom UDP Rule | UDP | 30000-32767 | 0.0.0.0/0 |

Outbound rules

| Type | Protocol | Port Range | Destination |
|---|---|---|---|
| All traffic | All | All | 0.0.0.0/0 |
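As an added example that is not part of the Rancher documentation or Rancher's own tooling, the script below serves both the per-role port tables above and this security-group section: it transcribes the per-role inbound rules into data, renders least-privilege host-firewall rules for one node (including the node-itself rows described under "Information on local node traffic"), and audits the auto-created rancher-nodes security group against those tables. The node IPs, the group membership and the sg-xxx id are constructed placeholders; the iptables lines are only printed, never applied.

```python
"""Added example (not Rancher's code): transcribe the per-role port tables on
this page into data, render host-firewall rules for one node, and audit a
security-group rule list against the tables. Input IPs and group ids are
constructed placeholders; rules are printed, never applied."""

ANY, SELF, RANCHER = {"any"}, {"self"}, {"rancher"}
CLUSTER, ETCD_CP = {"etcd", "controlplane", "worker"}, {"etcd", "controlplane"}

# Inbound rules per role, transcribed from the tables above as
# (protocol, port or (low, high), allowed source groups). "self" is the
# node's own address (livenessProbe/readinessProbe traffic, see "Information
# on local node traffic"); "any" is a port the page leaves open to consumers.
INBOUND = {
    "etcd": [("tcp", 2376, RANCHER), ("tcp", 2379, ETCD_CP), ("tcp", 2380, ETCD_CP),
             ("udp", 8472, CLUSTER), ("tcp", 9099, SELF), ("tcp", 10250, {"controlplane"})],
    "controlplane": [("tcp", 80, ANY), ("tcp", 443, ANY), ("tcp", 2376, RANCHER),
                     ("tcp", 6443, CLUSTER), ("udp", 8472, CLUSTER), ("tcp", 9099, SELF),
                     ("tcp", 10250, {"controlplane"}), ("tcp", 10254, SELF),
                     ("tcp", (30000, 32767), ANY), ("udp", (30000, 32767), ANY)],
    "worker": [("tcp", 80, ANY), ("tcp", 443, ANY), ("tcp", 2376, RANCHER),
               ("udp", 8472, CLUSTER), ("tcp", 9099, SELF), ("tcp", 10250, {"controlplane"}),
               ("tcp", 10254, SELF), ("tcp", (30000, 32767), ANY), ("udp", (30000, 32767), ANY)],
}
# Only for nodes created through Node Driver: the Rancher-node outbound table
# reaches them on TCP 22 for SSH provisioning (2376 is already in each role).
NODE_DRIVER_EXTRA = [("tcp", 22, RANCHER)]


def required_inbound(roles, node_driver=True):
    """Merge role tables into {(proto, (low, high)): source groups}; a node with
    several roles needs the union of sources, and 'any' stays 'any'."""
    merged = {}
    entries = [e for role in roles for e in INBOUND[role]]
    if node_driver:
        entries += NODE_DRIVER_EXTRA
    for proto, port, sources in entries:
        key = (proto, port if isinstance(port, tuple) else (port, port))
        merged[key] = merged.get(key, set()) | sources
        if "any" in merged[key]:
            merged[key] = set(ANY)
    return merged


def iptables_rules(roles, groups, self_ip, node_driver=True):
    """Render ACCEPT rules in iptables syntax for one node. `groups` maps a
    source group to its node IPs; `self_ip` satisfies the local-traffic rows."""
    rules = []
    for (proto, (lo, hi)), sources in sorted(required_inbound(roles, node_driver).items()):
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        if sources == ANY:
            rules.append(f"iptables -A INPUT -p {proto} --dport {dport} -j ACCEPT")
            continue
        addrs = set()
        for group in sources:
            addrs.update([self_ip] if group == "self" else groups.get(group, []))
        for addr in sorted(addrs):
            rules.append(f"iptables -A INPUT -p {proto} --dport {dport} -s {addr} -j ACCEPT")
    return rules


def audit_security_group(sg_rules, roles, node_driver=True):
    """Flag security-group inbound rules that are wider than the role tables.
    sg_rules entries are (proto, (low, high), source CIDR or group id).
    Returns ("overbroad", rule, required groups) for 0.0.0.0/0 on a port the
    tables scope to node groups, and ("not_in_tables", rule, None) for a port
    that no role table lists."""
    required = required_inbound(roles, node_driver)
    findings = []
    for proto, (lo, hi), source in sg_rules:
        hits = [srcs for (p, (rlo, rhi)), srcs in required.items()
                if p == proto and rlo <= hi and lo <= rhi]
        if not hits:
            findings.append(("not_in_tables", (proto, (lo, hi), source), None))
        elif source == "0.0.0.0/0" and not any("any" in s for s in hits):
            findings.append(("overbroad", (proto, (lo, hi), source), set().union(*hits)))
    return findings


# The rancher-nodes security group as listed on this page ("sg-xxx" is the
# page's placeholder for the group's own id).
RANCHER_NODES_SG = [
    ("tcp", (22, 22), "0.0.0.0/0"), ("tcp", (80, 80), "0.0.0.0/0"),
    ("tcp", (443, 443), "0.0.0.0/0"), ("tcp", (2376, 2376), "0.0.0.0/0"),
    ("tcp", (2379, 2380), "sg-xxx"), ("udp", (4789, 4789), "sg-xxx"),
    ("tcp", (6443, 6443), "0.0.0.0/0"), ("udp", (8472, 8472), "sg-xxx"),
    ("tcp", (10250, 10252), "sg-xxx"), ("tcp", (10256, 10256), "sg-xxx"),
    ("tcp", (30000, 32767), "0.0.0.0/0"), ("udp", (30000, 32767), "0.0.0.0/0"),
]

if __name__ == "__main__":
    # Constructed layout: one Rancher node, two etcd+controlplane nodes, two
    # workers; render the host firewall of the first worker, then audit the SG.
    groups = {"rancher": ["10.0.0.5"], "etcd": ["10.0.1.1", "10.0.1.2"],
              "controlplane": ["10.0.1.1", "10.0.1.2"], "worker": ["10.0.2.1", "10.0.2.2"]}
    print("\n".join(iptables_rules(["worker"], groups, "10.0.2.1")))
    for kind, rule, needed in audit_security_group(RANCHER_NODES_SG, sorted(CLUSTER)):
        print(kind, rule, sorted(needed) if needed else "")
```

Run against the rancher-nodes group with all three roles, the audit reports TCP 22, 2376 and 6443 as open to 0.0.0.0/0 where the per-role tables above name specific node groups as the source, which are the rules to narrow to the Rancher nodes' and cluster nodes' addresses once the cluster is provisioned; UDP 4789 and TCP 10256 are reported only because the per-role tables on this page do not list them, so check what they serve in your deployment before keeping or dropping them. The rendered iptables lines show the "node itself" rows (9099, 10254) sourced from the node's own IP, which is the explicit allow the local-traffic section asks for on strictly firewalled or multihomed hosts.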