To operate properly, Rancher requires a number of ports to be open on Rancher nodes and on downstream Kubernetes cluster nodes.
The following table lists the ports that need to be open to and from nodes that are running the Rancher server.
The port requirements differ based on the Rancher server architecture.
As of Rancher v2.5, Rancher can be installed on any Kubernetes cluster. For Rancher installs on a K3s, RKE, or RKE2 Kubernetes cluster, refer to the tabs below. For other Kubernetes distributions, refer to the distribution’s documentation for the port requirements for cluster nodes.
Notes: Rancher nodes may also require additional outbound access for any external authentication provider which is configured (LDAP for example). Kubernetes recommends TCP 30000-32767 for node port services. For firewalls, traffic may need to be enabled within the cluster and pod CIDR.
Notes:
The K3s server needs port 6443 to be accessible by the nodes.
The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s.
If you wish to utilize the metrics server, you will need to open port 10250 on each node.
Important: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472.
The following tables break down the port requirements for inbound and outbound traffic:
Typically Rancher is installed on three RKE nodes that all have the etcd, control plane and worker roles.
The following tables break down the port requirements for traffic between the Rancher nodes:
The RancherD (or RKE2) server needs ports 6443 and 9345 to be accessible by the other nodes in the cluster.
All nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used.
Typically all outbound traffic is allowed.
The following tables break down the port requirements for Rancher nodes, for inbound and outbound traffic:
When deploying Rancher into a Google Kubernetes Engine private cluster, the nodes where Rancher runs must be accessible from the control plane, that is, from the control plane's /28 IP range.
Downstream Kubernetes clusters run your apps and services. This section describes what ports need to be opened on the nodes in downstream clusters so that Rancher can communicate with them.
The port requirements differ depending on how the downstream cluster was launched. Each of the tabs below list the ports that need to be opened for different cluster types.
The following diagram depicts the ports that are opened for each cluster type.
Tip: If security isn’t a large concern and you’re okay with opening a few additional ports, you can use the table in Commonly Used Ports as your port reference instead of the comprehensive tables below.
The following table depicts the port requirements for Rancher Launched Kubernetes with nodes created in an Infrastructure Provider.
Note: The required ports are automatically opened by Rancher during creation of clusters in cloud providers like Amazon EC2 or DigitalOcean.
The following table depicts the port requirements for Rancher Launched Kubernetes with Custom Nodes.
The following table depicts the port requirements for hosted clusters.
Note: Registered clusters were called imported clusters before Rancher v2.5.
The following table depicts the port requirements for imported clusters.
These ports are typically opened on your Kubernetes nodes, regardless of what type of cluster it is.
Ports marked as local traffic (e.g., 9099 TCP) in the above requirements are used for Kubernetes health checks (livenessProbe and readinessProbe). These health checks are executed on the node itself. In most cloud environments, this local traffic is allowed by default.
However, this traffic may be blocked when:
In these cases, you have to explicitly allow this traffic in your host firewall or, for machines hosted in a public or private cloud (e.g., AWS or OpenStack), in your security group configuration. Keep in mind that when a security group is used as the source or destination of a rule, the explicitly opened ports only apply to the private interface of the nodes / instances.
When using the AWS EC2 node driver to provision cluster nodes in Rancher, you can choose to let Rancher create a security group called rancher-nodes. The following rules are automatically added to this security group.
SUSE Linux may have a firewall that blocks all ports by default. To open the ports needed for adding the host to a custom cluster, edit /etc/sysconfig/SuSEfirewall2 so that it contains the following settings, then apply them by running the SuSEfirewall2 command:
FW_SERVICES_EXT_TCP="22 80 443 2376 2379 2380 6443 9099 9796 10250 10254 30000:32767" FW_SERVICES_EXT_UDP="8472 30000:32767" FW_ROUTE=yes
Result: The node has the open ports required to be added to a custom cluster.
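As an added example (not Rancher's own tooling), the following Python audit parses a SuSEfirewall2 configuration like the one above, expands its port lists, checks that the ports this page requires for a custom-cluster node are open in either the external or the internal zone, and flags whether UDP 8472 (Flannel VXLAN, which the K3s and RKE notes above say must not face the internet) is open on the external zone. The FW_SERVICES_INT_* variables and the split-zone sample are assumptions about how the node's interfaces are zoned.

```python
import re

# Ports the page lists for adding a SUSE host to a custom cluster, taken from the
# SuSEfirewall2 line above (TCP list plus the Kubernetes NodePort range, and UDP 8472).
REQUIRED_TCP = {22, 80, 443, 2376, 2379, 2380, 6443, 9099, 9796, 10250, 10254}
REQUIRED_TCP.update(range(30000, 32768))
REQUIRED_UDP = {8472}
VXLAN_UDP = 8472  # Flannel VXLAN; the page says this port must not be reachable from the internet


def expand(spec):
    """Expand a SuSEfirewall2 service list such as '22 443 30000:32767' into a set of ports."""
    ports = set()
    for tok in spec.split():
        if ":" in tok:
            lo, hi = (int(x) for x in tok.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_susefirewall2(text):
    """Collect FW_* assignments (quoted or bare values); a later assignment overrides an earlier one."""
    out = {}
    for m in re.finditer(r'(FW_\w+)=(?:"([^"]*)"|(\S*))', text):
        out[m.group(1)] = (m.group(2) if m.group(2) is not None else m.group(3)).strip()
    return out


def audit(config):
    """Report required ports missing from the EXT and INT zones, and whether VXLAN is open on EXT."""
    v = parse_susefirewall2(config)
    ext_tcp = expand(v.get("FW_SERVICES_EXT_TCP", ""))
    ext_udp = expand(v.get("FW_SERVICES_EXT_UDP", ""))
    int_tcp = expand(v.get("FW_SERVICES_INT_TCP", ""))  # INT zone: assumed interface layout
    int_udp = expand(v.get("FW_SERVICES_INT_UDP", ""))
    return {
        "missing_tcp": sorted(REQUIRED_TCP - (ext_tcp | int_tcp)),
        "missing_udp": sorted(REQUIRED_UDP - (ext_udp | int_udp)),
        "vxlan_on_external_zone": VXLAN_UDP in ext_udp,
    }


# Sample 1 is the page's own line. Sample 2 is constructed: VXLAN moved to the internal zone,
# which assumes the cluster-facing interface is assigned to SuSEfirewall2's "int" zone.
PAGE_CONFIG = ('FW_SERVICES_EXT_TCP="22 80 443 2376 2379 2380 6443 9099 9796 10250 10254 30000:32767" '
               'FW_SERVICES_EXT_UDP="8472 30000:32767" FW_ROUTE=yes')
SPLIT_ZONE_CONFIG = ('FW_SERVICES_EXT_TCP="22 80 443 2376 2379 2380 6443 9099 9796 10250 10254 30000:32767"\n'
                     'FW_SERVICES_EXT_UDP="30000:32767"\nFW_SERVICES_INT_UDP="8472"\nFW_ROUTE=yes')

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("split-zone", SPLIT_ZONE_CONFIG)):
        print(name, audit(cfg))
```

Running the audit against the page's own line reports no missing ports but does flag VXLAN on the external zone, which is exactly the case the Important note above expects you to cover with a firewall or security group in front of the node.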