Port Requirements
import PortsIaasNodes from '@site/src/components/PortsIaasNodes' import PortsCustomNodes from '@site/src/components/PortsCustomNodes' import PortsImportedHosted from '@site/src/components/PortsImportedHosted'
To operate properly, Rancher requires a number of ports to be open on Rancher nodes and on downstream Kubernetes cluster nodes.
Rancher Nodes
The following table lists the ports that need to be open to and from nodes that are running the Rancher server.
The port requirements differ based on the Rancher server architecture.
Rancher can be installed on any Kubernetes cluster. For Rancher installs on a K3s, RKE, or RKE2 Kubernetes cluster, refer to the tabs below. For other Kubernetes distributions, refer to the distribution’s documentation for the port requirements for cluster nodes.
Notes:
|
Ports for Rancher Server Nodes on SUSE® Rancher Prime: K3s
Click to expand
The K3s server needs port 6443 to be accessible by the nodes.
The nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used. The node should not listen on any other port. K3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. However, if you do not use Flannel and provide your own custom CNI, then port 8472 is not needed by K3s.
If you wish to utilize the metrics server, you will need to open port 10250 on each node.
Important:
The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. |
The following tables break down the port requirements for inbound and outbound traffic:
Protocol | Port | Source | Description |
---|---|---|---|
TCP |
80 |
Load balancer/proxy that does external SSL termination |
Rancher UI/API when external SSL termination is used |
TCP |
443 |
<ul><li>server nodes</li><li>agent nodes</li><li>hosted/registered Kubernetes</li><li>any source that needs to be able to use the Rancher UI or API</li></ul> |
Rancher agent, Rancher UI/API, kubectl |
TCP |
6443 |
K3s server nodes |
Kubernetes API |
UDP |
8472 |
K3s server and agent nodes |
Required only for Flannel VXLAN. |
TCP |
10250 |
K3s server and agent nodes |
kubelet |
Protocol | Port | Destination | Description |
---|---|---|---|
TCP |
22 |
Any node IP from a node created using Node Driver |
SSH provisioning of nodes using Node Driver |
TCP |
443 |
git.rancher.io |
Rancher catalog |
TCP |
2376 |
Any node IP from a node created using Node driver |
Docker daemon TLS port used by Docker Machine |
TCP |
6443 |
Hosted/Imported Kubernetes API |
Kubernetes API server |
Ports for Rancher Server Nodes on RKE
Click to expand
Typically Rancher is installed on three RKE nodes that all have the etcd, control plane and worker roles.
The following tables break down the port requirements for traffic between the Rancher nodes:
Protocol | Port | Description |
---|---|---|
TCP |
443 |
Rancher agents |
TCP |
2379 |
etcd client requests |
TCP |
2380 |
etcd peer communication |
TCP |
6443 |
Kubernetes apiserver |
TCP |
8443 |
Nginx Ingress’s Validating Webhook |
UDP |
8472 |
Canal/Flannel VXLAN overlay networking |
TCP |
9099 |
Canal/Flannel livenessProbe/readinessProbe |
TCP |
10250 |
Metrics server communication with all nodes |
TCP |
10254 |
Ingress controller livenessProbe/readinessProbe |
The following tables break down the port requirements for inbound and outbound traffic:
Protocol | Port | Source | Description |
---|---|---|---|
TCP |
22 |
RKE CLI |
SSH provisioning of node by RKE |
TCP |
80 |
Load Balancer/Reverse Proxy |
HTTP traffic to Rancher UI/API |
TCP |
443 |
<ul><li>Load Balancer/Reverse Proxy</li><li>IPs of all cluster nodes and other API/UI clients</li></ul> |
HTTPS traffic to Rancher UI/API |
TCP |
6443 |
Kubernetes API clients |
HTTPS traffic to Kubernetes API |
Protocol | Port | Destination | Description |
---|---|---|---|
TCP |
443 |
git.rancher.io |
Rancher catalog |
TCP |
22 |
Any node created using a node driver |
SSH provisioning of node by node driver |
TCP |
2376 |
Any node created using a node driver |
Docker daemon TLS port used by node driver |
TCP |
6443 |
Hosted/Imported Kubernetes API |
Kubernetes API server |
TCP |
Provider dependent |
Port of the Kubernetes API endpoint in hosted cluster |
Kubernetes API |
Ports for Rancher Server Nodes on SUSE® Rancher Prime: RKE2
Click to expand
The RKE2 server needs port 6443 and 9345 to be accessible by other nodes in the cluster.
All nodes need to be able to reach other nodes over UDP port 8472 when Flannel VXLAN is used.
If you wish to utilize the metrics server, you will need to open port 10250 on each node.
Important:
The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disables access to port 8472. |
Protocol | Port | Source | Description |
---|---|---|---|
TCP |
9345 |
RKE2 server and agent nodes |
Node registration. Port should be open on all server nodes to all other nodes in the cluster. |
TCP |
6443 |
RKE2 agent nodes |
Kubernetes API |
UDP |
8472 |
RKE2 server and agent nodes |
Required only for Flannel VXLAN |
TCP |
10250 |
RKE2 server and agent nodes |
kubelet |
TCP |
2379 |
RKE2 server nodes |
etcd client port |
TCP |
2380 |
RKE2 server nodes |
etcd peer port |
TCP |
30000-32767 |
RKE2 server and agent nodes |
NodePort port range. Can use TCP or UDP. |
TCP |
5473 |
Calico-node pod connecting to typha pod |
Required when deploying with Calico |
HTTP |
80 |
Load balancer/proxy that does external SSL termination |
Rancher UI/API when external SSL termination is used |
HTTPS |
443 |
<ul><li>hosted/registered Kubernetes</li><li>any source that needs to be able to use the Rancher UI or API</li></ul> |
Rancher agent, Rancher UI/API, kubectl. Not needed if you have a load balancer doing TLS termination. |
Typically all outbound traffic is allowed.
Ports for Rancher Server in Docker
Click to expand
The following tables break down the port requirements for Rancher nodes, for inbound and outbound traffic:
Protocol | Port | Source | Description |
---|---|---|---|
TCP |
80 |
Load balancer/proxy that does external SSL termination |
Rancher UI/API when external SSL termination is used |
TCP |
443 |
<ul><li>hosted/registered Kubernetes</li><li>any source that needs to be able to use the Rancher UI or API</li></ul> |
Rancher agent, Rancher UI/API, kubectl |
Protocol | Port | Source | Description |
---|---|---|---|
TCP |
22 |
Any node IP from a node created using Node Driver |
SSH provisioning of nodes using Node Driver |
TCP |
443 |
git.rancher.io |
Rancher catalog |
TCP |
2376 |
Any node IP from a node created using a node driver |
Docker daemon TLS port used by Docker Machine |
TCP |
6443 |
Hosted/Imported Kubernetes API |
Kubernetes API server |
Downstream Kubernetes Cluster Nodes
Downstream Kubernetes clusters run your apps and services. This section describes what ports need to be opened on the nodes in downstream clusters so that Rancher can communicate with them.
The port requirements differ depending on how the downstream cluster was launched. Each of the tabs below list the ports that need to be opened for different cluster types.
The following diagram depicts the ports that are opened for each cluster type.
If security isn’t a large concern and you’re okay with opening a few additional ports, you can use the table in Commonly Used Ports as your port reference instead of the comprehensive tables below. |
Ports for SUSE® Virtualization Clusters
Refer to the Harvester Integration Overview for more information on Harvester port requirements.
Ports for Rancher Launched Kubernetes Clusters using Node Pools
Click to expand
The following table depicts the port requirements for Rancher Launched Kubernetes with nodes created in an Infrastructure Provider.
The required ports are automatically opened by Rancher during creation of clusters in cloud providers like Amazon EC2 or DigitalOcean. |
Ports for Rancher Launched Kubernetes Clusters using Custom Nodes
Click to expand
The following table depicts the port requirements for Rancher Launched Kubernetes with Custom Nodes.
Ports for Hosted Kubernetes Clusters
Click to expand
The following table depicts the port requirements for hosted clusters.
Ports for Registered Clusters
Registered clusters were called imported clusters before Rancher v2.5. |
Click to expand
The following table depicts the port requirements for registered clusters.
Other Port Considerations
Commonly Used Ports
These ports are typically opened on your Kubernetes nodes, regardless of what type of cluster it is.
Protocol | Port | Description |
---|---|---|
TCP |
22 |
Node driver SSH provisioning |
TCP |
179 |
Calico BGP Port |
TCP |
2376 |
Node driver Docker daemon TLS port |
TCP |
2379 |
etcd client requests |
TCP |
2380 |
etcd peer communication |
UDP |
8472 |
Canal/Flannel VXLAN overlay networking |
UDP |
4789 |
Flannel VXLAN overlay networking on Windows cluster |
TCP |
8443 |
Rancher webhook |
TCP |
9099 |
Canal/Flannel livenessProbe/readinessProbe |
TCP |
9443 |
Rancher webhook |
TCP |
9796 |
Default port required by Monitoring to scrape metrics from Linux and Windows node-exporters |
TCP |
6783 |
Weave Port |
UDP |
6783-6784 |
Weave UDP Ports |
TCP |
10250 |
Metrics server communication with all nodes API |
TCP |
10254 |
Ingress controller livenessProbe/readinessProbe |
TCP/UDP |
30000-32767 |
NodePort port range |
Local Node Traffic
Ports marked as local traffic
(i.e., 9099 TCP
) in the above requirements are used for Kubernetes healthchecks (livenessProbe
andreadinessProbe
).
These healthchecks are executed on the node itself. In most cloud environments, this local traffic is allowed by default.
However, this traffic may be blocked when:
-
You have applied strict host firewall policies on the node.
-
You are using nodes that have multiple interfaces (multihomed).
In these cases, you have to explicitly allow this traffic in your host firewall, or in case of public/private cloud hosted machines (i.e. AWS or OpenStack), in your security group configuration. Keep in mind that when using a security group as source or destination in your security group, explicitly opening ports only applies to the private interface of the nodes / instances.
Rancher AWS EC2 Security Group
When using the AWS EC2 node driver to provision cluster nodes in Rancher, you can choose to let Rancher create a security group called rancher-nodes
. The following rules are automatically added to this security group.
Type | Protocol | Port Range | Source/Destination | Rule Type |
---|---|---|---|---|
SSH |
TCP |
22 |
0.0.0.0/0 |
Inbound |
HTTP |
TCP |
80 |
0.0.0.0/0 |
Inbound |
Custom TCP Rule |
TCP |
443 |
0.0.0.0/0 |
Inbound |
Custom TCP Rule |
TCP |
2376 |
0.0.0.0/0 |
Inbound |
Custom TCP Rule |
TCP |
2379-2380 |
sg-xxx (rancher-nodes) |
Inbound |
Custom UDP Rule |
UDP |
4789 |
sg-xxx (rancher-nodes) |
Inbound |
Custom TCP Rule |
TCP |
6443 |
0.0.0.0/0 |
Inbound |
Custom UDP Rule |
UDP |
8472 |
sg-xxx (rancher-nodes) |
Inbound |
Custom TCP Rule |
TCP |
10250-10252 |
sg-xxx (rancher-nodes) |
Inbound |
Custom TCP Rule |
TCP |
10256 |
sg-xxx (rancher-nodes) |
Inbound |
Custom TCP Rule |
TCP |
30000-32767 |
0.0.0.0/0 |
Inbound |
Custom UDP Rule |
UDP |
30000-32767 |
0.0.0.0/0 |
Inbound |
All traffic |
All |
All |
0.0.0.0/0 |
Outbound |
Opening SUSE Linux Ports
SUSE Linux may have a firewall that blocks all ports by default. To open the ports needed for adding the host to a custom cluster,
-
SLES 15 / openSUSE Leap 15
-
SLES 12 / openSUSE Leap 42
-
SSH into the instance.
-
Start YaST in text mode:
sudo yast2
-
Navigate to Security and Users > Firewall > Zones:public > Ports. To navigate within the interface, follow these instructions.
-
To open the required ports, enter them into the TCP Ports and UDP Ports fields. In this example, ports 9796 and 10250 are also opened for monitoring. The resulting fields should look similar to the following:
TCP Ports 22, 80, 443, 2376, 2379, 2380, 6443, 9099, 9796, 10250, 10254, 30000-32767 UDP Ports 8472, 30000-32767
-
When all required ports are enter, select Accept.
-
SSH into the instance.
-
Edit /
etc/sysconfig/SuSEfirewall2
and open the required ports. In this example, ports 9796 and 10250 are also opened for monitoring:FW_SERVICES_EXT_TCP="22 80 443 2376 2379 2380 6443 9099 9796 10250 10254 30000:32767" FW_SERVICES_EXT_UDP="8472 30000:32767" FW_ROUTE=yes
-
Restart the firewall with the new ports:
SuSEfirewall2
Result: The node has the open ports required to be added to a custom cluster.