24 Port requirements #
To operate properly, a SUSE Telco Cloud deployment requires a number of ports to be reachable on the management and the downstream Kubernetes cluster nodes.
The exact list depends on the deployed optional components and the selected deployment options (e.g., CNI plug-in).
24.1 Management Nodes #
The following table lists the opened ports in nodes running the management cluster:
For CNI plug-in related ports, see CNI specific port requirements (Section 24.3, “CNI specific port requirements”).
| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 22 | Any source that requires SSH access | SSH access to management cluster nodes |
| TCP | 80 | Load balancer/proxy that does external TLS termination | Rancher UI/API when external TLS termination is used |
| TCP | 443 | Any source that requires TLS access to Rancher UI/API | Rancher agent, Rancher UI/API |
| TCP | 2379 | RKE2 (management cluster) server nodes | |
| TCP | 2380 | RKE2 (management cluster) server nodes | |
| TCP | 6180 | Any BMC(1) previously instructed by | |
| TCP | 6185 | Any BMC(1) previously instructed by | |
| TCP | 6385 | Any | Ironic API |
| TCP | 6443 | Any management cluster node; any external (to the management cluster) Kubernetes client | Kubernetes API |
| TCP | 6545 | Any management cluster node | Pull artifacts from OCI-compliant registry (Hauler) |
| TCP | 9345 | RKE2 server and agent nodes (management cluster) | RKE2 supervisor API for Node registration (opened port in all RKE2 server nodes) |
| TCP | 10250 | Any management cluster node | |
| TCP/UDP/SCTP | 30000-32767 | Any external (to the management cluster) source accessing a service exposed on the primary network through a | Available |
(1) BMC: Baseboard Management Controller
(2) IPA: Ironic Python Agent
24.2 Downstream Nodes #
In SUSE Telco Cloud, before any (downstream) server becomes part of a running downstream Kubernetes cluster (or itself runs a single-node downstream Kubernetes cluster), it must go through some of the BaremetalHost provisioning states.
The Baseboard Management Controller (BMC) of a newly declared downstream server must be reachable over the out-of-band network. The BMC is instructed (by the Ironic service running on the management cluster) to take the following initial steps:
1. Pull and load the indicated IPA ramdisk image into the virtual media offered by the BMC.
2. Power on the server.
The following ports are expected to be exposed by the BMC (they may differ depending on the exact hardware):
| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 80 | Ironic conductor (from management cluster) | Redfish API access (HTTP) |
| TCP | 443 | Ironic conductor (from management cluster) | Redfish API access (HTTPS) |
Once the IPA ramdisk image loaded on the BMC virtual media has been used to boot the downstream server, the hardware inspection phase begins. The following table lists the ports exposed by a running IPA ramdisk image:
Metal3/Ironic Provisioning phase #
| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 22 | Any source that requires SSH access to the IPA ramdisk image | SSH access to a downstream cluster node while it is being inspected |
| TCP | 9999 | Ironic conductor (from management cluster) | Ironic commands towards the running ramdisk image |
Once the baremetal host is properly provisioned and has joined a downstream Kubernetes cluster, it exposes the following ports:
For CNI plug-in related ports, see CNI specific port requirements (Section 24.3, “CNI specific port requirements”).
| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 22 | Any source that requires SSH access | SSH access to downstream cluster nodes |
| TCP | 80 | Load balancer/proxy that does external TLS termination | Rancher UI/API when external TLS termination is used |
| TCP | 443 | Any source that requires TLS access to Rancher UI/API | Rancher agent, Rancher UI/API |
| TCP | 2379 | RKE2 (downstream cluster) server nodes | |
| TCP | 2380 | RKE2 (downstream cluster) server nodes | |
| TCP | 6443 | Any downstream cluster node; any external (to the downstream cluster) Kubernetes client | Kubernetes API |
| TCP | 9345 | RKE2 server and agent nodes (downstream cluster) | RKE2 supervisor API for Node registration (opened port in all RKE2 server nodes) |
| TCP | 10250 | Any downstream cluster node | |
| TCP | 10255 | Any downstream cluster node | |
| TCP/UDP/SCTP | 30000-32767 | Any external (to the downstream cluster) source accessing a service exposed on the primary network through a | Available |
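The two node tables above (management cluster in Section 24.1, provisioned downstream nodes in Section 24.2) are easiest to enforce if they are compared against what a node actually listens on. The following POSIX shell script is an added example, not part of the SUSE Telco Cloud documentation or tooling: it carries the TCP port lists copied from the two tables (the 30000-32767 NodePort range is treated as a range), parses `ss -Hltn`-style output, and reports listeners that the table does not account for as well as table ports with no listener. The `ss` output embedded in the script is constructed for the example; port 8080 is included deliberately as an unexpected listener.

```shell
#!/bin/sh
# Added example (not from the SUSE documentation): audit a node's TCP listeners
# against the port tables in Sections 24.1 and 24.2.

# TCP ports from the management cluster table (Section 24.1).
MGMT_TCP_PORTS="22 80 443 2379 2380 6180 6185 6385 6443 6545 9345 10250"
# TCP ports from the provisioned downstream node table (Section 24.2).
DOWNSTREAM_TCP_PORTS="22 80 443 2379 2380 6443 9345 10250 10255"
# NodePort range shared by both tables.
NODEPORT_MIN=30000
NODEPORT_MAX=32767

# Constructed sample in the column layout of `ss -Hltn`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
SAMPLE_SS_OUTPUT='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 *:6443 *:*
LISTEN 0 4096 127.0.0.1:2379 *:*
LISTEN 0 4096 [::]:9345 [::]:*
LISTEN 0 4096 0.0.0.0:31080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*'

# listening_ports SS_TEXT: print the unique local port numbers, one per line.
# The port is the last colon-separated field of column 4, which also works
# for IPv6 wildcard addresses such as [::]:9345.
listening_ports() {
    printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_expected PORT EXPECTED_LIST: succeed if PORT is listed or in the NodePort range.
port_expected() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    [ "$1" -ge "$NODEPORT_MIN" ] && [ "$1" -le "$NODEPORT_MAX" ]
}

# unexpected_ports EXPECTED_LIST SS_TEXT: listeners not covered by the table,
# space separated. These are the ones to investigate first.
unexpected_ports() {
    out=""
    for port in $(listening_ports "$2"); do
        port_expected "$port" "$1" || out="$out $port"
    done
    echo "${out# }"
}

# missing_ports EXPECTED_LIST SS_TEXT: table ports with no listener, space
# separated. A missing port is not necessarily a fault (for example 9345 is
# only opened on RKE2 server nodes), but each one should match the node's role.
missing_ports() {
    listening=" $(listening_ports "$2" | tr '\n' ' ')"
    out=""
    for port in $1; do
        case "$listening" in
            *" $port "*) ;;
            *) out="$out $port" ;;
        esac
    done
    echo "${out# }"
}

# Run against the constructed sample as a management node. On a real node,
# replace "$SAMPLE_SS_OUTPUT" with "$(ss -Hltn)" and pick the list for its role.
echo "unexpected: $(unexpected_ports "$MGMT_TCP_PORTS" "$SAMPLE_SS_OUTPUT")"
echo "missing:    $(missing_ports "$MGMT_TCP_PORTS" "$SAMPLE_SS_OUTPUT")"
```

For the sample the script reports 8080 as unexpected (31080 falls inside the NodePort range and is therefore accepted) and lists the table ports that have no listener. UDP and SCTP NodePort listeners are not covered by `ss -ltn`; extend the `ss` invocation with `-u` and `-S` if those need checking too.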
24.3 CNI specific port requirements #
Each supported CNI variant comes with its own set of port requirements. For more details, refer to CNI Specific Inbound Network Rules in the RKE2 documentation.
When cilium is set as the default/primary CNI plug-in, the following TCP port is additionally exposed when the cilium-operator workload is configured to expose its metrics outside the Kubernetes cluster on which it is deployed. This allows an external Prometheus server instance running outside that Kubernetes cluster to collect these metrics.
This is the default option when deploying cilium via the rke2-cilium Helm chart.
cilium-operator enabled #
| Protocol | Port | Source | Description |
|---|---|---|---|
| TCP | 9963 | External (to the Kubernetes cluster) metrics collector | cilium-operator metrics exposure |