Network Access

1. Overview

This document specifies network and port requirements for Kublr and Kublr-managed Kubernetes deployment.

2. General Approach

Each Kubernetes cluster (including the cluster on which the Kublr Control Plane is running) requires IP netwrok connectivity between all of its nodes - master and workers. The open ports may be limited by a firewall, but all master and worker nodes must be able to reach each other on their IP addresses.

IP connectivity between nodes in different clusters is generally not required, different clusters may use different subnets, even if their IP spaces intersect.

Additionally Kublr Control Plane (KCP) must be able to access at least one API endpoint of each managed cluster, as well as be able to access infrastructure (e.g. cloud) provider API, and in case of on-prem deployment - cluster master nodes.

3. Port Requirements

Kublr and Kubernetes components communicate with each other using ports. The following ports required by Kublr and Kubernetes must be open between hosts, for example if you have a firewall in your environment. Some ports are optional depending on your configuration and usage.

In the following tables term “Node” is used as a generalization of “Master and/or Worker node”.

Table 1. Node to Node (masters and workers)

10250TCPKubelet API
8472UDPCanal (default)Canal
5473TCPCanal (default)Calico Typha
4 (IP-in-IP)CalicoCalico IP-in-IP
179TCPCalicoCalico BGP
8472UDPCalicoCalico VXLAN/Flannel
5473TCPCalicoCalico Typha

Table 2. Workers to Masters

443TCPKubernetes API
11250TCPBring-your-own-infrastructureWorkers need access to bare-metal clusters’ masters’ secret store

Table 3. Master to Masters


Table 4. Other

53TCP/UDPNodeInternetnon-air-gap deploymentDNS
443TCPNodeInternetnon-air-gap deploymentHTTPS to binary repositories
53TCP/UDPNodeIntranetair-gap deploymentIntra-organizational DNS
443TCPNodeIntranetair-gap deploymentIntra-organizational binary repository(ies)
443TCPMaster LBMastermaster LBIf master LB is used, the master LB must have access to masters
30000-32767TCP/UDPIngress LBWorkersingress LBIf ingress LB is used, the ingress LB must have access to worker nodes service NodePort port range (usually 30000-32767) or a specific port configured for the ingress controller

Table 5. Kublr Control Plane

443TCPKCP NodesManaged Clusters’ K8S APIKCP need access to K8S clusters’ API
443TCPKCP NodesCloud/infra APIKCP need access to cloud/infrastructure providers’ API
11250TCPKCP NodesManaged Clusters’ MastersBring-your-own-infrastructureKCP needs access to bare-metal clusters’ masters’ secret store