Kubernetes firewall port configuration

Configuring firewalls is a critical step when installing and securing a Kubernetes cluster, particularly when using tools like kubeadm and firewalld on distributions such as CentOS 7.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md] The specific ports required depend on the node's role, with distinct rules for the Control Plane (master) and worker nodes.

Control Plane (Master) Ports

The master node manages the cluster state and requires several ports to be open to facilitate communication with the cluster network, etcd, and the scheduler.

  • API Server (6443/TCP): This is the primary port used by the Kubernetes API server.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • etcd (2379-2380/TCP): Used for etcd server client communication and peer communication.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Kubelet API (10250/TCP): The kubelet API on the master node listens on this port.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Scheduler (10251/TCP): Port for the kube-scheduler.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Controller Manager (10252/TCP): Port for the kube-controller-manager.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Health Checks (10248/TCP): Used for Health Check probes (e.g., curl -sSL http://localhost:10248/healthz).^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Read-Only kubelet (10255/TCP): A read-only kubelet port for health and stats.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

Implementation Example (Firewalld)

To configure these ports on a master node using firewalld, the following commands are typically executed:

sudo firewall-cmd --permanent --add-port=6443/tcp
sudo firewall-cmd --permanent --add-port=2379-2380/tcp
sudo firewall-cmd --permanent --add-port=10248/tcp
sudo firewall-cmd --permanent --add-port=10250/tcp
sudo firewall-cmd --permanent --add-port=10251/tcp
sudo firewall-cmd --permanent --add-port=10252/tcp
sudo firewall-cmd --permanent --add-port=10255/tcp
sudo firewall-cmd --reload
^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

Worker Node Ports

Worker nodes run the workload containers and require fewer open ports than the master node.

  • Health Checks (10248/TCP): kubelet Health Check endpoint.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Scheduler (10251/TCP): The source text opens this port on worker nodes in its example configuration, likely for metrics or debugging access, even though the scheduler normally runs only on the master.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
  • Read-Only kubelet (10255/TCP): Used for exposing read-only stats and health information.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

Implementation Example (Firewalld)

The corresponding firewalld configuration for worker nodes is:

sudo firewall-cmd --permanent --add-port=10248/tcp
sudo firewall-cmd --permanent --add-port=10251/tcp
sudo firewall-cmd --permanent --add-port=10255/tcp
sudo firewall-cmd --reload
^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]
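As an added example (not code from the original page or the cited source), the POSIX shell helpers below map each node role to the port set listed above, regenerate the firewall-cmd commands, and audit the text of `firewall-cmd --list-ports` for required ports that are still closed; the sample port list is constructed for illustration.

```shell
#!/bin/sh
# Added example: role-based port sets and a post-configuration audit for firewalld.

# Required firewalld port specs per node role, as listed on this page.
required_ports() {
    case "$1" in
        master) echo "6443/tcp 2379-2380/tcp 10248/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp" ;;
        worker) echo "10248/tcp 10251/tcp 10255/tcp" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Print the page's firewall-cmd commands for a role, one per line, ending with a reload.
generate_commands() {
    role="$1"
    ports=$(required_ports "$role") || return 1
    for p in $ports; do
        echo "sudo firewall-cmd --permanent --add-port=$p"
    done
    echo "sudo firewall-cmd --reload"
}

# Given a role and the space-separated output of `firewall-cmd --list-ports`,
# print the required ports that are not open. Returns 1 if any are missing.
missing_ports() {
    role="$1"
    open="$2"
    ports=$(required_ports "$role") || return 1
    missing=""
    for p in $ports; do
        case " $open " in
            *" $p "*) ;;                       # port spec present in the list
            *) missing="$missing $p" ;;        # port spec absent
        esac
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: what a master node would report if the scheduler and
# controller-manager ports had never been added.
SAMPLE_MASTER_LIST="6443/tcp 2379-2380/tcp 10248/tcp 10250/tcp 10255/tcp"

# On a real node (firewall-cmd installed) the audit is:
#   missing_ports master "$(sudo firewall-cmd --list-ports)"
```

Run the audit after `firewall-cmd --reload` on each node; a non-empty result names exactly the `--add-port` lines still to apply.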

Alternative: Disabling the Firewall

In some lab or development environments, administrators may choose to stop and disable the firewall entirely to simplify connectivity troubleshooting.^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

sudo systemctl stop firewalld
sudo systemctl disable firewalld
^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

Sources

^[400-devops__06-Kubernetes__k8s-learning__00.install__01.使用部署工具安装_Kubernetes.md]

  • [[Kubernetes Installation]]
  • [[Kubeadm]]
  • [[Container Networking]]
  • [[Linux Security Modules]]
  • [[Network Policies]]