Add port requirements doc #388
Conversation
Can one of the admins verify this patch?
We should likely try and break this up into ingress/egress traffic with source/destination. For example, we don't want the kubelet api ports to be open to the world, we only want it to be open to master nodes. This might be a good starting point: We can likely simplify some of that (e.g. assume flannel vxlan) - and there might be some missing. /cc @dghubble (do you have something similar documented based on baremetal installs?)
976e4a5 to ada4d7b
Incorporated the feedback. If there's anything else I should add just let me know
Documentation/requirements.md (Outdated)

| Protocol | Port Range | Source | Purpose |
|----------|------------|--------|---------|
| TCP | 443 | Worker Nodes, API Requests, and End-Users | Kubernetes API server. |
| UDP | 8472 | Master & Worker Nodes | flannel overlay network - *vxlan backend* |
TCP 10251 for kube-scheduler healthz
TCP 10252 for kube-controller-manager healthz
The healthchecks should be local from the kubelet on the same host, so I don't think we would need to open them up to firewall rules external to the node.
Documentation/requirements.md (Outdated)

| Protocol | Port Range | Source | Purpose |
|----------|------------|--------|---------|
| UDP/TCP | 53 | Master & Worker Nodes | Internal DNS server |
kube-dns runs on the pod network, so this doesn't need to be open between hosts (ultimately packets will be going over flannel port 8472)
Documentation/requirements.md (Outdated)

| Protocol | Port Range | Source | Purpose |
|----------|------------|--------|---------|
| UDP/TCP | 53 | Master & Worker Nodes | Internal DNS server |
| UDP | 8472 | Master & Worker Nodes | flannel overlay network - *vxlan backend* |
| TCP | 10249 | Health check | Kube proxy health check |
This should only be a local health-check. Shouldn't need to be open remotely
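The point made in the review above (health-check ports for kube-proxy, kube-scheduler and kube-controller-manager should be reachable only locally, while the kubelet, flannel and API ports must be reachable from peer nodes) can be checked on a node by auditing what each service is actually bound to. The script below is an added example and not part of this PR or the project; it assumes the iproute2 `ss -lntu` output format, and the sample output it parses is constructed, not captured from a real cluster.

```python
import re

# Expected exposure of the ports discussed in this PR. Health-check endpoints
# should listen on loopback only; the others must listen on a node address so
# master/worker peers can reach them.
LOCAL_ONLY = {
    10249: "kube-proxy healthz",
    10251: "kube-scheduler healthz",
    10252: "kube-controller-manager healthz",
}
NODE_FACING = {
    443: "Kubernetes API server",
    8472: "flannel vxlan (UDP)",
    10250: "kubelet API (exec/logs)",
    10255: "kubelet read-only API",
}
LOOPBACK = {"127.0.0.1", "::1"}

# One socket per line of `ss -lntu` (assumed iproute2 columns:
# "Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port").
SOCK_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")

def parse_listeners(ss_output):
    """Return (proto, bind_address, port) tuples; header/unknown lines are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue
        proto, local = m.group(1), m.group(2)
        addr, port = local.rsplit(":", 1)          # "[::]:10250" -> "[::]", "10250"
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners

def audit_listeners(listeners):
    """Flag health-check ports exposed beyond loopback, and node-facing ports
    that are loopback-only (which would break master-to-worker access)."""
    findings = []
    for proto, addr, port in listeners:
        if port in LOCAL_ONLY and addr not in LOOPBACK:
            findings.append(f"{proto}/{port} ({LOCAL_ONLY[port]}) bound to {addr}; should be loopback only")
        elif port in NODE_FACING and addr in LOOPBACK:
            findings.append(f"{proto}/{port} ({NODE_FACING[port]}) bound to loopback only; peers cannot reach it")
    return findings

# Constructed sample of `ss -lntu` output on a worker node (not real data).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    127.0.0.1:10249     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:10251       0.0.0.0:*
tcp   LISTEN 0      128    [::]:10250          [::]:*
tcp   LISTEN 0      128    127.0.0.1:10255     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:8472        0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_SS)):
        print("WARN:", finding)
```

On the sample, the scheduler healthz on 0.0.0.0 and the read-only kubelet API on loopback are the two findings; the correctly bound kube-proxy healthz, kubelet API and flannel sockets are silent.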
Documentation/requirements.md (Outdated)

| Protocol | Port Range | Source | Purpose |
|----------|------------|--------|---------|
| TCP | 10249 | Health check | Kube proxy health check |
| TCP | 10250 | Master Nodes | Worker node Kubelet API for exec and logs. |
| TCP | 10255 | Heapster | Worker node read-only Kubelet API. |
| TCP | 30000-32767 | External Application Consumers | Default port range for [external service][external-service] ports. Typically, these ports would need to be exposed to external load-balancers, or other external consumers of the application itself. |
external-service link isn't populated here.
Documentation/requirements.md (Outdated)

| Protocol | Port Range | Source | Purpose |
|----------|------------|--------|---------|
| UDP | 8472 | Master & Worker Nodes | flannel overlay network - *vxlan backend* |
| TCP | 10249 | Health check | Kube proxy health check |
| TCP | 10250 | Master Nodes | Worker node Kubelet API for exec and logs. |
| TCP | 10255 | Heapster | Worker node read-only Kubelet API. |
heapster could be on workers or master (right now at least) - might make more clear to just note those as the sources (rather than the app name).
Also, it has been a while since I've looked but I thought heapster itself needed access to a cadvisor port (but maybe not anymore)?
Yeah, I think you're right. Looks like it's 4194: https://github.com/kubernetes/kubernetes/pull/2759/files
ada4d7b to f166f1f
@lblackstone @aaronlevy Thanks for feedback, RFR again
@jamiehannaford mind if we re-open? Sorry it has taken so long to come back to this -- got bogged down in a bunch of v1.6 development work.
Can one of the admins verify this patch?
@aaronlevy Sure, np. If there's anything else that needs to be added in just ping me
Can we name the document
f166f1f to f19e178
@aaronlevy Okay, done. Sorry it took so long to get to!
Thank you!
Fixes #344. Wasn't too sure about all of them, so documented the ones I knew about. Feel free to add any extras I left out and I'll update the doc.