3 - Port Requirements
Note: the English documentation is authoritative for the exact port requirements.
To ensure Rancher runs correctly, the hosts or the security policies in front of them must open the ports listed below. When a cluster is created with a cloud service (such as Amazon EC2 or DigitalOcean), Rancher opens these ports automatically. The diagram below shows Rancher's basic port requirements; consult the tables that follow for the details.
Rancher Nodes
The following table lists the ports that need to be open to and from the nodes running the Rancher server container (single node installs) or the Rancher server pods (high availability installs).
Protocol | Port | Source | Destination | Description |
---|---|---|---|---|
TCP | 80 | Load Balancer / Reverse Proxy | | HTTP traffic to Rancher UI / API. |
TCP | 443 | Load Balancer / Reverse Proxy; otherwise the IPs of all cluster nodes and other Rancher API / UI clients. | | HTTPS traffic to Rancher UI / API. |
TCP | 443 | | 35.160.43.145, 35.167.242.46, 52.33.59.17 | Rancher catalog (git.rancher.io). |
TCP | 22 | | Any node created using the node driver. | SSH provisioning of the node by the node driver. |
TCP | 2376 | | Any node created using the node driver. | Docker daemon TLS port used by the node driver. |
TCP | Provider dependent | | Port of the Kubernetes API endpoint in hosted clusters. | Kubernetes API. |
Kubernetes Cluster Nodes
The ports that must be open on cluster nodes change depending on how the cluster was launched. Each of the tabs below lists the ports that need to be opened for one cluster creation option.
Tip:
If security isn’t a large concern and you’re okay with opening a few additional ports, you can use the table in Commonly Used Ports as your port reference instead of the comprehensive tables below.
The following table depicts the port requirements for Rancher Launched Kubernetes with nodes created in an Infrastructure Provider.
Note: The required ports are automatically opened by Rancher during creation of clusters in cloud providers like Amazon EC2 or DigitalOcean.
In this table the etcd, control plane and worker plane destination columns are merged: each row lists the ports that a node of that role must be able to reach on the cluster nodes.
From / To | Rancher Nodes | etcd / Control Plane / Worker Plane Nodes | External Load Balancer | Internet |
---|---|---|---|---|
Rancher Nodes (1) | | 22 TCP, 2376 TCP | | git.rancher.io (2): 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 |
etcd Plane Nodes | 443 TCP (3) | 2379 TCP, 2380 TCP, 6443 TCP, 8472 UDP, 9099 TCP (4) | | 443 TCP |
Control Plane Nodes | 443 TCP (3) | 2379 TCP, 2380 TCP, 6443 TCP, 8472 UDP, 10250 TCP, 9099 TCP (4), 10254 TCP (4) | | 443 TCP |
Worker Plane Nodes | 443 TCP (3) | 6443 TCP, 8472 UDP, 9099 TCP (4), 10254 TCP (4) | | 443 TCP |
External Load Balancer (5) | 80 TCP, 443 TCP (6) | | | |
API / UI Clients | 80 TCP (3), 443 TCP (3) | | 80 TCP, 443 TCP | |
Workload Clients | | 30000-32767 TCP / UDP (NodePort), 80 TCP (Ingress), 443 TCP (Ingress) | | |
Notes:
1. Nodes running standalone server or Rancher HA deployment.
2. Required to fetch Rancher chart library.
3. Only without external load balancer.
4. Local traffic to the node itself (not across nodes).
5. Load balancer / proxy that handles traffic to the Rancher UI / API.
6. Only if SSL is not terminated at external load balancer.
The following table depicts the port requirements for Rancher Launched Kubernetes with Custom Nodes.
As above, the etcd, control plane and worker plane destination columns are merged: each row lists the ports that a node of that role must be able to reach on the cluster nodes.
From / To | Rancher Nodes | etcd / Control Plane / Worker Plane Nodes | External Load Balancer | Internet |
---|---|---|---|---|
Rancher Nodes (1) | | | | git.rancher.io (2): 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 |
etcd Plane Nodes | 443 TCP (3) | 2379 TCP, 2380 TCP, 6443 TCP, 8472 UDP, 4789 UDP (7), 9099 TCP (4) | | 443 TCP |
Control Plane Nodes | 443 TCP (3) | 2379 TCP, 2380 TCP, 6443 TCP, 8472 UDP, 4789 UDP (7), 10250 TCP, 9099 TCP (4), 10254 TCP (4) | | 443 TCP |
Worker Plane Nodes | 443 TCP (3) | 6443 TCP, 8472 UDP, 4789 UDP (7), 9099 TCP (4), 10254 TCP (4) | | 443 TCP |
External Load Balancer (5) | 80 TCP, 443 TCP (6) | | | |
API / UI Clients | 80 TCP (3), 443 TCP (3) | | 80 TCP, 443 TCP | |
Workload Clients | | 30000-32767 TCP / UDP (NodePort), 80 TCP (Ingress), 443 TCP (Ingress) | | |
Notes:
1. Nodes running standalone server or Rancher HA deployment.
2. Required to fetch Rancher chart library.
3. Only without external load balancer.
4. Local traffic to the node itself (not across nodes).
5. Load balancer / proxy that handles traffic to the Rancher UI / API.
6. Only if SSL is not terminated at external load balancer.
7. Only if using Overlay mode on a Windows cluster.
The following table depicts the port requirements for hosted clusters.
From / To | Rancher Nodes | Hosted / Imported Cluster | External Load Balancer | Internet |
---|---|---|---|---|
Rancher Nodes (1) | | Kubernetes API Endpoint Port (2) | | git.rancher.io (3): 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 |
Hosted / Imported Cluster | 443 TCP (4)(5) | | | 443 TCP (5) |
External Load Balancer (5) | 80 TCP, 443 TCP (6) | | | |
API / UI Clients | 80 TCP (4), 443 TCP (4) | | 80 TCP, 443 TCP | |
Workload Client | | Cluster / Provider Specific (7) | | |
Notes:
1. Nodes running standalone server or Rancher HA deployment.
2. Only for hosted clusters.
3. Required to fetch Rancher chart library.
4. Only without external load balancer.
5. From worker nodes.
6. Only if SSL is not terminated at external load balancer.
7. Usually Ingress backed by infrastructure load balancer and/or NodePort.
The following table depicts the port requirements for imported clusters.
From / To | Rancher Nodes | Hosted / Imported Cluster | External Load Balancer | Internet |
---|---|---|---|---|
Rancher Nodes (1) | | Kubernetes API Endpoint Port (2) | | git.rancher.io (3): 35.160.43.145/32, 35.167.242.46/32, 52.33.59.17/32 |
Hosted / Imported Cluster | 443 TCP (4)(5) | | | 443 TCP (5) |
External Load Balancer (5) | 80 TCP, 443 TCP (6) | | | |
API / UI Clients | 80 TCP (4), 443 TCP (4) | | 80 TCP, 443 TCP | |
Workload Client | | Cluster / Provider Specific (7) | | |
Notes:
1. Nodes running standalone server or Rancher HA deployment.
2. Only for hosted clusters.
3. Required to fetch Rancher chart library.
4. Only without external load balancer.
5. From worker nodes.
6. Only if SSL is not terminated at external load balancer.
7. Usually Ingress backed by infrastructure load balancer and/or NodePort.
Other Port Considerations
Commonly Used Ports
These ports typically need to be open on Kubernetes nodes, regardless of the type of cluster.
Protocol | Port | Description |
---|---|---|
TCP | 22 | Node driver SSH provisioning |
TCP | 2376 | Node driver Docker daemon TLS port |
TCP | 2379 | etcd client requests |
TCP | 2380 | etcd peer communication |
UDP | 8472 | Canal/Flannel VXLAN overlay networking |
TCP | 9099 | Canal/Flannel livenessProbe/readinessProbe |
TCP | 10250 | kubelet API |
TCP | 10254 | Ingress controller livenessProbe/readinessProbe |
TCP/UDP | 30000-32767 | NodePort port range |
Local Node Traffic
Ports marked as local traffic in the requirements above are used by Kubernetes health checking (livenessProbe and readinessProbe). These health checks are executed on the node itself. In most cloud environments, local traffic is allowed by default.
However, this traffic may be blocked when:
- A strict host firewall policy is applied on the node.
- The node has multiple interfaces (multihomed).
In these cases, you must allow this traffic in your host firewall, or in the security group configuration of your public/private cloud hosts (such as AWS or OpenStack).
Rancher AWS EC2 Security Group
When the AWS EC2 node driver is used to provision cluster nodes in Rancher, you can choose to let Rancher create a security group named rancher-nodes. The following rules are added to this security group automatically.
Type | Protocol | Port Range | Source/Destination | Rule Type |
---|---|---|---|---|
SSH | TCP | 22 | 0.0.0.0/0 | Inbound |
HTTP | TCP | 80 | 0.0.0.0/0 | Inbound |
Custom TCP Rule | TCP | 443 | 0.0.0.0/0 | Inbound |
Custom TCP Rule | TCP | 2376 | 0.0.0.0/0 | Inbound |
Custom TCP Rule | TCP | 2379-2380 | sg-xxx (rancher-nodes) | Inbound |
Custom UDP Rule | UDP | 4789 | sg-xxx (rancher-nodes) | Inbound |
Custom TCP Rule | TCP | 6443 | 0.0.0.0/0 | Inbound |
Custom UDP Rule | UDP | 8472 | sg-xxx (rancher-nodes) | Inbound |
Custom TCP Rule | TCP | 10250-10252 | sg-xxx (rancher-nodes) | Inbound |
Custom TCP Rule | TCP | 10256 | sg-xxx (rancher-nodes) | Inbound |
Custom TCP Rule | TCP | 30000-32767 | 30000-32767 | Inbound |
Custom UDP Rule | UDP | 30000-32767 | 30000-32767 | Inbound |
All traffic | All | All | 0.0.0.0/0 | Outbound |
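The auto-created group above opens 22, 2376 and 6443 to 0.0.0.0/0, although the Rancher node table attributes 22 and 2376 to the node driver on the Rancher nodes and 6443 to cluster-internal traffic. The following audit is an added example, not Rancher's code: it flags those world-open management rules and rewrites them to the Rancher nodes' addresses (a constructed CIDR) plus the cluster group for 6443. The `sg-xxx` id is the page's placeholder, and the NodePort rows are assumed to have a 0.0.0.0/0 source.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp" or "udp"
    port_from: int   # first port of the range
    port_to: int     # last port of the range
    source: str      # CIDR, or a security-group id such as sg-xxx

# Management ports the page's tables attribute to specific sources:
# 22/2376 to the Rancher nodes (node driver), 6443 to the cluster nodes.
# Value: whether the cluster's own security group must remain allowed too.
MANAGEMENT_PORTS = {22: False, 2376: False, 6443: True}

# Inbound rules of the rancher-nodes group as listed on this page
# (constructed sample; NodePort source assumed to be 0.0.0.0/0).
RANCHER_NODES_SG = [
    Rule("tcp", 22, 22, "0.0.0.0/0"), Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 2376, 2376, "0.0.0.0/0"),
    Rule("tcp", 2379, 2380, "sg-xxx"), Rule("udp", 4789, 4789, "sg-xxx"),
    Rule("tcp", 6443, 6443, "0.0.0.0/0"), Rule("udp", 8472, 8472, "sg-xxx"),
    Rule("tcp", 10250, 10252, "sg-xxx"), Rule("tcp", 10256, 10256, "sg-xxx"),
    Rule("tcp", 30000, 32767, "0.0.0.0/0"), Rule("udp", 30000, 32767, "0.0.0.0/0"),
]

def is_world_open(source: str) -> bool:
    """True for 0.0.0.0/0 or ::/0; a security-group reference is never world-open."""
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False

def exposed_management_ports(rules):
    """Sorted list of management TCP ports that any address may reach."""
    return sorted({p for r in rules if r.proto == "tcp" and is_world_open(r.source)
                   for p in MANAGEMENT_PORTS if r.port_from <= p <= r.port_to})

def tighten(rules, rancher_node_cidrs, cluster_sg="sg-xxx"):
    """Replace each world-open management rule with one rule per Rancher node
    CIDR, plus the cluster group where the port is used between cluster nodes."""
    out = []
    for r in rules:
        hits = [p for p in MANAGEMENT_PORTS
                if r.proto == "tcp" and r.port_from <= p <= r.port_to]
        if not hits or not is_world_open(r.source):
            out.append(r)          # unchanged: not a management port or not world-open
            continue
        for p in hits:
            out.extend(Rule("tcp", p, p, cidr) for cidr in rancher_node_cidrs)
            if MANAGEMENT_PORTS[p]:
                out.append(Rule("tcp", p, p, cluster_sg))
    return out
```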