Network configuration & Firewall
If your network configuration uses a firewall, you must ensure that the infrastructure components can communicate with each other through specific ports, which act as communication endpoints for particular processes or services.
The following network prerequisites are necessary to ensure proper operation of the system:
- Operating System: A compatible operating system must be installed on all nodes in the network. Please refer to the Software requirements page.
- SSH Access: Secure Shell (SSH) access must be enabled on all nodes in the network to allow for secure remote communication and management.
- Time Synchronization (NTP): Accurate time synchronization via Network Time Protocol (NTP) must be established on all nodes in the network to prevent issues with time-sensitive operations.
- DNS: To prevent DNS issues in the cluster, make sure that the DNS server address listed in /etc/resolv.conf is reachable from every node.
- Firewall: If your network is protected by a firewall or security group, you must open the correct ports to allow communication between infrastructure components. You can either disable the firewall or follow the recommended settings below.
- Microsoft Azure environment: tested with the following security group:
Services | Protocol | Action | Start Port | End Port | Comment |
---|---|---|---|---|---|
VXLAN traffic | UDP | allow | 4789 | | calico |
ssh | TCP | allow | 22 | | |
rpcbind | TCP | allow | 111 | | use NFS |
nodeport | TCP | allow | 30000 | 32767 | |
metric server | UDP | allow | 8443 | | prometheus metric service |
master | TCP | allow | 10250 | 10258 | |
local-registry | TCP | allow | 5000 | | offline environment |
local-apt | TCP | allow | 5080 | | offline environment |
ipip | IPENCAP / IPIP | allow | | | calico needs the ipip protocol to be allowed |
https | TCP | allow | 443 | | |
etcd | TCP | allow | 2379 | 2380 | |
dns | TCP | allow | 53 | | |
dns | UDP | allow | 53 | | |
ceph monitor | Any | allow | 3300 | | |
ceph monitor | UDP | allow | 6789 | | |
ceph daemons | Any | allow | 6800 | 7300 | |
calico | TCP | allow | 9099 | 9100 | |
calico | TCP | allow | 5473 | | calico networking with Typha enabled |
bgp | TCP | allow | 179 | | |
apiserver | TCP | allow | 6443 | | |
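For nodes that sit behind a host firewall rather than an Azure security group, the table can be rendered as firewalld rules. The script below is an added example, not part of the Kubeark documentation; it assumes the nodes run firewalld, that the rules belong in the default zone, and that the "Any" protocol rows mean both TCP and UDP. The row list is constructed from the table above, and the commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the Kubeark documentation: render the Azure
# security-group table as firewalld rules for on-premises nodes.
# Assumptions: nodes run firewalld, rules go into the default zone, and the
# "Any" protocol rows are expanded to both TCP and UDP.
# Row format (constructed from the table): name|protocol|start_port|end_port

RULES='vxlan|udp|4789|
ssh|tcp|22|
rpcbind|tcp|111|
nodeport|tcp|30000|32767
metric-server|udp|8443|
master|tcp|10250|10258
local-registry|tcp|5000|
local-apt|tcp|5080|
ipip|ipip||
https|tcp|443|
etcd|tcp|2379|2380
dns|tcp|53|
dns|udp|53|
ceph-monitor|any|3300|
ceph-monitor|udp|6789|
ceph-daemons|any|6800|7300
calico|tcp|9099|9100
calico-typha|tcp|5473|
bgp|tcp|179|
apiserver|tcp|6443|'

# port_spec START END PROTO -> firewalld port argument, e.g. "30000-32767/tcp"
# or "22/tcp" when END is empty.
port_spec() {
    if [ -n "$2" ] && [ "$2" != "$1" ]; then
        printf '%s-%s/%s\n' "$1" "$2" "$3"
    else
        printf '%s/%s\n' "$1" "$3"
    fi
}

# Print the firewall-cmd invocations for every row. Nothing is executed here,
# so the output can be reviewed and then piped into sh on each node.
gen_firewalld_rules() {
    printf '%s\n' "$RULES" | while IFS='|' read -r name proto start end; do
        [ -n "$name" ] || continue
        case "$proto" in
            ipip)
                # IPIP is an IP protocol, not a port, so use --add-protocol
                echo "firewall-cmd --permanent --add-protocol=ipip  # $name" ;;
            any)
                for p in tcp udp; do
                    echo "firewall-cmd --permanent --add-port=$(port_spec "$start" "$end" "$p")  # $name"
                done ;;
            *)
                echo "firewall-cmd --permanent --add-port=$(port_spec "$start" "$end" "$proto")  # $name" ;;
        esac
    done
    echo "firewall-cmd --reload"
}

# Number of --add-port/--add-protocol rules generated: 20 table rows, two of
# which ("Any") expand to TCP+UDP, giving 22.
rule_count() {
    gen_firewalld_rules | grep -c -- '--add-'
}

gen_firewalld_rules
```

Run the script on a workstation, check the printed rules against the table, and only then execute them on a node (for example `sh gen-rules.sh | sh` as root). Keep the rules scoped to the cluster's own subnet with a firewalld rich rule or zone source if the nodes have a public interface; the table itself does not restrict source addresses.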
The KubeCLI tool allows for the simultaneous installation of both Kubernetes and Kubeark. For versions of Kubernetes starting from 1.18, it is necessary to install certain prerequisites prior to installation. Please refer to the following list to ensure that all necessary dependencies are installed on your node before proceeding with the installation.
Package | Requirement |
---|---|
socat | required |
conntrack | required |
ebtables | optional but recommended |
ipset | optional but recommended |
ipvsadm | optional but recommended |
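A pre-flight check for the dependencies in the table, as an added example that is not part of the Kubeark documentation or the KubeCLI tool. It assumes that each package installs a command of the same name on the node's PATH, which holds for the common distribution packages of these tools but is an assumption here; required tools fail the check, recommended ones only produce a warning.

```shell
#!/bin/sh
# Added example, not part of the Kubeark documentation: verify that the node
# binaries from the dependency table are present before running KubeCLI.
# Assumption: each package provides a command with the same name on PATH.
REQUIRED="socat conntrack"
RECOMMENDED="ebtables ipset ipvsadm"

# missing_from "a b c" -> space-separated list of the names not found on PATH
missing_from() {
    out=""
    for tool in $1; do
        command -v "$tool" >/dev/null 2>&1 || out="$out$tool "
    done
    printf '%s' "${out% }"
}

# preflight -> exit status 0 when every required tool is present. Missing
# recommended tools are reported on stderr so the operator can decide.
preflight() {
    req=$(missing_from "$REQUIRED")
    rec=$(missing_from "$RECOMMENDED")
    [ -n "$rec" ] && echo "warning: recommended tools missing: $rec" >&2
    if [ -n "$req" ]; then
        echo "error: required tools missing: $req" >&2
        return 1
    fi
    echo "all required tools present"
    return 0
}

preflight || echo "install the missing packages before running KubeCLI" >&2
```

Run it on every node before installation; a non-zero exit from `preflight` means a required dependency is absent.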