Firewall

All the Fedora CoreOS (RHCOS) machines require networking in the initramfs during boot so they can fetch their Ignition config from the machine config server.

During the initial boot, the machines require either a DHCP server or that static IP addresses be set on each host in the cluster to establish a network connection, which allows them to download their Ignition config files.

It is recommended that you use a DHCP server to manage the machines for the cluster long-term. Ensure that the DHCP server is configured to provide persistent IP addresses and host names to the cluster machines.

The Kubernetes API server must be able to resolve the node names of the cluster machines. If the API servers and worker nodes are in different zones, you can configure a default DNS search zone to allow the API server to resolve the node names. Another supported approach is to always refer to hosts by their fully-qualified domain names in both the node objects and all DNS requests.

You must configure the network connectivity between machines to allow cluster components to communicate. Each machine must be able to resolve the host names of all other machines in the cluster.

Firewall All Machines to All Machines

Protocol   Port          Description
ICMP       N/A           Network reachability tests
TCP        1936          Metrics
TCP        9000-9999     Host level services, including the node exporter on ports 9100-9101 and the Cluster Version Operator on port 9099.
TCP        10250-10259   The default ports that Kubernetes reserves
TCP        10256         openshift-sdn
UDP        4789          VXLAN and Geneve
UDP        6081          VXLAN and Geneve
UDP        9000-9999     Host level services, including the node exporter on ports 9100-9101.
TCP/UDP    30000-32767   Kubernetes node port


Firewall All Machines to Control Plane

Protocol   Port          Description
TCP        6443          Kubernetes API


Firewall Control Plane Machines to Control Plane Machines

Protocol   Port          Description
TCP        2379-2380     etcd server and peer ports
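The three tables above are a policy, and the practical questions are "does my firewall open exactly this, and nothing more?" and "is that flow I see in the logs one the cluster actually needs?". The script below is an added example (not from this documentation or from OpenShift/OKD itself) that encodes each table row as a rule, looks up whether a given flow is required by the tables, renders a default-deny nftables input chain for a node of a given role, and audits a handful of constructed flow records. The node roles "worker" and "control-plane", the control-plane CIDR, the IP-to-role map and the sample flows are all assumptions made up for illustration.

```python
"""Port policy derived from the three firewall tables (added example).
Assumptions: node roles are "worker" or "control-plane"; the control-plane
CIDR, IP-to-role map and sample flows below are constructed, not from the page."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                 # "any" or "control-plane"
    dst: str                 # "any" or "control-plane"
    proto: str               # "tcp", "udp" or "icmp"
    ports: Tuple[int, int]   # inclusive port range, ignored for icmp
    desc: str


# One Rule per table row; the TCP/UDP node-port row becomes two rules.
RULES: List[Rule] = [
    Rule("any", "any", "icmp", (0, 0), "Network reachability tests"),
    Rule("any", "any", "tcp", (1936, 1936), "Metrics"),
    Rule("any", "any", "tcp", (9000, 9999), "Host level services"),
    Rule("any", "any", "tcp", (10250, 10259), "Default ports Kubernetes reserves"),
    Rule("any", "any", "tcp", (10256, 10256), "openshift-sdn"),
    Rule("any", "any", "udp", (4789, 4789), "VXLAN and Geneve"),
    Rule("any", "any", "udp", (6081, 6081), "VXLAN and Geneve"),
    Rule("any", "any", "udp", (9000, 9999), "Host level services"),
    Rule("any", "any", "tcp", (30000, 32767), "Kubernetes node port"),
    Rule("any", "any", "udp", (30000, 32767), "Kubernetes node port"),
    Rule("any", "control-plane", "tcp", (6443, 6443), "Kubernetes API"),
    Rule("control-plane", "control-plane", "tcp", (2379, 2380), "etcd server and peer ports"),
]


def _role_ok(pattern: str, role: str) -> bool:
    return pattern == "any" or pattern == role


def matching_rule(src_role: str, dst_role: str, proto: str, port: int) -> Optional[Rule]:
    """Return the table row that requires this flow to be open, or None."""
    for r in RULES:
        if r.proto != proto or not (_role_ok(r.src, src_role) and _role_ok(r.dst, dst_role)):
            continue
        lo, hi = r.ports
        if proto == "icmp" or lo <= port <= hi:
            return r
    return None


def nftables_chain(node_role: str, control_plane_cidr: str) -> str:
    """Render a default-deny nftables input chain that opens only the required ports.
    control_plane_cidr is an assumed operator-supplied value (the page gives none)."""
    lines = [
        "table inet cluster {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iifname lo accept",
        "    ct state established,related accept",
    ]
    for r in RULES:
        if not _role_ok(r.dst, node_role):
            continue  # this row does not apply to a node of this role
        src = f"ip saddr {control_plane_cidr} " if r.src == "control-plane" else ""
        if r.proto == "icmp":
            match = "meta l4proto { icmp, ipv6-icmp }"
        else:
            lo, hi = r.ports
            match = f"{r.proto} dport {lo}" if lo == hi else f"{r.proto} dport {lo}-{hi}"
        lines.append(f'    {src}{match} accept comment "{r.desc}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample data: an IP-to-role map and flow records in a simple
# "proto src -> dst:port" form standing in for whatever your flow log produces.
ROLES: Dict[str, str] = {"10.0.0.10": "control-plane", "10.0.0.11": "control-plane",
                         "10.0.1.20": "worker", "10.0.1.21": "worker"}
SAMPLE_FLOWS = [
    "tcp 10.0.1.20 -> 10.0.0.10:6443",   # worker reaching the API: required
    "tcp 10.0.0.10 -> 10.0.0.11:2380",   # etcd peer traffic between masters: required
    "tcp 10.0.1.20 -> 10.0.0.10:2379",   # worker talking to etcd: in no table, review
    "udp 10.0.1.21 -> 10.0.1.20:4789",   # VXLAN between workers: required
    "tcp 10.0.1.21 -> 10.0.1.20:22",     # ssh: not a cluster requirement, review
]


def audit_flows(flows: List[str], roles: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Pair each flow with the description of the rule that covers it, or None.
    Flows involving an IP outside the role map are never treated as required."""
    out = []
    for line in flows:
        proto, src, _, dst = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        if src not in roles or dst_ip not in roles:
            out.append((line, None))
            continue
        rule = matching_rule(roles[src], roles[dst_ip], proto, int(port))
        out.append((line, rule.desc if rule else None))
    return out


if __name__ == "__main__":
    print(nftables_chain("control-plane", "10.0.0.0/24"))
    for line, desc in audit_flows(SAMPLE_FLOWS, ROLES):
        print(f"{'REQUIRED' if desc else 'REVIEW  '}  {line}  {desc or ''}")
```

The generated chain is meant to be reviewed and then loaded with `nft -f`; note that it only covers the cluster-internal ports from the tables, so anything else a node needs (SSH for administration, outbound DNS and DHCP replies, the machine config server port during first boot) has to be added deliberately rather than left to the default-drop policy. Running the audit over real flow or conntrack exports gives a quick list of cluster traffic that the tables do not account for.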