From ef07352df19e410ce7c3dc717d3231e1b9008c7a Mon Sep 17 00:00:00 2001 From: David Nuzik Date: Fri, 15 Nov 2019 09:19:36 -0700 Subject: [PATCH] Update node req port info regarding metrics-server port 10250 - Also change the Networking page to instead link to the Networking section of the Node Requirements page so we don't duplicate information in two areas. --- .../en/installation/node-requirements/_index.md | 2 ++ content/k3s/latest/en/networking/_index.md | 17 ++++------------- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/content/k3s/latest/en/installation/node-requirements/_index.md b/content/k3s/latest/en/installation/node-requirements/_index.md index bc2d3bcc814..f3bb9ef42a8 100644 --- a/content/k3s/latest/en/installation/node-requirements/_index.md +++ b/content/k3s/latest/en/installation/node-requirements/_index.md @@ -34,3 +34,5 @@ k3s performance depends on the performance of the database. To ensure optimal sp The k3s server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach other nodes over UDP port 8472 (Flannel VXLAN). If you do not use flannel and provide your own custom CNI, then port 8472 is not needed by k3s. The node should not listen on any other port. k3s uses reverse tunneling such that the nodes make outbound connections to the server and all kubelet traffic runs through that tunnel. IMPORTANT: The VXLAN port on nodes should not be exposed to the world as it opens up your cluster network to be accessed by anyone. Run your nodes behind a firewall/security group that disabled access to port 8472. + +If you wish to utilize the metrics server, you will need to open port 10250 on each node. diff --git a/content/k3s/latest/en/networking/_index.md b/content/k3s/latest/en/networking/_index.md index 042090854d2..55182d17e63 100644 --- a/content/k3s/latest/en/networking/_index.md +++ b/content/k3s/latest/en/networking/_index.md 
@@ -3,18 +3,9 @@ title: "Networking" weight: 35 --- -Open Ports / Network Security ---------------------------- - -The server needs port 6443 to be accessible by the nodes. The nodes need to be able to reach -other nodes over UDP port 8472. The nodes also need to be able to reach the server on UDP port 8472. This is used for flannel VXLAN. If you don't use flannel -and provide your own custom CNI, then 8472 is not needed by k3s. The node should not listen -on any other port. k3s uses reverse tunneling such that the nodes make outbound connections -to the server and all kubelet traffic runs through that tunnel. - -IMPORTANT. The VXLAN port on nodes should not be exposed to the world, it opens up your -cluster network to accessed by anyone. Run your nodes behind a firewall/security group that -disables access to port 8472. +Open Ports +---------- +Please reference the [Node Requirements]({{< baseurl >}}/k3s/latest/en/installation/node-requirements/#networking) page for port information. Flannel ------- @@ -49,4 +40,4 @@ k3s includes a basic service load balancer that uses available host ports. If y a load balancer that listens on port 80, for example, it will try to find a free host in the cluster for port 80. If no port is available the load balancer will stay in Pending. -To disable the embedded load balancer run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB. \ No newline at end of file +To disable the embedded load balancer run the server with the `--no-deploy servicelb` option. This is necessary if you wish to run a different load balancer, such as MetalLB.
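
Review bot: In the node-requirements/_index.md hunk (@@ -34,3 +34,5), the added sentence about port 10250 contradicts the unchanged context just above it, which still says "The node should not listen on any other port." The new sentence also says only "open port 10250 on each node", with no protocol and no indication of which hosts need to reach it, while the preceding IMPORTANT paragraph warns against exposing 8472 to the world. Suggest rewording the earlier sentence to name 10250 as an exception when the metrics server is used, and stating the protocol and that the port should be reachable only from inside the firewall/security group, not from outside it.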
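
Review bot: In the networking/_index.md hunk (@@ -3,18 +3,9), the removed section contains "The nodes also need to be able to reach the server on UDP port 8472", but the Node Requirements text shown as context in this patch only mentions node-to-node traffic on 8472, so replacing the section with a link drops that requirement. Either carry that sentence over to the Node Requirements page or confirm it is no longer accurate. The new link also targets a `#networking` anchor whose heading is not visible in this diff, so check that it resolves, and the "Please reference" line follows the `----------` underline without the blank line the old section had.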