The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

2.3.4 Setting up the Firewall Rules

Oracle Linux 7 installs and enables firewalld by default. The Platform CLI notifies you of any rules that you may need to add during the deployment of the Kubernetes module, and it also provides the commands to run to modify your firewall configuration to meet the requirements.

Make sure that all required ports are open. The ports required for a Kubernetes deployment are:

  • 2379/tcp: Kubernetes etcd server client API (on master nodes in multi-master deployments)

  • 2380/tcp: Kubernetes etcd server client API (on master nodes in multi-master deployments)

  • 6443/tcp: Kubernetes API server (master nodes)

  • 8090/tcp: Platform Agent (master and worker nodes)

  • 8091/tcp: Platform API Server (operator node)

  • 8472/udp: Flannel overlay network, VxLAN backend (master and worker nodes)

  • 10250/tcp: Kubernetes kubelet API server (master and worker nodes)

  • 10251/tcp: Kubernetes kube-scheduler (on master nodes in multi-master deployments)

  • 10252/tcp: Kubernetes kube-controller-manager (on master nodes in multi-master deployments)

  • 10255/tcp: Kubernetes kubelet API server for read-only access with no authentication (master and worker nodes)

The commands to open the ports and to set up the firewall rules are provided below.

2.3.4.1 Single Master Firewall Rules

For a single master deployment, the following ports must be open in the firewall.

Operator Node

On the operator node, run:

$ sudo firewall-cmd --add-port=8091/tcp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld

Worker Nodes

On the Kubernetes worker nodes run:

$ sudo firewall-cmd --zone=trusted --add-interface=cni0 --permanent
$ sudo firewall-cmd --add-port=8090/tcp --permanent
$ sudo firewall-cmd --add-port=10250/tcp --permanent
$ sudo firewall-cmd --add-port=10255/tcp --permanent
$ sudo firewall-cmd --add-port=8472/udp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld

Master Nodes

On the Kubernetes master nodes run:

$ sudo firewall-cmd --zone=trusted --add-interface=cni0 --permanent
$ sudo firewall-cmd --add-port=8090/tcp --permanent
$ sudo firewall-cmd --add-port=10250/tcp --permanent
$ sudo firewall-cmd --add-port=10255/tcp --permanent
$ sudo firewall-cmd --add-port=8472/udp --permanent
$ sudo firewall-cmd --add-port=6443/tcp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld
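The three procedures above differ only in which ports each node role opens. The following script is an added example, not part of the Oracle documentation or the Platform CLI: it encodes the per-role port lists from this section, runs the same firewall-cmd invocations, and then verifies the result against the output of firewall-cmd --list-ports (which firewalld prints as a space-separated list of port/protocol pairs). It goes one step beyond the section by also reporting open ports that the documentation does not require for the role, so that an operator can spot unintended exposure. The file name fw-check.sh and the helper function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not Oracle's code): apply and verify the firewall rules this
# section lists for one node role. Assumes firewall-cmd --list-ports prints
# "port/proto port/proto ...", which is firewalld's normal output format.

# Ports this section requires for a role (operator | master | worker).
required_ports() {
  case "$1" in
    operator) printf '%s\n' 8091/tcp ;;
    worker)   printf '%s\n' 8090/tcp 10250/tcp 10255/tcp 8472/udp ;;
    master)   printf '%s\n' 8090/tcp 10250/tcp 10255/tcp 8472/udp 6443/tcp ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Compare the required list for role $1 with the space-separated output of
# `firewall-cmd --list-ports`, passed in as $2 so the check can run offline.
# Prints one line per missing port; returns 1 if anything is missing.
missing_ports() {
  required_ports "$1" >/dev/null || return 2
  rc=0
  for p in $(required_ports "$1"); do
    case " $2 " in
      *" $p "*) ;;
      *) echo "$p"; rc=1 ;;
    esac
  done
  return $rc
}

# Print open ports (from the same --list-ports output) that the documentation
# does not require for role $1. Each one is a listener worth reviewing, since
# every unnecessary open port widens the node's attack surface.
extra_ports() {
  req=" $(required_ports "$1" | tr '\n' ' ') "
  for p in $2; do
    case "$req" in
      *" $p "*) ;;
      *) echo "$p" ;;
    esac
  done
}

# Run the documented firewall-cmd commands for role $1 and restart firewalld
# so the permanent rules take effect, exactly as the section instructs.
apply_rules() {
  if [ "$1" != operator ]; then
    sudo firewall-cmd --zone=trusted --add-interface=cni0 --permanent
  fi
  for p in $(required_ports "$1"); do
    sudo firewall-cmd --add-port="$p" --permanent
  done
  sudo systemctl restart firewalld
}

# Usage (hypothetical file name): sh fw-check.sh <operator|master|worker> [apply]
# Only acts when a role is given and firewalld's CLI is present on the host.
if [ -n "${1:-}" ] && command -v firewall-cmd >/dev/null 2>&1; then
  if [ "${2:-}" = apply ]; then
    apply_rules "$1"
  fi
  open=$(sudo firewall-cmd --list-ports)
  if missing_ports "$1" "$open"; then
    echo "all required ports for $1 are open"
  else
    echo "missing ports listed above for $1" >&2
  fi
  extra=$(extra_ports "$1" "$open")
  if [ -n "$extra" ]; then
    echo "open but not required for $1: $extra"
  fi
fi
```

Run it once without the apply argument after the documented commands to confirm the live configuration matches the section, and treat anything reported as "open but not required" as a rule to justify or remove.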