2.3.4 Setting up the Firewall Rules

Oracle Linux 7 installs and enables firewalld by default. During deployment of the Kubernetes module, the Platform CLI notifies you of any firewall rules you still need to add, and it also prints the commands to run to bring your firewall configuration in line with the requirements.

Make sure that all required ports are open. The ports required for a Kubernetes deployment are:

  • 2379/tcp: Kubernetes etcd server client API (on master nodes in multi-master deployments)

  • 2380/tcp: Kubernetes etcd server client API (on master nodes in multi-master deployments)

  • 6443/tcp: Kubernetes API server (master nodes)

  • 8090/tcp: Platform Agent (master and worker nodes)

  • 8091/tcp: Platform API Server (operator node)

  • 8472/udp: Flannel overlay network, VxLAN backend (master and worker nodes)

  • 10250/tcp: Kubernetes kubelet API server (master and worker nodes)

  • 10251/tcp: Kubernetes kube-scheduler (on master nodes in multi-master deployments)

  • 10252/tcp: Kubernetes kube-controller-manager (on master nodes in multi-master deployments)

  • 10255/tcp: Kubernetes kubelet API server for read-only access with no authentication (master and worker nodes)

In addition to the open ports, the firewall must also support masquerading. The commands to open the ports and enable masquerading are provided below.

2.3.4.1 Single Master Firewall Rules

For a single master deployment, the following ports are required to be open in the firewall.

Operator Node

On the operator node, run:

$ sudo firewall-cmd --add-port=8091/tcp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld

Worker Nodes

On the Kubernetes worker nodes run:

$ sudo firewall-cmd --add-masquerade --permanent
$ sudo firewall-cmd --add-port=8090/tcp --permanent
$ sudo firewall-cmd --add-port=10250/tcp --permanent
$ sudo firewall-cmd --add-port=10255/tcp --permanent
$ sudo firewall-cmd --add-port=8472/udp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld

Master Nodes

On the Kubernetes master nodes run:

$ sudo firewall-cmd --add-masquerade --permanent
$ sudo firewall-cmd --add-port=8090/tcp --permanent
$ sudo firewall-cmd --add-port=10250/tcp --permanent
$ sudo firewall-cmd --add-port=10255/tcp --permanent
$ sudo firewall-cmd --add-port=8472/udp --permanent
$ sudo firewall-cmd --add-port=6443/tcp --permanent

Restart the firewall for these rules to take effect:

$ sudo systemctl restart firewalld
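As an added example that is not part of Oracle's documentation or tooling, the following POSIX shell script encodes the single-master port lists above per node role, generates the firewall-cmd commands for a role, and checks a node's actually open ports against that requirement, so that nothing required is missing and nothing unexpected has been left open. The role names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Oracle's own tooling). Ports per role are taken from the
# single-master rules in this section.
required_ports() {
  case "$1" in
    operator) echo "8091/tcp" ;;
    worker)   echo "8090/tcp 10250/tcp 10255/tcp 8472/udp" ;;
    master)   echo "8090/tcp 10250/tcp 10255/tcp 8472/udp 6443/tcp" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}

# Print the firewall-cmd commands for a role. Worker and master nodes also
# need masquerading, which is emitted first.
rule_commands() {
  role="$1"
  ports=$(required_ports "$role") || return 1
  case "$role" in
    worker|master) echo "sudo firewall-cmd --add-masquerade --permanent" ;;
  esac
  for p in $ports; do
    echo "sudo firewall-cmd --add-port=$p --permanent"
  done
}

# Compare the ports a node has open (the space-separated output of
# 'firewall-cmd --list-ports') against the role's requirement. Prints the
# missing ports on line 1 and unexpected ports on line 2; returns 1 if either
# list is non-empty, so the check fails on an extra open port as well.
check_ports() {
  role="$1"; open="$2"
  required=$(required_ports "$role") || return 1
  missing=""; extra=""
  for p in $required; do
    case " $open " in *" $p "*) ;; *) missing="$missing $p" ;; esac
  done
  for p in $open; do
    case " $required " in *" $p "*) ;; *) extra="$extra $p" ;; esac
  done
  echo "missing:${missing}"
  echo "extra:${extra}"
  [ -z "$missing" ] && [ -z "$extra" ]
}

# On a real node (constructed usage; needs firewalld installed):
#   check_ports worker "$(sudo firewall-cmd --list-ports)" && echo "worker firewall OK"
```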