Konvoy Ports

Understanding configured ports for Konvoy deployment

This section describes pre-configured ports in your Konvoy deployment.

Konvoy components listen on multiple ports on each node. These ports must be available for installation to succeed.

Before you begin

  • To perform an installation, Ansible needs SSH connectivity on Port 22.

  • Detailed aspects of the networking components that come together to form a Konvoy networking stack are available in the networking section.

  • You must use appropriate network mechanisms to prevent unauthorized access to cluster nodes. Refer to the documentation on security.

  • By default, pods are non-isolated; they accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. Refer to the documentation for details on how Konvoy integrates Calico to support Network Policies.

  • During installation, Konvoy can be configured to automatically add the iptables rules outlined below.

Control-plane nodes

Port         Konvoy Component         Notes
22           Ansible                  ssh
179          calico-node              BGP
2379         etcd                     client
2380         etcd                     peer
6443         kube-apiserver
9091         calico-node              felix metrics
9092         calico-node              bird metrics
9099         calico-node              felix liveliness
10248        kubelet                  health
10249        kube-proxy               metrics
10250        kubelet
10251        kube-scheduler           liveliness
10252        kube-controller-manager  liveliness
10256        kube-proxy               health
10257        kube-controller-manager  secure port
10259        kube-scheduler           secure port
30000-32767  Kubernetes               NodePorts

Worker nodes

Port         Konvoy Component  Notes
22           Ansible           ssh
179          calico-node       BGP
5473         calico-typha      syncserver
9091         calico-node       felix metrics
9092         calico-node       bird metrics
9093         calico-typha      metrics
9099         calico-node       felix liveliness
10248        kubelet           health
10249        kube-proxy        metrics
10250        kubelet
10256        kube-proxy        health
30000-32767  Kubernetes        NodePorts
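
A pre-install check for the requirement that these ports be available on each node. This is an added example, not part of Konvoy or of the original page: it reads `ss -Htln` output and reports listeners that collide with the ports in the tables above. The function names, variable names and sample listener output are constructed for illustration, and leaving port 22 out of the conflict list is an assumption of the example.

```shell
#!/usr/bin/env bash
# Added example, not Konvoy tooling. Port lists are copied from the tables on
# this page; function and variable names are hypothetical.
CONTROL_PLANE_PORTS="179 2379 2380 6443 9091 9092 9099 10248 10249 10250 10251 10252 10256 10257 10259"
WORKER_PORTS="179 5473 9091 9092 9093 9099 10248 10249 10250 10256"
NODEPORT_MIN=30000
NODEPORT_MAX=32767

# Constructed sample of `ss -Htln` output (not captured from a real node).
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 4096 127.0.0.1:10250  0.0.0.0:*
LISTEN 0 4096 *:6443           *:*
LISTEN 0 4096 [::1]:31080      [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# Read `ss -Htln` output on stdin; print each listening port once, ascending.
# Column 4 is the local address: 0.0.0.0:22, [::]:6443, *:10250, 127.0.0.53%lo:53.
listening_ports() {
  awk '{ n = split($4, a, ":"); if (a[n] ~ /^[0-9]+$/) print a[n] }' | sort -un
}

# port_conflicts ROLE  (ROLE is control-plane or worker)
# Read `ss -Htln` output on stdin; print every port already in use that the
# tables reserve for ROLE, including anything inside the NodePort range.
# Assumption: port 22 is left out, because sshd must already be listening
# there for Ansible to reach the node.
port_conflicts() {
  local role="$1" required p
  case "$role" in
    control-plane) required="$CONTROL_PLANE_PORTS" ;;
    worker)        required="$WORKER_PORTS" ;;
    *) echo "unknown role: $role" >&2; return 2 ;;
  esac
  for p in $(listening_ports); do
    if [ "$p" -ge "$NODEPORT_MIN" ] && [ "$p" -le "$NODEPORT_MAX" ]; then
      echo "$p"
    else
      case " $required " in *" $p "*) echo "$p" ;; esac
    fi
  done
}

# Succeeds when something listens on port 22 (stdin: `ss -Htln` output).
ssh_listening() { listening_ports | grep -qx 22; }

# Live use on a node: ./check-ports.sh control-plane   (or: worker)
case "${1:-}" in control-plane|worker)
  ss -Htln | ssh_listening || echo "warning: nothing listens on port 22" >&2
  ss -Htln | port_conflicts "$1" ;;
esac
```

A listener bound only to a loopback address is still reported, since a component that binds the same port on all interfaces would fail to start.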