Kubernetes base environment requirements
1. Base packages
| Package | Kubernetes version ≥ 1.18 |
|---|---|
| socat | required |
| conntrack | required |
| ebtables | optional, recommended |
| ipset | optional, recommended |
| ipvsadm | optional, recommended |

On Debian/Ubuntu, install all of them with:

```shell
apt-get -y install socat conntrack ebtables ipset ipvsadm
```
2. Port requirements
2.1 Base node services
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| ssh | TCP | allow | 22 | 22 | Remote node management |
| docker | TCP | allow | 2375 | 2376 | Docker remote API |
| etcd | TCP | allow | 2379 | 2380 | etcd cluster communication |
2.2 Master/Control Plane components
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| apiserver | TCP | allow | 6443 | 6443 | K8s API server (HTTPS) |
| apiserver-insecure | TCP | allow | 8080 | 8080 | K8s API server (HTTP, deprecated) |
| etcd-client | TCP | allow | 2379 | 2379 | etcd client communication |
| etcd-peer | TCP | allow | 2380 | 2380 | etcd peer communication |
| scheduler | TCP | allow | 10259 | 10259 | kube-scheduler |
| controller-manager | TCP | allow | 10257 | 10257 | kube-controller-manager |
| kubelet | TCP | allow | 10250 | 10250 | kubelet API |
| kubelet-readonly | TCP | allow | 10255 | 10255 | kubelet read-only port (deprecated) |
| kube-proxy-metrics | TCP | allow | 10249 | 10249 | kube-proxy metrics |
2.3 Worker Node components
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| kubelet | TCP | allow | 10250 | 10250 | kubelet API |
| kubelet-readonly | TCP | allow | 10255 | 10255 | kubelet read-only port (deprecated) |
| kube-proxy | TCP | allow | 10256 | 10256 | kube-proxy health check |
| nodeport | TCP | allow | 30000 | 32767 | NodePort service range |
2.4 Network components (CNI)
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| calico-typha | TCP | allow | 5473 | 5473 | Calico Typha |
| calico-node | TCP | allow | 9099 | 9100 | Calico monitoring ports |
| bgp | TCP | allow | 179 | 179 | Calico BGP |
| ipip | IPENCAP/IPIP | allow | — | — | Calico IP-in-IP encapsulation mode |
| wireguard | UDP | allow | 51820 | 51821 | Calico WireGuard (optional) |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| flannel-vxlan | UDP | allow | 8472 | 8472 | Flannel VXLAN mode |
| flannel-host-gw | TCP | allow | 8285 | 8285 | Flannel host-gw mode |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| cilium-agent | TCP | allow | 9876 | 9876 | Cilium Agent |
| cilium-operator | TCP | allow | 9234 | 9234 | Cilium Operator |
| cilium-hubble | TCP | allow | 4244 | 4244 | Hubble gRPC |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| weave | TCP | allow | 6783 | 6783 | Weave network communication |
| weave | UDP | allow | 6783 | 6784 | Weave network communication |
2.5 Storage
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| rpcbind | TCP | allow | 111 | 111 | NFS RPC binding |
| rpcbind | UDP | allow | 111 | 111 | NFS RPC binding |
| nfs | TCP | allow | 2049 | 2049 | NFS service |
| nfs | UDP | allow | 2049 | 2049 | NFS service |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| iscsi | TCP | allow | 3260 | 3260 | iSCSI target port |
2.6 Service discovery and DNS
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| coredns | TCP | allow | 53 | 53 | CoreDNS resolution |
| coredns | UDP | allow | 53 | 53 | CoreDNS resolution |
| coredns-metrics | TCP | allow | 9153 | 9153 | CoreDNS metrics |
2.7 Monitoring and logging
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| prometheus | TCP | allow | 9090 | 9090 | Prometheus server |
| node-exporter | TCP | allow | 9100 | 9100 | Node Exporter |
| kube-state-metrics | TCP | allow | 8080 | 8081 | kube-state-metrics |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| grafana | TCP | allow | 3000 | 3000 | Grafana web UI |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| elasticsearch | TCP | allow | 9200 | 9300 | Elasticsearch |
| kibana | TCP | allow | 5601 | 5601 | Kibana web UI |
| logstash | TCP | allow | 5044 | 5044 | Logstash Beats input |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| jaeger-query | TCP | allow | 16686 | 16686 | Jaeger UI |
| jaeger-collector | TCP | allow | 14268 | 14268 | Jaeger HTTP |
| jaeger-agent | UDP | allow | 6831 | 6832 | Jaeger UDP |
2.8 Ingress
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| nginx-http | TCP | allow | 80 | 80 | HTTP traffic |
| nginx-https | TCP | allow | 443 | 443 | HTTPS traffic |
| nginx-metrics | TCP | allow | 10254 | 10254 | NGINX metrics |

| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| traefik-web | TCP | allow | 8080 | 8080 | Traefik dashboard |
| traefik-http | TCP | allow | 80 | 80 | HTTP traffic |
| traefik-https | TCP | allow | 443 | 443 | HTTPS traffic |
2.9 Service Mesh
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| istiod | TCP | allow | 15010 | 15017 | Istiod control plane |
| envoy-admin | TCP | allow | 15000 | 15000 | Envoy admin port |
| envoy-outbound | TCP | allow | 15001 | 15001 | Envoy outbound traffic |
| envoy-inbound | TCP | allow | 15006 | 15006 | Envoy inbound traffic |
| istio-proxy | TCP | allow | 15020 | 15020 | Istio proxy status |
2.10 Load balancer
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| metallb-speaker | TCP | allow | 7472 | 7472 | MetalLB Speaker |
| metallb-webhook | TCP | allow | 9443 | 9443 | MetalLB Webhook |
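The tables above are written in one fixed column layout, so they can be turned into host firewall rules mechanically rather than by hand. The following is an added example, not code from the page: it parses rows in that layout, emits one `iptables` INPUT rule per row (a port range becomes `--dport start:end`, and a row with no port such as the Calico IP-in-IP entry becomes a bare protocol match), and skips rows whose comment marks the port as deprecated. The sample rows are constructed from the tables here, the `10.0.0.0/8` source range is a placeholder for your node network, and the rules are only rendered as strings, not applied.

```python
"""Render port-table rows from this page into iptables INPUT rules (added example)."""

# Protocol names as written in the tables, mapped to iptables protocol names.
# "ipencap" is the /etc/protocols name for IP-in-IP (protocol number 4).
PROTO_MAP = {"TCP": "tcp", "UDP": "udp", "IPENCAP/IPIP": "ipencap"}

COLUMNS = ("service", "protocol", "action", "start", "end", "comment")

# Constructed sample in the page's table layout; it is not read from a live cluster.
SAMPLE_TABLE = """\
| Service | Protocol | Action | Start Port | End Port | Comment |
|---|---|---|---|---|---|
| apiserver | TCP | allow | 6443 | 6443 | K8s API server (HTTPS) |
| apiserver-insecure | TCP | allow | 8080 | 8080 | K8s API server (HTTP, deprecated) |
| kubelet-readonly | TCP | allow | 10255 | 10255 | kubelet read-only port (deprecated) |
| nodeport | TCP | allow | 30000 | 32767 | NodePort service range |
| ipip | IPENCAP/IPIP | allow | - | - | Calico IP-in-IP encapsulation mode |
| coredns | UDP | allow | 53 | 53 | CoreDNS resolution |
"""

NO_PORT = {"", "-", "\u2014"}  # cells the tables use when a protocol has no port


def parse_rows(table):
    """Return the data rows of a pipe table as dicts keyed by COLUMNS."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        # Skip the header row, the |---| separator row, and malformed rows.
        if len(cells) != len(COLUMNS) or cells[0] == "Service" or set(cells[0]) <= {"-"}:
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def is_deprecated(row):
    return "deprecated" in row["comment"].lower()


def to_rule(row, source_cidr=None):
    """Build one iptables INPUT rule for a row; raises ValueError on a bad port range."""
    proto = PROTO_MAP[row["protocol"]]
    parts = ["iptables", "-A", "INPUT", "-p", proto]
    if source_cidr:  # restrict the rule to the node network instead of the world
        parts += ["-s", source_cidr]
    if row["start"] not in NO_PORT:
        start, end = int(row["start"]), int(row["end"])
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"bad port range for {row['service']}: {start}-{end}")
        parts += ["--dport", str(start) if start == end else f"{start}:{end}"]
    target = "ACCEPT" if row["action"] == "allow" else "DROP"
    parts += ["-m", "comment", "--comment", row["service"], "-j", target]
    return " ".join(parts)


def render_rules(table, source_cidr=None, skip_deprecated=True):
    """Return (rules, skipped_services); deprecated rows are left closed by default."""
    rules, skipped = [], []
    for row in parse_rows(table):
        if skip_deprecated and is_deprecated(row):
            skipped.append(row["service"])
            continue
        rules.append(to_rule(row, source_cidr))
    return rules, skipped


if __name__ == "__main__":
    rendered, left_out = render_rules(SAMPLE_TABLE, source_cidr="10.0.0.0/8")
    print("\n".join(rendered))
    print("# skipped (deprecated):", ", ".join(left_out))
```

The rules are rendered, not executed, so the output can be reviewed before being fed to `iptables-restore` or translated to nftables; the `-s` restriction is there because every row in the page's tables is an `allow`, and a control-plane port such as 6443 or 2379 should only be reachable from the node and administration networks, not from every source.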