Shared Interface Network Setup
Network configuration for standard single-NIC deployments where all traffic shares a single interface.
Each cluster node must have at least one network interface card (NIC) that carries the default route. If the node has no pre-configured default route, one must be established prior to installation.
K3s requires a default route to auto-detect the node’s primary IP and for kube-proxy ClusterIP routing to function properly. If no default route exists, create a dummy interface as a workaround:
```sh
ip link add dummy0 type dummy
ip link set dummy0 up
ip addr add 203.0.113.254/31 dev dummy0
ip route add default via 203.0.113.255 dev dummy0 metric 1000
```
Kubernetes creates virtual network interfaces for pods that are typically not associated with any specific firewalld zone. The cluster uses the following network ranges:
| Network | CIDR | Purpose |
|---|---|---|
| Pod | 10.42.0.0/16 | Inter-pod communication |
| Service | 10.43.0.0/16 | Kubernetes service discovery |
Firewall rules should be applied to the primary physical interface. Traffic on the overlay network between nodes is carried by Flannel VXLAN.
The following ports must be permitted between all cluster nodes for Kubernetes and cluster infrastructure:
| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 2379-2380 | TCP | Server nodes | Server nodes | etcd cluster communication |
| 6443 | TCP | All nodes | Server nodes | Kubernetes API server |
| 8472 | UDP | All nodes | All nodes | Flannel VXLAN overlay network |
| 10250 | TCP | All nodes | All nodes | Kubelet metrics and management |
| 5001 | TCP | All nodes | Server nodes | Spegel registry mirror |
| 9500-9503 | TCP | All nodes | All nodes | Longhorn management API |
| 8500-8504 | TCP | All nodes | All nodes | Longhorn agent communication |
| 10000-30000 | TCP | All nodes | All nodes | Longhorn data replication |
| 3260 | TCP | All nodes | All nodes | Longhorn iSCSI |
| 2049 | TCP | All nodes | All nodes | Longhorn RWX (NFS) |
The following ports must be accessible for application services within the cluster:
| Port | Protocol | Service |
|---|---|---|
| 6379 | TCP | Redis |
| 9093 | TCP | Alertmanager |
| 9095 | TCP | Kafka |
| 8086 | TCP | Telegraf (InfluxDB v2 listener) |
The following ports must be accessible from external clients to cluster nodes:
| Port | Protocol | Service |
|---|---|---|
| 80 | TCP | HTTP ingress (Optional, redirects to HTTPS) |
| 443 | TCP | HTTPS ingress (Required, all services) |
| 9095 | TCP | Kafka (external client connections) |
| 6379 | TCP | Redis (external client connections) |
| 8125 | TCP/UDP | Telegraf (metrics collection) |
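On a single shared NIC the two tables above (node-to-node ports and external client ports) must be enforced on the same interface, so the difference between them comes down to the allowed source. The script below is an added example, not part of the original guide: it emits the firewalld commands for one node from those tables, limiting node-to-node ports to the node subnet with rich rules, opening external ports to any source, and placing the pod and service CIDRs in the trusted zone. The interface name, zone name and node subnet are assumed placeholders.

```shell
#!/bin/sh
# Added example: print (or apply) firewalld rules for a shared-interface node.
# IFACE, ZONE and NODE_CIDR are assumptions; NODE_CIDR is a constructed
# example subnet that should be replaced by the real cluster node range.
IFACE="${IFACE:-eth0}"
ZONE="${ZONE:-public}"
ROLE="${ROLE:-server}"                   # server or agent
NODE_CIDR="${NODE_CIDR:-192.0.2.0/24}"   # constructed example node subnet

# Ports from the "between all cluster nodes" table. The etcd, API server
# and Spegel ports have server nodes as destination, so only servers open them.
node_ports() {
  echo "8472/udp 10250/tcp 9500-9503/tcp 8500-8504/tcp 10000-30000/tcp 3260/tcp 2049/tcp"
  if [ "$1" = server ]; then echo "2379-2380/tcp 6443/tcp 5001/tcp"; fi
}

# Ports from the "external clients" table.
external_ports() {
  echo "80/tcp 443/tcp 9095/tcp 6379/tcp 8125/tcp 8125/udp"
}

# Emit the firewall-cmd invocations for one node without running them.
generate_rules() {
  role="$1"; iface="$2"; zone="$3"; nodes="$4"
  echo "firewall-cmd --permanent --zone=$zone --change-interface=$iface"
  # Pod and service ranges are trusted so overlay traffic is not dropped.
  for cidr in 10.42.0.0/16 10.43.0.0/16; do
    echo "firewall-cmd --permanent --zone=trusted --add-source=$cidr"
  done
  # Node-to-node ports: accept only from the node subnet.
  for p in $(node_ports "$role"); do
    port="${p%/*}"; proto="${p#*/}"
    echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source address=\"$nodes\" port port=\"$port\" protocol=\"$proto\" accept'"
  done
  # External client ports: open to any source on the shared interface.
  for p in $(external_ports); do
    echo "firewall-cmd --permanent --zone=$zone --add-port=$p"
  done
  echo "firewall-cmd --reload"
}

# Dry run by default; APPLY=1 executes the generated commands (run as root).
if [ "${APPLY:-0}" = 1 ]; then
  generate_rules "$ROLE" "$IFACE" "$ZONE" "$NODE_CIDR" | sh
else
  generate_rules "$ROLE" "$IFACE" "$ZONE" "$NODE_CIDR"
fi
```

Review the printed commands first; `ROLE=agent` omits the server-only ports, and the in-cluster application ports (Redis, Alertmanager, Kafka, Telegraf) are reached over the trusted pod and service ranges rather than opened here.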
Choose the guide that matches your deployment architecture:
| Guide | Description | Who Should Use This |
|---|---|---|
| Configuring Segregated Networks | Multi-NIC deployments with air-gapped cluster backplane | Most users - If you have separate interfaces for cluster traffic and external internet access |
| Shared Interface Setup | Single-NIC deployments where all traffic shares one interface | Users with a single network interface for both cluster traffic and external access |
Not sure which to use? If you have explicitly separate interfaces for cluster communication and external access, start with Configuring Segregated Networks. Only use the shared interface guide if your hardware is limited to a single NIC.