Whether you install Rancher server on a single node or in a high-availability (HA) configuration, every node must meet the following node requirements.

Rancher is supported on the following operating systems and their subsequent non-major releases:

  • Ubuntu 16.04.x (64-bit)
    • Docker 17.03.x, 18.06.x, 18.09.x
  • Ubuntu 18.04.x (64-bit)
    • Docker 18.06.x, 18.09.x
  • Red Hat Enterprise Linux (RHEL)/CentOS 7.5+ (64-bit)
    • RHEL Docker 1.13
    • Docker 17.03.x, 18.06.x, 18.09.x
  • RancherOS 1.3.x+ (64-bit)
    • Docker 17.03.x, 18.06.x, 18.09.x
  • Windows Server version 1803 (64-bit)
    • Docker 17.06

1. Ubuntu and CentOS come in Desktop and Server editions; install the Server edition and don't dig yourself a hole!
2. If you are using RancherOS, make sure you switch to a supported Docker version:
sudo ros engine switch docker-18.09.2

Hardware requirements scale with the size of the Kubernetes clusters that Rancher manages; size each node according to the tables below.

HA node requirements (standard 3 nodes)

Deployment size   Clusters    Nodes        vCPUs            RAM
Small             Up to 5     Up to 50     2                8 GB
Medium            Up to 15    Up to 200    4                16 GB
Large             Up to 50    Up to 500    8                32 GB
Large+            Up to 100   Up to 1000   32               128 GB
Large++           100+        1000+        Contact Rancher  Contact Rancher

Single-node requirements

Deployment size   Clusters    Nodes        vCPUs   RAM
Small             Up to 5     Up to 50     4       8 GB
Medium            Up to 15    Up to 200    8       16 GB


Node IP addresses

Every node you use (for a single-node install, an HA install, or as a worker node in a cluster) should be configured with a static IP. Where DHCP is used, configure a DHCP reservation so that the node always receives the same IP address.

Port requirements

When deploying Rancher in an HA cluster, certain ports on the nodes must be open to allow communication with Rancher. Which ports must be open depends on the type of machine hosting the cluster nodes; for example, if you deploy Rancher on infrastructure-hosted nodes, port 22 must be open for SSH. The tables below list the ports that must be opened for each cluster type.

Basic Port Requirements

Rancher nodes:
Nodes running the rancher/rancher container

Rancher nodes - Inbound rules

Protocol Port Source Description
TCP 80
  • Load balancer/proxy that does external SSL termination
Rancher UI/API when external SSL termination is used
TCP 443
  • etcd nodes
  • controlplane nodes
  • worker nodes
  • Hosted/Imported Kubernetes
  • any that needs to be able to use UI/API
Rancher agent, Rancher UI/API, kubectl

Rancher nodes - Outbound rules

Protocol Port Destination Description
TCP 22
  • Any node IP from a node created using Node Driver
SSH provisioning of nodes using Node Driver
TCP 443
  • 35.160.43.145/32
  • 35.167.242.46/32
  • 52.33.59.17/32
git.rancher.io (catalogs)
TCP 2376
  • Any node IP from a node created using Node Driver
Docker daemon TLS port used by Docker Machine
TCP 6443
  • Hosted/Imported Kubernetes API
Kubernetes apiserver

etcd nodes:
Nodes with the role etcd

etcd nodes - Inbound rules

Protocol Port Source Description
TCP 2376
  • Rancher nodes
Docker daemon TLS port used by Docker Machine
(only needed when using Node Driver/Templates)
TCP 2379
  • etcd nodes
  • controlplane nodes
etcd client requests
TCP 2380
  • etcd nodes
  • controlplane nodes
etcd peer communication
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • etcd node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe
TCP 10250
  • controlplane nodes
kubelet

etcd nodes - Outbound rules

Protocol Port Destination Description
TCP 443
  • Rancher nodes
Rancher agent
TCP 2379
  • etcd nodes
etcd client requests
TCP 2380
  • etcd nodes
etcd peer communication
TCP 6443
  • controlplane nodes
Kubernetes apiserver
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • etcd node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe

controlplane nodes:
Nodes with the role controlplane

controlplane nodes - Inbound rules

Protocol Port Source Description
TCP 80
  • Any that consumes Ingress services
Ingress controller (HTTP)
TCP 443
  • Any that consumes Ingress services
Ingress controller (HTTPS)
TCP 2376
  • Rancher nodes
Docker daemon TLS port used by Docker Machine
(only needed when using Node Driver/Templates)
TCP 6443
  • etcd nodes
  • controlplane nodes
  • worker nodes
Kubernetes apiserver
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • controlplane node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe
TCP 10250
  • controlplane nodes
kubelet
TCP 10254
  • controlplane node itself (local traffic, not across nodes)
See Local node traffic
Ingress controller livenessProbe/readinessProbe
TCP/UDP 30000-32767
  • Any source that consumes NodePort services
NodePort port range

controlplane nodes - Outbound rules

Protocol Port Destination Description
TCP 443
  • Rancher nodes
Rancher agent
TCP 2379
  • etcd nodes
etcd client requests
TCP 2380
  • etcd nodes
etcd peer communication
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • controlplane node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe
TCP 10250
  • etcd nodes
  • controlplane nodes
  • worker nodes
kubelet
TCP 10254
  • controlplane node itself (local traffic, not across nodes)
See Local node traffic
Ingress controller livenessProbe/readinessProbe

worker nodes:
Nodes with the role worker

worker nodes - Inbound rules

Protocol Port Source Description
TCP 22
  • Linux worker nodes only
  • Any network that you want to be able to remotely access this node from.
Remote access over SSH
TCP 3389
  • Windows worker nodes only
  • Any network that you want to be able to remotely access this node from.
Remote access over RDP
TCP 80
  • Any that consumes Ingress services
Ingress controller (HTTP)
TCP 443
  • Any that consumes Ingress services
Ingress controller (HTTPS)
TCP 2376
  • Rancher nodes
Docker daemon TLS port used by Docker Machine
(only needed when using Node Driver/Templates)
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • worker node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe
TCP 10250
  • controlplane nodes
kubelet
TCP 10254
  • worker node itself (local traffic, not across nodes)
See Local node traffic
Ingress controller livenessProbe/readinessProbe
TCP/UDP 30000-32767
  • Any source that consumes NodePort services
NodePort port range

worker nodes - Outbound rules

Protocol Port Destination Description
TCP 443
  • Rancher nodes
Rancher agent
TCP 6443
  • controlplane nodes
Kubernetes apiserver
UDP 8472
  • etcd nodes
  • controlplane nodes
  • worker nodes
Canal/Flannel VXLAN overlay networking
TCP 9099
  • worker node itself (local traffic, not across nodes)
See Local node traffic
Canal/Flannel livenessProbe/readinessProbe
TCP 10254
  • worker node itself (local traffic, not across nodes)
See Local node traffic
Ingress controller livenessProbe/readinessProbe

Information on local node traffic

Kubernetes healthchecks (livenessProbe and readinessProbe) are executed on the host itself. On most nodes, this is allowed by default. When you have applied strict host firewall (e.g. iptables) policies on the node, or when you are using nodes that have multiple interfaces (multihomed), this traffic gets blocked. In this case, you have to explicitly allow this traffic in your host firewall or, for machines hosted in a public/private cloud (e.g. AWS or OpenStack), in your security group configuration. Keep in mind that when you use a security group as the Source or Destination of a security group rule, it only matches the private interface of the nodes/instances.
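The per-role inbound tables above, turned into a host-firewall helper. This is an added example, not Rancher's or RKE's own tooling: it transcribes the inbound tables into data, emits iptables ACCEPT rules that allow only those ports from only the listed source groups (the "node itself" rows become a rule whose source is the node's own address, which is what the health probes use, so they survive a strict default-DROP policy), and reports listening sockets that the tables do not account for. The CIDRs in GROUPS and the sample socket list are constructed placeholders.

```python
"""Host-firewall helper derived from the Rancher inbound port tables.
Added example, not Rancher's code. GROUPS holds constructed placeholder CIDRs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    ports: str      # single port "2379" or iptables range "30000:32767"
    sources: tuple  # group names: rancher / etcd / controlplane / worker / self / any
    desc: str


CLUSTER = ("etcd", "controlplane", "worker")

# Inbound rules per role, transcribed from the tables above. 3389/RDP for
# Windows workers is omitted because iptables only applies to Linux nodes.
INBOUND = {
    "etcd": [
        Rule("tcp", "2376", ("rancher",), "Docker Machine TLS (Node Driver only)"),
        Rule("tcp", "2379", ("etcd", "controlplane"), "etcd client requests"),
        Rule("tcp", "2380", ("etcd", "controlplane"), "etcd peer communication"),
        Rule("udp", "8472", CLUSTER, "Canal/Flannel VXLAN"),
        Rule("tcp", "9099", ("self",), "Canal/Flannel probes"),
        Rule("tcp", "10250", ("controlplane",), "kubelet"),
    ],
    "controlplane": [
        Rule("tcp", "80", ("any",), "Ingress controller (HTTP)"),
        Rule("tcp", "443", ("any",), "Ingress controller (HTTPS)"),
        Rule("tcp", "2376", ("rancher",), "Docker Machine TLS (Node Driver only)"),
        Rule("tcp", "6443", CLUSTER, "Kubernetes apiserver"),
        Rule("udp", "8472", CLUSTER, "Canal/Flannel VXLAN"),
        Rule("tcp", "9099", ("self",), "Canal/Flannel probes"),
        Rule("tcp", "10250", ("controlplane",), "kubelet"),
        Rule("tcp", "10254", ("self",), "Ingress controller probes"),
        Rule("tcp", "30000:32767", ("any",), "NodePort range"),
        Rule("udp", "30000:32767", ("any",), "NodePort range"),
    ],
    "worker": [
        Rule("tcp", "22", ("any",), "SSH remote access"),
        Rule("tcp", "80", ("any",), "Ingress controller (HTTP)"),
        Rule("tcp", "443", ("any",), "Ingress controller (HTTPS)"),
        Rule("tcp", "2376", ("rancher",), "Docker Machine TLS (Node Driver only)"),
        Rule("udp", "8472", CLUSTER, "Canal/Flannel VXLAN"),
        Rule("tcp", "9099", ("self",), "Canal/Flannel probes"),
        Rule("tcp", "10250", ("controlplane",), "kubelet"),
        Rule("tcp", "10254", ("self",), "Ingress controller probes"),
        Rule("tcp", "30000:32767", ("any",), "NodePort range"),
        Rule("udp", "30000:32767", ("any",), "NodePort range"),
    ],
}

# Constructed placeholder CIDRs; substitute your real subnets.
GROUPS = {
    "rancher": ["10.0.0.0/28"],
    "etcd": ["10.0.1.0/24"],
    "controlplane": ["10.0.2.0/24"],
    "worker": ["10.0.3.0/24"],
}


def iptables_rules(role, groups, node_ip):
    """Return iptables commands that ACCEPT exactly the inbound traffic the
    table lists for `role`; pair them with a default DROP policy on INPUT."""
    cmds = []
    for r in INBOUND[role]:
        for group in r.sources:
            if group == "any":
                cidrs = [None]
            elif group == "self":
                cidrs = [f"{node_ip}/32"]  # probes originate from the host itself
            else:
                cidrs = groups[group]
            for cidr in cidrs:
                src = f" -s {cidr}" if cidr else ""
                cmds.append(
                    f"iptables -A INPUT -p {r.proto} --dport {r.ports}{src}"
                    f' -m comment --comment "{r.desc}" -j ACCEPT'
                )
    return cmds


def _covers(spec, port):
    if ":" in spec:
        lo, hi = (int(x) for x in spec.split(":"))
        return lo <= port <= hi
    return int(spec) == port


def unexpected_listeners(role, observed):
    """observed: (proto, port) pairs, e.g. parsed from `ss -lntu` on the node.
    Returns the sorted pairs the role's table does not explain. Services bound
    only to loopback will appear too, so filter by bind address before alarming."""
    return sorted(
        (p, n) for p, n in observed
        if not any(r.proto == p and _covers(r.ports, n) for r in INBOUND[role])
    )
```

Run `iptables_rules("etcd", GROUPS, "10.0.1.11")` to print the rule set for an etcd node, and feed `unexpected_listeners` the socket list from a real node to spot anything listening that the tables do not justify; a database port on a worker, for instance, would be reported while the NodePort range would not.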

Amazon EC2 security group when using Node Driver

If you are creating an Amazon EC2 cluster, you can let Rancher create a security group called rancher-nodes. The following rules are automatically added to this security group.

Security group: rancher-nodes

Inbound rules

Type              Protocol   Port Range    Source
SSH               TCP        22            0.0.0.0/0
HTTP              TCP        80            0.0.0.0/0
Custom TCP Rule   TCP        443           0.0.0.0/0
Custom TCP Rule   TCP        2376          0.0.0.0/0
Custom TCP Rule   TCP        2379-2380     sg-xxx (rancher-nodes)
Custom UDP Rule   UDP        4789          sg-xxx (rancher-nodes)
Custom TCP Rule   TCP        6443          0.0.0.0/0
Custom UDP Rule   UDP        8472          sg-xxx (rancher-nodes)
Custom TCP Rule   TCP        10250-10252   sg-xxx (rancher-nodes)
Custom TCP Rule   TCP        10256         sg-xxx (rancher-nodes)
Custom TCP Rule   TCP        30000-32767   0.0.0.0/0
Custom UDP Rule   UDP        30000-32767   0.0.0.0/0

Outbound rules

Type          Protocol   Port Range   Destination
All traffic   All        All          0.0.0.0/0
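The auto-created rancher-nodes group opens 22, 2376 and 6443 to 0.0.0.0/0, while the per-role tables earlier on the page give those ports specific sources (Rancher nodes for SSH provisioning and Docker Machine TLS, cluster nodes for the apiserver). The following added example, which is not Rancher's code and makes no AWS API calls, transcribes the rancher-nodes table as constructed data, reports the restricted ports that are exposed to the world, and produces a tightened copy of the rules; the replacement CIDRs in TIGHTER are placeholders.

```python
"""Audit the rancher-nodes security group against the Rancher port tables.
Added example, not Rancher's code; rules are the page's table, transcribed."""
WORLD = "0.0.0.0/0"
SG_SELF = "sg-xxx (rancher-nodes)"

# Ports the role tables restrict to specific sources. The group's other
# 0.0.0.0/0 rules (80/443 Ingress, NodePorts) are public-facing by design.
RESTRICTED = {
    ("tcp", 22): "Rancher nodes (SSH provisioning via Node Driver) or an admin CIDR",
    ("tcp", 2376): "Rancher nodes (Docker daemon TLS used by Docker Machine)",
    ("tcp", 6443): "etcd, controlplane and worker nodes (Kubernetes apiserver)",
}

# (type, protocol, (from_port, to_port), source), transcribed from the table above.
RANCHER_NODES_SG = [
    ("SSH", "tcp", (22, 22), WORLD),
    ("HTTP", "tcp", (80, 80), WORLD),
    ("Custom TCP Rule", "tcp", (443, 443), WORLD),
    ("Custom TCP Rule", "tcp", (2376, 2376), WORLD),
    ("Custom TCP Rule", "tcp", (2379, 2380), SG_SELF),
    ("Custom UDP Rule", "udp", (4789, 4789), SG_SELF),
    ("Custom TCP Rule", "tcp", (6443, 6443), WORLD),
    ("Custom UDP Rule", "udp", (8472, 8472), SG_SELF),
    ("Custom TCP Rule", "tcp", (10250, 10252), SG_SELF),
    ("Custom TCP Rule", "tcp", (10256, 10256), SG_SELF),
    ("Custom TCP Rule", "tcp", (30000, 32767), WORLD),
    ("Custom UDP Rule", "udp", (30000, 32767), WORLD),
]


def world_exposed(rules):
    """Return (port, recommended_source) for every restricted port that some
    rule opens to 0.0.0.0/0, in rule order."""
    findings = []
    for _name, proto, (lo, hi), source in rules:
        if source != WORLD:
            continue
        for (p, port), recommended in RESTRICTED.items():
            if p == proto and lo <= port <= hi:
                findings.append((port, recommended))
    return findings


def tighten(rules, replacements):
    """Return a copy of `rules` in which a 0.0.0.0/0 source on a port listed in
    `replacements` is swapped for the given CIDRs, one rule per CIDR."""
    out = []
    for name, proto, (lo, hi), source in rules:
        sources = [source]
        if source == WORLD:
            for (p, port), cidrs in replacements.items():
                if p == proto and lo <= port <= hi:
                    sources = list(cidrs)
        for src in sources:
            out.append((name, proto, (lo, hi), src))
    return out


# Constructed placeholders: Rancher server subnet, admin network, the group itself.
TIGHTER = {
    ("tcp", 22): ["10.0.0.0/28", "203.0.113.0/24"],
    ("tcp", 2376): ["10.0.0.0/28"],
    ("tcp", 6443): [SG_SELF],  # cluster nodes only, per the controlplane inbound table
}
```

`world_exposed(RANCHER_NODES_SG)` lists 22, 2376 and 6443 with the source each should have; `world_exposed(tighten(RANCHER_NODES_SG, TIGHTER))` is empty while the Ingress and NodePort rules are left open as the table intends. Pointing 6443 at the group itself is enough for RKE clusters because the Rancher server reaches them through the agent's outbound 443 connection (see the outbound tables), not by calling the apiserver directly.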