Firewall Port Requirements for Kubernetes & SELinux Environments
Proper firewall configuration is essential for a stable and secure Capacity Private Cloud deployment on Kubernetes. In environments where SELinux is enabled, strict adherence to security policies is paramount—SELinux governs how processes interact with each other and the network, making explicit firewall allowances and correct SELinux context labeling critical for system stability.
Use the tables below to configure your Network Security Groups (NSGs) or local firewall rules for each component of the platform. Ensure all listed ports are open between the relevant nodes and services before deploying or upgrading.
Kubernetes Control Plane & Worker Nodes
The following ports are required for cluster orchestration and internal component communication.
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP | 6443 | Kubernetes API Server | All |
| TCP | 2379–2380 | etcd server client API | kube-apiserver, etcd |
| TCP | 10250 | Kubelet API | Self, Control plane |
| TCP | 10256 | Kube-proxy health check | Self |
| TCP | 10257 | kube-controller-manager | Self |
| TCP | 10259 | kube-scheduler | Self |
NGINX Ingress Controller
The NGINX Ingress Controller manages external access to cluster services, functioning as a reverse proxy and load balancer for the platform.
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP | 80 | Standard HTTP traffic | Kubernetes |
| TCP | 443 | HTTPS / Ingress controller | Kubernetes |
| TCP | 8443 | Internal control plane (webhook) | Kubernetes |
| TCP | 10254 | Metrics / health check endpoint | Kubernetes |
Calico Networking (CNI)
Calico is the Container Network Interface (CNI) plugin responsible for pod networking and network security policies. These ports support node-to-node communication and routing.
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP | 179 | BGP peer-to-peer routing between nodes | Kubernetes |
| UDP | 4789 | VXLAN overlay networking | Kubernetes |
| TCP | 5473 | Typha — scales Calico datastore API access | Kubernetes |
Media Server
These ports support voice and media processing through the MRCP API, including session signaling and media stream transport.
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP/UDP | 20000–24999 | MRCP server port base (media channel range) | MRCP API |
| TCP/UDP | 25000–29999 | MRCP server port base (extended range) | MRCP API |
| TCP/UDP | 5060 | SIP signaling (sip_port) | MRCP API |
| TCP/UDP | 5061 | SIPS signaling (sips_port) | MRCP API |
| TCP/UDP | 554 | RTSP media streaming (rtsp_port) | MRCP API |
External Services & Database Connectivity
The following ports are required for application data persistence, caching, and messaging infrastructure used by the platform.
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP | 22 | SSH remote access | System admins |
| TCP | 5432 | PostgreSQL database | Application clients |
| TCP | 6379 | Redis cache | Application clients |
| TCP | 20717 | MongoDB | Application clients |
| TCP | 5672 | RabbitMQ (AMQP) | Application clients |
| TCP | 15672 | RabbitMQ management console | Admins / monitoring |
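The tables above are the allow-list for each node. As an added example that is not part of this documentation, the script below parses rows written in the page's table format (including `TCP/UDP` rows and en-dash ranges such as `2379–2380`) and emits the matching firewalld rules; it assumes firewalld is the node's local firewall and the `public` zone, and the embedded table is a constructed copy of a few rows from this page.

```python
"""Turn the port tables on this page into firewalld --add-port rules."""
import re

# Constructed sample: a handful of rows copied from the tables on this page,
# header and separator included so the parser has to skip them.
PORT_TABLE = """\
| Protocol | Port / Range | Purpose | Used By |
|---|---|---|---|
| TCP | 6443 | Kubernetes API Server | All |
| TCP | 2379–2380 | etcd server client API | kube-apiserver, etcd |
| TCP | 179 | BGP peer-to-peer routing between nodes | Kubernetes |
| UDP | 4789 | VXLAN overlay networking | Kubernetes |
| TCP/UDP | 5060 | SIP signaling (sip_port) | MRCP API |
"""

# Protocol cell is upper-case letters and '/', port cell is a number or a
# range joined by '-' or the en-dash the page uses.
ROW = re.compile(r"^\|\s*(?P<proto>[A-Z/]+)\s*\|\s*(?P<ports>\d+(?:\s*[-\u2013]\s*\d+)?)\s*\|")

def parse_rows(table):
    """Return (protocol, low, high) tuples; a 'TCP/UDP' row yields one per protocol."""
    rules = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        nums = [int(n) for n in re.split(r"[-\u2013]", m.group("ports"))]
        low, high = nums[0], nums[-1]
        if not 0 < low <= high <= 65535:
            raise ValueError(f"bad port range in row: {line!r}")
        for proto in m.group("proto").lower().split("/"):
            rules.append((proto, low, high))
    return rules

def firewalld_commands(rules, zone="public"):
    """Render one permanent --add-port command per protocol/range, then a reload."""
    cmds = []
    for proto, low, high in rules:
        port = str(low) if low == high else f"{low}-{high}"
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-port={port}/{proto}")
    cmds.append("firewall-cmd --reload")
    return cmds

if __name__ == "__main__":
    print("\n".join(firewalld_commands(parse_rows(PORT_TABLE))))
```

Paste the full table for the node's role into `PORT_TABLE` and review the printed commands before running them; rows that do not apply to a node (for example etcd ports on a worker) should be left out rather than opened cluster-wide.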
