This document describes what ports the Kubernetes apiserver may serve on and how to reach them. The audience is cluster administrators who want to customize their cluster or understand the details.
Most questions about accessing the cluster are covered in Accessing the cluster.
The Kubernetes API is served by the Kubernetes apiserver process. Typically, there is one of these running on a single kubernetes-master node.
By default the Kubernetes APIserver serves HTTP on 2 ports:
- serves HTTP - default is port 8080, change with `--insecure-port` flag. - defaults IP is localhost, change with `--insecure-bind-address` flag. - no authentication or authorization checks in HTTP - protected by need to have host access
- default is port 6443, change with `--secure-port` flag. - default IP is first non-localhost network interface, change with `--bind-address` flag. - serves HTTPS. Set cert with `--tls-cert-file` and key with `--tls-private-key-file` flag. - uses token-file or client-certificate based [authentication](/docs/admin/authentication). - uses policy-based [authorization](/docs/admin/authorization).
- For security reasons, this had to be removed. Use the [service account](/docs/user-guide/service-accounts) feature instead.
Additionally, in some configurations there is a proxy (nginx) running on the same machine as the apiserver process. The proxy serves HTTPS protected by Basic Auth on port 443, and proxies to the apiserver on localhost:8080. In these configurations the secure port is typically set to 6443.
A firewall rule is typically configured to allow external HTTPS access to port 443.
The above are defaults and reflect how Kubernetes is deployed to Google Compute
kube-up.sh. Other cloud providers may vary.
There are differently configured serving ports to serve a variety of uses cases:
kubectlon a desktop machine. Currently, accesses the Localhost Port via a proxy (nginx) running on the
kubernetes-mastermachine. The proxy can use cert-based authentication or token-based authentication.