This page describes the list of reserved hostPorts within Google Kubernetes Engine (GKE).
GKE System reserved hostPorts
GKE reserves specific hostPort ranges for its internal system processes and services. These reservations are crucial for maintaining the stability and functionality of GKE clusters. Although GKE generally discourages the use of hostPort for user applications due to potential conflicts and security risks, it relies on them for internal operations.
Purpose of reserved hostPorts
- Control plane communication: certain GKE components, such as the kubelet and metrics-server, might use specific hostPorts for communication with the control plane or other internal services.
- System daemons: GKE system daemons and agents might require access to specific ports on the nodes for monitoring, logging, or other operational tasks.
- Internal services: GKE's internal services, responsible for cluster management and health checks, might use reserved hostPorts.
Understanding reserved ranges
Although the exact ranges can vary based on GKE version and configuration, GKE reserves a portion of the available port space. These reserved ranges are typically not documented for external user usage, as they are subject to change. It is very important to avoid using low-numbered ports, as these are commonly reserved by operating systems.
Best practices
- Avoid hostPort usage: minimize the use of hostPort in your application deployments to reduce the risk of conflicts with GKE's reserved ports.
- Service abstractions: use Kubernetes service types (NodePort, LoadBalancer, Ingress) as preferred alternatives to hostPort.
- Security scrutiny: if hostPort is unavoidable, carefully review and implement firewall rules to restrict access to the exposed ports.
- Autopilot considerations: when you use GKE Autopilot, be aware that you are unable to specify exact hostPorts.
List of reserved hostPorts
| Component | Reserved hostPorts |
|---|---|
| CNI / DPv2 | 9990, 6942, 9890, 4244, 9965 |
| kubelet | 4194, 10248, 10250, 10255 |
| kube-proxy | 10249, 10256 |
| node-problem-detector | 20256 |
| fluentbit | 2020, 2021 |
| stackdriver-metadata-agent | 8799 |
| sunrpc (local NFS mounts) | 665 - 986 |
| Filestore | 990 |
| k8s-metadata-proxy / gke-metadata-server | 987, 988, 989 |
| node-local-dns | 53, 8080, 9253, 9353 |
| gcfsd | 11253 |
| Network policy Antrea | 10349, 10350, 10351, 10352 |
| network-metering-agent | 47082, 47083 |
| configconnector | 8888, 48797 |
| gke-spiffe | 9889 |
| workload-identity-webhook | 9910 |
| GKE Metrics Agent | 8200, 8201, 8202, 8203 |
| GPU Device plugin | 2112 |
| runsc (gVisor / GKE Sandbox) | 9115 |
| containerd | 1338 |
| GKE Metrics Collector | 11123 |
| netd | 10231 |
List of reserved hostPorts that are specific to Autopilot
| Component | Reserved hostPorts |
|---|---|
| Autopilot Splunk Agent | 8006, 14250, 14268, 4317, 9080, 9943, 9411 |
| Autopilot Datadog Monitoring Agent | 8125, 8126 |
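The following is an added example, not code from the GKE documentation or from Google: a preflight check that turns the two tables above into a lookup index, audits pod manifests for any container port that sets hostPort, reports which GKE component a hostPort collides with, and, following the "Service abstractions" best practice, generates a ClusterIP Service that can replace the hostPort exposure. The reserved port numbers are copied from the tables; the sample pods, their names and labels are constructed for this example, and the `audit`, `service_for`, `parse_ports` and `build_index` helpers are this example's own.

```python
"""Preflight check for hostPort collisions with GKE-reserved ports.

Added example, not code from the GKE documentation. The reserved ports are
copied from the two tables on this page; the sample pods are constructed.
"""
from __future__ import annotations

# Reserved hostPorts, keyed by component, copied verbatim from the tables above.
RESERVED_HOST_PORTS = {
    "CNI / DPv2": "9990, 6942, 9890, 4244, 9965",
    "kubelet": "4194, 10248, 10250, 10255",
    "kube-proxy": "10249, 10256",
    "node-problem-detector": "20256",
    "fluentbit": "2020, 2021",
    "stackdriver-metadata-agent": "8799",
    "sunrpc (local NFS mounts)": "665 - 986",
    "Filestore": "990",
    "k8s-metadata-proxy / gke-metadata-server": "987, 988, 989",
    "node-local-dns": "53, 8080, 9253, 9353",
    "gcfsd": "11253",
    "Network policy Antrea": "10349, 10350, 10351, 10352",
    "network-metering-agent": "47082, 47083",
    "configconnector": "8888, 48797",
    "gke-spiffe": "9889",
    "workload-identity-webhook": "9910",
    "GKE Metrics Agent": "8200, 8201, 8202, 8203",
    "GPU Device plugin": "2112",
    "runsc (gVisor / GKE Sandbox)": "9115",
    "containerd": "1338",
    "GKE Metrics Collector": "11123",
    "netd": "10231",
    # Autopilot-specific entries from the second table.
    "Autopilot Splunk Agent": "8006, 14250, 14268, 4317, 9080, 9943, 9411",
    "Autopilot Datadog Monitoring Agent": "8125, 8126",
}


def parse_ports(cell: str) -> set[int]:
    """Expand a table cell such as '665 - 986' or '53, 8080' into a set of ints."""
    ports: set[int] = set()
    for part in cell.split(","):
        part = part.strip()
        if "-" in part:  # inclusive range written as 'lo - hi'
            lo, hi = (int(x) for x in part.split("-"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def build_index(table: dict[str, str] = RESERVED_HOST_PORTS) -> dict[int, str]:
    """Map every reserved port number to the GKE component that owns it."""
    return {port: comp for comp, cell in table.items() for port in parse_ports(cell)}


def audit(pods: list[dict], index: dict[int, str] | None = None) -> list[dict]:
    """One finding per container port that sets hostPort (init containers included).

    `reserved_by` is the colliding GKE component, or None when the hostPort is
    not reserved (still worth a review per the best practices above).
    """
    index = build_index() if index is None else index
    findings = []
    for pod in pods:
        spec = pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for p in c.get("ports", []):
                if "hostPort" not in p:
                    continue
                findings.append({
                    "namespace": pod["metadata"].get("namespace", "default"),
                    "pod": pod["metadata"]["name"],
                    "container": c["name"],
                    "hostPort": p["hostPort"],
                    "reserved_by": index.get(p["hostPort"]),
                })
    return findings


def service_for(pod: dict) -> dict:
    """ClusterIP Service selecting the pod's labels; hostPort is deliberately dropped."""
    meta = pod["metadata"]
    ports = [
        {"name": p.get("name", f"port-{p['containerPort']}"), "port": p["containerPort"],
         "targetPort": p["containerPort"], "protocol": p.get("protocol", "TCP")}
        for c in pod["spec"].get("containers", []) for p in c.get("ports", [])
    ]
    return {"apiVersion": "v1", "kind": "Service",
            "metadata": {"name": meta["name"], "namespace": meta.get("namespace", "default")},
            "spec": {"type": "ClusterIP", "selector": meta.get("labels", {}), "ports": ports}}


# Constructed sample pods, shaped like items from `kubectl get pods -A -o json`.
SAMPLE_PODS = [
    {"metadata": {"name": "metrics-scraper", "namespace": "monitoring"},
     "spec": {"containers": [{"name": "scraper", "ports": [{"containerPort": 10250, "hostPort": 10250}]}]}},
    {"metadata": {"name": "legacy-nfs-helper", "namespace": "default"},
     "spec": {"initContainers": [{"name": "mount", "ports": [{"containerPort": 700, "hostPort": 700}]}],
              "containers": [{"name": "app"}]}},
    {"metadata": {"name": "web", "namespace": "default", "labels": {"app": "web"}},
     "spec": {"containers": [{"name": "web", "ports": [{"name": "https", "containerPort": 8443, "hostPort": 31000}]}]}},
    {"metadata": {"name": "batch", "namespace": "default"}, "spec": {"containers": [{"name": "job"}]}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_PODS):
        status = f"collides with {f['reserved_by']}" if f["reserved_by"] else "not reserved, but still hostPort"
        print(f"{f['namespace']}/{f['pod']} [{f['container']}] hostPort {f['hostPort']}: {status}")
```

Run against the constructed pods, the check reports 10250 as colliding with kubelet and 700 as falling inside the sunrpc range, while 31000 is flagged only as hostPort usage. Feeding it the `items` array from `kubectl get pods -A -o json` gives the same report for a live cluster; because the page notes that the reserved ranges can change with GKE version, the table in `RESERVED_HOST_PORTS` needs to be kept in step with this page rather than treated as final.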
What's next
- Read an overview of networking in GKE.
- Learn about Kubernetes Services.
- Learn about exposing applications.