This page describes the list of reserved hostPorts within
Google Kubernetes Engine (GKE).
GKE System reserved hostPorts
GKE reserves specific hostPort ranges for its internal system
processes and services. These reservations are crucial for maintaining the
stability and functionality of GKE clusters. Although
GKE generally discourages the use of hostPort for user
applications due to potential conflicts and security risks, it relies on them
for internal operations.
Purpose of reserved hostPorts
- Control plane communication: certain GKE components, such as the kubelet and metrics-server, might use specific hostPorts for communication with the control plane or other internal services.
- System daemons: GKE system daemons and agents might require access to specific ports on the nodes for monitoring, logging, or other operational tasks.
- Internal services: GKE's internal services, responsible for cluster management and health checks, might use reserved hostPorts.
Understanding reserved ranges
Although the exact ranges can vary based on GKE version and
configuration, GKE
reserves a portion of the available port space. These reserved ranges are
typically not documented for external user usage, as they are subject to change.
It is very important to avoid using low-numbered ports, as these are commonly
reserved by operating systems.
Best practices
- Avoid hostPort usage: minimize the use of hostPort in your application deployments to reduce the risk of conflicts with GKE's reserved ports.
- Service abstractions: use Kubernetes service types (NodePort, LoadBalancer, Ingress) as preferred alternatives to hostPort.
- Security scrutiny: if hostPort is unavoidable, carefully review and implement firewall rules to restrict access to the exposed ports.
- Autopilot considerations: when you use GKE Autopilot, be aware that you are unable to specify exact hostPorts.
List of reserved hostPorts
| Component | Reserved Host Ports |
|---|---|
| CNI / DPv2 | 9990, 6942, 9890, 4244, 9965 |
| kubelet | 4194, 10248, 10250, 10255 |
| kube-proxy | 10249, 10256 |
| node-problem-detector | 20256 |
| fluentbit | 2020, 2021 |
| stackdriver-metadata-agent | 8799 |
| sunrpc (local NFS mounts) | 665 - 986 |
| Filestore | 990 |
| k8s-metadata-proxy / gke-metadata-server | 987, 988, 989 |
| node-local-dns | 53, 8080, 9253, 9353 |
| gcfsd | 11253 |
| Network policy Antrea | 10349, 10350, 10351, 10352 |
| network-metering-agent | 47082, 47083 |
| configconnector | 8888, 48797 |
| gke-spiffe | 9889 |
| workload-identity-webhook | 9910 |
| GKE Metrics Agent | 8200 - 8227 |
| GPU Device plugin | 2112 |
| runsc (gVisor / GKE Sandbox) | 9115 |
| containerd | 1338 |
| GKE Metrics Collector | 11123 |
| netd | 10231 |
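
The following is an added example, not part of the original page or of any GKE tooling: it audits Pod specs for `hostPort` values and reports which ones collide with the reserved ports in the table above. The function names `parse_reserved` and `audit_host_ports` are hypothetical, the input is assumed to have the shape of `kubectl get pods -A -o json` output, and the sample Pods are constructed. Because the page states the reserved ranges can change, the embedded table must be refreshed from the current documentation before use.

```python
import json

# Reserved hostPorts transcribed from the table on this page ("a-b" = inclusive range).
RESERVED_TABLE = (
    "CNI / DPv2=9990,6942,9890,4244,9965; kubelet=4194,10248,10250,10255; "
    "kube-proxy=10249,10256; node-problem-detector=20256; fluentbit=2020,2021; "
    "stackdriver-metadata-agent=8799; sunrpc (local NFS mounts)=665-986; Filestore=990; "
    "k8s-metadata-proxy / gke-metadata-server=987,988,989; node-local-dns=53,8080,9253,9353; "
    "gcfsd=11253; Network policy Antrea=10349,10350,10351,10352; "
    "network-metering-agent=47082,47083; configconnector=8888,48797; gke-spiffe=9889; "
    "workload-identity-webhook=9910; GKE Metrics Agent=8200-8227; GPU Device plugin=2112; "
    "runsc (gVisor / GKE Sandbox)=9115; containerd=1338; GKE Metrics Collector=11123; netd=10231"
)

def parse_reserved(table):
    """Return [(component, first_port, last_port), ...] from the table string."""
    ranges = []
    for entry in table.split(";"):
        component, ports = entry.strip().split("=")
        for item in ports.split(","):
            first, _, last = item.partition("-")
            ranges.append((component, int(first), int(last or first)))
    return ranges

def audit_host_ports(pod_list, reserved):
    """Return (namespace, pod, container, hostPort, owner) tuples; owner is None if unlisted."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            for port in ctr.get("ports", []):
                hp = port.get("hostPort")
                if hp:  # absent or 0 means no host port is requested
                    owner = next((n for n, lo, hi in reserved if lo <= hp <= hi), None)
                    findings.append((meta["namespace"], meta["name"], ctr["name"], hp, owner))
    return findings

# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "shop", "name": "cache-0"}, "spec": {"containers": [
   {"name": "redis", "ports": [{"containerPort": 6379, "hostPort": 10250}]}]}},
 {"metadata": {"namespace": "shop", "name": "web-1"}, "spec": {"containers": [
   {"name": "nginx", "ports": [{"containerPort": 80, "hostPort": 8201}, {"containerPort": 443}]}]}},
 {"metadata": {"namespace": "ops", "name": "agent-x"}, "spec": {"containers": [
   {"name": "agent", "ports": [{"containerPort": 9100, "hostPort": 30100}]}]}}]}""")

if __name__ == "__main__":
    for ns, pod, ctr, hp, owner in audit_host_ports(SAMPLE, parse_reserved(RESERVED_TABLE)):
        print(f"{ns}/{pod} [{ctr}] hostPort {hp}:", f"reserved by {owner}" if owner else "not in table")
```

A hostPort that is not in the table is still reported, since the best practices above call for minimizing hostPort usage and reviewing firewall rules for any port that is exposed this way.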
List of reserved hostPorts that are specific to Autopilot
Note: Always refer to the latest GKE release notes for any updates or changes to GKE's reserved hostPort ranges. When in doubt, avoid using hostPorts and rely on Kubernetes service abstractions.

Warning: Attempting to use hostPorts within GKE's reserved ranges might result in Pod deployment failures or unexpected cluster behavior. GKE reserves the right to change these ranges without prior notice.

What's next
- Read an overview of [networking in GKE](/kubernetes-engine/docs/concepts/network-overview).
- Learn about [Kubernetes Services](/kubernetes-engine/docs/concepts/service).
- Learn about [exposing applications](/kubernetes-engine/docs/how-to/exposing-apps).

Last updated 2025-08-29 UTC.