list of open ports added to "asciidoc/product/atip-requirements.adoc"

antaloala · antaloala · commit e65f739ddcae · 2025-08-21T13:36:26.000+02:00
Signed-off-by: Antonio Alonso Alarcon &lt;antonio.alarcon@suse.com&gt;
diff --git a/asciidoc/product/atip-requirements.adoc b/asciidoc/product/atip-requirements.adoc
@@ -60,6 +60,202 @@ The network architecture is based on the following components:
 To use the directed network provisioning workflow, the management cluster must have network connectivity to the downstream cluster server Baseboard Management Controller (BMC) so that host preparation and provisioning can be automated.
 ====
 
+=== Port requirements
+
+To operate properly, a SUSE Telco Cloud deployment requires a number of ports to be reachable on the Management and the Downstream Kubernetes cluster nodes.
+
+NOTE: The exact list depends on the deployed optional components and the selected deployment options (e.g., CNI plugin).
+
+==== Management Nodes
+
+The following table lists the opened ports in nodes running the Management cluster:
+
+NOTE: CNI plugin related ports are not included in this list, those being detailed in a following section (see below).
+
+|===
+| Protocol | Port | Source | Description
+| TCP
+| 22
+| Any source requiring SSH access
+| SSH access to mgmt. cluster nodes
+
+| TCP
+| 80
+| Load balancer/proxy that does external TLS termination
+| Rancher UI/API when external TLS termination is used
+
+| TCP
+| 443
+| Any source that requires TLS access to Rancher UI/API
+| Rancher agent, Rancher UI/API
+
+| TCP
+| 2379
+| RKE2 (management cluster) server nodes
+| etcd client port
+
+| TCP
+| 2380
+| RKE2 (management cluster) server nodes
+| etcd peer port
+
+| TCP
+| 6180
+| Any BMC^(1)^ previously instructed by `Metal^3^/ironic` to pull an IPA^(2)^ ramdisk image from this exposed port (non-TLS)
+| `Ironic` httpd non-TLS web server serving IPA^(2)^ iso images for virtual media based boot  +
+ +
+NOTE: In case this port is enabled, the functionally equivalent but TLS-enabled one (see below) is not opened
+
+| TCP
+| 6185
+| Any BMC^(1)^ previously instructed by `Metal^3^/ironic` to pull an IPA^(2)^ ramdisk image from this exposed port (TLS)
+| `Ironic` httpd TLS-enabled web server serving IPA^(2)^ iso images for virtual media based boot +
+ +
+NOTE: In case this port is enabled, the functionally equivalent but TLS-disabled one (see above) is not opened
+
+| TCP
+| 6385
+| Any `Metal^3^/ironic` IPA^(1)^ ramdisk image deployed & running in an "enrolled" `BareMetalHost` instance
+|Ironic API
+
+| TCP
+| 6443
+| Any management cluster node; any external (to the mgmt. cluster) kubernetes client
+| Kubernetes API
+
+| TCP
+| 6545
+| Any management cluster node
+| Pull artifacts from OCI-compliant registry (Hauler)
+
+| TCP
+| 9345
+| RKE2 server and agent nodes (management cluster)
+| RKE2 supervisor API for Node registration (opened port in all RKE2 server nodes)
+
+| TCP
+| 10250
+| Any management cluster node
+| kubelet metrics
+
+| TCP/UDP/SCTP
+| 30000-32767
+| Any external (to the management cluster) source accessing a service exposed on the primary network through a `spec.type: NodePort` or `spec.type: LoadBalancer` https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types[Service API object] 
+| Available `NodePort` port range
+|===
+^(1)^ BMC: Baseboard Management Controller +
+^(2)^ IPA: Ironic Python Agent 
+
+==== Downstream Nodes
+
+In SUSE Telco Cloud, before any (downstream) server becomes part of a running downstream kubernetes cluster (or runs itself a single-node downstream kubernetes cluster), it is required to go through some of the https://github.com/metal3-io/baremetal-operator/blob/main/docs/baremetalhost-states.md[BaremetalHost Provisioning states].
+
+* First of all, the Baseboard Management Controller (BMC) for a just enrolled downstream server must be accessible through the out-of-band network, for the ironic service running on the mgmt. cluster to instruct it on the initial steps to take: to get and load an IPA ramdisk image in the BMC offered `virtual media` and power-on the server. Following ports are expected to be exposed from the BMC (they could differ depending on the exact hardware):
+
+|===
+| Protocol | Port | Source | Description
+| TCP
+| 80
+| Ironic conductor (from management cluster)
+| Redfish API access (HTTP)
+
+| TCP
+| 443
+| Ironic conductor (from management cluster)
+| Redfish API access (HTTPS)
+|===
+
+* Once an IPA ramdisk image has been loaded on the target downstream server and used as bootup image (using BMC `virtual media` support) the hardware inspection phase is started. Here below are listed the ports being exposed by a running IPA ramdisk image:
+
+|===
+| Protocol | Port | Source | Description
+| TCP
+| 22
+| Any source requrining SSH access to IPA ramdisk image
+| SSH access to a being inspected downstream cluster node
+
+| TCP
+| 9999
+| Ironic conductor (from management cluster)
+| Ironic commands towards the running ramdisk image
+|===
+
+* Finally, once the baremetal host has been properly provisioned and has joined a downstream kubernetes cluster, it exposes the following ports:
+
+NOTE: CNI plugin related ports are not included in this list, those being detailed in a following section (see below).
+
+|===
+| Protocol | Port | Source | Description
+| TCP
+| 22
+| Any source requiring SSH access
+| SSH access to downstream cluster nodes
+
+| TCP
+| 80
+| Load balancer/proxy that does external TLS termination
+| Rancher UI/API when external TLS termination is used
+
+| TCP
+| 443
+| Any source that requires TLS access to Rancher UI/API
+| Rancher agent, Rancher UI/API
+
+| TCP
+| 2379
+| RKE2 (downstream cluster) server nodes
+| etcd client port
+
+| TCP
+| 2380
+| RKE2 (downstream cluster) server nodes
+| etcd peer port
+
+| TCP
+| 6443
+| Any downstream cluster node; any external (to the downstream cluster) kubernetes client.
+| Kubernetes API
+
+| TCP
+| 9345
+| RKE2 server and agent nodes (downstream cluster)
+| RKE2 supervisor API for Node registration (opened port in all RKE2 server nodes)
+
+| TCP
+| 10250
+| Any downstream cluster node
+| kubelet metrics
+
+| TCP
+| 10255
+| Any downstream cluster node
+| kubelet read-only access
+
+| TCP/UDP/SCTP
+| 30000-32767
+| Any external (to the downstream cluster) source accessing a service exposed on the primary network through a `spec.type: NodePort` or `spec.type: LoadBalancer` https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types[Service API object]
+| Available `NodePort` port range
+|===
+
+
+==== CNI specific port requirements
+
+Each supported CNI variant comes with its own set of port requirements; RKE2 documentation details those per each of the supported CNI plugins, see https://docs.rke2.io/install/requirements#cni-specific-inbound-network-rules
+
+In case of setting `cilium` as default/primary CNI plugin, the following port must be added to the list of externally exposed TCP ports (as provided by RKE2 documentation) when the cilium-operator workload is configured to expose metrics outside the kubernetes cluster it is deployed on (so an external Prometheus server instance running outside that kubernetes cluster can still collect them):
+
+NOTE: This is the default option when deploying cilium from SUSE rke2-cilium Helm chart (https://rke2-charts.rancher.io/assets/rke2-cilium/rke2-cilium-<major>.<minor>.<patch>.tgz).
+
+|===
+| Protocol | Port | Source | Description
+| TCP
+| 9963
+| External (to the kubernetes cluster) metrics collector
+| cilium-operator metrics exposure
+|===
+
+
+
 === Services (DHCP, DNS, etc.)
 
 Some external services like `DHCP`, `DNS`, etc. could be required depending on the kind of environment where they are deployed:
