2 - 节点需求
- 节点IP地址
- 端口需求

2 - 节点需求

不管是单节点安装Rancher server，或高可用安装Rancher server,所有节点都需要满足以下的节点要求。

Rancher在以下操作系统及其后续的非主要发行版上受支持:

Ubuntu 16.04.x (64-bit)
- Docker 17.03.x, 18.06.x, 18.09.x
Ubuntu 18.04.x (64-bit)
- Docker 18.06.x, 18.09.x
Red Hat Enterprise Linux (RHEL)/CentOS 7.5+ (64-bit)
- RHEL Docker 1.13
- Docker 17.03.x, 18.06.x, 18.09.x
RancherOS 1.3.x+ (64-bit)
- Docker 17.03.x, 18.06.x, 18.09.x
Windows Server version 1803 (64-bit)
- Docker 17.06

1、Ubuntu、Centos操作系统有Desktop和Server版本，选择请安装server版本，别自己坑自己！ 2、如果您正在使用RancherOS，请确保切换到受支持的Docker版本:sudo ros engine switch docker-18.09.2

硬件要求根据Rancher部署的K8S集群规模大小进行扩展，根据要求配置每个节点。

HA 节点需求(标准3节点)

部署规模	集群数	Nodes	vCPUs	RAM
小	最多5个	最多50个	2	8 GB
中	最多15个	最多200个	4	16 GB
大	最多50个	最多500个	8	32 GB
大+	最多100个	最多1000个	32	128 GB
大++	超过100+个	超过1000+个	联系 Rancher	联系 Rancher

Single 节点需求

部署规模	Clusters	Nodes	vCPUs	RAM
小	最多5个	最多50个	4	8 GB
中	最多15个	最多200个	8	16GB

节点IP地址

使用的每个节点（单节点安装，高可用性（HA）安装或集群中使用的worker节点）应配置静态IP。在DHCP的情况下，应配置DHCP IP保留以确保节点获得相同的IP分配。

端口需求

在HA集群中部署Rancher时，必须打开节点上的某些端口以允许与Rancher通信。必须打开的端口根据托管集群节点的计算机类型而变化，例如，如果要在基础结构托管的节点上部署Rancher，则必须为SSH打开22端口。下图描绘了需要为每种集群类型打开的端口。集群类型.

Rancher nodes:Nodes running the rancher/rancher container

Rancher nodes - Inbound rules

Protocol	Port	Source	Description
TCP	80	- Load balancer/proxy that does external SSL termination	Rancher UI/API when external SSL termination is used
TCP	443	- etcd nodes- controlplane nodes- worker nodes- Hosted/Imported Kubernetes- any that needs to be able to use UI/API	Rancher agent, Rancher UI/API, kubectl

Rancher nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	22	- Any node IP from a node created using Node Driver	SSH provisioning of nodes using Node Driver
TCP	443	- 35.160.43.145/32- 35.167.242.46/32- 52.33.59.17/32	git.rancher.io (catalogs)
TCP	2376	- Any node IP from a node created using Node Driver	Docker daemon TLS port used by Docker Machine
TCP	6443	- Hosted/Imported Kubernetes API	Kubernetes apiserver

etcd nodes:Nodes with the role etcd

etcd nodes - Inbound rules

Protocol	Port	Source	Description
TCP	2376	- Rancher nodes	Docker daemon TLS port used by Docker Machine(only needed when using Node Driver/Templates)
TCP	2379	- etcd nodes- controlplane nodes	etcd client requests
TCP	2380	- etcd nodes- controlplane nodes	etcd peer communication
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- etcd node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	- controlplane nodes	kubelet

etcd nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	- Rancher nodes	Rancher agent
TCP	2379	- etcd nodes	etcd client requests
TCP	2380	- etcd nodes	etcd peer communication
TCP	6443	- controlplane nodes	Kubernetes apiserver
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- etcd node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe

controlplane nodes:Nodes with the role controlplane

controlplane nodes - Inbound rules

Protocol	Port	Source	Description
TCP	80	- Any that consumes Ingress services	Ingress controller (HTTP)
TCP	443	- Any that consumes Ingress services	Ingress controller (HTTPS)
TCP	2376	- Rancher nodes	Docker daemon TLS port used by Docker Machine(only needed when using Node Driver/Templates)
TCP	6443	- etcd nodes- controlplane nodes- worker nodes	Kubernetes apiserver
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- controlplane node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	- controlplane nodes	kubelet
TCP	10254	- controlplane node itself (local traffic, not across nodes)See Local node traffic	Ingress controller livenessProbe/readinessProbe
TCP/UDP	30000-32767	- Any source that consumes NodePort services	NodePort port range

controlplane nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	- Rancher nodes	Rancher agent
TCP	2379	- etcd nodes	etcd client requests
TCP	2380	- etcd nodes	etcd peer communication
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- controlplane node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	- etcd nodes- controlplane nodes- worker nodes	kubelet
TCP	10254	- controlplane node itself (local traffic, not across nodes)See Local node traffic	Ingress controller livenessProbe/readinessProbe

worker nodes:Nodes with the role worker

worker nodes - Inbound rules

Protocol	Port	Source	Description
TCP	22	- Linux worker nodes only- Any network that you want to be able to remotely access this node from.	Remote access over SSH
TCP	3389	- Windows worker nodes only- Any network that you want to be able to remotely access this node from.	Remote access over RDP
TCP	80	- Any that consumes Ingress services	Ingress controller (HTTP)
TCP	443	- Any that consumes Ingress services	Ingress controller (HTTPS)
TCP	2376	- Rancher nodes	Docker daemon TLS port used by Docker Machine(only needed when using Node Driver/Templates)
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- worker node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	- controlplane nodes	kubelet
TCP	10254	- worker node itself (local traffic, not across nodes)See Local node traffic	Ingress controller livenessProbe/readinessProbe
TCP/UDP	30000-32767	- Any source that consumes NodePort services	NodePort port range

worker nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	- Rancher nodes	Rancher agent
TCP	6443	- controlplane nodes	Kubernetes apiserver
UDP	8472	- etcd nodes- controlplane nodes- worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	- worker node itself (local traffic, not across nodes)See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10254	- worker node itself (local traffic, not across nodes)See Local node traffic	Ingress controller livenessProbe/readinessProbe

Information on local node traffic

Kubernetes healthchecks (livenessProbe and readinessProbe) are executed on the host itself. On most nodes, this is allowed by default. When you have applied strict host firewall (i.e. iptables) policies on the node, or when you are using nodes that have multiple interfaces (multihomed), this traffic gets blocked. In this case, you have to explicitly allow this traffic in your host firewall, or in case of public/private cloud hosted machines (i.e. AWS or OpenStack), in your security group configuration. Keep in mind that when using a security group as Source or Destination in your security group, that this only applies to the private interface of the nodes/instances.

Amazon EC2 security group when using Node Driver

If you are Creating an Amazon EC2 Cluster, you can choose to let Rancher create a Security Group called rancher-nodes. The following rules are automatically added to this Security Group.

Security group: rancher-nodes

Inbound rules

Type	Protocol	Port Range	Source
SSH	TCP	22	0.0.0.0/0
HTTP	TCP	80	0.0.0.0/0
Custom TCP Rule	TCP	443	0.0.0.0/0
Custom TCP Rule	TCP	2376	0.0.0.0/0
Custom TCP Rule	TCP	2379-2380	sg-xxx (rancher-nodes)
Custom UDP Rule	UDP	4789	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	6443	0.0.0.0/0
Custom UDP Rule	UDP	8472	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	10250-10252	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	10256	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	30000-32767	0.0.0.0/0
Custom UDP Rule	UDP	30000-32767	0.0.0.0/0

Outbound rules

Type	Protocol	Port Range	Destination
All traffic	All	All	0.0.0.0/0