Node Requirements

Whether you’re configuring Rancher to run in a single-node or high-availability setup, each node running Rancher Server must meet the following requirements.

Rancher is tested on the following operating systems and their subsequent non-major releases with a supported version of Docker.

Ubuntu 16.04 (64-bit x86)
- Docker 17.03.x, 18.06.x, 18.09.x
Ubuntu 18.04 (64-bit x86)
- Docker 18.06.x, 18.09.x
Red Hat Enterprise Linux (RHEL)/CentOS 7.6 (64-bit x86)
- RHEL Docker 1.13
- Docker 17.03.x, 18.06.x, 18.09.x
RancherOS 1.5.1 (64-bit x86)
- Docker 17.03.x, 18.06.x, 18.09.x
Windows Server 2019 (64-bit x86)
- Requires Docker Engine - Enterprise Edition (EE)
- Nodes with Windows Server core version 1809 should use Docker EE-basic 18.09
- Nodes with Windows Server core version 1903 should use Docker EE-basic 19.03
- Supported for worker nodes only. See Configuring Custom Clusters for Windows

If you are using RancherOS, make sure you switch the Docker engine to a supported version using:

# Look up available versions
sudo ros engine list

# Switch to a supported version
sudo ros engine switch docker-18.09.2

See Running on ARM64 (Experimental) if you plan to run Rancher on ARM64.

Docker Documentation: Installation Instructions

Hardware requirements scale based on the size of your Rancher deployment. Provision each individual node according to the requirements.

HA Node Requirements

Deployment Size	Clusters	Nodes	vCPUs	RAM
Small	Up to 5	Up to 50	2	8 GB
Medium	Up to 15	Up to 200	4	16 GB
Large	Up to 50	Up to 500	8	32 GB
X-Large	Up to 100	Up to 1000	32	128 GB
XX-Large	100+	1000+	Contact Rancher	Contact Rancher

Single Node Requirements

Deployment Size	Clusters	Nodes	vCPUs	RAM
Small	Up to 5	Up to 50	1	4 GB
Medium	Up to 15	Up to 200	2	8 GB

Disks

Rancher performance depends on etcd in the cluster performance. To ensure optimal speed, we recommend always using SSD disks to back your Rancher management Kubernetes cluster. On cloud providers, you will also want to use the minimum size that allows the maximum IOPs. In larger clusters consider using dedicated storage devices for etcd data and wal directories.

Node IP Address

Each node used (either for the Single Node Install, High Availability (HA) Install or nodes that are used in clusters) should have a static IP configured. In case of DHCP, the nodes should have a DHCP reservation to make sure the node gets the same IP allocated.

Port Requirements

When deploying Rancher in an HA cluster, certain ports on your nodes must be open to allow communication with Rancher. The ports that must be open change according to the type of machines hosting your cluster nodes. For example, if your are deploying Rancher on nodes hosted by an infrastructure, port 22 must be open for SSH. The following diagram depicts the ports that are opened for each cluster type.

Cluster Type Port Requirements

Basic Port Requirements

Rancher nodes:
Nodes running the rancher/rancher container

Rancher nodes - Inbound rules

Protocol	Port	Source	Description
TCP	80	Load balancer/proxy that does external SSL termination	Rancher UI/API when external SSL termination is used
TCP	443	etcd nodes controlplane nodes worker nodes Hosted/Imported Kubernetes any that needs to be able to use UI/API	Rancher agent, Rancher UI/API, kubectl

Rancher nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	22	Any node IP from a node created using Node Driver	SSH provisioning of nodes using Node Driver
TCP	443	35.160.43.145/32 35.167.242.46/32 52.33.59.17/32	git.rancher.io (catalogs)
TCP	2376	Any node IP from a node created using Node Driver	Docker daemon TLS port used by Docker Machine
TCP	6443	Hosted/Imported Kubernetes API	Kubernetes apiserver

etcd nodes:
Nodes with the role etcd

etcd nodes - Inbound rules

Protocol	Port	Source	Description
TCP	2376	Rancher nodes	Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
TCP	2379	etcd nodes controlplane nodes	etcd client requests
TCP	2380	etcd nodes controlplane nodes	etcd peer communication
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	etcd node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	controlplane nodes	kubelet

etcd nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	Rancher nodes	Rancher agent
TCP	2379	etcd nodes	etcd client requests
TCP	2380	etcd nodes	etcd peer communication
TCP	6443	controlplane nodes	Kubernetes apiserver
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	etcd node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe

controlplane nodes:
Nodes with the role controlplane

controlplane nodes - Inbound rules

Protocol	Port	Source	Description
TCP	80	Any that consumes Ingress services	Ingress controller (HTTP)
TCP	443	Any that consumes Ingress services	Ingress controller (HTTPS)
TCP	2376	Rancher nodes	Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
TCP	6443	etcd nodes controlplane nodes worker nodes	Kubernetes apiserver
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	controlplane node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	controlplane nodes	kubelet
TCP	10254	controlplane node itself (local traffic, not across nodes) See Local node traffic	Ingress controller livenessProbe/readinessProbe
TCP/UDP	30000-32767	Any source that consumes NodePort services	NodePort port range

controlplane nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	Rancher nodes	Rancher agent
TCP	2379	etcd nodes	etcd client requests
TCP	2380	etcd nodes	etcd peer communication
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	controlplane node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	etcd nodes controlplane nodes worker nodes	kubelet
TCP	10254	controlplane node itself (local traffic, not across nodes) See Local node traffic	Ingress controller livenessProbe/readinessProbe

worker nodes:
Nodes with the role worker

worker nodes - Inbound rules

Protocol	Port	Source	Description
TCP	22	Linux worker nodes only Any network that you want to be able to remotely access this node from.	Remote access over SSH
TCP	3389	Windows worker nodes only Any network that you want to be able to remotely access this node from.	Remote access over RDP
TCP	80	Any that consumes Ingress services	Ingress controller (HTTP)
TCP	443	Any that consumes Ingress services	Ingress controller (HTTPS)
TCP	2376	Rancher nodes	Docker daemon TLS port used by Docker Machine (only needed when using Node Driver/Templates)
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	worker node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10250	controlplane nodes	kubelet
TCP	10254	worker node itself (local traffic, not across nodes) See Local node traffic	Ingress controller livenessProbe/readinessProbe
TCP/UDP	30000-32767	Any source that consumes NodePort services	NodePort port range

worker nodes - Outbound rules

Protocol	Port	Destination	Description
TCP	443	Rancher nodes	Rancher agent
TCP	6443	controlplane nodes	Kubernetes apiserver
UDP	8472	etcd nodes controlplane nodes worker nodes	Canal/Flannel VXLAN overlay networking
TCP	9099	worker node itself (local traffic, not across nodes) See Local node traffic	Canal/Flannel livenessProbe/readinessProbe
TCP	10254	worker node itself (local traffic, not across nodes) See Local node traffic	Ingress controller livenessProbe/readinessProbe

Information on local node traffic

Kubernetes healthchecks (livenessProbe and readinessProbe) are executed on the host itself. On most nodes, this is allowed by default. When you have applied strict host firewall (i.e. iptables) policies on the node, or when you are using nodes that have multiple interfaces (multihomed), this traffic gets blocked. In this case, you have to explicitly allow this traffic in your host firewall, or in case of public/private cloud hosted machines (i.e. AWS or OpenStack), in your security group configuration. Keep in mind that when using a security group as Source or Destination in your security group, that this only applies to the private interface of the nodes/instances.

Amazon EC2 security group when using Node Driver

If you are Creating an Amazon EC2 Cluster, you can choose to let Rancher create a Security Group called rancher-nodes. The following rules are automatically added to this Security Group.

Security group: rancher-nodes

Inbound rules

Type	Protocol	Port Range	Source
SSH	TCP	22	0.0.0.0/0
HTTP	TCP	80	0.0.0.0/0
Custom TCP Rule	TCP	443	0.0.0.0/0
Custom TCP Rule	TCP	2376	0.0.0.0/0
Custom TCP Rule	TCP	2379-2380	sg-xxx (rancher-nodes)
Custom UDP Rule	UDP	4789	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	6443	0.0.0.0/0
Custom UDP Rule	UDP	8472	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	10250-10252	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	10256	sg-xxx (rancher-nodes)
Custom TCP Rule	TCP	30000-32767	0.0.0.0/0
Custom UDP Rule	UDP	30000-32767	0.0.0.0/0

Outbound rules

Type	Protocol	Port Range	Destination
All traffic	All	All	0.0.0.0/0

Illumina