Skip to content

Port 6443: Kubernetes API server

Key idea:

Port 6443 (TCP) is the standard for Kubernetes API server. Kubernetes API server — control plane. Port 6443 (HTTPS) — every kubectl command, dashboard, operator interacts through it. Control plane components: etcd (2379), kube-schedule

Below: what uses this port, security considerations, online check, FAQ.

Check your host & ports →

What is on this port

Kubernetes API server

Kubernetes API server — control plane. Port 6443 (HTTPS) — every kubectl command, dashboard, operator interacts through it. Control plane components: etcd (2379), kube-scheduler, kube-controller-manager, kubelet (10250), kube-proxy.

Security considerations

Never expose 6443 publicly without strict RBAC + OIDC auth. Compromise = full cluster takeover. Use private API endpoint (EKS/AKS/GKE options) or SSH bastion.

Check this port online

Check port online →

Enterno.io Ping + Port checker tests TCP reachability of any port from 3 regions (Moscow / Frankfurt / Virginia).

What Services Use Port 6443?

Port 6443 (TCP) is primarily utilized by the Kubernetes API server, which serves as the central control plane component in a Kubernetes cluster. This port is critical for various services and tools that interact with the Kubernetes API, including:

  • kubectl: The command-line tool for interacting with the Kubernetes API. Every command issued via kubectl communicates over port 6443.
  • Kubernetes Dashboard: A web-based UI that allows users to manage and monitor Kubernetes clusters, which connects to the API server through this port.
  • Operators and Controllers: Custom controllers and operators that extend Kubernetes functionality often make API calls to the API server via port 6443.
  • CI/CD Pipelines: Continuous Integration and Continuous Deployment tools that automate application deployment and management may access the Kubernetes API over this port.

In summary, any component or tool that requires interaction with the Kubernetes control plane will utilize port 6443 to send and receive requests to the API server.

Security Considerations for Port 6443

Securing port 6443 is paramount, as it serves as the gateway to the Kubernetes API server. Here are several key security considerations:

  • Network Policies: Implement strict network policies to control which pods can access the API server. This minimizes the risk of unauthorized access.
  • Authentication: Use strong authentication mechanisms such as Bearer Tokens, Client Certificates, or OpenID Connect to ensure that only authorized users and services can interact with the API server.
  • Authorization: Enforce Role-Based Access Control (RBAC) to define what actions users and services can perform on resources within the cluster. This helps limit access to sensitive operations.
  • Encryption: Ensure that all traffic to and from port 6443 is encrypted using TLS. This protects sensitive data from being intercepted.
  • Audit Logging: Enable audit logs to monitor access and actions taken on the API server. This can help in identifying and responding to potential security incidents.

By implementing these security measures, you can significantly reduce the risk associated with exposing port 6443 in your Kubernetes environment.

Practical Examples of Interacting with Port 6443

Interacting with the Kubernetes API server on port 6443 can be done through various commands and configurations. Here are some practical examples:

  • Using kubectl: To check the status of your nodes, you can run the following command:
  • kubectl get nodes --kubeconfig=/path/to/kubeconfig

    This command communicates with the API server via port 6443 as specified in the kubeconfig file.

  • Accessing the API directly: You can use curl to make a direct API call to the Kubernetes server:
  • curl -k https://:6443/api/v1/nodes

    The -k flag allows you to bypass certificate verification for testing purposes.

  • Configuring a service account: To create a service account that can access the API server, use:
  • kubectl create serviceaccount my-service-account

    Then, you can bind roles to this service account to define its permissions.

These examples illustrate how to effectively communicate with the Kubernetes API server over port 6443, whether using kubectl or making direct API calls.

Learn more

Sources

Frequently Asked Questions

Is port 6443 open by default?

No, modern cloud providers (AWS, Google Cloud, Yandex) close all incoming ports by default. You must explicitly allow port 6443 in a Security Group or firewall.

How to check if my port 6443 is reachable?

Use <a href="/en/ping">Enterno Ping + Port Checker</a>. Or in shell: <code>nc -vz example.com 6443</code> or <code>telnet example.com 6443</code>.

Is port 6443 safe to expose?

Depends on the service. Kubernetes API server should never be exposed publicly without authentication + TLS. See <a href="/en/s/research-open-ports-exposure-2026">our 2026 exposure research</a>.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.