Needed ports for Kubernetes cluster
Kubernetes needs:
Master node(s):
TCP 6443* Kubernetes API Server
TCP 2379-2380 etcd server client API
TCP 10250 Kubelet API
TCP 10251 kube-scheduler
TCP 10252 kube-controller-manager
TCP 10255 Read-Only Kubelet API
Worker nodes (minions):
TCP 10250 Kubelet API
TCP 10255 Read-Only Kubelet API
TCP 30000-32767 NodePort Services
Provided that the API server, etcd, scheduler and controller manager run on the same machine, the ports you would need to open publicly in the absence of a VPN are:
Master:
6443 (or 8080 if TLS is disabled)
Client connections to the API server from nodes (kubelet, kube-proxy, pods) and users (kubectl, ...)
10250 (insecure by default!)
Kubelet port, accepts connections from the API server (master).
Also, nodes should be able to receive traffic from other nodes and from the master on pretty much any port, on the network fabric used for Kubernetes pods (flannel, weave, calico, ...).
If you expose applications using a NodePort service or Ingress resource, the corresponding ports should also be open on your nodes.
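To check a node's firewall allow-list against the port list above, the following added example (not part of the original page) reports every rule that opens a port more widely than the text requires. The rule format, the function names, the scope labels and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Port list from the page. Scope says who has to reach the port:
#   public      - clients outside the cluster (open publicly without a VPN)
#   master-only - only the API server connects (kubelet port)
#   internal    - listed by the page, but not among the ports to open publicly
# Treating 8080 as internal is this example's assumption (page: used only if TLS is disabled).
TABLE = {
    "master": [(6443, 6443, "Kubernetes API Server", "public"),
               (8080, 8080, "API server without TLS", "internal"),
               (2379, 2380, "etcd server client API", "internal"),
               (10250, 10250, "Kubelet API", "master-only"),
               (10251, 10251, "kube-scheduler", "internal"),
               (10252, 10252, "kube-controller-manager", "internal"),
               (10255, 10255, "Read-Only Kubelet API", "internal")],
    "worker": [(10250, 10250, "Kubelet API", "master-only"),
               (10255, 10255, "Read-Only Kubelet API", "internal"),
               (30000, 32767, "NodePort Services", "public")],
}

def _inside(net, cidrs):
    """True if net lies entirely within one of the given CIDRs."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)

def audit(role, rules, master_cidrs, cluster_cidrs):
    """rules: (first_port, last_port, source_cidr) ALLOW entries for one node.
    Returns (service, source) for every rule wider than the page requires."""
    trusted = {"master-only": master_cidrs, "internal": cluster_cidrs}
    findings = []
    for first, last, src in rules:
        net = ipaddress.ip_network(src)
        for lo, hi, name, scope in TABLE[role]:
            overlaps = first <= hi and last >= lo
            if overlaps and scope != "public" and not _inside(net, trusted[scope]):
                findings.append((name, src))
    return findings

# Constructed sample: allow-list of a master node (documentation address ranges).
SAMPLE_RULES = [(6443, 6443, "0.0.0.0/0"),
                (2379, 2380, "0.0.0.0/0"),
                (10250, 10250, "192.0.2.10/32"),
                (10255, 10255, "198.51.100.0/24")]

if __name__ == "__main__":
    for name, src in audit("master", SAMPLE_RULES, ["192.0.2.10/32"], ["192.0.2.0/24"]):
        print(f"too wide: {name} reachable from {src}")
```

Rules for ports outside the table are ignored, so NodePort or Ingress ports you open deliberately are not reported.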