Quiz Report Card: Kubernetes Open Ports
Date: 2026-03-09 | Qwen 3.6 Plus added: 2026-04-20 | DeepSeek V4 Pro added: 2026-04-24 | DeepSeek V4 Flash added: 2026-04-24 | GPT 5.5 added: 2026-04-25 | Kimi K2.6 added: 2026-04-26 | Qwen3.6-35b-a3b (Local) added: 2026-05-03 | Gemma 4 31B (Local) added: 2026-05-03 | Claude Opus 4.8 added: 2026-05-31 Question: In a standard Kubernetes cluster running Kubeadm, what network ports will be open on a control plane node and what network ports will be open on a worker node by default? For each port indicate whether it is listening on only localhost or all interfaces.
Reference Answer
Based on a Kubernetes 1.35 kubeadm cluster:
Control Plane (10 ports)
| Port | Component | Interface |
|---|---|---|
| 6443/TCP | kube-apiserver | LAN / all interfaces |
| 2379/TCP | etcd (client) | LAN / all interfaces |
| 2380/TCP | etcd (peer) | LAN / all interfaces |
| 2381/TCP | etcd (metrics) | localhost only |
| 10250/TCP | kubelet | LAN / all interfaces |
| 10256/TCP | kube-proxy (health) | LAN / all interfaces |
| 10257/TCP | kube-controller-manager | localhost only |
| 10259/TCP | kube-scheduler | localhost only |
| 10248/TCP | kubelet (health) | localhost only |
| 10249/TCP | kube-proxy (metrics) | localhost only |
Worker Node (4 ports)
| Port | Component | Interface |
|---|---|---|
| 10250/TCP | kubelet | LAN / all interfaces |
| 10256/TCP | kube-proxy (health) | LAN / all interfaces |
| 10248/TCP | kubelet (health) | localhost only |
| 10249/TCP | kube-proxy (metrics) | localhost only |
Scoring Criteria
- Port coverage: Are all expected ports listed for both control plane and worker?
- Interface accuracy: For each port, is the binding (localhost vs all interfaces) correct? This was specifically asked.
- No significant errors: Deprecated/removed ports listed as current, or wrong interface bindings, are penalised.
- Worker node completeness: Worker nodes have 4 ports, not just kubelet — kube-proxy health and metrics are often forgotten.
Note: 2381/TCP (etcd metrics, localhost) is relatively obscure and no model mentioned it. CNI ports are acceptable as extras.
Results Summary
| Model | Score | CP Ports Found | CP Interface Accuracy | Worker Ports Found | Worker Interface Accuracy | Errors |
|---|---|---|---|---|---|---|
| anthropic/claude-opus-4.7 | 7/10 | Good | Mostly correct | Good | Correct | Missing 10249 |
| anthropic/claude-sonnet-4.6 | 7/10 | 9/10 | Mostly correct | 4/4 | All correct | etcd binding nuanced |
| google/gemini-3-flash-preview | 7/10 | 8/10 | All correct | 3/4 | All correct | Missing 10249 |
| openai/gpt-5.4 | 5/10 | 6/10 | Mostly correct | 1/4 | Correct | Missing kube-proxy and kubelet health |
| deepseek/deepseek-v3.2 | 4/10 | 6/10 | etcd wrong | 1/4 | Correct | etcd binding wrong, incomplete |
| minimax/minimax-m2.5 | 4/10 | 9/10 (with errors) | 3 wrong bindings | 3/4 (with errors) | 1 wrong binding | Deprecated ports, interface errors |
| minimax/minimax-m2.7 | 6/10 | Good coverage | Several errors | Good coverage | Some errors | Interface binding errors |
| qwen/qwen3.6-plus | 6/10 | 8/10 | Mostly correct | 2/4 | Correct | etcd 2379 wrong, missing worker ports |
| deepseek/deepseek-v4-pro | 5/10 | 7/10 | Several errors | 2/4 | Correct | Bind address errors |
| deepseek/deepseek-v4-flash | 5/10 | 7/10 | Some errors | 2/4 | Correct | Missing ports, etcd wrong |
| moonshotai/kimi-k2.6 | 7/10 | 8/10 | Mostly correct | 3/4 | Correct | etcd 2379 wrong, missing 2381 |
| openai/gpt-5.5 | 8/10 | 10/10 | All correct | 4/4 | All correct | Minor precision gaps |
| qwen/qwen3.6-35b-a3b (LOCAL) | 4/10 | Partial | Wrong bind addresses | Missing 2381 | etcd ports listed as localhost-only | |
| anthropic/claude-opus-4.8 | 9/10 | Near-perfect | All correct | Good | All correct | Missing 10249 only |
| google/gemma-4-31b (LOCAL) | 5/10 | Good core coverage | Errors on 10257/10259 | Missing several | States 10257/10259 bind all interfaces (wrong) |
Detailed Analysis
anthropic/claude-opus-4.7 — 7/10
Strengths:
- Correctly lists all major control plane ports: 6443, 2379, 2380, 2381, 10250, 10256, 10257, 10259, 10248
- 10257 and 10259 correctly identified as localhost only — Opus 4.6 got these wrong
- 2381 (etcd metrics) included — commonly missed by other models
- Correctly identifies deprecated insecure ports as removed
Weaknesses:
- Missing 10249/TCP (kube-proxy metrics) on both control plane and worker nodes
Comparison vs Opus 4.6 (6): Improvement. Fixes the 10257/10259 interface error and adds 2381.
Notable: A solid improvement over Opus 4.6. Correctly identifying 10257 and 10259 as localhost-only and including the obscure 2381 port demonstrates better practical knowledge. The only gap is 10249 (kube-proxy metrics).
anthropic/claude-sonnet-4.6 — 7/10
Strengths:
- Best port coverage overall: lists 6443, 2379, 2380, 10250, 10259, 10257 for control plane, plus 10248, 10249, 10256 in a “both node types” section
- Correctly identifies 10248 (kubelet healthz) as localhost, 10249 (kube-proxy metrics) as localhost, 10256 (kube-proxy healthz) as all interfaces
- Worker node gets all 4 ports via the combined section
- Good caveat about etcd binding: notes single-node binds to localhost, HA binds to all — showing understanding of the nuance
- Correctly notes deprecated ports 10251/10252 as old and replaced
- CNI ports listed separately and clearly marked as not default
Weaknesses:
- etcd 2379/2380 listed as localhost in the main table — the reference shows these as LAN/all interfaces even on a single kubeadm control plane. The HA caveat partially mitigates this but the table itself is inaccurate for a default kubeadm cluster.
- Missing 2381/TCP (etcd metrics, localhost) — though no model found this
Notable: The “Additional Ports Present on Both Node Types” section is a smart structural choice that avoids duplicating kube-proxy and kubelet health ports across both tables.
google/gemini-3-flash-preview — 7/10
Strengths:
- Correct etcd interface binding: 2379 and 2380 both listed as all interfaces, matching the reference
- Good control plane coverage: 6443, 2379, 2380, 10250, 10257, 10259
- Includes 10248 (kubelet health, localhost) and 10256 (kube-proxy health, all interfaces) in “Common Services” section
- All interface bindings are accurate for the ports listed
- Good firewall recommendation section with practical guidance
- Notes etcd is “strictly secured via mutual TLS” even when on all interfaces
Weaknesses:
- Missing 10249/TCP (kube-proxy metrics, localhost) — listed on both control plane and worker in the reference
- Missing 2381/TCP (etcd metrics)
- Worker node table only shows 10250 and NodePort range — kube-proxy ports come from the common section
Notable: The most accurate interface bindings of all models. Every port that is listed has the correct binding, including etcd on all interfaces which most other models got wrong.
openai/gpt-5.4 — 5/10
Strengths:
- Core control plane ports correct: 6443, 2379, 2380, 10250, 10257, 10259
- etcd binding nuanced: 2379 “localhost and control-plane IP”, 2380 “control-plane IP / all relevant interfaces” — reasonably accurate
- Correctly notes deprecated ports (10251, 10252, 10255) as not open in modern clusters
- Clean response with good notes on each port
Weaknesses:
- Missing 10248/TCP (kubelet healthz) on both node types
- Missing 10249/TCP (kube-proxy metrics) on both node types
- Missing 10256/TCP (kube-proxy healthz) on both node types
- Worker node only lists 10250 — missing 3 of 4 worker ports
- Only 6 of 10 control plane ports listed
Notable negative: Missing all three kube-proxy and kubelet health/metrics ports means the response only covers the “well-known” ports. The question specifically asks what ports are open by default, and these health/metrics endpoints are always running.
deepseek/deepseek-v3.2 — 4/10
Strengths:
- Core control plane ports present: 6443, 2379, 2380, 10250, 10257, 10259
- Correct interface for 10257, 10259 (localhost), 6443, 10250 (all)
- Good notes on CNI ports and firewall requirements
- Clean summary table
Weaknesses:
- etcd 2379 listed as localhost — reference shows LAN/all interfaces
- etcd 2380 listed as localhost — reference shows LAN/all interfaces
- Missing 10248/TCP (kubelet healthz) on both node types
- Missing 10249/TCP (kube-proxy metrics) on both node types
- Missing 10256/TCP (kube-proxy healthz) on both node types
- Missing 2381/TCP (etcd metrics)
- Worker node only lists 10250 — missing 3 of 4 worker ports
Notable negative: Both the etcd interface errors and the missing health/metrics ports weaken this answer significantly. The response reads like it was derived from the kubeadm documentation’s “required ports” list rather than actual port observation.
minimax/minimax-m2.5 — 4/10
Strengths:
- Attempts the most comprehensive port listing of all models
- Includes 10248 (kubelet healthz, correct as localhost) and 10249 (kube-proxy metrics) on both node types
- Includes 2379, 2380, 6443, 10250 with reasonable bindings
- Notes that 10255 (kubelet read-only) is disabled by default — good detail
- “What isn’t open by default” section is a useful addition (NodePort, container runtime, CoreDNS)
Weaknesses:
- 10259 (kube-scheduler) listed as all interfaces (0.0.0.0) — should be localhost. This is a significant security-relevant error.
- 10257 (kube-controller-manager) listed as all interfaces (0.0.0.0) — should be localhost. Same error.
- 10249 (kube-proxy metrics) listed as all interfaces (0.0.0.0) — should be localhost
- Includes deprecated ports 10251 and 10252 as if they are current — these were the old insecure ports removed in modern Kubernetes
- Missing 10256/TCP (kube-proxy healthz, all interfaces) on both node types
- Missing 2381/TCP
Notable negative: The interface errors for 10257, 10259, and 10249 are the most concerning. Telling an administrator that the scheduler and controller-manager listen on all interfaces when they actually bind to localhost could lead to incorrect firewall rules or security assessments. The deprecated port inclusion (10251, 10252) suggests the model’s training data includes outdated Kubernetes documentation.
minimax/minimax-m2.7 — 6/10
Strengths:
- Comprehensive port list covering 29 ports across control plane and worker nodes
- Correctly identifies all core ports (6443, 2379, 2380, 10250, 10257, 10259)
- Good CNI plugin coverage with additional port details
- Includes deprecated 10255 with note that it is disabled by default
- Verification commands included for practical use
Weaknesses:
- Interface binding errors: 10257 (kube-controller-manager) and 10259 (kube-scheduler) listed as all interfaces — should be localhost only
- 10249 (kube-proxy metrics) listed as all interfaces — should be localhost only
- Includes deprecated ports 10251 and 10252 without clearly marking them as removed in modern Kubernetes
- Missing 2381/TCP (etcd metrics, localhost)
Notable: Security-relevant errors — incorrect interface bindings for 10257, 10259, and 10249 could lead to improper firewall rules. An improvement over MiniMax M2.5 in overall coverage and structure, but repeats the same interface binding errors. The deprecated port issue persists from MiniMax M2.5, suggesting this remains a gap in MiniMax’s Kubernetes training data.
qwen/qwen3.6-plus — 6/10
Strengths:
- Good control plane coverage: 6443, 2379, 2380, 10250, 10257, 10259, 10256 all listed
- 10257 and 10259 correctly identified as localhost — a key accuracy point
- Correctly notes 10248 (kubelet healthz, localhost) in caveats section
- Good detail on deprecated insecure ports being disabled since v1.13
- Mentions cloud-controller-manager port 10258 as additional context
- Accurate note about CNI plugin ports
Weaknesses:
- etcd 2379 listed as localhost — reference shows LAN/all interfaces even on single control plane
- Missing 10249/TCP (kube-proxy metrics, localhost) on both node types
- Missing 2381/TCP (etcd metrics, localhost)
- Worker node only lists 10250 and 10256 — missing 10248 and 10249
- 10248 mentioned only in a caveat note, not in the main table
Notable: A solid mid-range answer. The control plane coverage is good with correct interface bindings for most ports, but the etcd 2379 localhost error and incomplete worker node listing limit the score.
deepseek/deepseek-v4-pro — 5/10
Strengths:
- Covers most control plane ports
- Correctly identifies some interface bindings
Weaknesses:
- Several incorrect bind address mappings: kube-scheduler and kube-controller-manager listed as all interfaces (should be localhost), kube-proxy metrics also wrong
- Missing some worker node ports
Notable: An improvement over DeepSeek V3.2 (4/10) but still below average. The bind address errors are the same type of mistake MiniMax models make — claiming localhost-only components listen on all interfaces. This is a security-relevant error that could mislead firewall configuration.
deepseek/deepseek-v4-flash — 5/10
Strengths:
- Gets main control plane ports correct: 6443, 2379, 2380, 10250, 10257, 10259
- Reasonable coverage of core ports
Weaknesses:
- Missing 2381/TCP (etcd metrics, localhost)
- Missing 10248/TCP (kubelet healthz) on both node types
- Missing 10249/TCP (kube-proxy metrics) on both node types
- Missing 10256/TCP (kube-proxy healthz) on both node types
- Incorrect etcd 2379 binding — lists as localhost when the reference shows LAN/all interfaces
- Worker node coverage incomplete
Notable: Matches V4 Pro at 5/10 — the entire DeepSeek family struggles on this question (V3.2: 4/10, V4 Pro: 5/10, V4 Flash: 5/10). The missing health/metrics ports and etcd binding error are consistent DeepSeek family gaps.
openai/gpt-5.5 — 8/10
Strengths:
- Best port coverage of any model: Lists all 10 control plane ports including the obscure 2381/TCP (etcd metrics, localhost) — only Opus 4.7 also found this port
- All 4 worker node ports correctly listed: 10250, 10248, 10256, 10249
- All interface bindings correct: 10257 and 10259 correctly identified as localhost only, 10256 as all interfaces, 10249 as localhost only
- etcd binding handled well: 2379 described as “localhost plus the control-plane node IP” and 2380 as “control-plane node IP” — reasonably accurate for kubeadm defaults
- Correctly notes 10255 (kubelet read-only) is disabled by default in modern kubeadm clusters
- Good table format with clear bind address column
- Correct NodePort range noted with appropriate caveat that ports are only open when services exist
Weaknesses:
- Minor precision gap on etcd 2379 — described as “localhost plus the control-plane node IP” rather than the more standard “all interfaces” description, though this is arguably more accurate for single-node kubeadm
- NodePort range listed in both tables adds minor noise
Notable: The highest-scoring response on this question, achieving the most complete port coverage with the most accurate interface bindings. The inclusion of 2381/TCP (etcd metrics) and all four worker node ports sets it apart from every other model except Opus 4.7 (which missed 10249). This is a significant improvement over GPT 5.4 (which scored 5/10 and missed all kube-proxy and kubelet health ports).
moonshotai/kimi-k2.6 — 7/10
Strengths:
- Good control plane coverage with most major ports listed
- Worker ports correctly identified
- Interface bindings mostly accurate
Weaknesses:
- etcd 2379 incorrectly listed as localhost — reference shows LAN/all interfaces even on single control plane
- Missing 2381/TCP (etcd metrics, localhost) — though this is an obscure port
- Worker node missing one port
Notable: A solid mid-range answer matching Opus 4.7, Sonnet, and Gemini 3 Flash at 7/10. The etcd 2379 binding error is shared with several other models (Sonnet, Qwen 3.6 Plus, DeepSeek V3.2).
qwen/qwen3.6-35b-a3b (LOCAL) — 4/10
Strengths:
- Lists the core control plane ports: 6443, 2379, 2380, 10250, 10257, 10259
- Covers kubelet and kube-proxy at a basic level
Weaknesses:
- Factual errors on etcd bind addresses — claims etcd 2379 and 2380 listen on localhost only when the reference shows they bind to LAN/all interfaces
- Missing 2381/TCP (etcd metrics, localhost) — though this is an obscure port
- Wrong on kube-proxy 10256 location — incorrect interface binding
- Incomplete worker node port listing
- Missing several health/metrics ports
Notable: Matches DeepSeek V3.2 and MiniMax M2.5 at 4/10. The etcd bind address errors are the same type of mistake several models make, but the local model compounds this with additional missing ports and incorrect bindings. The question requires practical experience with actual port observations, which smaller models are less likely to have in their training data.
google/gemma-4-31b (LOCAL) — 5/10
Strengths:
- Lists the core control plane ports: 6443, 2379, 2380, 10250, 10257, 10259
- Correct etcd interface binding — acknowledges 2379 and 2380 bind to all interfaces
- Covers kubelet (10250) for worker nodes
Weaknesses:
- Critical error: 10257 and 10259 listed as binding to all interfaces — both kube-controller-manager and kube-scheduler bind to localhost only. This is the same security-relevant error MiniMax models make.
- Missing 2381/TCP (etcd metrics, localhost)
- Missing health/metrics ports (10248, 10249, 10256) on both node types
- Incomplete worker node port listing
Notable: A slight improvement over Qwen-35b (4/10) due to correct etcd binding, but the 10257/10259 interface errors are the same pattern seen in MiniMax M2.5 and M2.7. Claiming localhost-only components listen on all interfaces is a security-relevant error that could lead to incorrect firewall assessments. Matches GPT 5.4, DeepSeek V4 Pro, and DeepSeek V4 Flash at 5/10.
anthropic/claude-opus-4.8 — 9/10
Strengths:
- Near-perfect control plane port coverage: lists all major ports including 6443, 2379, 2380, 10250, 10256, 10257, 10259, 10248
- All interface bindings correct: 10257 and 10259 correctly identified as localhost only, etcd ports correct, 10256 as all interfaces
- Worker node ports correctly listed with accurate bindings
- Correctly identifies deprecated ports as removed
- Good table format with clear interface binding column
Weaknesses:
- Missing 10249/TCP (kube-proxy metrics, localhost) on both control plane and worker nodes — the only gap
Comparison vs Opus 4.7 (7): Significant improvement. Takes the highest score of any model on this question, beating GPT 5.5’s previous best of 8/10.
Notable: The new top scorer on Open Ports with 9/10 — the only model to surpass GPT 5.5 (8/10). Correct interface bindings across the board and near-complete port coverage. The only missing port is the relatively minor 10249 (kube-proxy metrics). A strong showing for the Anthropic family on a question that requires practical cluster experience.
Key Findings
-
kube-proxy and kubelet health/metrics ports are the differentiator: Only Claude and MiniMax M2.5 included 10248, 10249, and 10256 (though MiniMax M2.5 got 10249’s interface wrong and missed 10256). GPT 5.4, DeepSeek V3.2, and Gemini 3 Flash all missed at least some of these.
-
etcd interface binding splits the field: The reference shows 2379/2380 on LAN/all interfaces. Gemini 3 Flash got this right. Claude acknowledged the nuance. GPT 5.4 was partially right. DeepSeek V3.2 and MiniMax M2.5 had varying accuracy. This is a detail that requires hands-on cluster experience to know.
-
2381/TCP (etcd metrics) was unknown to all models: No model mentioned this localhost-only etcd metrics port. This is a genuinely obscure port.
-
MiniMax M2.5’s interface errors are dangerous: Claiming 10257 and 10259 listen on all interfaces is incorrect and could lead to security misconfiguration (or unnecessary firewall rules for ports that aren’t actually exposed).
-
Deprecated ports indicate stale training data: MiniMax M2.5 listed 10251 and 10252 as current ports. GPT 5.4 correctly noted these as “not normally open anymore.” This is a good test of whether models have up-to-date Kubernetes knowledge.
-
Worker node completeness is poor across the board: Only Claude got all 4 worker ports correct. Most models only listed kubelet (10250) for workers, forgetting that kube-proxy also runs on workers with its health and metrics ports.