Looking for a new opportunity as DevOps engineer
I am currently seeking a new opportunity as a DevOps Engineer, available from January 2026. I am open to remote or hybrid work from Prague, Czechia (Europe), for a long-term, full-time position or B2B contract. Please feel free to contact me for further details. You can also review my professional background on my LinkedIn profile.
Enabling Low-Range NodePorts Below 1024 in MicroK8s for Traefik Ingress
Discover how to configure MicroK8s to use NodePorts below 1024, a key step for setting up efficient ingress controllers like Traefik. This guide simplifies the process, ensuring a seamless integration of lower NodePorts in your Kubernetes environment.
When configuring an ingress controller such as Traefik on MicroK8s, you may encounter limitations with Kubernetes’ default NodePort range, which starts at port 30000. Many production setups, however, prefer exposing services on the standard HTTP (80) and HTTPS (443) ports. These ports fall within the system-reserved range below 1024 and are inaccessible to ordinary services unless explicitly enabled.
MicroK8s offers a straightforward way to extend the NodePort range, allowing you to bind Traefik or similar ingress controllers directly to these lower ports. This enables simpler setups and more intuitive access to deployed applications.
Adjusting the NodePort Range#
To allow MicroK8s to use NodePorts below 1024, modify the configuration of the Kubernetes API server. This setting defines the allowed NodePort range for all cluster services.
Open the kube-apiserver configuration file and update the --service-node-port-range parameter:
vi /var/snap/microk8s/current/args/kube-apiserver
...
# allow all nodeports
--service-node-port-range=0-65535
...
microk8s stop
microk8s start
This change redefines the permitted NodePort range to include all possible TCP ports (0–65535). It’s a broad setting, so ensure you apply it only in controlled environments or secure production systems where privileged access is monitored.
Restarting MicroK8s recreates the internal components with the updated configuration, bringing the change into effect.
Deploying the Traefik Ingress Controller#
With the extended NodePort range available, you can now deploy Traefik using ports 80 and 443 directly. This simplifies TLS management and avoids extra port forwarding steps on load balancers or host firewalls.
For example, in your Traefik Helm chart or manifest, set the service.spec.ports section accordingly:
ports:
- name: web
port: 80
nodePort: 80
- name: websecure
port: 443
nodePort: 443
After deployment, Traefik will handle incoming traffic on these familiar ports, improving accessibility for users and improving compatibility with external DNS or reverse proxy configurations.
Final Notes#
Enabling low-range NodePorts is ideal for local and small-scale production setups where simplicity and direct access are priorities. For large or security-critical environments, consider routing external traffic through a dedicated load balancer or reverse proxy that handles privileged ports separately.
With this adjustment, your MicroK8s cluster becomes more flexible and capable of supporting ingress controllers like Traefik in a clean, standardized way.
Looking for a new opportunity as DevOps engineer
I am currently seeking a new opportunity as a DevOps Engineer, available from January 2026. I am open to remote or hybrid work from Prague, Czechia (Europe), for a long-term, full-time position or B2B contract. Please feel free to contact me for further details. You can also review my professional background on my LinkedIn profile.