🟠 High   ⏱ 5–30 min  Last verified: 29 May 2026
Affected versions: Windows Server 2022

πŸ“– ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution β€” Primary Fix
  7. Solution β€” Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Windows worker node cannot join cluster and workload scheduling fails.

Environment & Reproduction

Appears when API server, overlay, or kubelet ports are denied by host or perimeter firewall.

kubeadm join ...

Root Cause Analysis

Traffic to control plane endpoints is blocked, resulting in repeated join and heartbeat timeouts.

Quick Triage

Test connectivity to control plane and required service ports.

Test-NetConnection k8s-master -Port 6443
Test-NetConnection k8s-master -Port 10250

Step-by-Step Diagnosis

Review firewall rules, routes, and kubelet logs.

Get-NetFirewallRule | ? DisplayName -match 'kube|flannel|calico'
Illustrative mockup for windows-server-2022 β€” terminal_or_powershell
Kubernetes join diagnostics β€” Illustrative mockup β€” Progressive Robot

Solution β€” Primary Fix

Open required ports and align cluster CIDR routing.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

New-NetFirewallRule -DisplayName 'K8s API 6443' -Direction Outbound -Action Allow -Protocol TCP -RemotePort 6443
New-NetFirewallRule -DisplayName 'Kubelet 10250' -Direction Outbound -Action Allow -Protocol TCP -RemotePort 10250
Illustrative mockup for windows-server-2022 β€” event_or_log_viewer
Kubernetes firewall remediation β€” Illustrative mockup β€” Progressive Robot

Solution β€” Alternative Approaches

Use dedicated management VLAN and policy objects for cluster node classes.

route print

Verification & Acceptance Criteria

Node becomes Ready and can run test pod.

kubectl get nodes -o wide

Rollback Plan

Remove temporary firewall exceptions and revert network ACL changes.

Remove-NetFirewallRule -DisplayName 'K8s API 6443'

Prevention & Hardening

Version and audit cluster firewall baselines per environment tier.

Get-NetFirewallProfile | Select Name,Enabled

Related: CNI pod crashloops, DNS pod timeouts, and kube-proxy startup failures.

Related tutorial: View the step-by-step tutorial for Windows Server 2022.

View all Windows Server 2022 tutorials on the Tutorials Hub β†’

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Kubernetes networking prerequisites for Windows nodes and firewall planning guidance.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today β€” we respond within one business day.