
I'm trying to bootstrap a Kubernetes cluster on RHEL 7.8 but I'm having some issues with my firewall.

nftables is not supported in Kubernetes and iptables-legacy must be installed instead. While the iptables-legacy package exists in distros like Debian Buster, it does not seem to be available for RHEL 7. However, this article mentions installing iptables-services, disabling firewalld, and enabling iptables. The relevant material from the article is:

yum install iptables-services.x86_64 -y
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl mask firewalld.service
systemctl start iptables
systemctl enable iptables
systemctl unmask iptables
iptables -F
service iptables save

After this, if I run iptables --version on the server, I can see that 1.4.2 is installed. Since this is older than 1.8 as implied by the GitHub issue linked above, this version should be fine.

Before running kubeadm join from my worker nodes, the following Ansible tasks run against my master to configure iptables:

- iptables:
    chain: INPUT
    destination_port: "{{ port }}"
    jump: ACCEPT
    protocol: tcp
  loop:
    - 6443
    - 2379:2380
    - 10250:10252
  loop_control:
    loop_var: port

- command: service iptables save

- systemd:
    name: iptables
    state: restarted

And this against my nodes to configure iptables:

- iptables:
    chain: INPUT
    destination_port: "{{ port }}"
    jump: ACCEPT
    protocol: tcp
  loop:
    - 10250
    - 30000:32767
  loop_control:
    loop_var: port

- command: service iptables save

- systemd:
    name: iptables
    state: restarted

After this, I can confirm that the rule is present in memory:

$> iptables -S | grep 6443
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT

Then, when I run kubeadm join from the worker node, it fails to connect:

I0406 22:07:19.205714    5715 token.go:73] [discovery] Created cluster-info discovery client, requesting info from "https://192.168.50.10:6443"
I0406 22:07:19.206720    5715 token.go:78] [discovery] Failed to request cluster info: [Get https://192.168.50.10:6443/api/v1/namespaces/kube-public/configmaps/cluster-info?timeout=10s: dial tcp 192.168.50.10:6443: connect: no route to host]
I0406 22:07:19.206749    5715 token.go:191] [discovery] Failed to connect to API Server "192.168.50.10:6443": Get https://192.168.50.10:6443/api/v1/namespaces/kube-public/configmaps/cluster-info?timeout=10s: dial tcp 192.168.50.10:6443: connect: no route to host
I0406 22:07:24.207648    5715 token.go:188] [discovery] Trying to connect to API Server "192.168.50.10:6443

However, if I systemctl stop iptables on the master, then the worker nodes can join without any issues, which indicates to me that the firewall on the master is misconfigured?

TJ Zimmerman
  • I'm trying to reproduce your issue. Could you confirm which Kubernetes version you deployed? Did you deploy it with kubeadm, like the guide on Medium you mention in your question? – Will R.O.F. Apr 07 '20 at 08:38
  • v1.18. Deployed according to the official kubeadm docs. https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/install-kubeadm/ – TJ Zimmerman Apr 07 '20 at 08:40

1 Answer

The Ansible module iptables uses the append action by default. This caused the reject rules to not be located where they should be. Adding action: insert to my iptables tasks in Ansible resolved the issue.

TJ Zimmerman
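A check for the rule-ordering problem described in this answer, added here as an example and not part of the original post: it parses the output of iptables -S INPUT and reports whether an ACCEPT for a given TCP port sits before the first unconditional REJECT/DROP rule, which is where an appended rule ends up shadowed. Both rule listings below are constructed; the host-prohibited REJECT line is assumed to resemble the default ruleset that iptables-services ships on RHEL 7.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` after the Ansible iptables task ran
# with its default append action: the ACCEPT for 6443 lands AFTER the distro's
# catch-all REJECT, so clients see "connect: no route to host" (the symptom of
# --reject-with icmp-host-prohibited) and the rule never matches.
BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT'

# Constructed sample after switching to action: insert (rules go to the top).
FIXED_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 2379:2380 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# port_reachable RULES PORT -> exit 0 if an ACCEPT for PORT (exact or inside a
# --dport low:high range) is evaluated before the first unconditional
# REJECT/DROP in INPUT; exit 1 if it is missing or shadowed.
port_reachable() {
  printf '%s\n' "$1" | awk -v port="$2" '
    function port_match(spec, p,   parts) {
      if (index(spec, ":") == 0) return spec == p
      split(spec, parts, ":")
      return (p + 0 >= parts[1] + 0) && (p + 0 <= parts[2] + 0)
    }
    $1 != "-A" || $2 != "INPUT" { next }      # skip policy lines, other chains
    {
      accept = 0; terminal = 0; conditional = 0; dport = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i ~ /^-[pmsdio]$/) conditional = 1   # any match criterion present
        if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) terminal = 1
      }
      if (accept && dport != "" && port_match(dport, port)) { found = 1; exit }
      if (terminal && !conditional) exit        # catch-all: nothing below is reached
    }
    END { exit found ? 0 : 1 }'
}
```

Run it against live output with port_reachable "$(iptables -S INPUT)" 6443 on the control-plane node before attempting kubeadm join.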