
I have provisioned a Kubernetes cluster on RHEL 7 and deployed Calico to it. The calico-node pods running on the master and worker nodes do not become ready until I SSH into the master and temporarily disable iptables with systemctl stop iptables.

I have configured iptables on the master to allow incoming access over TCP to 6443, 2379:2380, and 10250:10252. So it should be configured correctly as per the documented required ports. After all, the nodes are able to join the cluster via kubeadm join which requires the ability to network with the master over 6443.

TJ Zimmerman
  • It is possible to check if the issue is due to blocked ports; however, in addition to 6443, can you open 443 and 8080 and check one more time? (https://kubernetes.io/docs/reference/access-authn-authz/controlling-access/). Additionally, it would be good to see the FW config. – Nick Apr 08 '20 at 16:38
  • I added another answer with the solution. I had to add a few ports for Calico to each node. I have deployed Kubernetes a few dozen times before with Kubeadm and never had to forward these ports. However, before now I have always used firewalld rather than iptables for managing OS port forwarding. I'm unsure why this migration required the change. – TJ Zimmerman Apr 08 '20 at 19:32

1 Answer


The solution was to also include the ports defined here.

TJ Zimmerman
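
Added example, not from the original question or answer: a Python check that reads `iptables -S INPUT` output and reports which required inbound ports no ACCEPT rule reaches before the catch-all REJECT. The control-plane ports are the ones listed in the question; the Calico ports (TCP 179, UDP 4789, TCP 5473) are an assumption taken from Calico's published network requirements, since the answer does not name the ports it added, and IP-in-IP (IP protocol 4) is not a port and is not checked. The sample rules are constructed.

```python
import re

# TCP control-plane ports come from the question. The Calico entries are an
# assumption (Calico's published requirements); which apply depends on the mode in use.
REQUIRED = [
    ("tcp", 6443, "kube-apiserver"), ("tcp", 2379, "etcd client"),
    ("tcp", 2380, "etcd peer"), ("tcp", 10250, "kubelet"),
    ("tcp", 179, "Calico BGP"), ("udp", 4789, "Calico VXLAN"),
    ("tcp", 5473, "Calico Typha"),
]

# Constructed sample of `iptables -S INPUT` output resembling the question's setup.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2379:2380,10250:10252 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

def accepted(rules_text):
    """Return (proto, low, high) for ACCEPT rules ahead of the first catch-all deny.
    Source/interface restrictions on a rule are ignored in this example."""
    out = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        proto = re.search(r" -p (\S+)", line)
        if re.search(r"-j (REJECT|DROP)", line) and not proto:
            break  # catch-all deny: rules appended after it are never reached
        if "-j ACCEPT" not in line or not proto:
            continue
        ports = re.search(r"--dports? (\S+)", line)
        if not ports:
            out.append((proto.group(1), None, None))  # whole protocol allowed
            continue
        for spec in ports.group(1).split(","):
            low, _, high = spec.partition(":")
            out.append((proto.group(1), int(low), int(high or low)))
    return out

def missing(rules_text, required=REQUIRED):
    """Labels of required entries that no reachable ACCEPT rule covers."""
    allowed = accepted(rules_text)
    def covered(proto, port):
        return any(p == proto and (lo is None or lo <= port <= hi)
                   for p, lo, hi in allowed)
    return [label for proto, port, label in required if not covered(proto, port)]

if __name__ == "__main__":
    for label in missing(SAMPLE_RULES):
        print("not allowed inbound:", label)
```

Feed it the real output of `iptables -S INPUT` from each node in place of the sample; a rule added with `-A` lands after the REJECT line and is reported as missing, which is why such rules need to be inserted above it.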