Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

In Fedora 26 Atomic, Docker 1.13 prevents Kubernetes Services from opening NodePort #467

Open
daryllstrauss opened this issue Aug 24, 2017 · 6 comments

Comments

@daryllstrauss
Copy link

daryllstrauss commented Aug 24, 2017

Docker 1.13 changed the default FORWARD policy from ACCEPT to DENY that prevents services of type NodePort from working.

Workaround is appears to be:
/sbin/iptables -I FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"
on all the nodes in the cluster.

If you follow the Getting Started guide on the Project Atomic website and do the steps manually (ansible include the fix) you'll get a configuration where NodePort doesn't work. That leads to hair pulling and substantial frustration.

The Getting Started docs should be updated to explain this step until a more proper fix is deployed.

@jberkus
Copy link
Contributor

jberkus commented Aug 24, 2017

Seems like we need to doc this more places than just the Getting Started guide.

@daryllstrauss
Copy link
Author

Actually it looks like that rule only allows NodePort to work on the host running the pod. Since NodePort should forward from any minion node I ended up with:

iptables -I FORWARD 1 -i flannel.1 -j ACCEPT -m comment --comment "flannel subnet"
iptables -I FORWARD 1 -o flannel.1 -j ACCEPT -m comment --comment "flannel subnet"

That allows the forwarding to work between minion nodes. I think that's reasonably restricted, but someone more familiar with the networking should confirm that's a good answer.

@jberkus
Copy link
Contributor

jberkus commented Aug 25, 2017

@jasonbrooks ?

@jasonbrooks
Copy link
Contributor

@jlebon what do you think?

@jlebon
Copy link
Contributor

jlebon commented Aug 25, 2017

Right, those are the same rules as in kubernetes-retired/contrib#1612. Probably we should just point users to https://github.com/kubernetes/contrib from the get-go?

@jasonbrooks
Copy link
Contributor

I'm in favor of that. Some people resist ansible, I think they think it's going to be a big investment in learning about a new configuration management system. Others want a manual approach to sort of get their hands dirty, learn the details, etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants