In Fedora 26 Atomic, Docker 1.13 prevents Kubernetes Services from opening NodePort #467
Docker 1.13 changed the default FORWARD policy from ACCEPT to DENY, which prevents services of type NodePort from working.
The workaround appears to be:
If you follow the Getting Started guide on the Project Atomic website and do the steps manually (Ansible includes the fix), you'll get a configuration where NodePort doesn't work. That leads to hair pulling and substantial frustration.
The Getting Started docs should be updated to explain this step until a more proper fix is deployed.
Actually it looks like that rule only allows NodePort to work on the host running the pod. Since NodePort should forward from any minion node I ended up with:
iptables -I FORWARD 1 -i flannel.1 -j ACCEPT -m comment --comment "flannel subnet"
That allows the forwarding to work between minion nodes. I think that's reasonably restricted, but someone more familiar with the networking should confirm that's a good answer.
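An added example, not part of the original thread: a small audit that reads `iptables -S FORWARD` output and reports whether a node is in the state this issue describes (default-drop FORWARD policy with no ACCEPT rule for the overlay interface). The function names and the sample rulesets are constructed for illustration; the check looks only at the chain policy and `-i` matches, not at rule order.

```shell
#!/bin/sh
# Audit `iptables -S FORWARD` output for the condition described in this issue.
# Rules are read from stdin so the logic can be exercised without root.

# forward_policy: print the FORWARD chain's default policy.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# has_iface_accept IFACE: succeed if some FORWARD rule ACCEPTs traffic
# arriving on IFACE. A negated match ("! -i IFACE") does not count.
has_iface_accept() {
    awk -v ifc="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            in_ok = 0; acc = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-i" && $(i+1) == ifc && $(i-1) != "!") in_ok = 1
                if ($i == "-j" && $(i+1) == "ACCEPT") acc = 1
            }
            if (in_ok && acc) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit_forward IFACE: classify the ruleset on stdin.
audit_forward() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | forward_policy)
    if [ "$policy" = "ACCEPT" ]; then
        echo "open"      # everything is forwarded (pre-1.13 default)
    elif printf '%s\n' "$rules" | has_iface_accept "$1"; then
        echo "scoped"    # default drop, overlay interface explicitly allowed
    else
        echo "blocked"   # default drop, no overlay rule: the NodePort symptom
    fi
}

# Constructed sample rulesets (not captured from a real host).
SAMPLE_BROKEN='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER'
SAMPLE_FIXED='-P FORWARD DROP
-A FORWARD -i flannel.1 -m comment --comment "flannel subnet" -j ACCEPT
-A FORWARD -j DOCKER-ISOLATION'

# On a live node (root required): iptables -S FORWARD | audit_forward flannel.1
```

A result of `open` means the node forwards all traffic regardless of interface, which is broader than the interface-scoped rule proposed in the comment above.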