New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

In Fedora 26 Atomic, Docker 1.13 prevents Kubernetes Services from opening NodePort #467

Open
daryllstrauss opened this Issue Aug 24, 2017 · 6 comments

Comments

Projects
None yet
4 participants
@daryllstrauss

daryllstrauss commented Aug 24, 2017

Docker 1.13 changed the default FORWARD policy from ACCEPT to DENY that prevents services of type NodePort from working.

Workaround is appears to be:
/sbin/iptables -I FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"
on all the nodes in the cluster.

If you follow the Getting Started guide on the Project Atomic website and do the steps manually (ansible include the fix) you'll get a configuration where NodePort doesn't work. That leads to hair pulling and substantial frustration.

The Getting Started docs should be updated to explain this step until a more proper fix is deployed.

@jberkus

This comment has been minimized.

Contributor

jberkus commented Aug 24, 2017

Seems like we need to doc this more places than just the Getting Started guide.

@daryllstrauss

This comment has been minimized.

daryllstrauss commented Aug 25, 2017

Actually it looks like that rule only allows NodePort to work on the host running the pod. Since NodePort should forward from any minion node I ended up with:

iptables -I FORWARD 1 -i flannel.1 -j ACCEPT -m comment --comment "flannel subnet"
iptables -I FORWARD 1 -o flannel.1 -j ACCEPT -m comment --comment "flannel subnet"

That allows the forwarding to work between minion nodes. I think that's reasonably restricted, but someone more familiar with the networking should confirm that's a good answer.

@jberkus

This comment has been minimized.

Contributor

jberkus commented Aug 25, 2017

@jasonbrooks

This comment has been minimized.

Member

jasonbrooks commented Aug 25, 2017

@jlebon what do you think?

@jlebon

This comment has been minimized.

Member

jlebon commented Aug 25, 2017

Right, those are the same rules as in kubernetes/contrib#1612. Probably we should just point users to https://github.com/kubernetes/contrib from the get-go?

@jasonbrooks

This comment has been minimized.

Member

jasonbrooks commented Aug 25, 2017

I'm in favor of that. Some people resist ansible, I think they think it's going to be a big investment in learning about a new configuration management system. Others want a manual approach to sort of get their hands dirty, learn the details, etc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment