Add ufw to k3s known issues #2732
Conversation
Addresses k3s-io/k3s#2059 by adding information on the modifications needed to run k3s with ufw enabled Signed-off-by: t0xicCode <xavier.l@magnax.ca>
t0xicCode
force-pushed
the
known-issue-ufw
branch
from
b7e9752
to
65230c5
Compare
|
Thank you! @erikwilson @Oats87 can you review this? |
| UFW firewall rules are evaluated prior to the kube-proxy rules, so traffic to cluster services can be blocked. Traffic from the service and pod networks should be allowed in ufw to ensure that the kube-proxy rules are evaluated. Given the default values, the following will allow traffic from those network through the ufw portion, before reaching the kube-proxy rules. | ||
|
|
||
| ``` | ||
| sudo ufw allow from 10.42.0.0/16 to any |
There was a problem hiding this comment.
I'd be curious to see the actual resulting chain on the iptables side after applying these UFW rules. I'm not sure we should be blindly adding these instructions to our docs without a full understanding of what is going on (and assurance that we aren't going to still have other "good" traffic blocked)
I think this needs more investigation IMO
|
I can run some tests and push the resulting iptables changes here. I was
under the impression that the original issue had delved into the details,
but it doesn’t hurt to check it again.
|
That'd be great if you could do that -- the original issue seemed to be more of a "It happens to work with these rules" but I've had to fight these system-level firewalls a few times on issues like this, where certain things work but others don't. |
|
@SheilaghM @davidnuzik Should we close this PR, then open an issue in the K3s repo for further investigation? |
Addresses k3s-io/k3s#2059 by adding information on the modifications needed to run k3s with ufw enabled.