weixin_39598941
2020-12-29 10:45

OVN add iptables rule for traffic from pod to external

bug: 1626387 https://bugzilla.redhat.com/show_bug.cgi?id=1626387

Jira: SDN-182 Add firewall rule to permit pod to access node https://jira.coreos.com/browse/SDN-182

Signed-off-by: Phil Cameron

This question originates from the open-source project: ovn-org/ovn-kubernetes

10 replies

  • weixin_39598941, 4 months ago

    PTAL. Weibin is testing this. I will let you know the results.

  • weixin_39617044, 4 months ago

    Tested the PR, and the container can ping the outside hostname now.

  • weixin_39820588, 4 months ago

    Also, the bug is that the pod cannot access the node where it is running, right? It can access other nodes, though?

  • weixin_39598941, 4 months ago

    The pod can't access the host. Internal cluster networking is OK (as far as I know). There is a similar rule in openshift-sdn that permits pods to access the host.

  • weixin_39820588, 4 months ago

    There is a similar rule in openshift-sdn that permits pods to access the host.

    That is likely because openshift adds a chain with that name when installing the cluster?

  • weixin_39598941, 4 months ago

    Openshift installs and uses firewalld for firewalling. The FIREWALL_ALLOW_CHAIN chain is where the INPUT rules are added. There is no reason to not just add this rule to INPUT (see latest change).

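As an added example (not code from this PR or from ovn-kubernetes), a small check that walks a node's `iptables -S` output and reports the verdict INPUT gives to traffic sourced from the pod subnet, whether the ACCEPT sits in INPUT itself or in a jumped-to chain such as FIREWALL_ALLOW_CHAIN. The sample rules and the pod CIDR 10.128.0.0/14 are constructed; any rule carrying a match the check cannot evaluate (conntrack state, interface, protocol) is treated as not guaranteed to apply.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S` output; pod CIDR and chain layout are assumptions.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j FIREWALL_ALLOW_CHAIN
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FIREWALL_ALLOW_CHAIN -s 10.128.0.0/14 -j ACCEPT
"""

def parse_rules(text):
    """Split `iptables -S` output into ({chain: [rule tokens]}, {chain: policy})."""
    chains, policies = {}, {}
    for toks in filter(None, map(shlex.split, text.splitlines())):
        chains.setdefault(toks[1], [])
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
        elif toks[0] == "-A":
            chains[toks[1]].append(toks[2:])
    return chains, policies

def rule_verdict(rule, src):
    """Target every packet from `src` reaches, or None if the rule has a match we cannot prove."""
    for i in range(0, len(rule), 2):
        if rule[i] == "-j":
            return rule[i + 1]  # tokens after the target are target options
        if rule[i] != "-s" or not src.subnet_of(ipaddress.ip_network(rule[i + 1], strict=False)):
            return None  # -m/-i/-p/negated matches: not guaranteed for pod traffic
    return None

def chain_verdict(chains, chain, src):
    """Walk `chain` in order, descending into user-defined chains on -j."""
    for rule in chains.get(chain, []):
        v = rule_verdict(rule, src)
        if v in ("ACCEPT", "DROP", "REJECT"):
            return v
        if v == "RETURN":
            break
        if v in chains:  # user-defined chain (iptables rejects jump loops)
            v = chain_verdict(chains, v, src)
            if v is not None:
                return v
    return None  # fell off the end: the chain policy decides

def pod_to_node_verdict(text, pod_cidr, chain="INPUT"):
    chains, policies = parse_rules(text)
    src = ipaddress.ip_network(pod_cidr, strict=False)
    return chain_verdict(chains, chain, src) or policies.get(chain, "ACCEPT")
```

Run it against the real output of `iptables -S INPUT` plus the user chains it jumps to; a verdict other than ACCEPT for the pod subnet means the node is still rejecting pod-to-host traffic.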
  • weixin_39820588, 4 months ago

    You may have forgotten to push your latest changes.

  • weixin_39598941, 4 months ago

    I just pushed them. Sorry, I don't know what happened before.

  • weixin_39598941, 4 months ago

    On 10/22/2018 11:28 AM, Gurucharan Shetty wrote:

    https://github.com/pecameron

    You may have forgotten to push your latest changes.
    I don't know what happened, I pushed them again and hopefully all is well now.

  • weixin_39820588, 4 months ago

    My iptables confidence is not high. One of you please have a look.
