2021-01-06 05:49

No default iptable rule to allow incoming traffic to port 6443 on master (Kubernetes 1.9.3)


Uncomment only one, leave it on its own line:

/kind bug

What happened:

While deploying kubernetes v1.9.3 cluster using kubeadm on Centos 7.4, nodes couldn't reach master API on port 6443.

The command # kubeadm join --token 32fcfd.d1eec8c99efe1cfb --discovery-token-ca-cert-hash sha256:6931045ca75e9a9deb08b616467367d5e5d91185adb9bae3455c7b3d68f97800 on nodes showing the following error

Error: Trying to connect to API Server "" [discovery] Created cluster-info discovery client, requesting info from "" [discovery] Failed to request cluster info, will try again: [Get

What you expected to happen: Nodes should be able to communicate with master API, fetch the cluster-info and join the cluster. How to reproduce it (as minimally and precisely as possible):

Follow the procedure https://kubernetes.io/docs/setup/independent/install-kubeadm/

Anything else we need to know?:

After the investigation, it is observers that, the default firewall configuration on master node, not permitting incoming traffic to port 6443 in table IN_public_allow. After manually adding the incoming rule to the table, nodes are able to communicate with master API and join the cluster.


Kubernetes version (use kubectl version): Cloud provider or hardware configuration: OS (e.g. from /etc/os-release): CentOS 7.4 Kernel (e.g. uname -a): 3.10.0-693.17.1.el7.x86_64 Install tools: kubeadm Others:


  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享
  • 邀请回答


  • weixin_39922642 weixin_39922642 4月前

    I think, that you either need to add this rule yourself, or you need to enable the bypassing of iptables by bridges via sysctl net.bridge.bridge-nf-call-iptables=1

    点赞 评论 复制链接分享
  • weixin_39949776 weixin_39949776 4月前


    点赞 评论 复制链接分享
  • weixin_39940253 weixin_39940253 4月前

    did you ensure selinux is disabled and

    cat <<eof>  /etc/sysctl.d/k8s.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    sysctl --system

    This instruction was followed?

    点赞 评论 复制链接分享
  • weixin_39949776 weixin_39949776 4月前

    Closing due to timeout, please reopen with more data if you are still having an issue.

    点赞 评论 复制链接分享