weixin_39784460
2021-01-06 05:49

No default iptable rule to allow incoming traffic to port 6443 on master (Kubernetes 1.9.3)

BUG REPORT:

/kind bug

What happened:

While deploying kubernetes v1.9.3 cluster using kubeadm on Centos 7.4, nodes couldn't reach master API on port 6443.

The command # kubeadm join --token 32fcfd.d1eec8c99efe1cfb 10.0.32.140:6443 --discovery-token-ca-cert-hash sha256:6931045ca75e9a9deb08b616467367d5e5d91185adb9bae3455c7b3d68f97800 run on the nodes shows the following error:

Error: Trying to connect to API Server "10.0.32.140:6443" [discovery] Created cluster-info discovery client, requesting info from "https://10.0.32.140:6443" [discovery] Failed to request cluster info, will try again: [Get https://10.0.32.140:6443/api/v1/namespaces/kube-public/configmaps/cluster-info:

What you expected to happen:

Nodes should be able to communicate with the master API, fetch the cluster-info and join the cluster.

How to reproduce it (as minimally and precisely as possible):

Follow the procedure https://kubernetes.io/docs/setup/independent/install-kubeadm/

Anything else we need to know?:

After investigation, it was observed that the default firewall configuration on the master node does not permit incoming traffic to port 6443 in the table IN_public_allow. After manually adding the incoming rule to that table, the nodes are able to communicate with the master API and join the cluster.

Environment:

Kubernetes version (use kubectl version):
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release): CentOS 7.4
Kernel (e.g. uname -a): 3.10.0-693.17.1.el7.x86_64
Install tools: kubeadm
Others:

This question originates from the open source project: kubernetes/kubeadm
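The report above boils down to a pre-flight check the master should pass before any node runs kubeadm join: does the firewalld public zone (chain IN_public_allow on CentOS 7) accept the control-plane ports? The following script is an added example, not code from the issue or from kubeadm. It takes the text of iptables -S IN_public_allow, lists the ports that have no ACCEPT rule, and prints the firewall-cmd commands that would open them; the port list is assumed from the kubeadm install docs, and the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or kubeadm): pre-flight check of the master's
# firewalld public zone. Input is the output of `iptables -S IN_public_allow`,
# the chain firewalld populates on CentOS 7 for --add-port rules in that zone.

# Control-plane TCP ports (assumed list, taken from the kubeadm install docs).
K8S_MASTER_PORTS="6443 2379 2380 10250 10251 10252"

# port_allowed RULES PORT: succeed if RULES has an ACCEPT rule for tcp dport PORT.
port_allowed() {
    printf '%s\n' "$1" | grep -Eq -- "^-A IN_public_allow .*-p tcp .*--dport $2 .*-j ACCEPT$"
}

# missing_ports RULES: print, space separated, the ports with no ACCEPT rule.
missing_ports() {
    missing=""
    for p in $K8S_MASTER_PORTS; do
        port_allowed "$1" "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

# firewall_cmds RULES: print the firewall-cmd invocations that would open the gaps.
firewall_cmds() {
    for p in $(missing_ports "$1"); do
        printf 'firewall-cmd --permanent --add-port=%s/tcp\n' "$p"
    done
    [ -z "$(missing_ports "$1")" ] || echo 'firewall-cmd --reload'
}

# Constructed sample: a fresh CentOS 7.4 master where only ssh (22) is allowed,
# which is the state the bug report describes.
SAMPLE_RULES='-N IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# On a live master, replace "$SAMPLE_RULES" with "$(iptables -S IN_public_allow)".
missing_ports "$SAMPLE_RULES"
firewall_cmds "$SAMPLE_RULES"
```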


4 replies

  • weixin_39922642, 4 months ago

    I think that you either need to add this rule yourself, or you need to enable the bypassing of iptables by bridges via sysctl net.bridge.bridge-nf-call-iptables=1

  • weixin_39949776, 4 months ago

    /assign

  • weixin_39940253, 4 months ago

    Did you ensure SELinux is disabled and that

    cat <<EOF > /etc/sysctl.d/k8s.conf
    net.bridge.bridge-nf-call-ip6tables = 1
    net.bridge.bridge-nf-call-iptables = 1
    EOF
    sysctl --system

    this instruction was followed?

  • weixin_39949776, 4 months ago

    Closing due to timeout, please reopen with more data if you are still having an issue.
