« Back to projectatomic.io
Ask Your Question

NodePort fails on Fedora 26 Atomic

asked 2017-08-22 23:24:00 +0000

Daryll gravatar image

I created a Kubernetes cluster on a Fedora 26 box with Fedora 26 Atomic images. I created a master and 4 minions following the getting started guide and then brought up a deployed of the hello-node pod. The deployment worked fine, and if I created a shell on the pods, I could reach the services by the pod IP or the cluster IP as expected.

Then I tried to bring up a NodePort service, and ran into problems. The service was created and showed up when I kubectl get svc. The problem is doing a curl to the <nodeip>:<port> that was assigned to the service times out. If I log on to the minion nodes and look at the NAT iptables, it appears that the handling for the NodePort is in there.

After a lot of digging, it turns out that docker 1.13 changed the default policy for the FORWARD table from ACCEPT to DENY. That means no traffic is routed from the minion node to the cluster. Changing that policy by doing

iptables --policy FORWARD ACCEPT

on all the nodes makes the NodePort work as expected, but that doesn't seem to be adhering to the concept of minimized privileges.

It seems that Fedora 26 Atomic should address this or roll back to docker 1.12.X.

edit retag flag offensive close merge delete


Is there a better place to post this? I believe it's a real bug/issue and it's getting virtually no views here.

Daryll ( 2017-08-24 13:32:40 +0000 )edit

2 answers

Sort by ยป oldest newest most voted

answered 2017-10-19 09:40:23 +0000

From the bastion host used by the installer:

[root@domain openshift-ansible]# ansible --version ansible config file = /root/openshift-ansible/ansible.cfg configured module search path = Default w/o overrides python version = 2.7.13 (default, Jun 26 2017, 10:20:05) [GCC 7.1.1 20170622 (Red Hat 7.1.1-3)]

[root@domain openshift-ansible]# git describe openshift-ansible-3.6.153-1-66-g2a706ad8

[root@domain openshift-ansible]# git branch * master

[root@domain openshift-ansible]# cat /etc/redhat-release Fedora release 26 (Twenty Six) see more: happy wheels full game. This is full version of the game

edit flag offensive delete link more

answered 2017-08-25 09:57:42 +0000

If you are really the online games lover then visit myminesweeper.com here to play minesweeper game online on homepage this game is most challenging game her you have to detonate the hidden mines.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]

Question Tools

1 follower


Asked: 2017-08-22 23:24:00 +0000

Seen: 32 times

Last updated: Oct 19 '17