flannel: IPTables rules missing from Flannel/CNI on Kubernetes installation
The following iptables rules are missing, so routing between containers on different nodes does not work properly. I can ping between hosts, but not between containers running on those hosts.
sudo /sbin/iptables -I FORWARD 1 -i cni0 -j ACCEPT -m comment --comment "flannel subnet"
sudo /sbin/iptables -I FORWARD 1 -o cni0 -j ACCEPT -m comment --comment "flannel subnet"
sudo /sbin/iptables -t nat -A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE
Expected Behavior
I expect to be able to connect, by default and without special modifications to iptables, to containers running on other flannel nodes (i.e. kube master/api-server and kube-worker).
Current Behavior
IP connectivity between containers running on flannel nodes is broken.
Possible Solution
Add the iptables rules above.
Steps to Reproduce (for bugs)
Install k8s cluster v1.6 using kubeadm with CNI and flannel plugin.
Context
Your Environment
- Flannel version: v0.7.1-amd64
- Backend used (e.g. vxlan or udp): vxlan
- Etcd version: 3.1
- Kubernetes version (if used): 1.6 via kubeadm and CNI/Flannel plugins
- Operating System and version: centos7
- Link to your project (optional):
About this issue
- State: closed
- Created 7 years ago
- Reactions: 5
- Comments: 19 (2 by maintainers)
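Before touching the firewall on a node, a practitioner wants to know which of the three conditions in this report is actually broken: IP forwarding in the kernel (the sysctl fix posted later in the thread), an explicit ACCEPT for packets crossing the CNI bridge (which a FORWARD policy of DROP, as set by Docker >= 1.13, otherwise eats), and the pod-CIDR MASQUERADE. The script below is an added example, not code from the flannel project or from anyone in this thread. It assumes the bridge is named cni0 and the pod network is 10.244.0.0/16 as in the report (both overridable), and it deliberately recommends the two interface-scoped ACCEPT rules rather than `iptables -P FORWARD ACCEPT`: the policy change also re-opens forwarding for every other interface on the host, including the docker0 isolation Docker put in place, whereas the scoped rules admit only traffic entering or leaving the CNI bridge (the point made later in the thread about the two rules being the more precise fix).

```shell
#!/bin/sh
# flannel_fwd_check.sh - work out why pod-to-pod traffic between flannel nodes
# is dropped on the host and print the narrowest iptables fix.
#
# Added example; not code from the flannel project or from this issue's
# reporter. Assumes the CNI bridge is cni0 and the pod network is
# 10.244.0.0/16 (the values in the issue); override with CNI_IF / POD_CIDR.

CNI_IF="${CNI_IF:-cni0}"
POD_CIDR="${POD_CIDR:-10.244.0.0/16}"

# diagnose <ip_forward> <forward_rules> <nat_postrouting_rules>
#   ip_forward             contents of /proc/sys/net/ipv4/ip_forward
#   forward_rules          output of `iptables -S FORWARD`
#   nat_postrouting_rules  output of `iptables -t nat -S POSTROUTING`
# Prints "FINDING ..." lines, each followed by a "FIX <command>" line.
# Always returns 0 so it can be used under `set -e`.
diagnose() {
    ip_forward=$1
    fwd=$2
    nat=$3

    if [ "$ip_forward" != "1" ]; then
        echo "FINDING net.ipv4.ip_forward=$ip_forward: the kernel will not route between $CNI_IF and the flannel interface"
        echo "FIX sysctl -w net.ipv4.ip_forward=1"
    fi

    # Docker >= 1.13 sets the filter FORWARD policy to DROP. That only breaks
    # pod traffic when nothing explicitly accepts packets crossing the CNI
    # bridge, so check for the two scoped rules rather than the policy alone.
    # `iptables -S` prints matches before the target, e.g.
    #   -A FORWARD -i cni0 -m comment --comment "flannel subnet" -j ACCEPT
    policy=$(printf '%s\n' "$fwd" | sed -n 's/^-P FORWARD //p')
    if [ "$policy" != "ACCEPT" ]; then
        if ! printf '%s\n' "$fwd" | grep -q "^-A FORWARD -i $CNI_IF .*-j ACCEPT"; then
            echo "FINDING FORWARD policy is $policy and nothing accepts packets entering from $CNI_IF"
            echo "FIX iptables -I FORWARD 1 -i $CNI_IF -j ACCEPT -m comment --comment 'flannel subnet'"
        fi
        if ! printf '%s\n' "$fwd" | grep -q "^-A FORWARD -o $CNI_IF .*-j ACCEPT"; then
            echo "FINDING FORWARD policy is $policy and nothing accepts packets leaving to $CNI_IF"
            echo "FIX iptables -I FORWARD 1 -o $CNI_IF -j ACCEPT -m comment --comment 'flannel subnet'"
        fi
    fi

    # Without this, pods can still talk to each other, but traffic to anything
    # outside the pod CIDR leaves with a pod source IP that nobody can route back.
    masq="-A POSTROUTING -s $POD_CIDR ! -d $POD_CIDR -j MASQUERADE"
    if ! printf '%s\n' "$nat" | grep -qF -e "$masq"; then
        echo "FINDING no MASQUERADE for $POD_CIDR: pods cannot reach destinations outside the pod network"
        echo "FIX iptables -t nat -A POSTROUTING -s $POD_CIDR ! -d $POD_CIDR -j MASQUERADE"
    fi
    return 0
}

# Number of FINDING lines in a diagnose() report (0 means the node is healthy).
count_findings() { printf '%s\n' "$1" | grep -c '^FINDING' || true; }

# Just the commands, in the order to run them.
fix_commands() { printf '%s\n' "$1" | sed -n 's/^FIX //p'; }

# Constructed sample of a Docker >= 1.13 host where nothing has been done for
# flannel yet: FORWARD policy DROP, only docker0 rules, no pod-CIDR masquerade.
SAMPLE_FWD='-P FORWARD DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'
SAMPLE_NAT='-P POSTROUTING ACCEPT
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE'

# The same host after the three rules from the issue have been applied. The
# two `-I FORWARD 1` inserts leave the -o rule first and the -i rule second.
FIXED_FWD="-P FORWARD DROP
-A FORWARD -o $CNI_IF -m comment --comment \"flannel subnet\" -j ACCEPT
-A FORWARD -i $CNI_IF -m comment --comment \"flannel subnet\" -j ACCEPT
$(printf '%s\n' "$SAMPLE_FWD" | sed 1d)"
FIXED_NAT="$SAMPLE_NAT
-A POSTROUTING -s $POD_CIDR ! -d $POD_CIDR -j MASQUERADE"

if [ "${LIVE:-0}" = 1 ]; then
    # Real node: reading the tables needs root.
    diagnose "$(cat /proc/sys/net/ipv4/ip_forward)" \
             "$(iptables -S FORWARD)" \
             "$(iptables -t nat -S POSTROUTING)"
else
    diagnose 0 "$SAMPLE_FWD" "$SAMPLE_NAT"
fi
```

Run it as root with LIVE=1 to read the real tables; without that it diagnoses the constructed sample and prints all four findings. The FIX lines come out in the order to apply them. In a boot-time script, guard each one with `iptables -C` (same table, chain and arguments; exits non-zero when the rule is absent) before the `-I`/`-A`, so re-running it does not stack duplicate rules.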
Commits related to this issue
- fix: docker.service file + some work on flannel integration, not completed yet. See also https://github.com/coreos/flannel/issues/799 for an issue why iptables rules need to be changed. — committed to rhuss/ansible-kubernetes-openshift-pi3 by rhuss 7 years ago
- network/iptables: Add iptables rules to FORWARD chain To work around the Docker change from v1.13 which changed the default FORWARD policy to DROP. The change has bitten many many users. The troubl... — committed to tomdee/flannel by tomdee 7 years ago
- network/iptables: Add iptables rules to FORWARD chain To work around the Docker change from v1.13 which changed the default FORWARD policy to DROP. The change has bitten many many users. The troubl... — committed to willgorman/flannel by tomdee 7 years ago
I have the same issue. But I think it's not a bug of FLANNEL. My env:
It seems Docker version >= 1.13 adds an iptables rule like the one below, and that makes this issue happen:
All you need to do is add the rule below:
I fixed it permanently by doing this: edit /etc/sysctl.conf, add the line net.ipv4.ip_forward=1, reboot.
I think this issue needs to be re-opened. With [0], I still need to apply iptables -P FORWARD ACCEPT
[0] quay.io/coreos/flannel:v0.10.0-amd64
cc @tomdee
@tomdee Do you know which version flannel has the fix? We are seeing it with 0.10.0.
[bbalasubram@cirrus-vm1 Demo]$ docker version
Client:
 Version:      17.12.1-ce
 API version:  1.35
 Go version:   go1.9.4
 Git commit:   7390fc6
 Built:        Tue Feb 27 22:15:20 2018
 OS/Arch:      linux/amd64

Server:
 Engine:
  Version:      17.12.1-ce
  API version:  1.35 (minimum version 1.12)
  Go version:   go1.9.4
  Git commit:   7390fc6
  Built:        Tue Feb 27 22:17:54 2018
  OS/Arch:      linux/amd64
  Experimental: false
[bbalasubram@cirrus-vm1 Demo]$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.4", GitCommit:"bee2d1505c4fe820744d26d41ecd3fdd4a3d6546", GitTreeState:"clean", BuildDate:"2018-03-12T16:29:47Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.4", GitCommit:"bee2d1505c4fe820744d26d41ecd3fdd4a3d6546", GitTreeState:"clean", BuildDate:"2018-03-12T16:21:35Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
[bbalasubram@cirrus-vm1 Demo]$
I can confirm this issue with flannel 0.9.0 (both vxlan & host-gw), k8s 1.8.2, docker 17.05. Applying the iptables rules solves the problem.
I'm using Docker 1.12, so I think the behavior must start in an earlier version. Also, I don't think it's an acceptable solution to change the default behavior of an iptables chain. My two rules are a more precise fix.
Modifying /etc/sysctl.conf did the trick, thanks.
I see it with 0.10.0 too. And it doesn't work after I apply those iptables rules.