k3s: Installation hangs forever when firewall (ufw) is active

Version: k3s version v1.17.0+k3s.1 (0f644650) on Ubuntu 19.10

Describe the bug

I had to disable ufw otherwise the installation of k3s would just hang there forever.

To Reproduce

sudo ufw status

Status: active
To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere                  
22/tcp                     ALLOW       Anywhere              
22/tcp (v6)                ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)       

Expected behavior

curl -sfL https://get.k3s.io | sh - runs as expected

Actual behavior

installation gets stuck

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 15 (9 by maintainers)

Most upvoted comments

Yeah, sounds like the UFW rules are higher up in the table than the kube-proxy rules, so it’s blocking traffic to cluster services. I’m not sure if we specifically support UFW at the moment, but it probably wouldn’t hurt to mention in the doc somewhere.

And it works! Thank you @brandond. Looks like that was the key rule:

$ sudo ufw allow from 10.42.0.0/16 to any && sudo ufw allow from 10.43.0.0/16 to any
$ sudo ufw status
Status: active

...
Anywhere                   ALLOW       10.42.0.0/16              
Anywhere                   ALLOW       10.43.0.0/16   
...

Yes, even on a single node installation you will still need to be able to connect locally to that port. How else are you going to access the kubernetes api endpoint with kubectl? This isn’t like dockerd where you can disable the network and talk to it via a unix socket.

Maybe try something like: ufw allow from <node-ip> to any port 6443

Needs to be open to the local node and any other nodes, not the world.

Fix: sudo ufw allow 6443 && sudo ufw reload
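
An added example, not part of the thread or of k3s: a Python check that parses `ufw status` output and reports whether the 10.42.0.0/16 and 10.43.0.0/16 allow rules from the comments above are present, and whether port 6443 is scoped to specific sources or open to any source. The sample status text and the node IP 192.0.2.10 are constructed placeholders.

```python
import ipaddress
import re

# CIDRs and API port as they appear in the thread's ufw commands.
REQUIRED_SOURCES = ("10.42.0.0/16", "10.43.0.0/16")
API_PORT = "6443"
# One rule row of `ufw status`: To, Action, From separated by runs of spaces.
ROW = re.compile(r"^(.+?)\s{2,}(ALLOW|DENY|REJECT|LIMIT)(?: IN| OUT)?\s+(.+)$")

def parse_rules(status_text):
    """Return (to, action, source) tuples from `ufw status` output."""
    rows = (ROW.match(line.strip()) for line in status_text.splitlines())
    return [tuple(g.strip() for g in m.groups()) for m in rows if m]

def _ipv4_net(source):
    """Map a From column to an IPv4 network, or None (IPv6 / app names)."""
    if source == "Anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None

def audit(status_text):
    """Report missing pod/service CIDR rules and exposure of the API port."""
    allows = [r for r in parse_rules(status_text) if r[1] == "ALLOW"]
    any_dest = [_ipv4_net(src) for to, _, src in allows if to == "Anywhere"]
    covered = lambda c: any(n is not None and ipaddress.ip_network(c).subnet_of(n)
                            for n in any_dest)
    missing = [c for c in REQUIRED_SOURCES if not covered(c)]
    api_from = [src for to, _, src in allows
                if to.split()[0].split("/")[0] == API_PORT]
    if not api_from:
        api = "no rule"
    elif any(s.startswith("Anywhere") for s in api_from):
        api = "open to any source"
    else:
        api = "scoped to: " + ", ".join(api_from)
    return {"missing_cidrs": missing, "api_port": api}

# Constructed sample: the thread's CIDR rules plus a node-scoped 6443 rule.
# 192.0.2.10 is a placeholder node IP, not a value from the thread.
SAMPLE = """Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       10.42.0.0/16
Anywhere                   ALLOW       10.43.0.0/16
6443                       ALLOW       192.0.2.10
"""
```

Calling `audit()` on the text of `sudo ufw status` from a node returns a dict with `missing_cidrs` and `api_port`.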