Search code examples
kubernetesflannel

How can I use Flannel without disabing firewalld (Kubernetes)


I'm new to flannel and K8s. I'm playing around them on my 1 master and 2 nodes cluster (created from KVM).

I initialized my cluster with flannel network addon. And then I found I can't reach the Internal. It turned out that there may be something wrong with my network or DNS process.

Following https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/, I add 8285 and 8472 to firewalld

[root@k8smaster ~]# firewall-cmd --list-port
6443/tcp 80/tcp 8285/udp 8472/udp 8472/tcp 8285/tcp

And I got

[root@k8smaster ~]# kubectl exec -ti dnsutils -- nslookup kubernetes.default
;; connection timed out; no servers could be reached

command terminated with exit code 1

However, if I stop the firewalld, everything is just fine.

[root@k8smaster ~]# kubectl exec -ti dnsutils -- nslookup kubernetes.default
Server:     10.96.0.10
Address:    10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

So my question is, are there any ports I should add into firewalld? Let me know if any info. I should add here. Thank you.


Solution

  • The rules you are applying referred only for Flannel communication, you need to allow all Kubernetes ports to make it work.

    In resume, you need to apply rules for these ports:

    Control-plane node(s)
    Protocol        Direction       Port Range      Purpose Used By
    TCP     Inbound 6443*   Kubernetes API server   All
    TCP     Inbound 2379-2380       etcd server client API  kube-apiserver, etcd
    TCP     Inbound 10250   Kubelet API     Self, Control plane
    TCP     Inbound 10251   kube-scheduler  Self
    TCP     Inbound 10252   kube-controller-manager Self
    
    Worker node(s)
    Protocol        Direction       Port Range      Purpose Used By
    TCP     Inbound 10250   Kubelet API     Self, Control plane
    TCP     Inbound 30000-32767     NodePort Services†      All
    † Default port range for NodePort Services.
    ~                                          
    

    Here you could see all necessary ports for Control-plane and Worker nodes.

    And then after this rules applied you need to apply more other 2 rules to allow flannel network as mentioned here.

    Make sure that your firewall rules allow UDP ports 8285 and 8472 traffic for all hosts participating in the overlay network. The Firewall section of Flannel’s troubleshooting guide explains about this in more detail.