[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [atomic-devel] Atomic ISO has bad default IPtables

On Wed, Jun 22, 2016 at 7:44 PM, Jonathan Lebon <jlebon redhat com> wrote:
> ----- Original Message -----
>> Folks,
>> Bringing this to atomic-devel because I'm not sure that it isn't an
>> issue with centos Atomic ISOs as well.  Also, I'm not quite sure where
>> the rule is coming from.
> They come from the iptables package itself:
> http://pkgs.fedoraproject.org/cgit/rpms/iptables.git/tree/sysconfig_iptables
>> Where's the best place to fix this?
> This normally shouldn't be an issue since e.g. the
> k8/contrib ansible playbooks insert rules at the top. That
> said, if you're encountering issues, it might mean that
> we're missing a few rules. I would file an issue there with
> more details probably.

A similar issue was reported (and fixed?) in openshift:

I've had a tough time figuring out how to open the firewall to
NodePorts -- I end up removing those default reject rules as a

For instance, I bring up a two node, one master cluster w/ atomic
fedora or centos, using the kube/contrib ansible, and then I run the
projectatomic/guestbookgo-atomicapp, locate automatically-assigned
NodePort for the guestbook (kubectl describe service guestbook | grep
NodePort), and try to access the app from the node IP at the NodePort.
By default, this will fail, unless I remove the reject rules and
restart iptables.

I can go file an issue in k8s/contrib, but is this a bug, or am I not
understanding how this is supposed to work?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]