Re: [atomic-devel] Atomic ISO has bad default IPtables
- From: Jason Brooks <jbrooks redhat com>
- To: Jonathan Lebon <jlebon redhat com>
- Cc: atomic-devel projectatomic io
- Subject: Re: [atomic-devel] Atomic ISO has bad default IPtables
- Date: Mon, 27 Jun 2016 17:58:15 -0700
On Wed, Jun 22, 2016 at 7:44 PM, Jonathan Lebon <jlebon redhat com> wrote:
> ----- Original Message -----
>> Folks,
>>
>> Bringing this to atomic-devel because I'm not sure that it isn't an
>> issue with centos Atomic ISOs as well. Also, I'm not quite sure where
>> the rule is coming from.
>
> They come from the iptables package itself:
>
> http://pkgs.fedoraproject.org/cgit/rpms/iptables.git/tree/sysconfig_iptables
>
>> Where's the best place to fix this?
>
> This normally shouldn't be an issue since e.g. the
> k8/contrib ansible playbooks insert rules at the top. That
> said, if you're encountering issues, it might mean that
> we're missing a few rules. I would file an issue there with
> more details probably.
>

A similar issue was reported (and fixed?) in openshift:

https://bugzilla.redhat.com/show_bug.cgi?id=1280279

I've had a tough time figuring out how to open the firewall to
NodePorts -- I end up removing those default reject rules as a
workaround.

For instance, I bring up a two node, one master cluster w/ atomic
fedora or centos, using the kube/contrib ansible, and then I run the
projectatomic/guestbookgo-atomicapp, locate the automatically-assigned
NodePort for the guestbook (kubectl describe service guestbook | grep
NodePort), and try to access the app from the node IP at the NodePort.
By default, this will fail, unless I remove the reject rules and
restart iptables.

I can go file an issue in k8s/contrib, but is this a bug, or am I not
understanding how this is supposed to work?

Jason
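
An added example, not part of the original thread: a small first-match evaluator for an iptables-save style ruleset, showing why a NodePort is rejected when a catch-all REJECT ends the chain and how an ACCEPT placed above that rule changes the verdict while the REJECT stays in place. The ruleset is a constructed sample, the function names are hypothetical, and the model covers only `-p`, `-i`, `--state` and `--dport` on rules without negation or quoted arguments.

```python
# Constructed sample in iptables-save format (not copied from the thread):
# SSH is allowed, then a catch-all REJECT ends the INPUT and FORWARD chains.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def matches(opts, port, iface):
    """True if a NEW TCP packet to `port` arriving on `iface` matches the rule."""
    if opts.get("-p", "tcp") not in ("tcp", "all"):
        return False
    if "-i" in opts and opts["-i"] != iface:
        return False
    if "--state" in opts and "NEW" not in opts["--state"].split(","):
        return False
    # --dport is a single port or a lo:hi range; no --dport means any port
    lo, _, hi = opts.get("--dport", "0:65535").partition(":")
    return int(lo) <= port <= int(hi or lo)


def verdict(text, chain, port, iface="eth0"):
    """Target of the first matching rule in `chain`, else the chain policy."""
    policy = "ACCEPT"
    for line in text.splitlines():
        tok = line.split()
        if line.startswith(f":{chain} "):
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            opts = dict(zip(tok[2::2], tok[3::2]))  # each option takes one argument
            if matches(opts, port, iface):
                return opts["-j"]
    return policy


def insert_above_reject(text, chain, rule):
    """Return the ruleset with `rule` placed directly above the chain's first REJECT."""
    lines = text.splitlines()
    idx = next(i for i, l in enumerate(lines)
               if l.startswith(f"-A {chain} ") and "-j REJECT" in l)
    return "\n".join(lines[:idx] + [rule] + lines[idx:]) + "\n"
```

Evaluating port 30080 against `SAMPLE_RULES` returns `REJECT`; after `insert_above_reject` adds an ACCEPT for `--dport 30000:32767` (the Kubernetes default NodePort range) it returns `ACCEPT`, whereas the same rule appended after the REJECT never matches.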