check iptables rules for a DROP during installation
Summary
If restrictive iptables rules already exist, MicroK8s might fail to start.
I am using an Ubuntu VM prepared by someone else. After debugging for some time, I have realized that coredns and calico were failing to start because they were failing to reach the Kubernetes API due to the rules in iptables. For example, the FORWARD chain had a DROP rule, and the generated rules for MicroK8s were right after the DROP.
Why is this important?
For newcomers it might be difficult to realize why coredns and calico are not starting up. Other tools such as juju also fail at the bootstrap step with no apparent reason.
Are you interested in contributing to this feature?
Yes
An example is the following list of rules: (I was using the unofficial Ubuntu template in Qubes OS)
:FORWARD DROP [0:0]
...
-A FORWARD -j DROP
-A FORWARD -s 10.1.0.0/16 -m comment --comment "generated for MicroK8s pods" -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -m comment --comment "generated for MicroK8s pods" -j ACCEPT
In this case the installer can check if a DROP exists in the FORWARD chain and let the user know, so that the further steps can succeed.
In my situation, INPUT and FORWARD chains had default DROP policy as well. The DROP policy in the INPUT chain prevented connectivity. I think it might be good to detect and avoid these.
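The check suggested in this report, written out as an added example that is not MicroK8s project code: it reads an iptables-save dump from stdin (here a constructed sample modelled on the rules quoted above) and reports a DROP default policy on the chain, as well as an unconditional "-j DROP" rule that would sit in front of any MicroK8s ACCEPT rules appended later. The function names and the sample dump are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not MicroK8s project code. Inspects an iptables-save dump
# read from stdin for two conditions that stop MicroK8s pods from reaching
# the API server: a DROP default policy on a chain, and an unconditional
# "-j DROP" rule that precedes (shadows) the MicroK8s ACCEPT rules.

# Constructed sample dump, modelled on the rules quoted in the report.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -s 10.1.0.0/16 -m comment --comment "generated for MicroK8s pods" -j ACCEPT
-A FORWARD -d 10.1.0.0/16 -m comment --comment "generated for MicroK8s pods" -j ACCEPT
COMMIT'

# chain_policy CHAIN: print the default policy of CHAIN (ACCEPT, DROP, ...).
chain_policy() {
    awk -v chain=":$1" '$1 == chain { print $2; exit }'
}

# unconditional_drop_position CHAIN: 1-based position of the first rule in
# CHAIN that is exactly "-A CHAIN -j DROP" (no match options, so it matches
# every packet), or nothing if there is none.
unconditional_drop_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (NF == 4 && $3 == "-j" && $4 == "DROP") { print n; exit }
        }'
}

# first_microk8s_rule_position CHAIN: position of the first rule carrying the
# "generated for MicroK8s" comment, or nothing if MicroK8s has added none yet.
first_microk8s_rule_position() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (index($0, "generated for MicroK8s")) { print n; exit }
        }'
}

# check_chain CHAIN: read a dump on stdin, print a warning per problem found,
# return 1 if any problem was found and 0 otherwise.
check_chain() {
    chain=$1
    dump=$(cat)
    status=0
    policy=$(printf '%s\n' "$dump" | chain_policy "$chain")
    if [ "$policy" = "DROP" ]; then
        echo "WARN: $chain default policy is DROP; traffic matching no rule is dropped"
        status=1
    fi
    drop=$(printf '%s\n' "$dump" | unconditional_drop_position "$chain")
    if [ -n "$drop" ]; then
        mk=$(printf '%s\n' "$dump" | first_microk8s_rule_position "$chain")
        if [ -z "$mk" ]; then
            echo "WARN: $chain rule $drop drops everything; rules appended after it never match"
        elif [ "$drop" -lt "$mk" ]; then
            echo "WARN: $chain rule $drop (DROP) shadows the MicroK8s ACCEPT rules from rule $mk on"
        fi
        status=1
    fi
    return $status
}

# Run against the sample. On a real host: sudo iptables-save | check_chain FORWARD
if printf '%s\n' "$SAMPLE_DUMP" | check_chain FORWARD; then
    echo "OK: FORWARD chain has no DROP that would block MicroK8s pod traffic"
fi
```

Run against the sample, the script warns about both the DROP policy and the shadowing rule 1; run against `iptables-save` output on a fresh host before installation, the second branch (no MicroK8s rules yet) is the one that tells a newcomer their appended ACCEPT rules will never be reached.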
Hi @mcku thank you for reporting this. We try to address similar problems when we start the k8s services, see [1]. This is where we could add the extra rules you suggest.
[1] https://github.com/canonical/microk8s/blob/master/microk8s-resources/wrappers/run-kubelite-with-args#L92