Open Wallenstein61 opened 4 years ago
I have got a step further. It seems to be a problem with the ufw firewall that comes with Debian.
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Nevertheless it blocks port 443 of Traefik. If I disable ufw, access works.
I'm not a Kubernetes expert, however what puzzles me is that
ss -ln | grep 443
does not show any process listening on 443.
Seems that I have to dig deeper if I do not sacrifice my firewall :-(
Wallenstein
Finally I managed it :-)
ufw sets routing to deny by default. Of course I could open all routing; however, I only wanted routing on ports 80 and 443. Therefore I had to add special routing rules:
(assuming eth0 is the external interface, and cni0 the internal interface to the Kubernetes cluster)
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 80
# Allow in on port 80
sudo ufw route allow in on eth0 out on cni0 to 10.42.0.0/12 port 443
# Allow in on port 443
sudo ufw route allow in on cni0 out on eth0
# Allow all out from cni0 to eth0
sudo ufw route allow in on cni0 out on cni0
# Allow internal traffic from cni0 to cni0
$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere on eth0 ALLOW FWD Anywhere on cni0
10.32.0.0/12 443 on cni0 ALLOW FWD Anywhere on eth0
Anywhere on cni0 ALLOW FWD Anywhere on cni0
10.32.0.0/12 80 on cni0 ALLOW FWD Anywhere on eth0
Anywhere (v6) on eth0 ALLOW FWD Anywhere (v6) on cni0
Anywhere (v6) on cni0 ALLOW FWD Anywhere (v6) on cni0
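As an added check (this is not code from the thread or from the project), here is a small shell audit that parses a `ufw status verbose` dump like the one above and verifies the routed-traffic posture the thread arrives at: the routed default is still deny, inbound forwards from eth0 into cni0 exist only for the intended ports, and no blanket eth0-to-cni0 forward rule is present. The interface names eth0/cni0 and the pod CIDR are taken from the thread; the status text embedded in the script is a constructed sample modelled on the output shown above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit a `ufw status verbose` dump
# for the routed-traffic posture described in the thread. Interface names
# eth0/cni0 and the 10.32.0.0/12 CIDR are the ones the thread uses.

# Constructed sample, modelled on the thread's `ufw status verbose` output.
UFW_SAMPLE='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
Anywhere on eth0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 443 on cni0   ALLOW FWD   Anywhere on eth0
Anywhere on cni0           ALLOW FWD   Anywhere on cni0
10.32.0.0/12 80 on cni0    ALLOW FWD   Anywhere on eth0'

# Second constructed sample: the "open all routing" alternative the thread rejects.
UFW_SAMPLE_OPEN='Default: deny (incoming), allow (outgoing), allow (routed)
Anywhere on cni0           ALLOW FWD   Anywhere on eth0'

# Succeeds (exit 0) when the "Default:" line says routed traffic is denied.
routed_default_is_deny() {
    printf '%s\n' "$1" | grep -qE '^Default:.*deny \(routed\)'
}

# Prints the number of FWD rules whose destination is "<cidr> <port> on cni0"
# and whose source is "Anywhere on eth0", i.e. inbound forwards on that port.
# The port is the second whitespace-separated field of such a rule line.
count_ingress_fwd() {
    printf '%s\n' "$1" \
        | grep -E 'on cni0 +ALLOW FWD +Anywhere on eth0$' \
        | awk -v port="$2" '$2 == port' \
        | wc -l | tr -d ' '
}

# Succeeds (exit 0) when a rule forwards everything from eth0 into cni0,
# which would bypass the per-port allow-list the thread settles on.
has_blanket_ingress_fwd() {
    printf '%s\n' "$1" | grep -qE '^Anywhere on cni0 +ALLOW FWD +Anywhere on eth0$'
}

# Summarise one status dump in human-readable form.
audit_ufw_routing() {
    if routed_default_is_deny "$1"; then
        echo "routed default: deny (expected)"
    else
        echo "routed default is NOT deny: forwarded traffic is not filtered"
    fi
    for p in 80 443; do
        echo "inbound forward rules eth0 -> cni0 on port $p: $(count_ingress_fwd "$1" "$p")"
    done
    if has_blanket_ingress_fwd "$1"; then
        echo "WARNING: blanket eth0 -> cni0 forward rule present"
    fi
}

# Stand-alone run over both constructed samples.
echo "== per-port rules =="
audit_ufw_routing "$UFW_SAMPLE"
echo "== open routing =="
audit_ufw_routing "$UFW_SAMPLE_OPEN"
```

On a live host, replace the embedded sample with `sudo ufw status verbose` output, e.g. `audit_ufw_routing "$(sudo ufw status verbose)"`. The check only reads the rule table; it never changes firewall state.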
I got stuck immediately after
helm install setup team-setup --values values-setup.yaml
The page https://www.... is not reachable (neither on the server nor from outside).
I have proceeded according to "Getting started":
sudo install.sh Kubernetes
and Helm installed, and adapted values-setup.yaml:
acme:
  mail: me@my.domain
  production: true
app:
  name: www
  domain: <my domain>
kubectl get pods
shows
kubectl exec landingpage-7c55f75fcf-9qgtc -- curl http://localhost
returns the nginx landing page.
curl http://localhost
or
curl https://localhost
returns
curl: (7) Failed to connect to localhost port 80/443: Die Wartezeit für die Verbindung ist abgelaufen
curl --insecure https://www...
on the host returns the error
Gateway Timeout
Any idea what went wrong?
Wallenstein