The firewall affects pods from accessing other node services

[hardship1]

Steps to Reproduce (for bugs)

1.turned off the firewall. 2.then deployed kubernetes and flannel. 3.start the firewall and then turn it off. 4.Pods cannot access other nodes' networks

Expected Behavior

Pods can access pods of other nodes，When the firewall changes

Current Behavior

Pods cannot access other nodes' networks， When the firewall changes

I'm guessing that iptables changed after the firewall was turned off, but flannel didn't refresh the iptables rule flannel version is 0.13.1-rc2

[thomasferrandiz]

Did you configure the firewall properly to work with flannel? https://github.com/flannel-io/flannel/blob/223db64f91e04731a93203542babc6b3243ddc08/Documentation/troubleshooting.md?plain=1#L62

[hardship1]

I turned off the firewall and just started flannel working normally. Then after the firewall is started and shut down again, the pod will not be able to access other nodes, and when the pod is restarted, it will be able to access other nodes, and Flannel will not check the iptables rules by itself? Instead of deleting a pod, create a pod rule.

[hardship1]

A change in the firewall state causes the iptables rule to change, but Flannel doesn't do anything about it

[thomasferrandiz]

flannel only creates or deletes iptables rules on specific events like the creation/deletion of a pod or when a node is added to the cluster. Otherwise we assume that the firewall is already configured as required in the documentation when flannel starts and that nothing is modified afterwards. If you modify the firewall or run another program that interferes with flannel's iptables rules then your cluster can end up in a broken state.

[hardship1]

Thanks, if I want to rewrite the iptables rule when I restart the firewall, any suggestions? or does flannel provide a refresh interface?

[thomasferrandiz]

the only solution I see is that you add your own rules in way that does not interfere with flannel's. There is no way to tell flannel to refresh the rules apart from restarting it.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.