In Fedora 26 Atomic, Docker 1.13 prevents Kubernetes Services from opening NodePort

[daryllstrauss]

Docker 1.13 changed the default FORWARD policy from ACCEPT to DENY that prevents services of type NodePort from working.

Workaround is appears to be:
/sbin/iptables -I FORWARD 1 -o docker0 -j ACCEPT -m comment --comment "docker subnet"
on all the nodes in the cluster.

If you follow the Getting Started guide on the Project Atomic website and do the steps manually (ansible include the fix) you'll get a configuration where NodePort doesn't work. That leads to hair pulling and substantial frustration.

The Getting Started docs should be updated to explain this step until a more proper fix is deployed.

[jberkus]

Seems like we need to doc this more places than just the Getting Started guide.

[daryllstrauss]

Actually it looks like that rule only allows NodePort to work on the host running the pod. Since NodePort should forward from any minion node I ended up with:

iptables -I FORWARD 1 -i flannel.1 -j ACCEPT -m comment --comment "flannel subnet"
iptables -I FORWARD 1 -o flannel.1 -j ACCEPT -m comment --comment "flannel subnet"

That allows the forwarding to work between minion nodes. I think that's reasonably restricted, but someone more familiar with the networking should confirm that's a good answer.

[jberkus]

@jasonbrooks ?

[jasonbrooks]

@jlebon what do you think?

[jlebon]

Right, those are the same rules as in kubernetes-retired/contrib#1612. Probably we should just point users to https://github.com/kubernetes/contrib from the get-go?

[jasonbrooks]

I'm in favor of that. Some people resist ansible, I think they think it's going to be a big investment in learning about a new configuration management system. Others want a manual approach to sort of get their hands dirty, learn the details, etc.