3.2.7 Firewall and iptables Requirements

Kubernetes uses iptables to handle many networking and port forwarding rules. Therefore, you must ensure that you do not have any rules set that may interfere with the functioning of Kubernetes. The kubeadm-ha-setup tool requires an iptables rule to accept forwarding traffic. If this rule is not set, the tool exits and notifies you that you may need to add this iptables rule. A standard Docker installation may create a firewall rule that prevents forwarding, therefore you may need to run:

# iptables -P FORWARD ACCEPT

The kubeadm-ha-setup tool checks the existing iptables rules and, where an existing rule conflicts with its requirements, provides instructions on how to modify your iptables configuration. See Section 4.1, “Kubernetes and iptables Rules” for more information.

If you have a requirement to run a firewall directly on the systems where Kubernetes is deployed, you must ensure that all ports required by Kubernetes are available. For instance, the TCP port 6443 must be accessible on the master node to allow other nodes to access the API Server. All nodes must be able to accept connections from the master node on the TCP ports 10250-10252 and 10255, and traffic should be allowed on the UDP port 8472. All nodes must be able to receive traffic from all other nodes on every port on the network fabric that is used for the Kubernetes pods. The firewall must support masquerading.

Oracle Linux 7 installs and enables firewalld by default. If you are running firewalld, the kubeadm-ha-setup tool notifies you of any rules that you may need to add. In summary, run the following commands on all nodes:

# firewall-cmd --add-masquerade --permanent
# firewall-cmd --add-port=2379-2380/tcp --permanent
# firewall-cmd --add-port=10250/tcp --permanent
# firewall-cmd --add-port=10251/tcp --permanent
# firewall-cmd --add-port=10252/tcp --permanent
# firewall-cmd --add-port=10255/tcp --permanent
# firewall-cmd --add-port=8472/udp --permanent

Additionally, run the following command on each node in the master cluster to enable API access:

# firewall-cmd --add-port=6443/tcp --permanent

The --permanent option ensures these firewall rules persist across reboots. Remember to restart the firewall for these rules to take effect:

# systemctl restart firewalld
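The following is an added example, not from the Oracle documentation or the kubeadm-ha-setup tool: a POSIX shell audit that compares a node's permanent firewalld port list against the ports this section requires for its role and prints the firewall-cmd commands that would close any gap. The function names, the role labels master/worker, and the audit_node wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's or kubeadm-ha-setup's code): audit a node's
# permanent firewalld configuration against the ports listed in this section.

# Ports every node must open (from the section above).
NODE_PORTS="2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp 10255/tcp 8472/udp"
# Master nodes additionally expose the API server.
MASTER_PORTS="6443/tcp"

# required_ports ROLE -> space-separated port specs required for that role
required_ports() {
    case "$1" in
        master) printf '%s %s\n' "$NODE_PORTS" "$MASTER_PORTS" ;;
        worker) printf '%s\n' "$NODE_PORTS" ;;
        *) printf 'unknown role: %s\n' "$1" >&2; return 2 ;;
    esac
}

# missing_ports ROLE "OPEN_PORTS" -> prints each required spec absent from
# OPEN_PORTS (the format printed by `firewall-cmd --list-ports`, e.g.
# "2379-2380/tcp 10250/tcp"). Returns 1 if anything is missing, else 0.
missing_ports() {
    role=$1; open=" $2 "; status=0
    req=$(required_ports "$role") || return 2
    for spec in $req; do
        case "$open" in
            *" $spec "*) ;;                      # already open
            *) printf '%s\n' "$spec"; status=1 ;; # missing
        esac
    done
    return $status
}

# audit_node ROLE: live check of the permanent zone on a firewalld host;
# prints the commands from this section that would still need to be run.
audit_node() {
    role=$1
    open=$(firewall-cmd --permanent --list-ports 2>/dev/null) || open=""
    firewall-cmd --permanent --query-masquerade >/dev/null 2>&1 \
        || echo "# firewall-cmd --add-masquerade --permanent"
    for spec in $(missing_ports "$role" "$open"); do
        echo "# firewall-cmd --add-port=$spec --permanent"
    done
}

# Usage: sh audit.sh master   (or worker); no argument runs nothing.
if [ $# -gt 0 ]; then audit_node "$1"; fi
```

After adding the reported ports, re-run the audit (and remember the systemctl restart above) until it prints nothing.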