2.2.7 Firewall and iptables Requirements

Kubernetes uses iptables to handle many networking and port forwarding rules. Therefore, you must ensure that you do not have any rules set that may interfere with the functioning of Kubernetes. The kubeadm-setup.sh script requires an iptables rule to accept forwarding traffic. If this rule is not set, the script exits and notifies you that you may need to add this iptables rule. A standard Docker installation may create a firewall rule that prevents forwarding, therefore you may need to run:

# iptables -P FORWARD ACCEPT

The kubeadm-setup.sh script checks the iptables rules and, where it finds a rule that would interfere, provides instructions on how to modify your iptables configuration to meet the requirements. See Section 4.1, “Kubernetes and iptables Rules” for more information.

If you have a requirement to run a firewall directly on the systems where Kubernetes is deployed, you must ensure that all ports required by Kubernetes are available. For instance, the TCP port 6443 must be accessible on the master node to allow other nodes to access the API Server. All nodes must be able to accept connections from the master node on the TCP port 10250 and traffic should be allowed on the UDP port 8472. All nodes must be able to receive traffic from all other nodes on every port on the network fabric that is used for the Kubernetes pods. The firewall must support masquerading.

Oracle Linux 7 installs and enables firewalld by default. If you are running firewalld, the kubeadm-setup.sh script notifies you of any rules that you may need to add. In summary, run the following commands on all nodes:

# firewall-cmd --add-masquerade --permanent
# firewall-cmd --add-port=10250/tcp --permanent
# firewall-cmd --add-port=8472/udp --permanent

Additionally, run the following command on the master node:

# firewall-cmd --add-port=6443/tcp --permanent

Use the --permanent option to make these firewall rules persistent across reboots.

Remember to restart the firewall for these rules to take effect:

# systemctl restart firewalld
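The following POSIX shell script is an added example and is not part of the Oracle Linux documentation or of kubeadm-setup.sh. It turns the two checks described in this section into a pre-flight script: it verifies that the iptables FORWARD policy is ACCEPT, compares the ports this section lists (10250/tcp and 8472/udp on every node, plus 6443/tcp on the master) against the output of `firewall-cmd --list-ports`, and prints or applies the firewall-cmd commands for a given node role. All function names are the example's own, and the sample iptables and firewalld output it runs against is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux documentation: pre-flight checks for
# the iptables FORWARD policy and the firewalld ports listed in this section.
# Assumes the port list given above (10250/tcp and 8472/udp on all nodes,
# 6443/tcp on the master). Function names are this example's own.

# Return 0 if the first line of `iptables -S FORWARD` output shows the ACCEPT
# policy that kubeadm-setup.sh expects, 1 otherwise.
k8s_forward_policy_ok() {
    rules="$1"
    first=$(printf '%s\n' "$rules" | head -n 1)
    [ "$first" = "-P FORWARD ACCEPT" ]
}

# Ports that every node (master and worker) must open.
k8s_common_ports() {
    printf '%s\n' "10250/tcp" "8472/udp"
}

# Ports required for the given role ("master" or "worker"), one per line.
k8s_required_ports() {
    k8s_common_ports
    [ "$1" = "master" ] && printf '%s\n' "6443/tcp"
    return 0
}

# Print the required ports that are missing from a `firewall-cmd --list-ports`
# line (space-separated port/protocol entries).
k8s_missing_ports() {
    role="$1"
    open="$2"
    for p in $(k8s_required_ports "$role"); do
        found=0
        for o in $open; do
            [ "$o" = "$p" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# Print the firewall-cmd commands from this section for the given role,
# followed by the firewalld restart that makes them take effect.
k8s_firewall_cmds() {
    echo "firewall-cmd --add-masquerade --permanent"
    for p in $(k8s_required_ports "$1"); do
        echo "firewall-cmd --add-port=$p --permanent"
    done
    echo "systemctl restart firewalld"
}

# Run the commands for real; needs root and a running firewalld.
k8s_firewall_apply() {
    k8s_firewall_cmds "$1" | while read -r cmd; do
        echo "# $cmd"
        $cmd || return 1
    done
}

# Offline demonstration on constructed input (not captured from a real host).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER'
SAMPLE_PORTS='10250/tcp'

if k8s_forward_policy_ok "$SAMPLE_FORWARD"; then
    echo "FORWARD policy: ok"
else
    echo "FORWARD policy is not ACCEPT; run: iptables -P FORWARD ACCEPT"
fi
echo "Ports still missing on a master with '$SAMPLE_PORTS' open:"
k8s_missing_ports master "$SAMPLE_PORTS"
echo "Commands to run on the master:"
k8s_firewall_cmds master
```

On a real node, feed the functions live output instead of the samples, for example `k8s_forward_policy_ok "$(iptables -S FORWARD)"` and `k8s_missing_ports master "$(firewall-cmd --list-ports)"`; `k8s_firewall_apply master` then runs exactly the commands this section lists. Keeping the check separate from the apply step lets you run it read-only, as a non-root user, before handing the node to kubeadm-setup.sh.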