Symptoms
After deploying GDPR per the official instructions, the gdpr-backend pod does not reach the Running state.
Checking the logs:
# kubectl logs gdpr-backend
shows errors that the connection to the OSS Core IP address on port 5432 cannot be established.
It is not possible to ping the OSS Core IP address from the pod:
[root@osscore ~]# kubectl exec -ti gdpr-backend-584c7875d9-4vmw7 ping 192.0.2.2
PING 192.0.2.2 (192.0.2.2) 56(84) bytes of data.
From 10.244.0.1 icmp_seq=1 Destination Host Prohibited
The liveness probe does not complete:
Warning Unhealthy 1m (x2 over 2m) kubelet, odingdpr01 Liveness probe failed: Get https://10.244.0.5:8081/rest/application/livenessProbe: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
Cause
The default RHEL 7 firewalld configuration rejects traffic required by the Kubernetes network.
Resolution
In order to complete the Kubernetes deployment, remove the default rules temporarily:
# iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
# iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
For a permanent resolution it is recommended to switch from firewalld to iptables and edit the rules on the GDPR node:
# iptables-save > /etc/sysconfig/iptables
Edit /etc/sysconfig/iptables, remove the icmp-host-prohibited lines, and then:
# systemctl stop firewalld
# systemctl disable firewalld
# yum install iptables-services
# systemctl enable iptables
# systemctl start iptables
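As an added example (not part of the original article), the following POSIX shell script performs the edit step above on a saved ruleset: it removes only the two catch-all REJECT lines in the INPUT and FORWARD chains, keeps any REJECT that is scoped by a source, protocol, interface or port, backs the file up first and reports what it changed. The sample ruleset embedded in it is constructed, and the 203.0.113.0/24 rule is assumed purely to show that a scoped REJECT survives.

```shell
#!/bin/sh
# Added example, not the article's own code: strip only the blanket
# "-j REJECT --reject-with icmp-host-prohibited" rules from an iptables-save
# dump such as /etc/sysconfig/iptables, leaving scoped rules intact.
set -u
# Anchored on both ends so a REJECT limited by -s, -p, -i or --dport stays.
CATCHALL='^-A (INPUT|FORWARD) -j REJECT --reject-with icmp-host-prohibited$'

# Print the ruleset in file $1 with the catch-all rejects removed.
strip_catchall_reject() {
    awk -v re="$CATCHALL" '$0 !~ re' "$1"
}
# Print how many catch-all rejects file $1 contains (0 means ready).
count_catchall_reject() {
    grep -E -c "$CATCHALL" "$1" || true
}
# Constructed RHEL 7 style filter table written to file $1 (not a capture
# from a real host); the 203.0.113.0/24 line is an assumed scoped REJECT.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# With a file argument: back it up, rewrite it in place, report the count.
# Without one: print the cleaned constructed sample for inspection.
if [ "$#" -eq 1 ]; then
    cp -p "$1" "$1.bak"                      # original is read from the backup
    strip_catchall_reject "$1.bak" > "$1"
    echo "removed $(count_catchall_reject "$1.bak") rule(s); backup in $1.bak"
else
    tmp="$(mktemp)"; write_sample_rules "$tmp"
    strip_catchall_reject "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh strip_reject.sh /etc/sysconfig/iptables` after the iptables-save step; it touches nothing else in the file, so the Kubernetes-specific chains added later are unaffected.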
Once Kubernetes is deployed, review the resulting iptables rules and apply your security policy without altering the existing rules.
The Kubernetes networking system is complex and, so far, there is no official Kubernetes guide to configuring firewall rules that comply with it. It is advised that the network team adjust the firewall policies to allow all communications listed at Kubernetes Cluster Network.