# rke2
c
This usually means that CNI traffic between nodes is being blocked or otherwise dropped. This results in DNS traffic from the node the pod is running on not being able to reach the node where the coredns pod is running. Can you confirm that all the correct ports are open between nodes?
n
@creamy-pencil-82913 not all the ports are open between the nodes. Only the specific ports mentioned in the Rancher document are opened in the firewall. https://rancher.com/docs/rancher/v2.5/en/installation/resources/advanced/firewall/
Also, I came across some known issues related to firewalld mentioned on the rke2 page: https://docs.rke2.io/known_issues/#firewalld-conflicts-with-default-networking I am using the Calico network stack in my cluster. Do I need to disable firewalld in order to use Calico, or is there any possibility of using Calico with firewalld enabled?
c
Did you open the Rancher/RKE required ports, or the RKE2 required ports specific to whatever CNI you're using? https://docs.rke2.io/install/requirements/#networking
And yes, you should disable firewalld. It is not supported by most of the CNI projects.
n
We are planning to use RKE2 in the production platform, so it is not possible to disable firewalld there. Can you please let me know if there is any possibility of using RKE2 with firewalld?
c
In production, you have it behind an actual firewall or security groups, right?
Kubernetes isn't really designed to have the nodes just exposed directly to the internet. Normally you deploy it to a protected network and expose everything through an external load balancer and/or ingress.
n
All the ports are opened on the server node as per the document you shared: https://docs.rke2.io/install/requirements/#networking
@creamy-pencil-82913 can you please share the issue/ticket link stating that firewalld should be disabled in order to support the Calico network?
c
https://projectcalico.docs.tigera.io/getting-started/kubernetes/requirements
If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
As I said, this is a requirement of the CNI projects, not rancher or rke2 itself.
n
Thanks for all the info @creamy-pencil-82913
h
I have the same problem on CentOS 8 Stream with firewalld disabled; it does not happen on Ubuntu or Oracle Linux 8.