This message was deleted.
# rke2a
adamant-kite-43734
06/08/2022, 7:18 PMThis message was deleted.
c
creamy-pencil-82913
06/08/2022, 8:13 PMthis usually means that CNI traffic between nodes is being blocked or otherwise dropped. This results in DNS traffic from the node the pod is running on not being able to pass to the node where the coredns pod is running. Can you confirm that all the correct ports are open between nodes?
n
narrow-noon-75604
06/09/2022, 2:15 AM@creamy-pencil-82913 not all the ports are open between the nodes. Only specific ports mentioned in the rancher document are opened using firewall.
https://rancher.com/docs/rancher/v2.5/en/installation/resources/advanced/firewall/
narrow-noon-75604
06/09/2022, 2:39 AMAlso I came some known issues related to firewalld mentioned in the rke2 page,
https://docs.rke2.io/known_issues/#firewalld-conflicts-with-default-networking
I am using calico network stack in my cluster. Do I need to disable firewalld in order to use calico?
or Is there any possibility to use calico with firewalld enabled?
c
creamy-pencil-82913
06/09/2022, 4:28 AMdid you open the Rancher/RKE required ports, or the RKE2 required ports, specific to whatever CNI you’re using?
https://docs.rke2.io/install/requirements/#networking
creamy-pencil-82913
06/09/2022, 4:29 AMand yes, you should disable firewalld. It is not supported by most of the CNI projects.
n
narrow-noon-75604
06/09/2022, 4:34 AMWe are planning to use RKE2 in the production platform. So it is not possible to disable firewalld there, can you please let me know if there is any possibility to use RKE2 with firewalld?
c
creamy-pencil-82913
06/09/2022, 4:34 AMin production, you have it behind an actual firewall or security groups, right?
creamy-pencil-82913
06/09/2022, 4:35 AMKubernetes isn’t really designed to have the nodes just exposed directly to the internet. Normally you deploy it to a protected network, and expose everything through an external load-balancer and/or ingress.
n
narrow-noon-75604
06/09/2022, 4:45 AMAll the ports are opened in the server node as per the document you shared - https://docs.rke2.io/install/requirements/#networking
narrow-noon-75604
06/09/2022, 4:48 AM@creamy-pencil-82913 can you please share the issue/ticket link stating that firewalld should be disabled in order to support calico network.
c
creamy-pencil-82913
06/09/2022, 5:00 AMhttps://projectcalico.docs.tigera.io/getting-started/kubernetes/requirements
If your Linux distribution comes with installed Firewalld or another iptables manager it should be disabled. These may interfere with rules added by Calico and result in unexpected behavior.
creamy-pencil-82913
06/09/2022, 5:00 AMAs I said, this is a requirement of the CNI projects, not rancher or rke2 itself.
n
narrow-noon-75604
06/09/2022, 5:54 AMThanks for all the info @creamy-pencil-82913
h
hundreds-hairdresser-46043
06/10/2022, 8:48 AMI have the same problem on centos 8 stream with firewalld disabled - does not happen on ubuntu or oracle linux 8
17 Views