Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
a
agreeable-alarm-7502
03/01/2023, 9:22 PMHi folks! I've been trying to set up k3s on a few spare machines running in my homelab. 1 control-plane node and 2 agent nodes. k3s & flannel start just fine, and the agent nodes can join the cluster just fine. However, pods can't route out of their network, even to the kubernetes API. i'm at a loss as to why that may be the case, can someone help me troubleshoot what's going on?
✅ 1
r
rough-farmer-49135
03/02/2023, 2:36 PMSo are you saying that your pod's trying to access something outside your k3s cluster and it fails to get the resource? My first question is if DNS works, as I've seen DNS fail inside a kubernetes cluster more than occasionally.
You should be able to use
kubectl execa
agreeable-alarm-7502
03/02/2023, 7:05 PMI found out what I missed, I misconfigured my firewall (nftables). DNS didn't even work, it was all traffic coming out of the pod CIDR range... because I was blocking forwarded packets. That is, I had this sort of firewall:
table inet my_firewall {
chain my_forward_rules {
type filter hook forward;
policy drop;
}
}I feel very silly about overlooking that 😅
r
rough-farmer-49135
03/02/2023, 7:06 PMHappens to us all at times.
a
agreeable-alarm-7502
03/02/2023, 7:07 PMDo you think it would be a possible feature to add to
k3s check-configr
rough-farmer-49135
03/02/2023, 7:09 PMI think part of the problem is that firewall in general is chancy with Kubernetes. As I recall vanilla Kubernetes tells you to turn off the firewall & I know RKE2 at least is explicitly incompatible with firewalld. So I'm not sure how easy or difficult it'd be to programmatically figure out what's fine & what's not. You could easily have a "WARNING - your firewall isn't disabled, make sure it doesn't cause problems..."-sort of message, but I'm not sure past that.
a
agreeable-alarm-7502
03/02/2023, 7:10 PMYeah. I was thinking maybe the command could spin up a random network-namespaced subprocess and have it check it can route out successfully.
r
rough-farmer-49135
03/02/2023, 7:12 PMNo clue, I'm not a k3s dev, so maybe it's easier than I expect. However, with all Linux firewalls (such as iptables, nftables, ufw, & firewalld) all just being frontends & management daemons for the kernel's netfilter, which is also used for handling internal networks & NATs & bridges & routing & all that happens with container networking that's where I'm not sure how much you could or couldn't do with it.