On Wed, Jun 22, 2016 at 7:44 PM, Jonathan Lebon <jle...@redhat.com> wrote:
> ----- Original Message -----
>> Folks,
>>
>> Bringing this to atomic-devel because I'm not sure that it isn't an
>> issue with centos Atomic ISOs as well. Also, I'm not quite sure where
>> the rule is coming from.
>
> They come from the iptables package itself:
>
> http://pkgs.fedoraproject.org/cgit/rpms/iptables.git/tree/sysconfig_iptables
>
>> Where's the best place to fix this?
>
> This normally shouldn't be an issue since e.g. the
> k8/contrib ansible playbooks insert rules at the top. That
> said, if you're encountering issues, it might mean that
> we're missing a few rules. I would file an issue there with
> more details probably.
>
A similar issue was reported (and fixed?) in openshift:
https://bugzilla.redhat.com/show_bug.cgi?id=1280279

I've had a tough time figuring out how to open the firewall to NodePorts -- I end up removing those default reject rules as a workaround.

For instance, I bring up a two node, one master cluster w/ atomic fedora or centos, using the kube/contrib ansible, and then I run the projectatomic/guestbookgo-atomicapp, locate the automatically assigned NodePort for the guestbook (kubectl describe service guestbook | grep NodePort), and try to access the app from the node IP at the NodePort. By default, this will fail unless I remove the reject rules and restart iptables.

I can go file an issue in k8s/contrib, but is this a bug, or am I not understanding how this is supposed to work?

Jason
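An added illustration of the ordering problem the thread is about (example code, not from the list, from k8s/contrib, or from the iptables package). It walks an iptables-save style ruleset the way the kernel would for a new TCP connection from another host, reports which terminating rule a NodePort hits, and shows that inserting an ACCEPT just ahead of the first REJECT opens the port without removing the stock reject rules. Assumptions: the ruleset below is a constructed approximation of the package's sysconfig_iptables (compare with `iptables-save` on a real node); 30000:32767 is the Kubernetes default NodePort range; the matcher only understands `-i lo`, `-p`, `--state` and `--dport`; and since DNAT'd NodePort traffic may traverse INPUT or FORWARD depending on kube-proxy mode and where the pod runs, the helpers take the chain name and the demo checks both (the stock ruleset rejects in both).

```shell
#!/bin/sh
# Added example: simulate the chain walk that rejects a NodePort and compute
# where an ACCEPT has to go so the stock REJECT rules can stay in place.

# Constructed approximation of the stock /etc/sysconfig/iptables installed by
# the Fedora/CentOS iptables package (assumption: verify with `iptables-save`).
STOCK_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Kubernetes' default --service-node-port-range (assumption; check the apiserver flags).
NODEPORT_RANGE='30000:32767'

# chain_verdict RULES CHAIN PORT: print the target of the first rule in CHAIN
# that a new TCP connection to PORT from another host matches (ACCEPT, REJECT
# or DROP), or POLICY if nothing matches and the chain policy applies.
# Simplified matcher: only -i lo, -p, --state and --dport are interpreted.
chain_verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
        $1 != "-A" || $2 != chain { next }
        {
            ok = 1; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i" && $(i+1) == "lo") ok = 0         # loopback only
                if ($i == "-p" && $(i+1) != "tcp") ok = 0        # other protocol
                if ($i == "--state" && $(i+1) !~ /NEW/) ok = 0   # not for new flows
                if ($i == "--dport") {                           # single port or lo:hi
                    split($(i+1), r, ":")
                    hi = (r[2] == "") ? r[1] : r[2]
                    if (port + 0 < r[1] + 0 || port + 0 > hi + 0) ok = 0
                }
                if ($i == "-j") target = $(i+1)
            }
            if (ok && (target == "ACCEPT" || target == "REJECT" || target == "DROP")) {
                print target; found = 1; exit
            }
        }
        END { if (!found) print "POLICY" }'
}

# reject_position RULES CHAIN: 1-based index of the first REJECT in CHAIN. An
# ACCEPT inserted at that index (iptables -I CHAIN N ...) lands just ahead of it.
reject_position() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain { n++; if ($0 ~ /-j REJECT/) { print n; exit } }'
}

# open_nodeports RULES CHAIN RANGE: the ruleset as it would look after
#   iptables -I CHAIN "$(reject_position ...)" -p tcp -m state --state NEW \
#            -m tcp --dport RANGE -j ACCEPT
# i.e. with the ACCEPT placed immediately before the first REJECT in CHAIN.
open_nodeports() {
    printf '%s\n' "$1" | awk -v chain="$2" -v range="$3" '
        !inserted && $1 == "-A" && $2 == chain && $0 ~ /-j REJECT/ {
            printf "-A %s -p tcp -m state --state NEW -m tcp --dport %s -j ACCEPT\n", chain, range
            inserted = 1
        }
        { print }'
}

# Demo (e.g. `sh nodeport_rules.sh demo`, file name is an assumption): a
# NodePort such as 31000 is rejected on the stock ruleset in INPUT and FORWARD;
# after the insert it is accepted while the REJECT rules stay where they were.
if [ "${1:-}" = "demo" ]; then
    for chain in INPUT FORWARD; do
        echo "$chain: stock verdict for 31000 = $(chain_verdict "$STOCK_RULES" "$chain" 31000)"
        echo "$chain: insert ACCEPT at position $(reject_position "$STOCK_RULES" "$chain")"
        FIXED=$(open_nodeports "$STOCK_RULES" "$chain" "$NODEPORT_RANGE")
        echo "$chain: fixed verdict for 31000 = $(chain_verdict "$FIXED" "$chain" 31000)"
    done
fi
```

On a live node the same ordering can be checked with `iptables -L INPUT -n --line-numbers`: whatever ACCEPT kube-proxy or the playbooks add must sit above the `REJECT ... icmp-host-prohibited` line. A rule inserted with `iptables -I` at runtime is lost on `systemctl restart iptables`, which reloads /etc/sysconfig/iptables, so write it back with `iptables-save > /etc/sysconfig/iptables` if it is meant to survive the restart mentioned in the thread.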