Running microk8s with ufw enabled

microk8s
#1

Is it possible to get microk8s working on a system where ufw is enabled? I’ve found that the hostpath provisioner and kube-dns pods are unable to run unless I disable it; they get stuck in CrashLoopBackoff with errors like:

F0318 15:26:22.847440 1 hostpath-provisioner.go:162] Error getting server version: Get https://10.152.183.1:443/version: dial tcp 10.152.183.1:443: i/o timeout

What subnets do I need to allow in order to get this to work with firewalls enabled, and how can I find them? I don’t really want to expose a development cluster like microk8s to all network interfaces.

0 Likes

#2

Update: Allowing cbr0 per the FAQ[0] seemed to fix this!

[0] https://microk8s.io/docs/#my-dns-and-dashboard-pods-are-crashlooping

3 Likes

#3

Hi @cmars,

In the upcoming v1.14 release of MicroK8s we have reviewed the ports we leave open, have a look at https://github.com/ubuntu/microk8s/blob/feature/containerd-access/docs/ports.md . You can also give the new release a test drive with

sudo snap install microk8s --classic --channel=1.14/beta

Note that you will still need to allow packet forwarding on cb0

1 Like