Kubespray: iptables should be set to true when using calico

Created on 18 Jan 2018 · 3Comments · Source: kubernetes-sigs/kubespray

BUG REPORT:
In the same way it was done with #1137 for flannel, and #1277 for weave, dockerd should be run with --iptables=true in order to have a working cluster when calico is set as the network plugin.

Environment:

OS:
Linux 3.10.0-693.5.2.el7.x86_64 x86_64
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Version of Ansible : 2.4.0.0

Kubespray version (commit): c116b80

Network plugin used: calico

Source

dylanzr

Most helpful comment

The current version allows this to be done by setting docker_iptables_enabled to true.

https://github.com/kubernetes-incubator/kubespray/blob/master/roles/docker/templates/docker-options.conf.j2

This issue can be closed I think.

minhdanh on 26 Jun 2018

👍2

All 3 comments

I am not sure if this is related, but I am using calico plugin as well. Running docker build commands on the cluster nodes is not possible because they can't access network without --iptables=true. The same problem appears when I run docker in the Kubernetes pod by mouting host's /var/run/docker.sock into the pod. Without iptables=true docker does not activate masquerading for docker0 network device, so docker build can't work properly when run in default network.

While checking iptables fix for flannel, I found that it was removed again in the commit a39e78d42d5bcb6893d0981fc478a3883364fdae.

dmrub on 7 Feb 2018

👍2

I have encountered the same behaviour as described by dmrub.
Setting --iptables=true in DOCKER_OPTS in the file /etc/systemd/system/docker.service.d/docker-options.conf solved the issue.