microk8s is sets iptables policy FORWARD to DROP on reboot

Created on 29 Dec 2018  Â·  8Comments  Â·  Source: ubuntu/microk8s

I created a fresh install of ubuntu 18.04 minimal on a vmware esxi 6.7u1 host. i checked iptables -S and got this output (truncated):

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

This is consistent, no matter how often i reboot. Then i installed microk8s and all looks fine:

robert@k:~$ sudo snap install microk8s --edge --classic
microk8s (edge) v1.13.1 from Canonical✓ installed
robert@k:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
<trimmed>

However, after a reboot:

robert@k:~$ sudo iptables -S
[sudo] password for robert: 
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
<trimmed>

I've attached the microk8s.inspect tarball as
inspection-report-20181229_224350.tar.gz

inactive
Source
picture mnbf9rca
👍2

Most helpful comment

Adding --iptables=false to /var/snap/microk8s/current/args/dockerd fixes it.

picture mnbf9rca on 29 Dec 2018
👍5

All 8 comments

Adding --iptables=false to /var/snap/microk8s/current/args/dockerd fixes it.

mnbf9rca picture mnbf9rca on 29 Dec 2018
👍5

Nabbed from one of the referencing issues: to fix this on the current session, use sudo iptables -P FORWARD ACCEPT.

andyljones picture andyljones on 15 Jul 2019

@mnbf9rca with new version v1.15.1, you don't have dockerd, so this option isn't working anymore. I can't find any solution for containerd to make iptables persistent, maybe do you know one? The sudo iptables -P FORWARD ACCEPT works fine, but only for the current session.

vovapolu picture vovapolu on 5 Aug 2019

@vovapolu You should be able to use the iptables-persistent package:

sudo apt-get install iptables-persistent
ktsakalozos picture ktsakalozos on 6 Aug 2019
👍2

@ktsakalozos Hmm, that's strange, I've installed this package almost at the start, but for some time it didn't work, but now everything is good. Thanks :)

vovapolu picture vovapolu on 8 Aug 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] picture stale[bot] on 3 Jul 2020

Adding --iptables=false to /var/snap/microk8s/current/args/dockerd fixes it.

Sadly this does not work. Don't know if it's me or anymore. this file does not exist, I created it with the line, and still see DROP upon restarts.

Same for the iptables-persistent package, sadly.

bcouetil picture bcouetil on 10 Sep 2020
👍2

Adding --iptables=false to /var/snap/microk8s/current/args/dockerd fixes it.

This will no longer work cause new version of microk8s use containerd instead of dockerd

illja96 picture illja96 on 22 Sep 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

carmine picture carmine  Â·  4Comments
qbx2 picture qbx2  Â·  4Comments
singram picture singram  Â·  4Comments
devbharat picture devbharat  Â·  3Comments
khteh picture khteh  Â·  5Comments