kubedee
Internet access from pods
I needed to make the flannel daemonset privileged: true to allow it to run iptables commands like the following:
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.672089 1 iptables.go:155] Adding iptables rule: -d 10.244.0.0/16 -j ACCEPT
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.870918 1 iptables.go:155] Adding iptables rule: -d 10.244.0.0/16 -j ACCEPT
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.672391 1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.871904 1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.873028 1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.673408 1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.873897 1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.674312 1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.2.0/24 -j RETURN
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.770506 1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully
Here is the config I adjusted: https://github.com/schu/kubedee/blob/master/manifests/kube-flannel.yml#L199-L202
This is the nuclear option, of course. Perhaps there is a more restricted capability to add that lets us avoid privileged: true?
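A possible narrower setting for the question above, as an added example that is not taken from the kubedee manifest: modifying iptables rules requires the NET_ADMIN capability (NET_RAW is commonly granted alongside it), so the container's securityContext can request those two capabilities instead of full privilege. The fragment assumes the container is named kube-flannel, as in the log lines above, and it has not been tested against kubedee's nodes.

```yaml
# Fragment of the flannel DaemonSet (spec.template.spec.containers).
# Only the securityContext is shown; the other container fields stay unchanged.
containers:
- name: kube-flannel            # assumed name, taken from the log prefix above
  # Before: full privilege, which grants every capability and access to
  # all host devices.
  # securityContext:
  #   privileged: true
  #
  # After: only the capabilities needed for netfilter/iptables rule changes
  # and raw sockets.
  securityContext:
    privileged: false
    capabilities:
      add: ["NET_ADMIN", "NET_RAW"]
```

If the "Adding iptables rule" log lines still appear after the change and pods keep outbound connectivity, the reduced capability set is sufficient for this workload.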