Failed to call webhook services

I’m setting up a bare metal install of Kubernetes with a control node and 2 worker nodes, having followed this guide.

I’ve also installed metallb to enable load balancing.

When I try to create the IPAddressPool with the following:

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
  namespace: metallb-system
spec:
  addresses:
    - 192.168.0.230-192.168.0.240

I get the following error: Internal error occurred: failed calling webhook “ipaddresspoolvalidationwebhook.metallb.io”: failed to call webhook: Post: connect: no route to host.

On the worker node, if I log the rejected firewall requests I get the following:

Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23853 DF PROTO=TCP SPT=39182 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38853 DF PROTO=TCP SPT=29948 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000

As I start and stop the other node I also get:

Sep 21 21:12:56 c1-node1 kernel: "filter_IN_public_REJECT: "IN=cali5563f6ec2e2 OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
Sep 21 21:12:57 c1-node1 kernel: "filter_IN_public_REJECT: "IN=calid27ed49a15a OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148

If I turn the firewall off on the worker nodes then everything works correctly.

The same error occurs if I try installing an ingress layer as well, when it calls its validating webhook.

I believe I need to update the Calico network policies to get things working. Can anyone advise whether it is a network policy I need to create, or a direct rule in the firewall itself?

On the firewall on the nodes I’ve got the ports opened as below:

ports: 10250/tcp 30000-32767/tcp 7946/tcp 7946/udp 5473/tcp 4789/udp 2379/tcp 51820/udp 51821/udp 443/tcp 6443/tcp 9443/tcp

calicoctl get policies --all-namespaces returns no policies.

Any help would be very much appreciated. I’m only just starting to learn Kubernetes, Calico etc., so I’m very much a newbie.
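The kernel log lines above carry everything needed to tell what firewalld is rejecting and where. The chain name (filter_FWD_public_REJECT versus filter_IN_public_REJECT) says which hook rejected the packet, and IN=/OUT= name the interfaces: a reject in the FWD chain from eth0 to a cali* veth is traffic being forwarded to a local pod (here the webhook pod on 9443/tcp), while the IN-chain rejects from a cali* interface to ff02::fb on UDP 5353 are just IPv6 mDNS multicast from pods, not the cause of the webhook failure. The script below, added here as an example rather than anything from the original thread, parses such lines, classifies each rejected flow, and checks the destination port against the zone port list quoted in the question. The log lines inside it are constructed from the ones posted above; the open-port string is the one the question gives, and the classification labels are my own.

```python
"""Summarise firewalld/kernel REJECT log lines so it is clear which flows are dropped.

Added example: run it on the output of `journalctl -k` filtered for
`_REJECT` to get a compact table of rejected flows instead of raw lines.
"""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the lines posted in the question (not a live capture).
SAMPLE_LOG = """\
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23853 DF PROTO=TCP SPT=39182 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38853 DF PROTO=TCP SPT=29948 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:12:56 c1-node1 kernel: "filter_IN_public_REJECT: "IN=cali5563f6ec2e2 OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
"""

# The zone port list exactly as given in the question.
OPENED_PORTS = ("10250/tcp 30000-32767/tcp 7946/tcp 7946/udp 5473/tcp 4789/udp "
                "2379/tcp 51820/udp 51821/udp 443/tcp 6443/tcp 9443/tcp")

# firewalld (nftables backend) names its logging chains filter_<HOOK>_<zone>_<verdict>.
CHAIN_RE = re.compile(r'"(filter_(IN|FWD|OUT)_([A-Za-z0-9]+)_(REJECT|DROP)):')
# Kernel packet-log fields are KEY=value; flag words like DF and SYN carry no '='.
KV_RE = re.compile(r'\b([A-Z]+)=(\S*)')


def parse_reject_line(line: str) -> Optional[Dict[str, str]]:
    """Return the chain/hook/zone plus every KEY=value field, or None if not a reject line."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1), "hook": m.group(2), "zone": m.group(3), "verdict": m.group(4)}
    for key, value in KV_RE.findall(line[m.end():]):
        rec[key] = value  # a repeated key (LEN on IPv6 lines) keeps its last value
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Label a rejected packet by where it was going (labels are this example's own)."""
    if rec.get("PROTO") == "UDP" and rec.get("DPT") == "5353" and rec.get("DST", "").startswith("ff02"):
        return "mdns-multicast-noise"          # pod mDNS to ff02::fb; harmless to drop
    if rec["hook"] == "FWD" and rec.get("OUT", "").startswith("cali"):
        return "forwarded-to-local-pod"        # host is routing the packet into a pod veth
    if rec["hook"] == "IN" and rec.get("IN", "").startswith("cali"):
        return "from-local-pod-to-host"
    if rec["hook"] == "IN":
        return "to-host-from-network"
    return "other"


def port_is_open(port: int, proto: str, spec: str = OPENED_PORTS) -> bool:
    """True if port/proto falls inside the zone's 'ports' list (single ports or lo-hi ranges)."""
    for entry in spec.split():
        rng, _, p = entry.partition("/")
        if p != proto.lower():
            continue
        lo, _, hi = rng.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


FlowKey = Tuple[str, str, str, str, str]  # (class, hook, in-iface, out-iface, proto/dport)


def summarise(log_text: str) -> Dict[FlowKey, int]:
    """Count rejected packets per flow so repeated SYN retries collapse into one row."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_reject_line(line)
        if rec is None:
            continue
        key = (classify(rec), rec["hook"], rec.get("IN", ""), rec.get("OUT", ""),
               f"{rec.get('PROTO', '?')}/{rec.get('DPT', '?')}")
        counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for (kind, hook, iface_in, iface_out, svc), n in sorted(summarise(SAMPLE_LOG).items()):
        proto, _, dport = svc.partition("/")
        opened = dport.isdigit() and port_is_open(int(dport), proto)
        # Zone 'ports' govern traffic addressed to the host itself; a FWD-chain reject on a
        # port that is in the list shows the forwarded path is what still needs allowing.
        print(f"{n:3d}x {hook:<3} {kind:<24} {iface_in or '-':<16} -> {iface_out or '-':<16} "
              f"{svc:<10} in zone port list: {opened}")
```

Run against real `journalctl -k` output, the summary separates the one flow that matters (eth0 to the webhook pod's cali interface on 9443/tcp, rejected in the FWD chain even though 9443/tcp is in the zone's port list) from the mDNS noise, which is a quicker way to decide whether the fix belongs in forwarding rules or in host-level policy than reading the raw lines.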

Typically with RHEL the problem is firewalld.

As you’ve already discovered with calicoctl, there are no blocking rules configured in Calico, so it must be firewalld blocking your traffic.

Calico is effectively a firewall too - just one that is aware of pods on the system.
firewalld and Calico don’t always play nicely together; I recommend disabling firewalld and using Calico’s host protection policy to take its place.