I’m setting up a bare metal install of Kubernetes with a control node and 2 worker nodes. Having followed this guide,
I’ve also installed metallb to enable load balancing.
When I try to create the IPAddressPool with the following:

```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
  namespace: metallb-system
spec:
  addresses:
  - 192.168.0.230-192.168.0.240
```
I get the following error:

```
Internal error occurred: failed calling webhook “/ipaddresspoolvalidationwebhook.metallb.io” failed to call webhook Post: connect: no route to host.
```

On the worker node, if I log the rejected firewall requests, I get the following:

```
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23853 DF PROTO=TCP SPT=39182 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38853 DF PROTO=TCP SPT=29948 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
```
As I start and stop the other node I also get:

```
Sep 21 21:12:56 c1-node1 kernel: "filter_IN_public_REJECT: "IN=cali5563f6ec2e2 OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
Sep 21 21:12:57 c1-node1 kernel: "filter_IN_public_REJECT: "IN=calid27ed49a15a OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
```
If I turn the firewall off on the worker nodes then everything works correctly.
The same error occurs if I try installing an ingress layer as well, when it calls its validating webhook.
I believe I need to update the Calico network policies to get things working. Can anyone offer any advice on whether it is a network policy I need to create, or a direct rule in the firewall itself?
On the firewall on the nodes I’ve got the ports opened as below:

```
ports: 10250/tcp 30000-32767/tcp 7946/tcp 7946/udp 5473/tcp 4789/udp 2379/tcp 51820/udp 51821/udp 443/tcp 6443/tcp 9443/tcp
```

`calicoctl get policies --all-namespaces` returns no policies.
Any help would be very much appreciated, since I’m only just starting to learn Kubernetes, Calico, etc., so I’m very much a newbie.
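The reject lines above carry enough structure to answer the question the poster is asking (node firewall or Calico policy?) without guessing. The following script is an added example, not code from the original post or from the MetalLB or Calico projects: it parses the kernel LOG format shown in the question, collapses retries into distinct flows and labels each by which packet path it hit. It assumes firewalld's chain naming (`filter_<hook>_<zone>_<verdict>`) and Calico's default `cali` veth prefix; the sample log is a constructed copy of the lines in the question plus one unrelated kernel line to show it is skipped.

```python
"""Group firewalld reject log lines from a Kubernetes node into flows."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the four reject lines from the question plus one
# unrelated kernel line that the parser must ignore.
SAMPLE_LOG = """\
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23853 DF PROTO=TCP SPT=39182 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38853 DF PROTO=TCP SPT=29948 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:12:56 c1-node1 kernel: "filter_IN_public_REJECT: "IN=cali5563f6ec2e2 OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
Sep 21 21:12:57 c1-node1 kernel: "filter_IN_public_REJECT: "IN=calid27ed49a15a OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
Sep 21 21:13:00 c1-node1 kernel: IPv6: ADDRCONF(NETDEV_CHANGE): calid27ed49a15a: link becomes ready
"""

# firewalld (assumption: nftables backend) logs from chains named
# filter_<hook>_<zone>_<verdict>; the hook says whether the packet was
# destined for the host (IN) or being forwarded through it (FWD).
CHAIN_RE = re.compile(
    r'"filter_(?P<hook>IN|FWD|OUT)_(?P<zone>\w+?)_(?P<verdict>REJECT|DROP): "(?P<fields>.*)$'
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value, value may be empty (OUT= MAC=)
POD_IF_PREFIX = "cali"  # assumption: Calico's default veth naming


class Flow(NamedTuple):
    hook: str
    zone: str
    in_if: str
    out_if: str
    proto: str
    dst: str
    dport: str


def parse_line(line: str) -> Optional[Flow]:
    """Return a Flow for a firewalld reject/drop line, None for anything else."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = dict(FIELD_RE.findall(m.group("fields")))
    return Flow(
        hook=m.group("hook"),
        zone=m.group("zone"),
        in_if=fields.get("IN", ""),
        out_if=fields.get("OUT", ""),
        proto=fields.get("PROTO", "?"),
        dst=fields.get("DST", "?"),
        dport=fields.get("DPT", "?"),
    )


def blocked_flows(log_text: str) -> Counter:
    """Count rejected packets per flow; ephemeral fields (SPT, ID, MAC) are
    left out of the key so client retries collapse into one entry."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is not None:
            counts[flow] += 1
    return counts


def classify(flow: Flow) -> str:
    """Name the path a rejected flow took, which decides where the fix lives."""
    to_pod = flow.out_if.startswith(POD_IF_PREFIX)
    from_pod = flow.in_if.startswith(POD_IF_PREFIX)
    if flow.hook == "FWD" and to_pod:
        return "host->pod forward rejected by firewalld zone policy (not a Calico policy)"
    if flow.hook == "IN" and from_pod and flow.dport == "5353":
        return "pod mDNS multicast to the host rejected; harmless unless mDNS is needed"
    if flow.hook == "IN" and from_pod:
        return "pod->host input rejected by firewalld"
    return "other reject; check the zone's ports and services"


def report(log_text: str) -> List[str]:
    """One human-readable line per distinct blocked flow."""
    out = []
    for flow, n in sorted(blocked_flows(log_text).items()):
        out.append(
            f"{n}x {flow.hook} zone={flow.zone} {flow.in_if or '-'}->{flow.out_if or '-'} "
            f"{flow.proto}/{flow.dport} dst={flow.dst}: {classify(flow)}"
        )
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the poster's lines it reports one FWD flow seen twice (eth0 to a `cali*` veth, TCP/9443, the pod IP of the webhook) and two IN flows of pod-originated mDNS. The FWD hit is the API server reaching the webhook pod through the worker's host, and the chain that rejected it is firewalld's, which is consistent with `calicoctl get policies` returning nothing: the opened port list only affects INPUT to the host, not FORWARD into the pod network. The firewalld-side settings to evaluate (an assumption about the poster's firewalld version, 1.0 or later) are zone forwarding via `firewall-cmd --permanent --zone=public --add-forward` or placing the pod CIDR in the trusted zone with `firewall-cmd --permanent --zone=trusted --add-source=<pod CIDR>`, followed by `firewall-cmd --reload`; either keeps the firewall on rather than disabling it.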