Failed to call webhook services

koimad · September 21, 2022, 8:40pm

I’m setting up a bare metal install of Kubernetes with a control node and 2 worker nodes. Having followed this guide,

I’ve also installed metallb to enable load balancing.

When I try to create the IPAddress Pool with the following

apiVersion: /metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: default
namespace: metalllb-system
spec:
addresses:

192.168.0.230-192.168.0.240

I get the following error Internal error occurred: failed calling webhook “/ipaddresspoolvalidationwebhook.metallb.io” failed to call webhook Post: connect: no route to host.

On the worker node if I log the rejected firewall requests I get the following

Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23853 DF PROTO=TCP SPT=39182 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000
Sep 21 21:21:06 c1-node1 kernel: "filter_FWD_public_REJECT: "IN=eth0 OUT=cali93c9421127d MAC=00:15:5d:00:95:0a:00:15:5d:00:95:09:08:00 SRC=192.168.0.201 DST=192.160.222.209 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38853 DF PROTO=TCP SPT=29948 DPT=9443 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x10000

As I start and stop the other node I also get

Sep 21 21:12:56 c1-node1 kernel: "filter_IN_public_REJECT: "IN=cali5563f6ec2e2 OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148
Sep 21 21:12:57 c1-node1 kernel: "filter_IN_public_REJECT: "IN=calid27ed49a15a OUT= MAC= SRC=fe80:0000:0000:0000:ecee:eeff:feee:eeee DST=ff02:0000:0000:0000:0000:0000:0000:00fb LEN=188 TC=0 HOPLIMIT=255 FLOWLBL=388505 PROTO=UDP SPT=5353 DPT=5353 LEN=148

If I turn the firewall off on the worker nodes then everything works correctly.

The same error occurs if I try installing an ingress layer as well, calling the validate webhook.

I believe I need to update the Calico network policies to get things working, can anyone offer any advice if it is a network policy I need to create, or is it a direct rule in the firewall itself

On the firewall on the nodes I’ve got the ports opened as below

ports: 10250/tcp 30000-32767/tcp 7946/tcp 7946/udp 5473/tcp 4789/udp 2379/tcp 51820/udp 51821/udp 443/tcp 6443/tcp 9443/tcp

calicoctl get policies --all-namespaces returns with no policies.

Any help would be very much appreciated, since I’m only just starting to learn Kubernetes, and Calico etc, so I’m very much a newbie.

lwr20 · September 26, 2022, 8:43am

Typically with RHEL the problem is firewalld.

As you’ve already discovered with calicoctl, there are no blocking rules configured in Calico, so it must be firewalld blocking your traffic.

Calico is effectively a firewall too - just one that is aware of pods on the system.
firewalld and Calico don’t always play nicely together, I recommend disabling firewalld and using Calico’s host protection policy to take its place.

koimad · September 28, 2022, 8:10pm

Hi Thanks for the reply, I will try and give this ago.

Topic		Replies	Views
AWS-EKS - App Mesh-Internal error occurred: failed calling webhook EKS-AKS-GKE-IKS eks	1	919	November 29, 2020
Calico-kube-controller and calico-node failed to start Kubernetes	1	469	March 28, 2022
Calico is not exposing services on self managed k8s cluster on aws using elb as VIP Open Source Calico Help aws	4	624	April 13, 2021
Upgrade from 3.16.4 to 3.18 failing with CrashLoopBackOff Open Source Calico Help	3	2308	March 31, 2021
Container Failed to start Open Source Calico Help	5	1320	March 11, 2021

Failed to call webhook services

Related Topics