Firewalld block rancher cluster dns: Weave CNI does not work with Firewalld on RHEL 8 based OSs
This document (000020713) is provided subject to the disclaimer at the end of this document.
Environment
Issue:
The firewalld service blocks Rancher cluster DNS on RHEL 8.
Steps to reproduce:
1. Install and set up RKE on RHEL 8.
2. CoreDNS is deployed as part of the RKE setup.
3. Start the firewalld service on the RHEL 8 nodes.
After the firewalld service is started, the Kubernetes pod logs return a connection error:
ent-041273.voicelab.local. A: read udp 172.21.0.19:58953->1.10.64.26:53: i/o timeout
Situation
The internal Kubernetes DNS server (CoreDNS) is blocked. Once firewalld is stopped, Kubernetes DNS works again.
Firewalld blocks the following ports, which the cluster requires:
- 2379-2380/tcp
- 4789/udp
- 5000/tcp
- 6443/tcp
- 6783/tcp
- 6783-6784/udp
- 9100/tcp
- 10250/tcp
- 10257/tcp
- 10259/tcp
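The following shell script is an added example and is not part of this KB article or of Rancher's own tooling. It takes the port list printed by `firewall-cmd --list-ports` on a node and reports which of the entries listed above are absent, so an administrator can confirm that a firewalld-enabled node is the cause before looking further. The function names are the example's own; the `firewall-cmd --list-ports` and `firewall-cmd --state` options are real firewall-cmd options, and the sample port list near the end is constructed, not captured from a real host.

```shell
#!/bin/sh
# Ports the KB article lists as required by the RKE cluster (Weave CNI).
RKE_REQUIRED_PORTS="2379-2380/tcp 4789/udp 5000/tcp 6443/tcp 6783/tcp 6783-6784/udp 9100/tcp 10250/tcp 10257/tcp 10259/tcp"

# missing_rke_ports OPENED_PORTS
#   OPENED_PORTS is the space-separated list as printed by
#   `firewall-cmd --list-ports` (for example "6443/tcp 10250/tcp").
#   Prints, one per line, every required entry that is not in OPENED_PORTS.
#   Entries are compared literally, so a range opened as single ports
#   (e.g. "2379/tcp 2380/tcp") is still reported as missing.
missing_rke_ports() {
    opened=" $1 "
    for p in $RKE_REQUIRED_PORTS; do
        case "$opened" in
            *" $p "*) ;;                 # entry present, nothing to report
            *) printf '%s\n' "$p" ;;     # entry absent
        esac
    done
}

# count_missing_rke_ports OPENED_PORTS
#   Prints the number of required entries that are missing (0 = all present).
count_missing_rke_ports() {
    missing_rke_ports "$1" | wc -l | tr -d ' '
}

# On a node with a running firewalld, check the active zone's port list.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    live_opened=$(firewall-cmd --list-ports)
    echo "firewalld is running; required entries not opened:"
    missing_rke_ports "$live_opened"
fi

# Constructed sample (not from a real host): a node where only the API server
# port was opened in firewalld.
SAMPLE_OPENED="6443/tcp"
echo "Required entries missing on the sample node:"
missing_rke_ports "$SAMPLE_OPENED"
```

Run it as root on an affected node; if firewalld is active, the live section lists what the firewall does not open, and the constructed sample at the end shows the expected output shape offline. The article's resolution (stopping firewalld, per the Rancher requirements) is unchanged; the script only makes the blocked-port situation visible.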
Resolution
Stop firewalld on the RHEL 8 nodes; this is a requirement as described in the Rancher requirements.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.