Swimlane Platform Installer Gu...
Overriding Installer Settings
Install with Firewalld Enabled
By default, the installer requires that firewalld is disabled before continuing. If you need to leave firewalld enabled, you can add a flag (under the `firewalldConfig` spec) to the `spec` section of the installer override YAML patch file. For example:

```yaml
apiVersion: cluster.kurl.sh/v1beta1
kind: Installer
metadata:
  name: "patch"
spec:
  firewalldConfig:
    bypassFirewalldWarning: true
```

Configuring firewalld

The required ports for cluster node communication need to be open in the firewalld configuration on each node in the cluster. For more information, see System Requirements for an Embedded Cluster Install. Here is an example script for configuring firewalld in CentOS 7/RHEL 7 environments:

```bash
#!/bin/bash
# Enable IP forwarding for pod traffic (appends to sysctl.conf; run once per node)
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
sysctl -p
firewall-cmd --permanent --zone=external --add-masquerade
# Trust the CNI bridge so pod-to-pod traffic is not filtered
firewall-cmd --permanent --zone=trusted --add-interface=cni0
# SSH port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="22" accept'
# HTTP port (optional, used to redirect to HTTPS)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="80" accept'
# HTTPS port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="443" accept'
# Kubernetes etcd ports
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="2379-2380" accept'
# Kubernetes API port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="6443" accept'
# Flannel VXLAN port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="udp" port="8472" accept'
# KOTS UI port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="8800" accept'
# Kubernetes component (kubelet, kube-scheduler, kube-controller) ports
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="10250-10252" accept'
firewall-cmd --reload
```

If you wish to open additional ports after the Swimlane deployment (e.g. the syslog receiver or the external Mongo ports), see below.

```
kubectl get svc -o wide
NAME                           TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)           AGE    SELECTOR
kotsadm                        ClusterIP   10.96.3.36    <none>        3000/TCP          3d     app=kotsadm
kotsadm-postgres               ClusterIP   10.96.3.188   <none>        5432/TCP          3d     app=kotsadm-postgres
kubernetes                     ClusterIP   10.96.0.1     <none>        443/TCP           3d1h   <none>
kurl-proxy-kotsadm             NodePort    10.96.1.64    <none>        8800:8800/TCP     3d     app=kurl-proxy-kotsadm
sw-api                         ClusterIP   10.96.2.47    <none>        5000/TCP          3d     service=swimlane-api
sw-web                         ClusterIP   10.96.2.67    <none>        443/TCP           3d     service=swimlane-web
swimlane-chrome                ClusterIP   10.96.3.32    <none>        4444/TCP          3d     service=swimlane-chrome
swimlane-sw-mongo              ClusterIP   None          <none>        27017/TCP         3d     app=sw-mongo,release=swimlane
swimlane-sw-mongo-0-external   NodePort    10.96.0.224   <none>        27017:35246/TCP   3d     statefulset.kubernetes.io/pod-name=swimlane-sw-mongo-0
swimlane-sw-mongo-1-external   NodePort    10.96.1.229   <none>        27017:6239/TCP    3d     statefulset.kubernetes.io/pod-name=swimlane-sw-mongo-1
swimlane-sw-mongo-2-external   NodePort    10.96.0.104   <none>        27017:36278/TCP   3d     statefulset.kubernetes.io/pod-name=swimlane-sw-mongo-2
swimlane-syslog-receiver       NodePort    10.96.2.119   <none>        514:42750/UDP     3d     service=swimlane-syslog-receiver
```

The ports in the example output above will be different for every deployment. Run these commands to create the firewall exceptions. TCP ports 35246, 6239 and 36278 have been assigned to our MongoDB service for external access:

```bash
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="35246" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="6239" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="36278" accept'
```

UDP port 42750 has been assigned to our Swimlane syslog receiver service:

```bash
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="udp" port="42750" accept'
```

Restart firewalld:

```bash
sudo firewall-cmd --reload
```

See Overriding Installer Settings for instructions on how to specify the installer override file during the install and join-node commands.
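As an added example (not from the Swimlane or kURL documentation), the following POSIX shell script derives the firewall exceptions from `kubectl get svc -o wide` output rather than reading the NodePorts off by hand, and also handles services that expose several ports, which the listing above does not show. The `nodeport_rules` function and the sample service listing are constructed for this example; the optional source CIDR argument narrows each rule to one network instead of accepting from any address.

```shell
#!/bin/sh
# Added example (not from the Swimlane docs): generate the NodePort firewall
# exceptions from `kubectl get svc -o wide` output instead of copying the ports
# by hand. An optional first argument restricts the rules to a source CIDR so
# that, for example, the external Mongo ports are not opened to every address.

# nodeport_rules [SOURCE_CIDR]: read `kubectl get svc -o wide` text on stdin and
# print one firewall-cmd command per NodePort-exposed port:protocol pair.
# Nothing is executed; the output is meant to be reviewed first.
nodeport_rules() {
  src=""
  if [ -n "$1" ]; then src=" source address=\"$1\""; fi
  awk -v q="'" -v src="$src" '
    NR == 1 { next }                   # header row
    $2 != "NodePort" { next }          # only NodePort services are reachable on the host
    {
      n = split($5, ports, ",")        # PORT(S) may hold several comma-separated entries
      for (i = 1; i <= n; i++) {
        if (split(ports[i], pp, ":") != 2) continue   # no ":" means no node port
        split(pp[2], np, "/")          # "35246/TCP" -> np[1]=35246, np[2]=TCP
        printf "sudo firewall-cmd --permanent --zone=public --add-rich-rule=%srule family=\"ipv4\"%s port protocol=\"%s\" port=\"%s\" accept%s\n", q, src, tolower(np[2]), np[1], q
      }
    }'
}

# Constructed sample in the shape of the page's example output: three NodePort
# rows from it plus one invented multi-port service (demo-ingress) to exercise
# the comma-separated PORT(S) case.
SAMPLE_SVC='NAME                           TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                      AGE   SELECTOR
kotsadm                        ClusterIP   10.96.3.36    <none>        3000/TCP                     3d    app=kotsadm
kurl-proxy-kotsadm             NodePort    10.96.1.64    <none>        8800:8800/TCP                3d    app=kurl-proxy-kotsadm
swimlane-sw-mongo-0-external   NodePort    10.96.0.224   <none>        27017:35246/TCP              3d    statefulset.kubernetes.io/pod-name=swimlane-sw-mongo-0
swimlane-syslog-receiver       NodePort    10.96.2.119   <none>        514:42750/UDP                3d    service=swimlane-syslog-receiver
demo-ingress                   NodePort    10.96.5.10    <none>        80:30080/TCP,443:30443/TCP   3d    app=demo-ingress'

# Review the generated commands, run them on each node, then `firewall-cmd --reload`.
printf '%s\n' "$SAMPLE_SVC" | nodeport_rules "10.0.0.0/8"
```

On a real node replace the sample with `kubectl get svc -o wide | nodeport_rules <cidr>`; ClusterIP-only services such as kotsadm produce no rule because they are not bound on the host.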