Overriding Installer Settings
Install with Firewalld Enabled
By default, the installer requires that firewalld is disabled before continuing. If you need to leave firewalld enabled, you can add a flag (under the `firewalldConfig` spec) to the `spec` section of the installer override YAML patch file. For example:

```yaml
apiVersion: cluster.kurl.sh/v1beta1
kind: Installer
metadata:
  name: "patch"
spec:
  firewalldConfig:
    bypassFirewalldWarning: true
```

Configuring firewalld

The required ports for cluster node communication need to be open in the firewalld config on each node in the cluster. For more information, see System Requirements for an Embedded Cluster Install.

Here is an example script for configuring firewalld in CentOS 7 / RHEL 7 environments:

```bash
#!/bin/bash
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf;
sysctl -p;
firewall-cmd --permanent --zone=external --add-masquerade;
firewall-cmd --permanent --zone=trusted --add-interface=cni0;
# SSH port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="22" accept';
# HTTP port (optional, used to redirect to HTTPS)
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="80" accept';
# HTTPS port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="443" accept';
# Kubernetes etcd ports
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="2379-2380" accept';
# Kubernetes API port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="6443" accept';
# Flannel VXLAN port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="udp" port="8472" accept';
# KOTS UI port
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="8800" accept';
# Kubernetes component (kubelet, kube-scheduler, kube-controller) ports
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="10250-10252" accept';
firewall-cmd --reload
```

If you wish to open additional ports after the Swimlane deployment (e.g. external Mongo ports), list the services first:

```
kubectl get svc -o wide
NAME                             TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                   AGE     SELECTOR
gotenberg                        ClusterIP   10.96.3.132   <none>        3500/TCP                                  21m     service=gotenberg
kotsadm                          ClusterIP   10.96.1.169   <none>        3000/TCP                                  153m    app=kotsadm
kotsadm-postgres                 ClusterIP   10.96.1.58    <none>        5432/TCP                                  153m    app=kotsadm-postgres
kubernetes                       ClusterIP   10.96.0.1     <none>        443/TCP                                   157m    <none>
kurl-proxy-kotsadm               NodePort    10.96.1.20    <none>        8800:8800/TCP                             153m    app=kurl-proxy-kotsadm
mongo                            ClusterIP   None          <none>        27017/TCP                                 21m     app=mongo,release=turbine
mongo-0-external                 NodePort    10.96.1.49    <none>        27017:24361/TCP                           7m45s   statefulset.kubernetes.io/pod-name=mongo-0
mongo-1-external                 NodePort    10.96.0.76    <none>        27017:24964/TCP                           6m29s   statefulset.kubernetes.io/pod-name=mongo-1
mongo-2-external                 NodePort    10.96.1.75    <none>        27017:22626/TCP                           6m29s   statefulset.kubernetes.io/pod-name=mongo-2
postgresql-pgpool                ClusterIP   10.96.0.97    <none>        5432/TCP                                  21m     app.kubernetes.io/component=pgpool,app.kubernetes.io/instance=turbine,app.kubernetes.io/name=postgresql-ha
postgresql-postgresql            ClusterIP   10.96.2.67    <none>        5432/TCP                                  21m     app.kubernetes.io/component=postgresql,app.kubernetes.io/instance=turbine,app.kubernetes.io/name=postgresql-ha
postgresql-postgresql-headless   ClusterIP   None          <none>        5432/TCP                                  21m     app.kubernetes.io/component=postgresql,app.kubernetes.io/instance=turbine,app.kubernetes.io/name=postgresql-ha
rabbitmq                         ClusterIP   10.96.1.133   <none>        5672/TCP,4369/TCP,25672/TCP,15672/TCP     21m     app.kubernetes.io/instance=turbine,app.kubernetes.io/name=rabbitmq
rabbitmq-headless                ClusterIP   None          <none>        4369/TCP,5672/TCP,25672/TCP,15672/TCP     21m     app.kubernetes.io/instance=turbine,app.kubernetes.io/name=rabbitmq
swimlane-api                     ClusterIP   10.96.3.8     <none>        5000/TCP                                  21m     service=swimlane-api
swimlane-reports                 ClusterIP   10.96.3.21    <none>        4000/TCP                                  21m     service=swimlane-reports
swimlane-web                     ClusterIP   10.96.0.173   <none>        443/TCP                                   21m     service=swimlane-web
turbine-agent                    ClusterIP   None          <none>        10000/TCP                                 21m     service=turbine-agent
turbine-api                      ClusterIP   10.96.2.69    <none>        3000/TCP                                  21m     service=turbine-api
turbine-engine                   ClusterIP   10.96.1.138   <none>        3000/TCP                                  21m     service=turbine-engine
turbine-webhook-agent            ClusterIP   10.96.2.47    <none>        3008/TCP                                  21m     service=turbine-webhook-agent
turbine-websocketrelay           ClusterIP   10.96.0.169   <none>        15670/TCP                                 21m     service=turbine-websocketrelay
```

The NodePort numbers in the example output above will be different for every deployment. Run these commands to create the firewall exceptions. In this example, TCP ports 24361, 24964, and 22626 have been assigned to our MongoDB service for external access:

```bash
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="24361" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="24964" accept'
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" port protocol="tcp" port="22626" accept'
```

Reload firewalld to apply the rules:

```bash
sudo firewall-cmd --reload
```

See Overriding Installer Settings for instructions on how to specify the installer override file during the install and join node commands.
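The NodePort numbers above are assigned at deployment time, so transcribing them by hand into `firewall-cmd` rules is error-prone and easy to leave stale. The script below is an added example, not Swimlane's own tooling: it reads `kubectl get svc -o wide` output, picks out every `NodePort` service (handling services that expose several comma-separated port mappings, which goes slightly beyond the single-port MongoDB case on this page), and prints the matching rich rules instead of executing them, so they can be reviewed before anything is opened. The `SAMPLE_SVC` table is constructed from the rows shown on this page; the function names are my own.

```shell
#!/bin/bash
# Added example (not part of the Swimlane docs): derive firewalld rich rules
# for every NodePort service from `kubectl get svc -o wide` output, so the
# externally exposed ports are taken from live cluster state rather than
# copied by hand. Rules are printed, not applied.

# Constructed sample of `kubectl get svc -o wide` output (subset of the rows
# on this page; CLUSTER-IP values are illustrative).
SAMPLE_SVC='NAME                TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)             AGE     SELECTOR
kotsadm             ClusterIP   10.96.1.169   <none>        3000/TCP            153m    app=kotsadm
kurl-proxy-kotsadm  NodePort    10.96.1.20    <none>        8800:8800/TCP       153m    app=kurl-proxy-kotsadm
mongo-0-external    NodePort    10.96.1.49    <none>        27017:24361/TCP     7m45s   statefulset.kubernetes.io/pod-name=mongo-0
mongo-1-external    NodePort    10.96.0.76    <none>        27017:24964/TCP     6m29s   statefulset.kubernetes.io/pod-name=mongo-1
mongo-2-external    NodePort    10.96.1.75    <none>        27017:22626/TCP     6m29s   statefulset.kubernetes.io/pod-name=mongo-2
rabbitmq            ClusterIP   10.96.1.133   <none>        5672/TCP,4369/TCP   21m     app.kubernetes.io/name=rabbitmq'

# nodeport_list: read kubectl output on stdin and print "<service> <proto> <nodeport>"
# for each NodePort mapping. PORT(S) entries look like <port>:<nodeport>/<PROTO>
# and a service may list several, separated by commas.
nodeport_list() {
  awk 'NR > 1 && $2 == "NodePort" {
    n = split($5, maps, ",")
    for (i = 1; i <= n; i++) {
      split(maps[i], parts, "[:/]")
      if (parts[2] != "") print $1, tolower(parts[3]), parts[2]
    }
  }'
}

# nodeport_ports: just the node port numbers, one per line, in kubectl order.
nodeport_ports() {
  nodeport_list | awk '{ print $3 }'
}

# firewalld_rules: emit the same rich-rule form used on this page, one per
# NodePort mapping, followed by the reload. Review the output before running it.
firewalld_rules() {
  nodeport_list | while read -r name proto port; do
    printf "# %s\nfirewall-cmd --permanent --zone=public --add-rich-rule='rule family=\"ipv4\" port protocol=\"%s\" port=\"%s\" accept'\n" \
      "$name" "$proto" "$port"
  done
  echo 'firewall-cmd --reload'
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_SVC" | firewalld_rules
# Usage against a live cluster (review, then pipe to sh if correct):
#   kubectl get svc -o wide | firewalld_rules
```

Each printed rule opens the port to every address that reaches the node on the public zone, exactly as the page's hand-written commands do. If only specific clients need the MongoDB NodePorts, add a `source address="..."` clause to the rich rule (a standard firewalld rich-rule element) before applying it, and re-run the script after any redeploy, since the NodePort numbers change.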