Fischerman Fischerman - 1 year ago 268
Linux Question

Iptables error prevents Pod starting in Kubernetes

I'm setting up a Kubernetes cluster following Kelseys Lab:

I have only set up one node so far. When trying to deploy a Pod, the following error prevents it from getting started:

Warning FailedSync Error syncing pod, skipping: failed to "SetupNetwork" for "nginx-3137573019-pjbie_default" with SetupNetworkError: "Failed to setup network for pod \"nginx-3137573019-pjbie_default(b4128fc1-6707-11e6-a8b3-005056a2068d)\" using network plugins \"kubenet\": Failed to execute iptables-restore: exit status 1 (Can't open /tmp/kube-temp-iptables-restore-214792160: Permission denied\n); Skipping pod"

The kubelet runs as root. The files mentioned in the log also belong to root.

System is Linux OEL 7 (Kernel: UEK 4.1.12)

Does anyone have an idea, what the cause could be or how to investigate further?

Answer Source

Sounds like SELinux is preventing kubelet from performing changes on IPtables. Search for messages containing the string 'AVC' inside /var/log/audit/audit.log in order to confirm that theory.

The easiest workaround is to disable SELinux altogether with the shell command setenforce 0. This doesn't survive a reboot, so make sure you also disable SELinux in /etc/selinux/config.

If you don't want to disable SELinux completely, which I'd recommend, you will have to use tools like audit2allow and semodule in order to build your own SELinux module for kubelet and kube-proxy.

Check these references for further guidance:

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download