IPTables default drop on ubuntu 16.04

[berndtj]

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version (use kubeadm version): v1.7.3

Environment:

• Kubernetes version (use kubectl version): v1.7.3
• Cloud provider or hardware configuration: openstack
• OS (e.g. from /etc/os-release): ubuntu 16.04.2 LTS
• Kernel (e.g. uname -a): Linux bjung-master 4.4.0-62-generic --service-cidr option should set DNS server IP #83-Ubuntu SMP Wed Jan 18 14:10:15 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
• Others:

What happened?

Nodeport is inaccessible externally.

What you expected to happen?

Nodeport works out of the box

How to reproduce it (as minimally and precisely as possible)?

Install kubernetes on a single ubuntu 16.04 node using flannel:

kubeadm init --pod-network-cidr=10.244.0.0/16
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml
kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel-rbac.yml
kubectl taint nodes --all node-role.kubernetes.io/master-

Install sockshop, and try to access via nodeport

Anything else we need to know?

The following workaround fixes the issue:

sudo iptables -P FORWARD ACCEPT

[jamiehannaford]

I think this was because flannel didn't support the portmap CNI plugin by default until this PR coreos/flannel-cni#5. Would you mind retrying with a newer flannel version?

[luxas]

Yeah, I think this is a flannel issue. If you still can reproduce this, please consider opening an issue in the flannel repo instead.
Thank you!