Folks,

Bringing this to atomic-devel because I'm not sure that it isn't an issue with CentOS Atomic ISOs as well. Also, I'm not quite sure where the rule is coming from.

Currently, the Fedora Atomic ISOs come with an iptables setup which includes a reject-by-default rule, which results in making it impossible to expose any services through Kubernetes.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:otv /* vxlan */
ACCEPT     all  --  anywhere             anywhere             /* kube-proxy redirects */
...
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             /* flannel subnet */
ACCEPT     all  --  anywhere             anywhere             /* flannel subnet */
...
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

This creates a terrible out-of-box experience for setting up a new bare-metal cluster with Atomic, especially as most admins are not adept at reading iptables (it required the help of Tim Wright to figure out that this was the issue).

Where's the best place to fix this?

--
Josh Berkus
Project Atomic
Red Hat OSAS
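
Added example, not part of the original message and not Project Atomic code: a small Python audit that finds the first unconditional REJECT/DROP in each chain and lists the rules that sit after it and therefore never match. It assumes `iptables -S` output as input (the `-L` listing above omits interface matches when run without `-v`); the `SAMPLE` ruleset, port 30080 and the function names are constructed for illustration.

```python
import shlex

# Constructed sample in `iptables -S` format; not taken from the host in the post.
SAMPLE = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m comment --comment "catch-all" -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 30080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""

def parse_rules(text):
    """Map chain name -> ordered list of (match_tokens, target)."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 2 and tok[0] == "-P":
            chains.setdefault(tok[1], [])
        elif len(tok) >= 4 and tok[0] == "-A" and "-j" in tok:
            j = tok.index("-j")
            chains.setdefault(tok[1], []).append((tok[2:j], tok[j + 1]))
    return chains

def conditions(matches):
    """Match tokens with '-m comment --comment <text>' removed (it filters nothing)."""
    out, i = [], 0
    while i < len(matches):
        if matches[i:i + 3] == ["-m", "comment", "--comment"]:
            i += 4
        else:
            out.append(matches[i])
            i += 1
    return out

def audit(text):
    """Per chain: first unconditional REJECT/DROP and the rules listed after it."""
    report = {}
    for chain, rules in parse_rules(text).items():
        for pos, (matches, target) in enumerate(rules):
            if target in ("REJECT", "DROP") and not conditions(matches):
                shadowed = [" ".join(m + ["-j", t]) for m, t in rules[pos + 1:]]
                report[chain] = {"rule": pos + 1, "target": target, "shadowed": shadowed}
                break
    return report

if __name__ == "__main__":
    for chain, hit in audit(SAMPLE).items():
        print(chain, hit)
```

On a live host the same functions can be fed the text of `iptables -S`; an ACCEPT that shows up under `shadowed` was appended after the catch-all and has to be inserted ahead of it to take effect.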