Workaround default forward policy
Default forward policy for ucp deployment is DROP.
The patch allows forwarding packets to/from the floating network by inserting ACCEPT rules into the DOCKER-USER chain.
Related-Prod: PRODX-2195
Change-Id: I5bca5f65161f6b2edde96d6191bc6907489b8824
diff --git a/de/heat-templates/scripts/instance_boot.sh b/de/heat-templates/scripts/instance_boot.sh
index c03f7b2..84ca81a 100644
--- a/de/heat-templates/scripts/instance_boot.sh
+++ b/de/heat-templates/scripts/instance_boot.sh
@@ -12,6 +12,7 @@
OS_CODENAME=$(lsb_release -c -s)
KUBECTL_VERSION=${KUBECTL_VERSION:-v1.14.0}
NODE_DEPLOYMENT_RETRIES=${NODE_DEPLOYMENT_RETRIES:-15}
+FLOATING_NETWORK_PREFIXES=${FLOATING_NETWORK_PREFIXES:-10.11.12.0/24}
NODE_TYPE=$node_type
UCP_MASTER_HOST=$ucp_master_host
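Review bot: The new default `10.11.12.0/24` is a hard-coded network that is opened on every node (see the function added later in this patch) whenever `FLOATING_NETWORK_PREFIXES` is not set, and the value is interpolated straight into an iptables command without any CIDR validation. Since callers presumably supply it from the heat parameters, a comment should at least pin the contract: `# Space-separated CIDRs of the floating network; each is inserted verbatim as an ACCEPT rule in DOCKER-USER, so it must contain only trusted prefixes.` Consider whether an empty default (skip the workaround unless explicitly configured) is safer than a guessed prefix that may not match the deployment.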
@@ -163,6 +164,13 @@
systemctl restart systemd-resolved
}
+function workaround_default_forward_policy {
+ for net in $FLOATING_NETWORK_PREFIXES; do
+ iptables -I DOCKER-USER -d ${net} -j ACCEPT
+ iptables -I DOCKER-USER -s ${net} -j ACCEPT
+ done
+}
+
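Review bot: `workaround_default_forward_policy` is not idempotent and does no error checking: each run prepends two more identical rules to DOCKER-USER, and a failing `iptables` call (e.g. the chain not yet created because Docker is not up at that point in the boot flow, which I cannot confirm from here) goes unnoticed unless the script runs under `set -e`. Guard each insert with a check and quote the expansion, e.g. `iptables -C DOCKER-USER -d "$net" -j ACCEPT 2>/dev/null || iptables -I DOCKER-USER -d "$net" -j ACCEPT` (and the same for `-s`), keeping `$FLOATING_NETWORK_PREFIXES` unquoted in the `for` only because the split into words is intentional. Note also that `-I` places an unconditional ACCEPT for every protocol and port, in both directions, ahead of any rule already in DOCKER-USER, so it overrides whatever restrictions that chain carried; if the goal is only to let floating-IP traffic reach workloads on this host, narrowing with `-m conntrack --ctstate` or an interface match would keep the workaround from becoming a blanket forward allow. These rules are not persisted by this function, so they are lost on reboot unless something else saves them.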
case "$NODE_TYPE" in
ucp)
@@ -175,6 +183,7 @@
download_bundles
rm_ucp_config
install_kubectl
+ workaround_default_forward_policy
wait_for_node
;;
master)
@@ -184,6 +193,7 @@
download_bundles
join_node manager
install_kubectl
+ workaround_default_forward_policy
wait_for_node
;;
worker)
@@ -193,6 +203,7 @@
download_bundles
join_node worker
install_kubectl
+ workaround_default_forward_policy
wait_for_node
;;
*)