7.4. Troubleshooting ufw
If your system is running the ufw firewall, it is necessary to allow traffic from K3s' pod subnet (by default 10.42.0.0/16) and service subnet (by default 10.43.0.0/16) via ufw for K3s to work properly 1. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt 2:
Allow traffic from 10.42.0.0/16 and 10.43.0.0/16 via ufw?
Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).
Caution
If you opt out of the proposed remediation, K3s may malfunction.
The remediation attempted by configure-firewall is equivalent to 3:
ufw allow from 10.42.0.0/16 to any
ufw allow from 10.43.0.0/16 to any
ufw reload
By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16, but if you customized your K3s installation to use other subnets, you should substitute them here.
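To check whether the rules above are already in place, the following added example (not part of configure-firewall or the LOCKSS installer) reads `ufw status` output and lists the subnets that have no "allow from ... to any" rule. The helper names, the sample status text and the 6443/tcp rule in it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of configure-firewall.
# missing_subnets SUBNET... reads `ufw status` text on stdin and prints each
# subnet that has no "allow from SUBNET to any" rule. Hypothetical helper name.
missing_subnets() {
    status=$(cat)
    # An inactive ufw filters nothing, so no rule is missing.
    case "$status" in
        *"Status: active"*) ;;
        *) return 0 ;;
    esac
    for subnet in "$@"; do
        # "to any" rules list "Anywhere" in the To column; the From column is
        # last. Port- or interface-restricted rules do not count.
        if ! printf '%s\n' "$status" | awk -v s="$subnet" '
            $1 == "Anywhere" && $2 == "ALLOW" && $NF == s { found = 1 }
            END { exit !found }'
        then
            printf '%s\n' "$subnet"
        fi
    done
}

# Constructed sample of `ufw status` output: the pod subnet is allowed, the
# service subnet only has a port-restricted rule.
sample_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       10.42.0.0/16
6443/tcp                   ALLOW       10.43.0.0/16
EOF
}

# On a real host: sudo ufw status | missing_subnets 10.42.0.0/16 10.43.0.0/16
for s in $(sample_status | missing_subnets 10.42.0.0/16 10.43.0.0/16); do
    echo "no rule found, remediation would be: ufw allow from $s to any"
done
```

If you customized the K3s subnets, pass those values as arguments instead of the defaults.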
Tip
If your system did not initially use ufw at the time K3s was installed, but later does (for example because ufw becomes enabled), run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo 4:
scripts/configure-firewall
Footnotes
- 1 References:
- 2 See Installing K3s.
- 3 By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16.
- 4