So from last time I have a Kubernetes cluster built on top of RancherOS with a HAProxy load balancer on CentOS 8 sitting in front of it. Lately, I’ve been working on tightening down my home firewall rules and had restricted traffic to the load balancer to only port 443. That didn’t have any effect on the different web services I was running, but the next time I pulled out kubectl I couldn’t get a connection. Turns out, duh, you also need to pass the Kubernetes API port 6443 through the load balancer if you want to connect. Keep in mind that forwarding 6443 exposes the API server to whatever can reach the load balancer; access is still gated by the client certificate or token in your kubeconfig, but restrict the source addresses where you can.
Seems simple enough to fix: add the two entries below to /etc/haproxy/haproxy.cfg and restart the service (`haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before you do). The `mode tcp` matters: the API is plain TLS passthrough, so HAProxy never terminates the connection and the API server still sees kubectl’s client certificate.

```
# ----------
# /etc/haproxy/haproxy.cfg
# ----------
...
# TCP passthrough for the Kubernetes API; do not terminate TLS here
frontend rancher_k8s_api
    bind *:6443
    mode tcp
    default_backend rancher_k8s_api_backend
...
backend rancher_k8s_api_backend
    mode tcp
    option tcp-check
    server rancher-1 rancher-1.example.com:6443 check
    server rancher-2 rancher-2.example.com:6443 check
    server rancher-3 rancher-3.example.com:6443 check
```

```
$ sudo systemctl restart haproxy
```
Except of course it isn’t! Looking at `sudo journalctl -xe`, it turns out SELinux was blocking HAProxy from binding to port 6443. Fortunately, the log entry also suggested some ways to resolve the problem. Since the Kubernetes API is HTTPS traffic, I labelled tcp/6443 as `http_port_t` (a port type HAProxy’s SELinux domain is already allowed to bind) and restarted the service:

```
$ sudo semanage port -a -t http_port_t -p tcp 6443
$ sudo systemctl restart haproxy
```

`sudo semanage port -l | grep http_port_t` confirms the new label, and the `-a` persists across reboots. On CentOS 8 `semanage` comes from the policycoreutils-python-utils package if it isn’t already installed.
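As an added example (not from the original post, and not part of Rancher or HAProxy), here is a small POSIX shell helper that reads `semanage port -l` output and decides whether a port is already covered by the type you want, needs `semanage port -a`, or needs `semanage port -m` because the port already has an explicit entry under another type (semanage refuses `-a` for those with "already defined"). It goes slightly beyond the post by expanding range entries such as `61001-65535`. The function names and the embedded listing are this example’s own; the listing is a constructed, abbreviated sample whose entries resemble stock policy values.

```shell
#!/bin/sh
# Added example (not from the original post): decide what semanage command, if
# any, is needed before HAProxy can bind a port, by parsing `semanage port -l`.
# Function names and the sample listing below are this example's own.

# Constructed, abbreviated sample of `semanage port -l` output (a real listing
# runs to hundreds of lines; these entries resemble stock policy values).
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
squid_port_t                   tcp      3128, 3401, 4827
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535'

# Print every SELinux port type whose <proto> entry covers <port>; ranges such
# as 61001-65535 are expanded. Reads a `semanage port -l` listing on stdin.
port_types() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }          # header, blank lines, other protos
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)        # drop the trailing comma
                n = split(f, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) { print $1; break }
            }
        }'
}

# Print the type that lists <port> as an explicit single entry (not a range);
# semanage refuses `port -a` for such a port and wants `port -m` instead.
port_entry_type() {
    awk -v proto="$1" -v port="$2" '
        NF < 3 || $2 != proto { next }
        {
            for (i = 3; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f == port) { print $1; exit }
            }
        }'
}

# Usage: <listing> | selinux_port_plan <type> <proto> <port>
# Prints "ok" if <type> already covers the port, otherwise the semanage
# command (without sudo) that assigns it.
selinux_port_plan() {
    want="$1"; proto="$2"; port="$3"
    listing=$(cat)
    for t in $(printf '%s\n' "$listing" | port_types "$proto" "$port"); do
        if [ "$t" = "$want" ]; then
            echo "ok"
            return 0
        fi
    done
    if [ -n "$(printf '%s\n' "$listing" | port_entry_type "$proto" "$port")" ]; then
        echo "semanage port -m -t $want -p $proto $port"
    else
        echo "semanage port -a -t $want -p $proto $port"
    fi
}

# Demo against the constructed sample; on a real host pipe in
# `sudo semanage port -l` instead.
printf '%s\n' "$SAMPLE_LISTING" | selinux_port_plan http_port_t tcp 6443
printf '%s\n' "$SAMPLE_LISTING" | selinux_port_plan http_port_t tcp 3128
```

On a live box, `sudo semanage port -l | selinux_port_plan http_port_t tcp 6443` prints the command to run, and `sudo semanage port -lC` afterwards shows only the local customizations, which is the quickest way to review what you have changed from stock policy.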
The last thing to do is log in to Rancher real quick and pull down a fresh copy of the kubeconfig that points at the load balancer instead of at one of the control plane nodes. With that we’re back up and running!