diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index 8d559bd40c..8d4e1d6a1d 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md @@ -889,6 +889,16 @@ docker: - "dm.use_deferred_removal=true" ``` +### networking + +In order for containers started with `docker run` instead of Kubernetes to have network and internet access you need to enable the necessary [iptables](https://docs.docker.com/network/iptables/) rules: + +```yaml +docker: + ipMasq: true + ipTables: true +``` + ## sshKeyName In some cases, it may be desirable to use an existing AWS SSH key instead of allowing kops to create a new one. diff --git a/docs/releases/1.18-NOTES.md b/docs/releases/1.18-NOTES.md index 7890c58ffa..e2f0494220 100644 --- a/docs/releases/1.18-NOTES.md +++ b/docs/releases/1.18-NOTES.md 
@@ -42,7 +42,9 @@ * Support for the Debian 8 (Jessie) OS distribution has been removed. -* The Docker `health-check` service is now disabled by default. It shouldn't be needed anymore, but it can still be enabled by setting `spec.docker.healthCheck: true`. It is recommended to also check [node-problem-detector](https://github.com/kubernetes/node-problem-detector) and [draino](https://github.com/planetlabs/draino) as replacements. See Required Actions below. +* The Docker `health-check` service has been disabled by default. It shouldn't be needed anymore, but it can still be enabled by setting `spec.docker.healthCheck: true`. It is recommended to also check [node-problem-detector](https://github.com/kubernetes/node-problem-detector) and [draino](https://github.com/planetlabs/draino) as replacements. See Required Actions below. + +* Network and internet access for `docker run` containers has been disabled by default, to avoid any unwanted interaction between the Docker firewall rules and the firewall rules of netwok plugins. This was the default since the early days of Kops, but a race condition in the Docker startup sequence changed this behaviour in more recent years. To re-enable, set `spec.docker.ipTables: true` and `spec.docker.ipMasq: true`. * Lyft CNI plugin default subnet tags changed from from `Type: pod` to `KubernetesCluster: myclustername.mydns.io`. Subnets intended for use by the plugin will need to be tagged with this new tag and [additional tag filters](https://github.com/lyft/cni-ipvlan-vpc-k8s#other-configuration-flags) may need to be added to the cluster spec in order to achieve the desired set of subnets.
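Review bot: the new `### networking` section in `docs/cluster_spec.md` omits the caveat that the accompanying 1.18 release note gives for the same two flags; it tells the reader to set `ipMasq: true` and `ipTables: true` for `docker run` containers without saying that both now default to false, or that enabling them re-creates the "unwanted interaction between the Docker firewall rules and the firewall rules of network plugins" that motivated turning them off. Suggest stating the default and the trade-off in the section, e.g. "Both settings default to `false` since kops 1.18; enabling them makes Docker manage its own iptables rules alongside those of the cluster's network plugin, which is what the default avoids", and linking to the release note so an operator can make an informed choice rather than flipping the flags because a one-off container lacked internet access.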
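Review bot: the new bullet in `docs/releases/1.18-NOTES.md` is a default-behaviour change that breaks anyone relying on `docker run` networking on nodes, yet unlike the adjacent `health-check` bullet it does not say "See Required Actions below"; it should be listed there with the `spec.docker.ipTables: true` / `spec.docker.ipMasq: true` fix. Two wording fixes in the same line: "netwok plugins" should be "network plugins", and "a race condition in the Docker startup sequence changed this behaviour in more recent years" is too vague for a release note, so cite the issue or PR that describes the race so a reader can judge whether it affects them. The unchanged context line below it still reads "changed from from `Type: pod`", which is worth fixing while this file is being edited.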