7.4. Troubleshooting ufw

If your system is running the ufw firewall, it is necessary to allow traffic from K3s' pod subnet (by default 10.42.0.0/16) and service subnet (by default 10.43.0.0/16) via ufw for K3s to work properly [1]. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt [2]:

Allow traffic from 10.42.0.0/16 and 10.43.0.0/16 via ufw?

Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).

Caution

If you opt out of the proposed remediation, K3s may malfunction.

The remediation attempted by configure-firewall is equivalent to [3]:

    ufw allow from 10.42.0.0/16 to any
    ufw allow from 10.43.0.0/16 to any
    ufw reload

By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16, but if you customized your K3s installation to use other subnets, you should substitute them here.
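
One way to confirm that the rules above are in place, as an added example (not part of lockss-installer or configure-firewall): the function reads `ufw status` text and lists each given subnet that has no ALLOW rule. The function name and the sample status output are constructed for illustration, and the row layout "Anywhere ALLOW <subnet>" is an assumption about how ufw prints these rules.

```shell
#!/bin/sh
# Added example: list which K3s subnets have no ufw ALLOW rule.
# Input: `ufw status` text on stdin; subnets to check as arguments.

missing_ufw_allow() {
    awk -v want="$*" '
        BEGIN { n = split(want, subnets, " ") }
        # "Status: inactive" means ufw is not filtering, so nothing is missing.
        /^Status:/ { inactive = ($2 == "inactive") }
        # Rows created by "ufw allow from <subnet> to any" are assumed to read
        #   Anywhere   ALLOW   <subnet>      (or "ALLOW IN" in verbose output)
        $1 == "Anywhere" && $2 == "ALLOW" { allowed[$NF] = 1 }
        END {
            if (inactive) exit 0
            for (i = 1; i <= n; i++)
                if (!(subnets[i] in allowed)) print subnets[i]
        }
    '
}

# Constructed sample: only the pod subnet has been allowed so far.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
Anywhere                   ALLOW       10.42.0.0/16'

# Check the sample against the default K3s subnets; on a live system,
# pipe the output of "ufw status" (run as root) into the function instead.
printf '%s\n' "$SAMPLE_STATUS" | missing_ufw_allow 10.42.0.0/16 10.43.0.0/16
```

An empty result means every listed subnet is allowed or ufw is inactive; if you customized the K3s subnets, pass those instead of the defaults.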

Tip

If your system did not initially use ufw at the time K3s was installed, but later does (for example because ufw becomes enabled), run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo [4]:

scripts/configure-firewall

Footnotes

[1] References:

[2] See Installing K3s.

[3] By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16.

[4] See Running Commands as a Privileged User.