Warn if firewalld service is enabled.

In future we might try to verify ports are actually exposed in firewalld policy, but this can be quite complex. Instead lets just warn the user if we see firewalld is running.
2025-07-30 06:54:01 +00:00 · 2016-11-25 14:58:00 -04:00 · 2016-11-25 14:58:00 -04:00 · 16e01c65c4
commit 16e01c65c4
parent 545f749a0d
1 changed files with 27 additions and 0 deletions
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@ -80,6 +80,32 @@ func (sc ServiceCheck) Check() (warnings, errors []error) {
 	return warnings, errors
 }

+// FirewalldCheck checks if firewalld is enabled or active, and if so outputs a warning.
+type FirewalldCheck struct {
+	ports []int
+}
+
+func (fc FirewalldCheck) Check() (warnings, errors []error) {
+	initSystem, err := initsystem.GetInitSystem()
+	if err != nil {
+		return []error{err}, nil
+	}
+
+	warnings = []error{}
+
+	if !initSystem.ServiceExists("firewalld") {
+		return nil, nil
+	}
+
+	if initSystem.ServiceIsActive("firewalld") {
+		warnings = append(warnings,
+			fmt.Errorf("firewalld is active, please ensure ports %v are open or your cluster may not function correctly",
+				fc.ports))
+	}
+
+	return warnings, errors
+}
+
 // PortOpenCheck ensures the given port is available for use.
 type PortOpenCheck struct {
 	port int
@ -220,6 +246,7 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 		HostnameCheck{},
 		ServiceCheck{Service: "kubelet"},
 		ServiceCheck{Service: "docker"},
+		FirewalldCheck{ports: []int{int(cfg.API.BindPort), int(cfg.Discovery.BindPort), 10250}},
 		PortOpenCheck{port: int(cfg.API.BindPort)},
 		PortOpenCheck{port: 2379},
 		PortOpenCheck{port: 8080},