iptables – Disables Source NAT for Calico

The default settings that kubeadm + Calico use are to NAT all inbound connections that are not from a pod IP.

I've published the service network on my external LAN and I want the service pods to use the actual client IPs and not translated IPs.

In particular, it adds

-A KUBE-SERVICES ! -s -d -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ

to iptables.

Although this is not an immediate problem, it does pose a risk of ephemeral port exhaustion and general difficulties in tracking connections and logging clients accessing my web services.
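As an added example (not code from the post), a small Python checker that parses `iptables-save -t nat` rules in the format of the rule quoted above and lists which services jump to KUBE-MARK-MASQ, i.e. which services will only ever see translated client addresses in their logs. The pod CIDR, cluster IPs, chain suffix and the kube-dns rule are constructed sample values, because the post's rule has its `-s`/`-d` values elided.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iptables-save -t nat` output, modelled on the rule
# quoted in the post above. The pod CIDR, cluster IPs, chain suffix and
# the second service are invented for the example.
SAMPLE_RULES = """\
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.20.5/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.20.5/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-SVC-EXAMPLE1
-A KUBE-SERVICES ! -s 192.168.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "telemetry/pipeline-cdn:http" -m tcp --dport 30080 -j KUBE-MARK-MASQ
"""

# One kube-proxy service rule: optional (possibly negated) source, optional
# destination, protocol, service comment, destination port and jump target.
RULE_RE = re.compile(
    r'^-A (?P<chain>\S+)'
    r'(?: (?:(?P<neg>!) )?-s (?P<src>\S+))?'
    r'(?: -d (?P<dst>\S+))?'
    r' -p (?P<proto>\S+)'
    r' -m comment --comment "(?P<comment>[^"]*)"'
    r' -m \S+ --dport (?P<dport>\d+)'
    r' -j (?P<target>\S+)$'
)

def masquerade_rules(rules_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one record per rule that jumps to KUBE-MARK-MASQ.

    `snat_exempt_src` is the range excluded by `! -s` (the pod CIDR); every
    client outside it reaches the service with a translated source address.
    """
    found = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("target") != "KUBE-MARK-MASQ":
            continue
        found.append({
            "chain": m.group("chain"),
            "service": m.group("comment").split(" cluster IP")[0],
            "proto": m.group("proto"),
            "dst": m.group("dst"),
            "dport": m.group("dport"),
            "snat_exempt_src": m.group("src") if m.group("neg") else None,
        })
    return found

def services_losing_client_ip(rules_text: str) -> List[str]:
    """Distinct services whose logs will show a translated client address."""
    return sorted({r["service"] for r in masquerade_rules(rules_text)})
```

Feed it the real output of `iptables-save -t nat` to see every service and NodePort on the node that is subject to source NAT.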

Amazon Web Services – Kube dashboard and Calico network in pending state

I followed the following blog to create a Kubernetes cluster (on AWS EC2).

I have finished executing the commands up to the master configuration. However, the Dashboard and Calico network pods are stuck in Pending status. I googled and found many resources that are not useful in my case; for example, some problems were due to the scheduler being unavailable, but here I have it running. And I am very sure that I have done all these steps one after the other. Here is the result:

kubectl get pods -o wide --all-namespaces

kube-system   calico-kube-controller-694687c474-r55p7   0/1   Pending   0   18m
kube-system   coredns-86c58d9df4-25fxt                  0/1   Pending   0   33m
kube-system   coredns-86c58d9df4-w6mfx                  0/1   Pending   0   33m
kube-system   etcd-kmaster                              1/1   Running   0   37m   kmaster
kube-system   kube-apiserver-kmaster                    1/1   Running   0   37m   kmaster
kube-system   kube-controller-manager-kmaster           1/1   Running   0   37m   kmaster
kube-system   kube-proxy-l4wr6                          1/1   Running   0   38m   kmaster
kube-system   kube-scheduler-kmaster                    1/1   Running   0   37m   kmaster
kube-system   kubernetes-dashboard-57df4db6b-s7pzt      0/1   Pending       16m

As you can see, Calico and the Kube Dashboard have been in Pending status for more than 15 minutes. I would be really grateful for any other solutions / ideas.