http://bugzilla.opensuse.org/show_bug.cgi?id=1197490
http://bugzilla.opensuse.org/show_bug.cgi?id=1197490#c23

--- Comment #23 from Dirk Datzert <dirk.datzert@gmx.de> ---
Firewall-rules for kube-system

kube01:~ # get-services -n kube-system
NAME       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)                  AGE   SELECTOR
kube-dns   ClusterIP   10.96.0.10   <none>        53/UDP,53/TCP,9153/TCP   38m   k8s-app=kube-dns

kube01:~ # iptables -n --list | grep kube-system
REJECT     udp  --  0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns has no endpoints */ udp dpt:53 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns-tcp has no endpoints */ tcp dpt:53 reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:metrics has no endpoints */ tcp dpt:9153 reject-with icmp-port-unreachable
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set weave-P.B|!ZhkAr5q=XZ?3}tMBA+0 dst /* DefaultAllow ingress isolation for namespace: kube-system */
WEAVE-NPC-EGRESS-ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0            match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src /* DefaultAllow egress isolation for namespace: kube-system */
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set weave-E1ney4o[ojNrLk.6rOHi;7MPE src /* DefaultAllow egress isolation for namespace: kube-system */
kube01:~ #

--
You are receiving this mail because:
You are the assignee for the bug.