Merge pull request #5853 from imcsk8/flannel-iptables

Automatic merge from submit-queue.

Add iptables rules for flannel

[WIP] When using flannel there are iptables rules that need
to be added as stated here:

https://access.redhat.com/documentation/en-us/reference_architectures/2017/html-single/deploying_red_hat_openshift_container_platform_3.4_on_red_hat_openstack_platform_10/#run_ansible_installer

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1493955

2 files changed, 14 insertions, 0 deletions

diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml
index 7d79bd3d4..f94399fab 100644
--- a/roles/flannel/handlers/main.yml
+++ b/roles/flannel/handlers/main.yml
@@ -21,3 +21,7 @@
   until: not (l_restart_node_result is failed)
   retries: 3
   delay: 30
+
+- name: save iptable rules
+  become: yes
+  command: 'iptables-save'
diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml
index 4627bf69c..11981fb80 100644
--- a/roles/flannel/tasks/main.yml
+++ b/roles/flannel/tasks/main.yml
@@ -41,3 +41,13 @@
   notify:
     - restart docker
     - restart node
+
+- name: Enable Pod to Pod communication
+  command: /sbin/iptables --wait -I FORWARD -d {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }} -i {{ flannel_interface }} -j ACCEPT -m comment --comment "Pod to Pod communication"
+  notify:
+    - save iptable rules
+
+- name: Allow external network access
+  command: /sbin/iptables -t nat -A POSTROUTING -o {{ flannel_interface }}  -j MASQUERADE -m comment --comment "Allow external network access"
+  notify:
+    - save iptable rules