In-cluster building doesn't work on DigitalOcean (doks) #877
Currently, in-cluster building doesn't work with DigitalOcean doks clusters.
For in-cluster building to work, same as on GKE, AKS etc.
Try configuring a doks cluster environment in the
Use the default
We need to reach out to DO to figure out why hostPort services refuse connections.
Same thing on my side with a Kops provisioned cluster on AWS. Using default Kops settings. No fancy networking stuff. I'm basically getting the same error.
By investigating more and looking into the logs of the registry-proxy DaemonSet, I've found that requests have been filtered out. That's mostly due to the range parameter used on
Initial command in registry-proxy:
I updated it for the moment to make it work by removing the range param (I'm sure there are some security implications I'm not aware of, but at least it makes things work):
TLDR: This should be fixed with a new DOKS image shipping this week.
This is due to the currently used version of our CNI (Cilium) not supporting hostPort out of the box. A newer version adds a flag that makes enabling it easy. A new version of DOKS should be shipping this week that enables this.
I've been told this can be used as a workaround for the time being: https://github.com/snormore/cilium-portmap.
@clems71 Ah, we probably need to dynamically work out the correct address range. Key thing was to make sure we're not allowing outside traffic accidentally, as a side-effect of our little trickery to get the in-cluster registry going. I'll dig into this, see how we might best solve this across the board.
@eddiezane Thanks for the quick response! Once it's released, I expect I need to update my existing cluster(s)?
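Added example, not part of the original thread and not the project's code or the fix in #930: a sketch of the trade-off discussed above, where a fixed source range rejects in-cluster clients, dropping the range admits outside traffic, and a range derived from the cluster's own subnets does neither. All addresses, CIDRs and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values, not taken from the thread or any real cluster.
HARDCODED_RANGE = ["10.0.0.0/8"]   # hypothetical fixed allow range
NO_RANGE = ["0.0.0.0/0"]           # net effect of removing the range check
NODE_SUBNETS = ["172.20.0.0/19", "172.20.32.0/19", "100.96.0.0/11"]


def parse(ranges):
    """Turn CIDR strings into network objects."""
    return [ipaddress.ip_network(r) for r in ranges]


def is_allowed(source, ranges):
    """True if the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in parse(ranges))


def derive_allow_ranges(subnets):
    """Collapse the cluster's own subnets into a minimal allow list.

    Refuses a catch-all or publicly routable subnet, so a bad input
    cannot silently open the proxy to outside traffic.
    """
    nets = parse(subnets)
    for net in nets:
        if net.prefixlen == 0 or net.is_global:
            raise ValueError(f"refusing non-internal range {net}")
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    node, outside = "172.20.40.7", "203.0.113.9"  # constructed addresses
    derived = derive_allow_ranges(NODE_SUBNETS)
    for label, ranges in [("hardcoded", HARDCODED_RANGE),
                          ("no range", NO_RANGE),
                          ("derived", derived)]:
        print(label, ranges,
              "node:", is_allowed(node, ranges),
              "outside:", is_allowed(outside, ranges))
```
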
Ok duly noted! Will check ASAP. Thanks for the feedback.…
On Sun, 7 Jul 2019 at 20:46, Jon Edvald wrote: @clems71 I believe #930 solves your issue. Just tried it myself on a kops cluster and seems to do the trick. It'll be in v0.10.1, so you can get rid of the workaround then .)
-- *Clément JACOB*