Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FR: xtables-nft-multi required for Oracle Kubernetes #8244

Open
rodrigc opened this issue May 31, 2023 · 6 comments
Open

FR: xtables-nft-multi required for Oracle Kubernetes #8244

rodrigc opened this issue May 31, 2023 · 6 comments
Labels
fr Feature request kubernetes L2 Few Likelihood P2 Aggravating Priority level T0 New feature Issue type

Comments

@rodrigc
Copy link
Contributor

rodrigc commented May 31, 2023
edited
Loading

What are you trying to do?

I mentioned this to @maisem at Tailescale up, who mentioned that this might be of interest to @danderson

Trying to run the Tailscale k8s operator in a managed Oracle Kubernetes (OKE) cluster. My colleague @cwiggs at QuickNode found that it was necessary to modify the tailscale image with this:

FROM --platform=linux/amd64 tailscale/tailscale:unstable

RUN apk update && apk add nftables

RUN rm -f /sbin/iptables && \
  ln -s /sbin/xtables-nft-multi /sbin/iptables && \
  rm -f /sbin/ip6tables && \
  ln -s /sbin/xtables-nft-multi /sbin/ip6tables

Without this, none of the Tailscale networking running in OKE worked.

How should we solve this?

Add nft support, maybe to the tailscale image, like how we did.

What is the impact of not solving this?

Running the tailscale operator inside an Oracle Kubernetes cluster will not work, due to lack of nft support

Anything else?

No response
@rodrigc rodrigc added fr Feature request needs-triage labels May 31, 2023
@DentonGentry
Copy link
Contributor

DentonGentry commented May 31, 2023
edited
Loading

Possibly related: #391, so as to not need iptables nor nftables to be installed.

@DentonGentry DentonGentry added kubernetes L2 Few Likelihood P2 Aggravating Priority level T5 Usability Issue type T0 New feature Issue type and removed needs-triage T5 Usability Issue type labels May 31, 2023
@rodrigc rodrigc changed the title FR: Oracle Kubernetes requires FR: xtables-nft-multi required for Oracle Kubernetes May 31, 2023
@DentonGentry
Copy link
Contributor

These likely won't be correct for all k8s environments:

  ln -s /sbin/xtables-nft-multi /sbin/iptables && \
  rm -f /sbin/ip6tables && \
  ln -s /sbin/xtables-nft-multi /sbin/ip6tables

We'll need to detect whether it is appropriate to do so.

@cwiggs
Copy link

cwiggs commented May 31, 2023

I believe this issue talks about what needs to be done, tldr: detech if iptables or nft should be used.

@rodrigc
Copy link
Contributor Author

rodrigc commented Jun 1, 2023

@cwiggs @DentonGentry Learned some details about this issue here:
#5621 (comment)

@rodrigc rodrigc mentioned this issue Jun 16, 2023
Closed
@Protozoan1369
Copy link

I used the new env var PROXY_FIREWALL_MODE that was added here: #9769 and it seems to work with the value nftables in OKE. The documentation still needs to be updated though.

@irbekrm
Copy link
Contributor

irbekrm commented Jan 2, 2024

The firewall mode autodiscovery should now correctly default to iptables/nftables in containers, so there shouldn't be a need for users to modify the PROXY_FIREWALL_MODE env var , however it is also configurable #9310 (comment).

Keen to hear whether anyone finds that the auto discovery does not work for them and they actually need to set the PROXY_FIREWALL_MODE - in that case, we should also add it to the docs. I will leave this issue open for a bit, to see if there is any feedback.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fr Feature request kubernetes L2 Few Likelihood P2 Aggravating Priority level T0 New feature Issue type
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@DentonGentry @rodrigc @cwiggs @irbekrm @Protozoan1369