FR: xtables-nft-multi required for Oracle Kubernetes

[rodrigc]

What are you trying to do?

I mentioned this to @maisem at Tailescale up, who mentioned that this might be of interest to @danderson

Trying to run the Tailscale k8s operator in a managed Oracle Kubernetes (OKE) cluster. My colleague @cwiggs at QuickNode found that it was necessary to modify the tailscale image with this:

FROM --platform=linux/amd64 tailscale/tailscale:unstable

RUN apk update && apk add nftables

RUN rm -f /sbin/iptables && \
  ln -s /sbin/xtables-nft-multi /sbin/iptables && \
  rm -f /sbin/ip6tables && \
  ln -s /sbin/xtables-nft-multi /sbin/ip6tables

Without this, none of the Tailscale networking running in OKE worked.

How should we solve this?

Add nft support, maybe to the tailscale image, like how we did.

What is the impact of not solving this?

Running the tailscale operator inside an Oracle Kubernetes cluster will not work, due to lack of nft support

Anything else?

No response

[DentonGentry]

Possibly related: #391, so as to not need iptables nor nftables to be installed.

[DentonGentry]

These likely won't be correct for all k8s environments:

  ln -s /sbin/xtables-nft-multi /sbin/iptables && \
  rm -f /sbin/ip6tables && \
  ln -s /sbin/xtables-nft-multi /sbin/ip6tables

We'll need to detect whether it is appropriate to do so.

[cwiggs]

I believe this issue talks about what needs to be done, tldr: detech if iptables or nft should be used.

[rodrigc]

@cwiggs @DentonGentry Learned some details about this issue here:
#5621 (comment)