Kubernetes operator can't open tuntap device in proxy #10814

@OneMoreByte

Description

What is the issue?

When trying to use the LoadBalancer or ExternalName services with the Kubernetes operator, the proxy container that gets created fails to start and prints out the following:

boot: 2024/01/11 01:36:41 Unable to create tuntap device file: operation not permitted

It seems like for some reason the securityContext the operator gives the pod with NET_ADMIN isn't enough for my setup.

I modified this file to look like this:

# This file is not a complete manifest, it's a skeleton that the operator embeds
# at build time and then uses to construct Tailscale proxy pods.
apiVersion: apps/v1
kind: StatefulSet
metadata: {}
spec:
  replicas: 1
  template:
    metadata:
      deletionGracePeriodSeconds: 10
    spec:
      serviceAccountName: proxies
      initContainers:
        - name: sysctler
          securityContext:
            privileged: true
          command: ["/bin/sh"]
          args:
            - -c
            - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
          # resources belongs to the init container, not the pod spec
          resources:
            requests:
              cpu: 1m
              memory: 1Mi
      containers:
        - name: tailscale
          imagePullPolicy: Always
          env:
            - name: TS_USERSPACE
              value: "false"
            - name: TS_AUTH_ONCE
              value: "true"
          securityContext:
            privileged: true

After building an image with this change and using it, I was able to use LoadBalancer and ExternalName Services the way the documentation describes.

Steps to reproduce

  1. Install the tailscale operator helm chart
  2. Create an ExternalName or LoadBalancer Service:

apiVersion: v1
kind: Service
metadata:
  annotations:
    tailscale.com/tailnet-fqdn: service-name.example-name.ts.net
  name: service-name
spec:
  externalName: placeholder
  type: ExternalName

or

apiVersion: v1
kind: Service
metadata:
  name: example-service
spec:
  type: LoadBalancer
  loadBalancerClass: tailscale
  ports:
  - name: http
    port: 8888
    protocol: TCP
    targetPort: http
  selector:
    app.kubernetes.io/instance: example
    app.kubernetes.io/name: example

Are there any recent changes that introduced the issue?

I don't know. I just recently started using tailscale.

OS

Linux, Other

OS version

Fedora 38

Tailscale version

1.56.1

Other software

Kubernetes: v1.26.5
Crio: 1.26.3

Bug report

BUG-42e65eedd3327119eb9fd14521e340d737025b2302499169c670a093e8bc4b98-20240111011724Z-21eb645710405b28
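The report above says the default securityContext (NET_ADMIN) was not enough and that `privileged: true` made the proxy start. Before reaching for `privileged`, which grants every capability and unrestricted device access rather than the one capability the manifest intends, it is worth confirming from inside the failing container which capabilities the process actually holds. The following is an added example by the editor, not code from the issue author or from the Tailscale project: it decodes the `CapEff` bitmask that Linux exposes in `/proc/<pid>/status` and reports the bits relevant to the error message (creating a device node requires CAP_MKNOD; configuring the interface requires CAP_NET_ADMIN). The sample status lines are constructed for illustration.

```python
"""Decode a container process's effective capability set from /proc/<pid>/status.

Added example (not from the issue or from Tailscale). The proxy pod's
securityContext is meant to grant NET_ADMIN; this shows how to verify
what the running process really holds before escalating to privileged.
"""
import re

# Capability numbers from the Linux UAPI header include/uapi/linux/capability.h.
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21
CAP_MKNOD = 27
CAPS_OF_INTEREST = {
    CAP_NET_ADMIN: "CAP_NET_ADMIN",  # needed to create/configure the tun interface
    CAP_MKNOD: "CAP_MKNOD",          # needed to mknod a device file such as /dev/net/tun
    CAP_SYS_ADMIN: "CAP_SYS_ADMIN",  # present only in privileged-style containers
}

# Constructed sample status fragments. The first is a process holding exactly
# CAP_NET_ADMIN (bit 12); the second is a fully privileged container on a kernel
# with capabilities 0..40 defined (2**41 - 1 == 0x1ffffffffff).
SAMPLE_NET_ADMIN_ONLY = "Name:\ttailscaled\nCapEff:\t0000000000001000\n"
SAMPLE_PRIVILEGED = "Name:\ttailscaled\nCapEff:\t000001ffffffffff\n"


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask from the text of a /proc/<pid>/status file."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line found in status text")
    return int(match.group(1), 16)


def has_cap(mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def tun_readiness(status_text: str) -> dict:
    """Map each capability of interest to whether the process holds it."""
    mask = parse_cap_eff(status_text)
    return {name: has_cap(mask, cap) for cap, name in CAPS_OF_INTEREST.items()}


def read_live_status(pid: str = "1") -> str:
    """Read /proc/<pid>/status; pid 1 is the container's main process when run via kubectl exec."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, text in (("NET_ADMIN only", SAMPLE_NET_ADMIN_ONLY), ("privileged", SAMPLE_PRIVILEGED)):
        print(label, tun_readiness(text))
```

To run this against the real proxy pod, copy the script in and point it at the main process, e.g. `kubectl exec <proxy-pod> -c tailscale -- cat /proc/1/status` and feed that text to `tun_readiness`. If CAP_NET_ADMIN is present but CAP_MKNOD is not, the securityContext is applying as intended and the failure is in creating the device node rather than in configuring the interface; a devices cgroup policy on the node can also deny mknod even when the capability is held, so a missing `/dev/net/tun` should be checked on the runtime side as well.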
