angelnu / pod-gateway

Container image used to set a pod gateway
Apache License 2.0

Startup/liveness/readiness probe fails #19

Closed arana198 closed 1 year ago

arana198 commented 1 year ago


What steps did you take and what happened:

After weeks of trying I finally have traffic routed through transmission -> pod-gateway -> vpn.

I can see that all routed pods have the IP address location of the VPN.

After I got the above working, strangely, the liveness probe stopped working with the following error:

Unhealthy 4m34s (x6698 over 18h) kubelet Startup probe failed: dial tcp 10.244.1.58:7878: i/o timeout

I've set a very high threshold and frequency before the pod is killed.

The weird thing is that I can exec into any pod (including any routed pod, e.g. transmission/radarr) and curl 10.244.1.58:7878 and get a successful response. I am also able to port-forward and display the page correctly for all instances of routed pods.

Helm chart: angelnu/pod-gateway
CNI: Flannel with Canal

pod-gateway settings

image:
  tag: v1.8.1

routed_namespaces:
 - mediaserver

settings:
  VPN_INTERFACE: "tun0"
  VPN_BLOCK_OTHER_TRAFFIC: true
  VPN_TRAFFIC_PORT: 443
  NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8"

addons:
  vpn:
    enabled: true
    type: gluetun
    env:
      - name: VPN_SERVICE_PROVIDER
        value: "nordvpn"
      - name: VPN_TYPE
        value: "openvpn"
      - name: OPENVPN_PROTOCOL
        value: "tcp"

    securityContext:
      capabilities:
        add:
          - NET_ADMIN

    networkPolicy:
      enabled: false
      policyTypes:
        - Ingress
        - Egress
      ingress:
        - from:
            # Only allow ingress from K8S
            - ipBlock:
                cidr: 10.0.0.0/8
      egress:
        # Allow only VPN traffic to Internet
        - to:
          - ipBlock:
              cidr: 0.0.0.0/0
          ports:
            # VPN traffic port - change if your provider uses a different port
            - port: 443
              protocol: TCP
        - to:
            # Allow traffic within K8S - change if your K8S cluster uses a different CIDR
          - ipBlock:
              cidr: 10.0.0.0/8

Network policy is set to false

Why would this be?

gwelican commented 1 year ago

I had a similar issue. I had to whitelist the host IP (192.168.1.x): when I was curling from the actual host where the pod was deployed, it did not work, but it did work from the kube master. Try adding the host IP to NOT_ROUTED_TO_GATEWAY_CIDRS.
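The suggestion above points at an asymmetric-route failure: kubelet dials the pod from the node IP, and if that IP is not inside NOT_ROUTED_TO_GATEWAY_CIDRS the pod's reply leaves through the gateway (and the VPN) and never comes back, so the probe times out while curl from inside the cluster network still works. The following is an added example (not code from pod-gateway or from anyone in this thread) that models that rule for a set of probe sources; the node/master addresses, the 10.244.0.0/16 pod CIDR and the accepted separators in the CIDR list are constructed assumptions, so check the chart's documentation for the exact list format.

```python
"""Model which probe sources would have their replies diverted through the
pod-gateway: destinations inside NOT_ROUTED_TO_GATEWAY_CIDRS are answered
directly over the pod's cluster interface, everything else goes to the gateway."""
import ipaddress
from typing import Iterable, List


def parse_cidrs(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a CIDR list such as "10.0.0.0/8 192.168.1.0/24".
    Assumption: entries are separated by spaces and/or commas."""
    return [ipaddress.ip_network(c, strict=False)
            for c in spec.replace(",", " ").split()]


def reply_path(src: str, direct_cidrs: Iterable[ipaddress.IPv4Network]) -> str:
    """Return 'direct' when a reply to src stays inside the cluster network,
    'gateway' when it would be sent out through the pod-gateway/VPN."""
    addr = ipaddress.ip_address(src)
    return "direct" if any(addr in n for n in direct_cidrs) else "gateway"


def probes_via_gateway(sources: Iterable[str], spec: str) -> List[str]:
    """List the probe sources whose replies would be diverted to the gateway,
    i.e. the ones whose startup/liveness/readiness probes will time out."""
    cidrs = parse_cidrs(spec)
    return [s for s in sources if reply_path(s, cidrs) == "gateway"]


# Constructed sample: a pod-network address (pod CIDR 10.244.0.0/16, matching
# the 10.244.1.58 pod on the page), a kube master at 10.0.0.1 and a worker
# node at 192.168.1.10 (the "192.168.1.x" host IP mentioned in the thread).
PROBE_SOURCES = ["10.244.1.1", "10.0.0.1", "192.168.1.10"]
ORIGINAL = "10.0.0.0/8"                  # value from the issue's settings
FIXED = "10.0.0.0/8 192.168.1.0/24"      # node network added (assumed /24)

if __name__ == "__main__":
    print("diverted with original setting:", probes_via_gateway(PROBE_SOURCES, ORIGINAL))
    print("diverted after adding node CIDR:", probes_via_gateway(PROBE_SOURCES, FIXED))
```

Feed it the node addresses from `kubectl get nodes -o wide` to see which kubelets would fail their probes with a given setting.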

angelnu commented 1 year ago

Did this solve it @arana198 ?

arana198 commented 1 year ago

Yes, I will close it. Although I changed a lot of config and the k8s CNI, so I don't remember what I did in the end.