jupyterhub / zero-to-jupyterhub-k8s

Helm Chart & Documentation for deploying JupyterHub on Kubernetes
https://zero-to-jupyterhub.readthedocs.io

exec: \"iptables\": executable file not found in $PATH" #1268

Closed asiekkowa closed 4 years ago

asiekkowa commented 5 years ago

I am trying to get a working deployment of JupyterHub on an OpenShift cluster.

I use https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/jupyterhub/templates/hub/deployment.yaml. The JupyterHub deployment works, but when I try to spin up a new server I get the error: Error: failed to start container "block-cloud-metadata": Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"iptables\": executable file not found in $PATH"

Used images: k8s-hub:0.9-b51ffeb k8s-singleuser-sample:0.9-b51ffeb configurable-http-proxy:4.1.0

OpenShift Version: openshift v3.9.0+ba7faec-1 kubernetes v1.9.1+a0ce1bc657

I configured firewalld on openshift using https://docs.openshift.com/container-platform/3.9/install_config/install/prerequisites.html#install-config-network-using-firewalld

minrk commented 5 years ago

This command is normally run in the k8s-network-tools image. Have you changed the singleuser.networkTools image?

consideRatio commented 4 years ago

I'm closing this as something we can't reproduce. I assume it could be caused by modifying the user running the container or similar, which would perhaps hide access to the iptools utility, which we require root to run.

Note that you can rely on blocking the insecure cloud metadata server IP for users by using the NetworkPolicy resources that come with the Helm chart and are in the latest development release, and future 0.10.0 version, enabled by default - but, they require a network policy controller in the k8s cluster. By relying on that, you can disable this tool that requires root privileges by singleuser.cloudMetadata.enabled=false or the new syntax in the latest development release singleuser.cloudMetadata.blockWithIptables=true.
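
The NetworkPolicy approach mentioned in the last comment, as an added example (not the Helm chart's own template): an egress rule for user pods that allows all IPv4 destinations except the cloud metadata address. The policy name, namespace and pod labels are assumptions to adjust to your release; 169.254.169.254 is the link-local address commonly used by cloud metadata services and is not stated in the thread.

```yaml
# Added example: block the cloud metadata endpoint for user pods with a
# NetworkPolicy instead of the root-requiring iptables init container.
# Requires a network policy controller that enforces egress rules.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: singleuser-block-cloud-metadata   # hypothetical name
  namespace: jhub                          # assumed namespace of the hub release
spec:
  # Assumed labels on the spawned user pods; confirm them with
  # `kubectl get pods --show-labels` before applying.
  podSelector:
    matchLabels:
      app: jupyterhub
      component: singleuser-server
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0              # allow all IPv4 destinations...
            except:
              - 169.254.169.254/32       # ...except the metadata endpoint
```

Because the policy selects the user pods for egress, any destination not matched by the rule is dropped by an enforcing controller, so the metadata address is unreachable without an init container running as root.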