liqotech / liqo

Enable dynamic and seamless Kubernetes multi-cluster topologies
https://liqo.io
Apache License 2.0

adding cloud cluster to edge seems succeeded, but foreigncluster NETWORKING STATUS kept NONE #1034

Closed wfchair closed 2 years ago

wfchair commented 2 years ago

What happened:

I created a single-node k3s cluster on an Aliyun cloud VM; liqoctl install k3s was also OK. I created a single-node k3s cluster on an edge PC (on-premise, behind NAT); liqoctl install k3s was also OK.

$ liqoctl add cluster cluster-c1 --auth-url https://39.107.54.254:32688 --id someid --token sometoken

succeeded at the edge PC,

$ kubectl get foreigncluster
NAME         OUTGOING PEERING PHASE   INCOMING PEERING PHASE   NETWORKING STATUS   AUTHENTICATION STATUS   AGE
cluster-c1   Established              None                     None                Established             3h47m

- lastTransitionTime: "2021-12-29T07:32:09Z"
  message: The NetworkConfig has not been found in the Tenant Namespace liqo-tenant-04f81cf9-f45c-43e2-9204-bfc70e09de6d
  reason: NetworkConfigNotFound
  status: None
  type: NetworkStatus
- lastTransitionTime: "2021-12-29T07:32:08Z"
  message: No ResourceRequest found in the Tenant Namespace liqo-tenant-04f81cf9-f45c-43e2-9204-bfc70e09de6d
  reason: NoResourceRequest
  status: None
  type: IncomingPeering

$ kubectl logs deployment.apps/liqo-crd-replicator -n liqo
reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.1/tools/cache/reflector.go:167: Failed to watch unstructured.Unstructured: failed to list unstructured.Unstructured: networkconfigs.net.liqo.io is forbidden: User "8b574087-5518-46ea-afa5-1d2453516788" cannot list resource "networkconfigs" in API group "net.liqo.io" in the namespace "liqo-tenant-8b574087-5518-46ea-afa5-1d2453516788"

What you expected to happen:

Peering succeeds.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

aleoli commented 2 years ago

Hi @wfchair!

Can you please check if there is a RoleBinding in the liqo-tenant-<remote-cluster-id> in your clusters allowing actions on NetworkConfigs?

And, (in case there is no binding) if you enable the bidirectional peering (add the edge cluster from the cloud one) is this issue solved?

wfchair commented 2 years ago

if there is a RoleBinding in the liqo-tenant-<remote-cluster-id> in your clusters allowing actions on NetworkConfigs?

On the edge node, I got liqo-remote-peering-outgoing:

user@node04:~$ kubectl get rolebinding -n liqo-tenant-04f81cf9-f45c-43e2-9204-bfc70e09de6d
NAME                                        ROLE                                       AGE
liqo-binding-liqo-remote-peering-basic      ClusterRole/liqo-remote-peering-basic      16h
liqo-binding-liqo-remote-peering-outgoing   ClusterRole/liqo-remote-peering-outgoing   16h

but on the cloud VM, I did not get liqo-remote-peering-outgoing:

root@iZ2ze9x1lrje9ccyfnjhfxZ:~# kubectl get rolebinding -n liqo-tenant-c9f5d669-16f0-4a1c-ae6b-7b23901fb0ef
NAME                                     ROLE                                    AGE
liqo-binding-liqo-remote-peering-basic   ClusterRole/liqo-remote-peering-basic   16h

if you enable the bidirectional peering (add the edge cluster from the cloud one) is this issue solved?

no.

At edge, the cloud cluster auth-url https://39.107.54.254:32688 is reachable; at cloud, the edge cluster auth-url https://10.0.20.41:31324 (private ip behind NAT) is unreachable.

Is this case supported by Liqo?
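The RoleBinding check aleoli asked for, carried out offline as an added example (not Liqo's own code): a small RBAC evaluator run over constructed ClusterRole rules and the two tenant-namespace binding sets listed above. The rule contents, the `REMOTE_USER` name and the assumption that only the "outgoing" role covers NetworkConfigs are constructed for illustration; Liqo's real manifests may differ.

```python
# Added example, not Liqo's code. Roles, rules and the subject name are CONSTRUCTED
# to mirror the issue: the edge cluster has both bindings, the cloud VM only "basic".

EDGE_NS = "liqo-tenant-04f81cf9-f45c-43e2-9204-bfc70e09de6d"   # namespace on the edge cluster
CLOUD_NS = "liqo-tenant-c9f5d669-16f0-4a1c-ae6b-7b23901fb0ef"  # namespace on the cloud VM
REMOTE_USER = "remote-cluster-identity"  # constructed; Liqo uses the remote cluster id

# Assumption: only the "outgoing" ClusterRole grants access to networkconfigs.net.liqo.io.
CLUSTER_ROLES = {
    "liqo-remote-peering-basic": [
        {"apiGroups": ["discovery.liqo.io"], "resources": ["resourcerequests"],
         "verbs": ["get", "list", "watch"]},
    ],
    "liqo-remote-peering-outgoing": [
        {"apiGroups": ["net.liqo.io"], "resources": ["networkconfigs"], "verbs": ["*"]},
    ],
}

# RoleBindings per tenant namespace, as listed in the issue.
ROLE_BINDINGS = {
    EDGE_NS: [
        {"roleRef": "liqo-remote-peering-basic", "subjects": [REMOTE_USER]},
        {"roleRef": "liqo-remote-peering-outgoing", "subjects": [REMOTE_USER]},
    ],
    CLOUD_NS: [
        {"roleRef": "liqo-remote-peering-basic", "subjects": [REMOTE_USER]},
    ],
}


def rule_allows(rule, group, resource, verb):
    """A PolicyRule matches when every field contains the value or the '*' wildcard."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule["apiGroups"], group) and match(rule["resources"], resource)
            and match(rule["verbs"], verb))


def can_i(namespace, user, verb, resource, group):
    """Namespaced RBAC decision over RoleBindings only (ClusterRoleBindings ignored).
    Mirrors `kubectl auth can-i <verb> <resource>.<group> -n <ns> --as <user>`."""
    for binding in ROLE_BINDINGS.get(namespace, []):
        if user not in binding["subjects"]:
            continue
        if any(rule_allows(r, group, resource, verb)
               for r in CLUSTER_ROLES.get(binding["roleRef"], [])):
            return True
    return False
```

On a live cluster the same question is answered by `kubectl auth can-i list networkconfigs.net.liqo.io -n liqo-tenant-<remote-cluster-id> --as <remote-cluster-id>`; a "no" on one side while the other side says "yes" matches the one-directional result seen in the crd-replicator log above.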

alacuku commented 2 years ago

Hi @wfchair,

at cloud, the edge cluster auth-url https://10.0.20.41:31324 (private ip behind NAT) is unreachable.

Liqo does not support clusters behind NAT. The API server and auth-url have to be reachable on every cluster that you are peering with Liqo.

wfchair commented 2 years ago

Liqo does not support clusters behind NAT.

Do you have a plan to support clusters behind NAT? Or do we have to use netmaker etc. to tunnel the physical network first before we use Liqo?

I think the case about cloud cluster and edge cluster behind NAT is a must-support case.

alacuku commented 2 years ago

Do you have plan to support clusters behind NAT?

We are working on that, soon a new version of liqoctl supporting clusters behind NAT will be available.

alacuku commented 2 years ago

1107

alacuku commented 2 years ago

Hi @wfchair, here you can find a Liqo version that supports clusters behind NAT. For more info check #1107.

wfchair commented 2 years ago

= the following New Feature? liqoctl connect by @alacuku in https://github.com/liqotech/liqo/pull/1132

alacuku commented 2 years ago

@wfchair, yes, and in the following issue #1107 you can find instructions on how to use liqoctl connect and liqoctl disconnect. We haven't updated the docs yet but will do it in the near future.

aleoli commented 2 years ago

This feature will be renamed to liqoctl peer in-band in the new release.

Closing since the issue seems to be resolved. @wfchair feel free to reopen if necessary.