suda / charts

A collection of Helm charts
Apache License 2.0

IP forwarding issue #5

Closed electrical closed 3 years ago

electrical commented 3 years ago

I ran into the issue it wouldn't allow me to connect to any of my services in a private network. My fix was to add a small init container to execute `sysctl -w net.ipv4.ip_forward=1` because I couldn't do this from the openvpn container (read-only filesystem). Not sure how others have made it work since I couldn't connect to anything without this.

suda commented 3 years ago

Do you mean Kubernetes services? Because this chart is not supposed to have access to them. The idea here was to have a VPN for the internet traffic rather than access to the inside of the Kubernetes cluster.

electrical commented 3 years ago

Ahh I see. Yeah, I'm using it to access services within the kubernetes cluster. At the moment everything is exposed via ingresses on an internal network. I'm still working on accessing the kubernetes services directly.

suda commented 3 years ago

You could remove the network policy that is blocking the access to the local cluster, but it might be easier to use the openvpn chart.

electrical commented 3 years ago

I did manage to get it to work yeah. Disabled the network policy and added a small init container for the mentioned ip_forward call. You can close this if you want :-)

lknite commented 2 years ago

@electrical how did you add the init container to do the ip_forward? I don't see a values option to set the init container; did you fork the repo to add it?

lknite commented 2 years ago

@electrical I've noticed the ip_forward value is set to '1' by default, yet when we run it in kubernetes it is turned off and we have to turn it back on. Have you looked into:

Could that be turning it off? If so, instead of an init container maybe we are supposed to be setting that allowedUnsafeSysctls on a particular node via the kubelet config, then in the deployment adding the sysctl setting to be 1, and then using taints and tolerances to target the configured node. I'm a little out of my element here ...

I've set the taints and tolerances and tried to configure allowedUnsafeSysctls on a node, not sure if I've done so successfully yet. Looking into how I could set the value on the deployment ...

electrical commented 2 years ago

Hi. We've added a small init container to it indeed.

```yaml
initContainers:
  - name: sysctl
    image: busybox:1.29
    command:
      - /bin/sh
    args:
      - -c
      - sysctl -w net.ipv4.ip_forward=1
    securityContext:
      # privileged gives the init container a writable /proc/sys,
      # which the read-only openvpn container does not have
      privileged: true
```

lknite commented 2 years ago

@electrical thank you, I tried this but left off the security context of the init container. Thanks for the example, it got me up and working.
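The kubelet-allowlist route lknite asks about, written out as an added example that is not part of this thread or of the suda/charts project: the sysctl is declared on the pod and applied by the kubelet in the pod's network namespace, so no privileged init container is needed. Node label, taint key, pod name and image are placeholders I assumed.

```yaml
# Part 1: KubeletConfiguration for the node(s) that will run the VPN pod.
# net.* sysctls are namespaced but not in the kubelet's "safe" set,
# so the kubelet must be told explicitly that it may apply this one.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
allowedUnsafeSysctls:
  - "net.ipv4.ip_forward"
---
# Part 2: pod spec. The kubelet sets the sysctl before any container
# starts, so the openvpn container can keep its read-only filesystem
# and nothing in the pod has to run privileged for this.
apiVersion: v1
kind: Pod
metadata:
  name: openvpn-example          # assumed name
spec:
  # pin the pod to the node(s) configured above (assumed label/taint)
  nodeSelector:
    vpn: "true"
  tolerations:
    - key: "vpn"
      operator: "Equal"
      value: "true"
      effect: "NoSchedule"
  securityContext:
    sysctls:
      - name: net.ipv4.ip_forward
        value: "1"
  containers:
    - name: openvpn
      image: PLACEHOLDER_OPENVPN_IMAGE   # assumed; use the chart's image
      securityContext:
        readOnlyRootFilesystem: true
```

If the pod is scheduled onto a node whose kubelet does not allowlist the sysctl, the kubelet rejects it with reason SysctlForbidden rather than silently running without forwarding, which makes a misconfigured node visible in `kubectl get pods` instead of as a VPN that connects but routes nothing.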