agent.host.iptables=true doesn't work w/ helm chart deployment

[jkroepke]

Hi,

today i tried kiam first time using the helm chart.

I'm using the 5.9.0 version, but the 5.10 is affected, too.

After setting agent.host.iptables=true, the agents did not start anymore:

2020-11-23T22:11:50.295363147+01:00 {"level":"info","msg":"configuring iptables","time":"2020-11-23T21:11:50Z"}
2020-11-23T22:11:50.299331187+01:00 {"level":"error","msg":"error configuring iptables: running [/sbin/iptables -t nat -C PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 10.240.1.23:8181 -i cali+ --wait]: exit status 3: DNAT: Could not determine whether revision 2 is supported, assuming it is.\nDNAT: Could not determine whether revision 2 is supported, assuming it is.\niptables v1.8.3 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n","time":"2020-11-23T21:11:50Z"}
2020-11-23T22:11:50.299425318+01:00 {"level":"fatal","msg":"fatal error: running [/sbin/iptables -t nat -C PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 10.240.1.23:8181 -i cali+ --wait]: exit status 3: DNAT: Could not determine whether revision 2 is supported, assuming it is.\nDNAT: Could not determine whether revision 2 is supported, assuming it is.\niptables v1.8.3 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n","time":"2020-11-23T21:11:50Z"}

System Info:

• Kubernetes 1.19.4
• cri-o 1.19
• Ubuntu 20.04

Kubernetes was setup with kubeadm, no special security rules applied. SELinux is not available on Ubuntu.

What did I do wrong? Do I miss something?

[wd]

This is the root cause: iptables v1.8.3 (legacy): can't initialize iptables tablenat': Permission denied (you must be root)` ?

[jkroepke]

Sure, the chart miss some settings