Liqo installation is failing in a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider. #2135

Open
mouad-eh opened this issue Nov 9, 2023 · 5 comments
Labels
fix Fixes a bug in the codebase.

mouad-eh commented Nov 9, 2023

What happened:

Liqo-route and Liqo-gateway pod creation failed on a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider (nodes are Docker containers).
After inspecting the logs of the Liqo-route DaemonSet, I discovered that this issue was caused by a pod security configuration. Specifically, the default Liqo namespace has a baseline pod security level in enforce mode, preventing Liqo-route and Liqo-gateway pods from being scheduled correctly.
As a workaround, I added labels to the Liqo namespace to change the pod security level to 'privileged,' allowing the pods to be scheduled correctly.

What you expected to happen:

A successful installation process using the liqoctl CLI tool.

How to reproduce it (as minimally and precisely as possible):

Create a workload cluster using ClusterAPI with Docker as an infrastructure provider and install liqo using the liqoctl CLI tool.

Anything else we need to know?:

Environment:

  • Liqo version: latest
  • Liqoctl version: v0.10.0
  • Kubernetes version (use kubectl version): v1.28
  • Cloud provider or hardware configuration: docker
  • Node image:
  • Network plugin and version:
  • Install tools:
  • Others:
@cheina97
Member

Hi @mouad-eh, thanks for your support. Can you give us more details about your workaround?

@mouad-eh
Author

Yes for sure.
I am installing liqo using helm so I run the following commands:

helm repo add liqo https://helm.liqo.io/
helm repo update
liqoctl install kubeadm --service-type NodePort --only-output-values --dump-values-path 1-values.yaml --kubeconfig workload-1.kubeconfig
helm install liqo liqo/liqo --namespace liqo --values 1-values.yaml --create-namespace --kubeconfig workload-1.kubeconfig

The installation process will start after this. So, I opened a new terminal window, checked if the liqo namespace was created and ran the following command:

kubectl --kubeconfig workload-1.kubeconfig label ns liqo pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/enforce-version=v1.28
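
The `pod-security.kubernetes.io/enforce` label used in the workaround above decides whether Pod Security Admission rejects a pod at creation time. The following Python model is an added example, not part of the original thread and not Liqo's or Kubernetes' code: it evaluates a subset of the Baseline checks against a constructed pod spec. The function names, the selection of checks and the sample spec are assumptions; the spec is not Liqo's real manifest.

```python
# Added example: simplified model of Pod Security Admission "enforce" (subset of Baseline checks).
ENFORCE_LABEL = "pod-security.kubernetes.io/enforce"

# Capabilities the Baseline profile allows containers to add.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def baseline_violations(pod_spec):
    """Return the Baseline-profile violations found in a pod spec (subset of checks)."""
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(field):
            found.append(f"{field}=true")
    for vol in pod_spec.get("volumes", []):
        if "hostPath" in vol:
            found.append(f"hostPath volume {vol.get('name')}")
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            found.append(f"container {c['name']}: privileged=true")
        added = set((sc.get("capabilities") or {}).get("add", []))
        for cap in sorted(added - BASELINE_ALLOWED_CAPS):
            found.append(f"container {c['name']}: capability {cap}")
    return found

def admit(namespace_labels, pod_spec):
    """Return (allowed, violations) for the namespace's enforce level."""
    # Upstream default when the label is absent and no cluster-wide default is configured.
    level = namespace_labels.get(ENFORCE_LABEL, "privileged")
    if level == "privileged":
        return True, []
    if level != "baseline":
        raise ValueError(f"level {level!r} is not modelled in this example")
    violations = baseline_violations(pod_spec)
    return not violations, violations

# Constructed pod spec of a node-level networking agent (assumption, not Liqo's manifest).
SAMPLE_POD = {
    "hostNetwork": True,
    "containers": [{
        "name": "agent",
        "securityContext": {"capabilities": {"add": ["NET_ADMIN", "NET_BIND_SERVICE"]}},
    }],
}

if __name__ == "__main__":
    for lvl in ("baseline", "privileged"):
        print(lvl, admit({ENFORCE_LABEL: lvl}, SAMPLE_POD))
```

With `enforce=privileged` every check is skipped for all pods in the namespace, not only the two networking pods.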

@cheina97
Member

Thanks for the information. Just an off-topic tip, you can install liqo using liqoctl install without generating the values file with --only-output-values and --dump-values-path flags.

@mouad-eh
Author

Yes, I am aware of that. The reason I did that is that I thought I could change the liqo namespace properties through the values.yaml file, but that was not the case.

@yoctozepto

I hit the same issue on Talos Linux (https://www.talos.dev/) because of this security-by-default approach.

The bottom line is - we are missing a way to specify liqo's namespaces' labels via Helm. These should be configurable.

@cheina97 cheina97 removed the kind/bug label Dec 20, 2024
@aleoli aleoli added the fix Fixes a bug in the codebase. label Dec 23, 2024