Liqo installation is failing in a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider.
What happened:
Liqo-route and Liqo-gateway pod creation failed on a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider (nodes are Docker containers). After inspecting the logs of the Liqo-route DaemonSet, I discovered that this issue was caused by a pod security configuration. Specifically, the default Liqo namespace has a baseline pod security level in enforce mode, preventing Liqo-route and Liqo-gateway pods from being scheduled correctly. As a workaround, I added labels to the Liqo namespace to change the pod security level to 'privileged,' allowing the pods to be scheduled correctly.
What you expected to happen:
A successful installation process using the liqoctl CLI tool.
How to reproduce it (as minimally and precisely as possible):
Create a workload cluster using ClusterAPI with Docker as an infrastructure provider and install liqo using the liqoctl CLI tool.
Anything else we need to know?:
Environment:
- Liqo version: latest
- Liqoctl version: v0.10.0
- Kubernetes version (use kubectl version): v1.28
- Cloud provider or hardware configuration: docker
- Node image:
- Network plugin and version:
- Install tools:
- Others:
Hi @mouad-eh, thanks for your support. Can you give us more details about your workaround?
Yes for sure. I am installing liqo using helm so I run the following commands:
helm repo add liqo https://helm.liqo.io/
helm repo update
liqoctl install kubeadm --service-type NodePort --only-output-values --dump-values-path 1-values.yaml --kubeconfig workload-1.kubeconfig
helm install liqo liqo/liqo --namespace liqo --values 1-values.yaml --create-namespace --kubeconfig workload-1.kubeconfig
The installation process will start after this. So, I opened a new terminal window, checked if the liqo namespace was created and ran the following command:
kubectl --kubeconfig workload-1.kubeconfig label ns liqo pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/enforce-version=v1.28
Thanks for the information. Just an off-topic tip, you can install liqo using liqoctl install without generating the values file with --only-output-values and --dump-values-path flags.
Yes, I am aware of that. The reason I did that is that I thought I could change liqo namespace properties through the values.yaml file, but that was not the case.
I hit the same issue on Talos Linux (https://www.talos.dev/) because of this security-by-default approach.
The bottom line is - we are missing a way to specify liqo's namespaces' labels via Helm. These should be configurable.
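
An added example, not part of the thread and not Liqo project code: one way to apply the workaround above without relabelling the namespace from a second terminal is to create it with the Pod Security Admission labels before running helm install. The function names are hypothetical, and the warn/audit labels at baseline are an addition that keeps violations visible while enforcement is relaxed.

```bash
#!/bin/sh
# Added example (hypothetical helper names). Emits a Namespace manifest with
# Pod Security Admission labels so they exist before Helm schedules any pod.
#   $1 = namespace, $2 = enforce level, $3 = pinned policy version
psa_namespace_manifest() {
  case "$2" in
    privileged|baseline|restricted) ;;
    *) echo "invalid PSA level: $2" >&2; return 1 ;;
  esac
  # PSA version labels accept "latest" or "v<major>.<minor>" only.
  if ! printf '%s\n' "$3" | grep -Eq '^(latest|v[0-9]+\.[0-9]+)$'; then
    echo "invalid PSA version: $3" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: $1
  labels:
    pod-security.kubernetes.io/enforce: $2
    pod-security.kubernetes.io/enforce-version: $3
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/audit: baseline
EOF
}

# Apply the labelled namespace first, then install the chart into it.
#   $1 = kubeconfig path, $2 = values file (both as used in the thread)
install_liqo_with_psa() {
  psa_namespace_manifest liqo privileged v1.28 |
    kubectl --kubeconfig "$1" apply -f - &&
    helm install liqo liqo/liqo --namespace liqo \
      --values "$2" --kubeconfig "$1"
}

# Usage: install_liqo_with_psa workload-1.kubeconfig 1-values.yaml
```

Because the namespace already exists when Helm runs, --create-namespace is not needed.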