
Liqo installation is failing in a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider.

Open mouad-eh opened this issue 1 year ago • 5 comments

What happened:

Liqo-route and Liqo-gateway pod creation failed on a kubeadm cluster bootstrapped through ClusterAPI with Docker as the infrastructure provider (nodes are Docker containers). After inspecting the logs of the Liqo-route DaemonSet, I discovered that this issue was caused by a pod security configuration. Specifically, the default Liqo namespace has a baseline pod security level in enforce mode, preventing Liqo-route and Liqo-gateway pods from being scheduled correctly. As a workaround, I added labels to the Liqo namespace to change the pod security level to 'privileged,' allowing the pods to be scheduled correctly.

What you expected to happen:

A successful installation process using the liqoctl CLI tool.

How to reproduce it (as minimally and precisely as possible):

Create a workload cluster using ClusterAPI with Docker as an infrastructure provider and install liqo using the liqoctl CLI tool.

Anything else we need to know?:

Environment:

  • Liqo version: latest
  • Liqoctl version: v0.10.0
  • Kubernetes version (use kubectl version): v1.28
  • Cloud provider or hardware configuration: docker
  • Node image:
  • Network plugin and version:
  • Install tools:
  • Others:

mouad-eh avatar Nov 09 '23 20:11 mouad-eh

Hi @mouad-eh, thanks for your support. Can you give us more details about your workaround?

cheina97 avatar Nov 10 '23 11:11 cheina97

Yes for sure. I am installing liqo using helm so I run the following commands:

helm repo add liqo https://helm.liqo.io/
helm repo update
liqoctl install kubeadm --service-type NodePort --only-output-values --dump-values-path 1-values.yaml --kubeconfig workload-1.kubeconfig
helm install liqo liqo/liqo --namespace liqo --values 1-values.yaml --create-namespace --kubeconfig workload-1.kubeconfig

The installation process will start after this. So, I opened a new terminal window, checked if the liqo namespace was created and ran the following command:

kubectl --kubeconfig workload-1.kubeconfig label ns liqo pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/enforce-version=v1.28

mouad-eh avatar Nov 10 '23 12:11 mouad-eh

Thanks for the information. Just an off-topic tip, you can install liqo using liqoctl install without generating the values file with --only-output-values and --dump-values-path flags.

cheina97 avatar Nov 10 '23 13:11 cheina97

Yes, I am aware of that. The reason I did that is that I thought I could change liqo namespace properties through the values.yaml file, but that was not the case.

mouad-eh avatar Nov 10 '23 13:11 mouad-eh

I hit the same issue on Talos Linux (https://www.talos.dev/) because of this security-by-default approach.

The bottom line is - we are missing a way to specify liqo's namespaces' labels via Helm. These should be configurable.

yoctozepto avatar Nov 22 '23 14:11 yoctozepto
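
The workaround above labels the namespace from a second terminal while the install is already running. As an added example (not part of the thread and not Liqo's own tooling), the same two labels can be put on the `liqo` namespace before `helm install` starts; the function names `render_liqo_namespace` and `apply_liqo_namespace` are hypothetical, and the label keys, values and kubeconfig usage are taken from the workaround comment.

```shell
#!/bin/sh
# Added example: render the liqo Namespace with Pod Security Admission labels
# so it can be applied before `helm install` (function names are hypothetical).

# Print a Namespace manifest for "liqo".
#   $1 = enforce level (privileged | baseline | restricted)
#   $2 = policy version to pin, e.g. v1.28, or "latest"
render_liqo_namespace() {
    level="$1"
    version="$2"

    case "$level" in
        privileged|baseline|restricted) ;;
        *) echo "invalid pod security level: $level" >&2; return 1 ;;
    esac

    # Pod Security Admission accepts "latest" or "v<major>.<minor>" only.
    if [ "$version" != "latest" ] &&
       ! printf '%s\n' "$version" | grep -Eq '^v[0-9]+\.[0-9]+$'; then
        echo "invalid policy version: $version" >&2
        return 1
    fi

    cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: liqo
  labels:
    pod-security.kubernetes.io/enforce: $level
    pod-security.kubernetes.io/enforce-version: $version
EOF
}

# Apply the namespace to the cluster named by the kubeconfig in $1,
# using the level and version from the workaround in this thread.
apply_liqo_namespace() {
    render_liqo_namespace privileged v1.28 |
        kubectl --kubeconfig "$1" apply -f -
}

# Only touch a cluster when called as: sh script.sh apply <kubeconfig>
if [ "${1:-}" = "apply" ]; then
    apply_liqo_namespace "$2"
fi
```

Because the namespace already exists with the labels, the `helm install ... --create-namespace` command from the thread can then be run unchanged, and the privileged level stays scoped to the `liqo` namespace only.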