
Internet access from pods

Open dontlaugh opened this issue 2 years ago • 0 comments

I needed to make the flannel DaemonSet `privileged: true` to allow it to run iptables commands like the following:

```
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.672089       1 iptables.go:155] Adding iptables rule: -d 10.244.0.0/16 -j ACCEPT
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.870918       1 iptables.go:155] Adding iptables rule: -d 10.244.0.0/16 -j ACCEPT
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.672391       1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.871904       1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.873028       1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.673408       1 iptables.go:155] Adding iptables rule: -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-btkx4 kube-flannel] I1117 00:32:04.873897       1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.674312       1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.2.0/24 -j RETURN
[kube-flannel-ds-amd64-mhn4w kube-flannel] I1117 00:30:49.770506       1 iptables.go:155] Adding iptables rule: ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE --random-fully
```

Here is the config I adjusted: https://github.com/schu/kubedee/blob/master/manifests/kube-flannel.yml#L199-L202

This is the nuclear option, of course. Perhaps there is a more restricted capability to add that lets us avoid privileged: true?

dontlaugh avatar Nov 17 '21 00:11 dontlaugh
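The question above is the usual one when a pod needs to program the host's netfilter tables: `privileged: true` hands the container every capability plus the host's device nodes, while the iptables calls in the log only need `CAP_NET_ADMIN` (and flannel's backends use raw sockets, hence `CAP_NET_RAW`). The manifest fragment below is an added example and is not kubedee's `kube-flannel.yml`; it shows the privileged setting the issue describes next to the capability-based alternative. The DaemonSet name, image tag, args and volume names are assumptions chosen to match a typical flannel deployment, and the CNI install init container and its volumes are omitted because they are unrelated to the question.

```yaml
# Added example, not kubedee's manifest. Only the securityContext is the point;
# everything else is a minimal, assumed DaemonSet skeleton so the fragment applies.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds-amd64        # assumed name, matches the pod prefix in the log
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        app: flannel
    spec:
      hostNetwork: true              # still required: the rules target the node's own netns
      serviceAccountName: flannel    # assumed; whatever RBAC the existing manifest binds
      containers:
      - name: kube-flannel
        image: quay.io/coreos/flannel:v0.14.0   # assumed tag
        args:
        - --ip-masq                  # produces the MASQUERADE rules seen in the log
        - --kube-subnet-mgr
        securityContext:
          # Option A, what the issue had to do: root in the host's namespaces with
          # every capability and every host device. Commented out here.
          # privileged: true
          #
          # Option B: not privileged, add only what iptables/netlink need.
          privileged: false
          capabilities:
            add:
            - NET_ADMIN              # iptables/nftables, routes, interfaces
            - NET_RAW                # raw sockets used by flannel backends
        volumeMounts:
        - name: run
          mountPath: /run/flannel    # flannel writes subnet.env here
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg     # assumed ConfigMap name
```

After applying Option B, the check is the same log the issue quotes: the `Adding iptables rule:` lines should still appear, with no `Operation not permitted` following them. If the rules are still refused with `NET_ADMIN` present, the block is coming from something other than the capability set (a seccomp or AppArmor profile on the container runtime, or the outer LXD container kubedee runs the node inside), and adding more capabilities will not fix it.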