talos-vmtoolsd
Ingress firewall
Greetings!
I have a rough implementation for this, but I'm seeing a lot of I/O timeouts when trying to contact the API-server from the pods. In vCenter I do see that vmware tools is running, but DNS Name is reported as UNKNOWN, and nothing else is populated.
Our nodes run with ingress firewall - so I'm assuming that might be the culprit.
Has that been tested, and if not, what kind of rules should I expect to create?
The tool has two ways to connect to the Talos API:
- TCP socket to apid (when running as a system extension, I recommend this)
- UNIX socket to machined (when running as a pod)
My guess is that you are using the latter, as there is no network traffic in the first one. I'm not really sure about this, but I'd expect you should see error messages in your pod, about the reachability of the Talos API. Could you check and post these messages? I'd like to improve talos-vmtoolsd to actually die/exit when not able to connect to apid.
Anyway, the connection to Talos apid is typically over tcp/50000, so I think this is the one you should open up.
Hmm, interesting. I must have missed something then, I was under the impression that I needed both the system-extension, AND the running pod.
So this should, using only the extension, just work without any config?
I am indeed using the latter now, but I do also include the extension (or so I thought!).
So, if I add an ingress firewall to tcp/50000, originating from cluster.network.podSubnets this should work?
I'll make sure to get back to you with some logs for either scenario.
Hi, sorry for not responding, somehow missed a load of GH notifications. Yes, as an extension you should not need config or firewall rules. If you run it from a pod, your node should allow tcp ingress to 50000.
Can you confirm that this is working for you?
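For the pod-deployment case the thread describes, here is an added example of what the Talos machine-config firewall documents could look like; it is not from the thread or the talos-vmtoolsd project, and the pod CIDR `10.244.0.0/16` is an assumed placeholder for whatever `cluster.network.podSubnets` holds in your cluster. It keeps the default ingress action at block and opens tcp/50000 only to pod source addresses, rather than to every host, so the apid exposure stays limited to the workload that needs it. If talos-vmtoolsd runs as the system extension instead, no rule like this is needed, since that path uses no network traffic.

```yaml
# Added example: Talos ingress firewall (multi-document machine config).
# Not part of the talos-vmtoolsd project; the pod subnet below is assumed.
---
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block          # deny all inbound traffic unless a rule allows it
---
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: apid-from-pods    # allow pods (e.g. talos-vmtoolsd running as a pod) to reach apid
portSelector:
  ports:
    - 50000             # Talos apid, as discussed in the thread
  protocol: tcp
ingress:
  - subnet: 10.244.0.0/16   # ASSUMED: replace with your cluster.network.podSubnets value
```

Apply it alongside the rest of the machine configuration (for example with `talosctl apply-config`) and confirm the rule is active before relying on it; with the default action set to block, any other inbound service the node must accept (Kubernetes API, kubelet, etcd on control-plane nodes) needs its own NetworkRuleConfig document as well.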
Everything works with just the extension now, all good from my side. Thanks! :-)