What is the purpose of the sysctls image? #26
Comments
I think I need to improve the README :P The k8s example is not just how to deploy wireguard in a k8s cluster, it also contains the additional configuration to be able to communicate from outside the cluster to all the pods. That's the purpose of enabling ip routing and it can be done in a different container because it is a system-wide configuration (affects the entire k8s node).

I don't remember, but I guess I used the busybox image in the initContainer to avoid installing sysctl in the wireguard image. Anyway, now it seems that there is a better way to do it with k8s. Something like this should work as well (but I haven't tried):

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv4.conf.all.forwarding
          value: "1"
      containers:
      - name: wireguard
        image: masipcat/wireguard-go:latest
        ...
```

I hope this answers your questions :) If this works for you, feel free to open a PR to improve the readme with this change.
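A check for the `securityContext.sysctls` variant suggested above (added example, not part of the thread or of the wireguard-go project): Kubernetes only starts a pod that requests sysctls outside its safe set when the node's kubelet allowlists them, so this classifies each requested name. The safe set and namespaced prefixes hard-coded here are assumptions taken from the baseline list in the Kubernetes documentation and vary by release.

```python
# Added example, not from the wireguard-go project.
# ASSUMPTION: SAFE_SYSCTLS is the baseline safe set from the Kubernetes docs;
# newer releases add more names, so check the docs for your version.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
}
# Only namespaced sysctls can be set per pod; the rest are node-wide.
NAMESPACED_PREFIXES = ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.", "net.")


def _allowed(name, patterns):
    """Match kubelet-style allowlist entries: exact name or trailing '*' prefix."""
    for p in patterns:
        if p.endswith("*"):
            if name.startswith(p[:-1]):
                return True
        elif name == p:
            return True
    return False


def audit_sysctls(pod_spec, allowed_unsafe=()):
    """Return {sysctl name: verdict} for a pod spec given as a dict."""
    verdicts = {}
    for entry in pod_spec.get("securityContext", {}).get("sysctls", []):
        name = entry["name"]
        if name in SAFE_SYSCTLS:
            verdicts[name] = "safe"
        elif not name.startswith(NAMESPACED_PREFIXES):
            verdicts[name] = "not-namespaced: cannot be set per pod"
        elif _allowed(name, allowed_unsafe):
            verdicts[name] = "unsafe, allowed on this node"
        else:
            verdicts[name] = "unsafe: add to kubelet allowedUnsafeSysctls"
    return verdicts


# Pod spec from the Deployment in the comment above, as a dict (constructed).
POD_SPEC = {"securityContext": {"sysctls": [
    {"name": "net.ipv4.ip_forward", "value": "1"},
    {"name": "net.ipv4.conf.all.forwarding", "value": "1"},
]}}

if __name__ == "__main__":
    for name, verdict in audit_sysctls(POD_SPEC).items():
        print(f"{name}: {verdict}")
```

Pass the node's allowlist as `allowed_unsafe` (for example `["net.ipv4.*"]`) to see which entries that node would accept.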
Thanks for the prompt reply :) I think I am running into some issues
trying to get it running on macOS, but once I can get this image up and
functional I will be happy to send a PR as it's been a big timesaver.
On Fri, Apr 15, 2022 at 8:11 PM Jordi Masip ***@***.***> wrote:
> I think I need to improve the README :P The k8s example is not just how to
> deploy wireguard in a k8s cluster, it also contains the additional
> configuration to be able to communicate from outside the cluster to all the
> pods. That's the purpose of enabling ip routing and it can be done in a
> different container because it is a system-wide configuration (affects the
> entire k8s node).
>
> I don't remember, but I guess I used the busybox image in the
> initContainer to avoid installing sysctl in the wireguard image. Anyway,
> now it seems that there is a better way to do it with k8s. Something like
> this should work as well (but I haven't tried):
>
>     apiVersion: apps/v1
>     kind: Deployment
>     metadata:
>       name: wireguard
>     spec:
>       replicas: 1
>       selector:
>         matchLabels:
>           app: wireguard
>       template:
>         metadata:
>           labels:
>             app: wireguard
>         spec:
>           securityContext:
>             sysctls:
>             - name: net.ipv4.ip_forward
>               value: "1"
>             - name: net.ipv4.conf.all.forwarding
>               value: "1"
>           containers:
>           - name: wireguard
>             image: masipcat/wireguard-go:latest
>             ...
>
> I hope this answers your questions :) If this works for you, feel free to
> open a PR to improve the readme with this change.
I'm trying to get this container to work on a k8s deployment and am a bit perplexed: the initContainer 'sysctls' is created and enables ipv4 routing but it doesn't seem to be accessed or used anywhere else. Can I remove this safely? It is quite possible that I don't understand how images are composed as I am new to k8s, but I don't understand its relationship to the wg container. Thanks for the image, by the way! I am slowly understanding what it's up to 8^)