Open
Labels: enhancement (New feature or request)
Description
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
When we create an OKE node pool with Linux 8 or 9, we can't start any sidecar proxy container, e.g. the Istio proxy container. It gives an error like this:
2023-06-14T21:31:53.746789Z error Command error output: xtables parameter problem: iptables-restore: unable to initialize table 'nat'
This is not seen in Linux 7.9.
To mitigate this, we have to update the cloud-init file for the worker node.
The suggestion is: why not add it by default if the selected worker node OS is OL 8 or 9?
Many users are not aware of this, and this is especially problematic for customers who are coming from a different CSP and expect things to work out of the box.
New or Affected Resource(s)
Potential Terraform Configuration
```hcl
worker_cloud_init = [
  {
    # Load the netfilter/iptables kernel modules the sidecar proxy needs,
    # then run the standard OKE worker node init script.
    content = <<-EOT
    runcmd:
      - 'echo "Kernel module configuration for Istio and worker node initialization"'
      - 'modprobe br_netfilter'
      - 'modprobe nf_nat'
      - 'modprobe xt_REDIRECT'
      - 'modprobe xt_owner'
      - 'modprobe iptable_nat'
      - 'modprobe iptable_mangle'
      - 'modprobe iptable_filter'
      - '/usr/libexec/oci-growfs -y'
      - 'timedatectl set-timezone Australia/Sydney'
      - 'curl --fail -H "Authorization: Bearer Oracle" -L0 http://169.254.169.254/opc/v2/instance/metadata/oke_init_script | base64 --decode >/var/run/oke-init.sh'
      - 'bash -x /var/run/oke-init.sh'
    EOT
    content_type = "text/cloud-config",
  }
]
```
References
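An added example, not part of the original issue or the project's code: a shell check that reports which of the modules from the cloud-init snippet above are absent from a `/proc/modules` listing, so a worker node can be verified before sidecars are scheduled. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Modules the cloud-init snippet in this issue loads with modprobe.
REQUIRED_MODULES="br_netfilter nf_nat xt_REDIRECT xt_owner iptable_nat iptable_mangle iptable_filter"

# missing_modules: reads text in /proc/modules format on stdin (module name
# in the first column) and prints the required modules that are not listed,
# space separated. Modules built into the kernel never appear in
# /proc/modules, so on such a kernel they would be reported here as well.
missing_modules() {
    loaded=$(awk '{ print $1 }')
    missing=""
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$m"; then
            missing="${missing:+$missing }$m"
        fi
    done
    printf '%s\n' "$missing"
}

# modules_load_conf: prints one module per line, the format systemd reads
# from /etc/modules-load.d/*.conf at every boot. cloud-init runcmd entries
# run on first boot only, so modprobe calls made there do not survive a
# reboot unless the modules are also listed in such a file.
modules_load_conf() {
    for m in $REQUIRED_MODULES; do
        printf '%s\n' "$m"
    done
}

# Constructed sample listing (not captured from a real node): xt_owner and
# iptable_mangle are deliberately absent.
sample_modules() {
    cat <<'EOF'
xt_REDIRECT 16384 1 - Live 0x0000000000000000
iptable_nat 16384 1 - Live 0x0000000000000000
nf_nat 57344 2 xt_REDIRECT,iptable_nat, Live 0x0000000000000000
iptable_filter 16384 0 - Live 0x0000000000000000
br_netfilter 32768 0 - Live 0x0000000000000000
EOF
}

printf 'missing in constructed sample: %s\n' "$(sample_modules | missing_modules)"
```

On a worker node, run `missing_modules < /proc/modules`; an empty result means every module from the snippet is loaded.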