Overview
You deployed the Tailscale operator on a Crusoe Managed Kubernetes (CMK) cluster and exposed a Kubernetes service using the operator. The exposed service shows up under "Machines" in your Tailscale account, but the service is unreachable over the tailnet.
Prerequisites
- Crusoe Managed Kubernetes (CMK) cluster
- Tailscale account
Cause
Crusoe Managed Kubernetes (CMK) uses Cilium as the Container Network Interface (CNI). In CMK, Cilium is configured to run in kube-proxy replacement mode for better performance.
When Cilium runs in kube-proxy replacement mode with socket load balancing enabled in the pods' network namespaces, connections from pods to ClusterIPs are redirected at the TCP socket level (instead of going out via the pods' veth devices) and thus bypass the Tailscale-defined firewall rules that are attached to netfilter hooks.
Steps
Step 1: Patch the Cilium config so that socket load balancing is restricted to the host namespace and bypassed in pod namespaces:
# kubectl patch cm cilium-config -n kube-system --type merge -p '{"data":{"bpf-lb-sock-hostns-only":"true"}}'
Step 2: Rollout restart the Cilium operator and DaemonSet so the agents pick up the new setting:
# kubectl -n kube-system rollout restart deploy cilium-operator
# kubectl -n kube-system rollout restart ds cilium
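The two steps above as an idempotent script with a rollout wait and a read-back check; this is an added example, not part of the Crusoe article, and it assumes kubectl is on PATH with the current context pointing at the CMK cluster.

```shell
#!/bin/sh
# Added example, not part of the Crusoe article: apply the two steps above
# idempotently, wait for the Cilium rollout, and read the setting back.
# Assumes kubectl is on PATH and the current context is the CMK cluster.
set -eu

NS=kube-system
CM=cilium-config
KEY=bpf-lb-sock-hostns-only   # "true" confines socket LB to the host netns

# Print the current value of the key in cilium-config (empty if unset).
current_value() {
  kubectl -n "$NS" get cm "$CM" -o "jsonpath={.data.$KEY}" 2>/dev/null || true
}

# Succeed (exit 0) only when socket LB is already host-namespace-only.
is_hostns_only() {
  [ "$(current_value)" = "true" ]
}

# Step 1, skipped when the value is already set, so the script is safe to re-run.
apply_patch() {
  if is_hostns_only; then
    echo "$KEY already true in $CM; nothing to patch"
    return 0
  fi
  kubectl -n "$NS" patch cm "$CM" --type merge \
    -p "{\"data\":{\"$KEY\":\"true\"}}"
}

# Step 2, plus a wait: agents only pick up the ConfigMap change after a
# restart, so block until both rollouts finish before retesting the service.
restart_cilium() {
  kubectl -n "$NS" rollout restart deploy cilium-operator
  kubectl -n "$NS" rollout restart ds cilium
  kubectl -n "$NS" rollout status deploy cilium-operator --timeout=5m
  kubectl -n "$NS" rollout status ds cilium --timeout=5m
}

# Read the value back from the API server instead of trusting the patch exit code.
verify() {
  if is_hostns_only; then
    echo "OK: $KEY=true; pod-to-ClusterIP traffic now leaves via the veth path"
  else
    echo "ERROR: $KEY is not true in $CM" >&2
    return 1
  fi
}
```

Source the file and run `apply_patch && restart_cilium && verify`, then retest the Tailscale-exposed service over the tailnet.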