When executing the helm charts with default params, it says that a proper sysctls group ID has not been set, so it is unable to make pings to validate the tunnel, and the tunnel gets dropped constantly. If anybody has had issues with this, the solution is to manually set the values for the security context.
yevon changed the title on Dec 1, 2024
from: Missing proper helm chart defaults, missing sysctls on podSecurityContext. "The user running cloudflared process has a GID (group ID) that is not within ping_group_range"
to: Missing sysctls on podSecurityContext. "The user running cloudflared process has a GID (group ID) that is not within ping_group_range"
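The condition behind the quoted cloudflared message, as an added example that is not part of the issue or of the chart: Linux lets a process open an unprivileged ping socket only if its effective GID or one of its supplementary groups lies inside `net.ipv4.ping_group_range`. The sketch assumes the range is `1 0` (the kernel default, which admits no group) when the pod sets no sysctl, and GID 65532 is a constructed sample value.

```python
"""Added example: does a pod securityContext put its GID inside ping_group_range?"""

SYSCTL = "net.ipv4.ping_group_range"
KERNEL_DEFAULT = "1 0"  # assumed when the pod sets nothing: low > high, so no GID matches


def parse_range(text):
    """Parse the 'low high' form used by /proc/sys/net/ipv4/ping_group_range."""
    parts = str(text).split()
    if len(parts) != 2:
        raise ValueError(f"expected 'low high', got {text!r}")
    return int(parts[0]), int(parts[1])


def effective_range(ctx):
    """Range the pod gets: its own sysctls entry if present, else the assumed default."""
    for entry in ctx.get("sysctls") or []:
        if entry.get("name") == SYSCTL:
            return parse_range(entry["value"])
    return parse_range(KERNEL_DEFAULT)


def pod_gids(ctx):
    """GIDs the process holds: runAsGroup plus fsGroup and supplementalGroups."""
    gids = set(ctx.get("supplementalGroups") or [])
    for key in ("runAsGroup", "fsGroup"):
        if ctx.get(key) is not None:
            gids.add(ctx[key])
    return gids


def can_ping(ctx):
    """True if any of the pod's GIDs lies in the inclusive range."""
    low, high = effective_range(ctx)
    return any(low <= gid <= high for gid in pod_gids(ctx))


# Constructed podSecurityContext samples (not copied from the chart).
DEFAULTS = {"runAsUser": 65532, "runAsGroup": 65532}
# Range limited to the pod's own GID rather than opened to every group.
FIXED = {**DEFAULTS, "sysctls": [{"name": SYSCTL, "value": "65532 65532"}]}

if __name__ == "__main__":
    for name, ctx in (("defaults", DEFAULTS), ("with sysctl", FIXED)):
        print(f"{name}: range={effective_range(ctx)} ping allowed={can_ping(ctx)}")
```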
I guess this would work on cloudflare-tunnel; however, I see that cloudflare-tunnel-remote, even though it has values for podSecurityContext, does not do anything with them on the deployment itself :(
Yes, I did see that also. I don't quite understand why there are two different helm charts for that, if the only difference is that one uses the token and the other one the credentials.json inside a Secret. They should be just one helm chart with a bit of documentation and available in artifacthub. I ended up using the cloudflare-tunnel helm chart as it seems a bit more complete, and this repo says that it has the recommended best practices. The bad part is that I had to manually create the tunnel again with the cloudflared CLI, create the secret etc., and after that migrate the tunnel to be managed within the UI because it is much easier to manage, because the ingress settings do not automatically publish the DNS changes as the UI does. Some things to improve in order to be fully usable as other Kubernetes manifests. I would expect the ingress to automatically apply the DNS rules and be able to easily specify the private network CIDR of the tunnel, or even the ZeroTrust application rules and login methods. It could be awesome; right now it is quite difficult to automate this with argocd and keep the DevOps way with the cloudflare tunnel. I want to avoid using third party helm charts.