-
Hello, I'm experiencing an issue using Talos with Tailscale. My cluster has two network interfaces:
When I create a NodePort service to expose my cluster through my router, it is only accessible via the Tailscale interface and not through the local network. On a standard Talos setup with a single network interface, the service is accessible as expected, which leads me to believe this may be an issue related to multi-interface configurations.

Service Configuration:

```
➜ kubectl get svc -n nginx
NAME                                      TYPE      CLUSTER-IP    EXTERNAL-IP  PORT(S)                     AGE
nginx-controller-ingress-nginx-controller NodePort  10.110.75.96  <none>       80:30080/TCP,443:30443/TCP  12d
```

Accessing via Tailscale (Working):

```
➜ curl -I 100.101.249.122:30080
HTTP/1.1 404 Not Found
```

Accessing via Local Network (Not Working):

```
➜ curl -v 192.168.1.186:30080
* connect to 192.168.1.186 port 30080 failed: Connection refused
➜ nmap -p 30080 192.168.1.186
PORT      STATE  SERVICE
30080/tcp closed unknown
```

I reviewed the Talos ingress firewall documentation and created a `NetworkDefaultActionConfig`:

```yaml
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: accept
```

In a Talos cluster without Tailscale, this setup works without issues, so the problem doesn't appear to be router-related. Below is my control plane configuration:

```yaml
machine:
  type: controlplane
  certSANs:
    # - 100.101.249.122 even with this uncommented, nothing changes
    - 192.168.1.186
  network: {}
cluster:
  controlPlane:
    endpoint: https://192.168.1.186:6443
  apiServer:
    image: registry.k8s.io/kube-apiserver:v1.31.1
    certSANs:
      - 192.168.1.186
  allowSchedulingOnControlPlanes: true
```

According to Kubernetes documentation, NodePort services should be accessible across all interfaces. Do you have any insights into why my service isn't accessible through the local network interface? Thanks!
-
First of all, it's not Talos Ingress Firewall, as it's disabled by default. Talos doesn't do any filtering unless you enable it. From Kubernetes documentation:

From kube-proxy docs:

I don't know what kind of CNI you're using, but the answer is somewhere in the CNI land (if you don't run kube-proxy), or in kube-proxy (if you do run it). But certainly it's not Talos blocking connections.
-
Thanks, it works! I added this to my control plane config:

```yaml
cluster:
  proxy:
    image: registry.k8s.io/kube-proxy:v1.31.1 # The container image used in the kube-proxy manifest.
    extraArgs:
      nodeport-addresses: 0.0.0.0/0
```

Applied the config:

```
talosctl apply-config -f controlplane.yaml -p @patch.yaml
```

And updated the cluster to update the static manifest in the cluster:

```
talosctl upgrade-k8s
```

And everything worked like a charm:

```
➜ curl -I 192.168.1.186:30080
HTTP/1.1 404 Not Found
```

Thanks a lot for your help! I am not used to working with kube-proxy.
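The fix above sets `nodeport-addresses` to `0.0.0.0/0`, which accepts NodePort traffic on every node IP, including the Tailscale one. The following is an added example (not code from this thread or from Talos) that models the documented kube-proxy `--nodeport-addresses` semantics, as I understand them (empty means all local IPs, `primary` means the Node object's primary IP, otherwise only IPs inside the listed CIDRs), so you can check which interfaces a given value exposes before applying it. The node IPs are the two from the thread; the `allowed_cidrs` argument and the `primary` handling are my own additions.

```python
from ipaddress import ip_address, ip_network

# Node addresses taken from the thread: LAN interface and Tailscale interface.
NODE_IPS = ["192.168.1.186", "100.101.249.122"]


def nodeport_accepting_ips(node_ips, nodeport_addresses, primary_ip=None):
    """Return the node IPs on which kube-proxy will accept NodePort traffic.

    Models the documented --nodeport-addresses semantics (an assumption of
    this example, not something stated in the thread): an empty value means
    every local IP, "primary" means only the node's primary IP, and a list
    (or comma-separated string, as in the Talos extraArgs form) of CIDRs
    means only IPs inside one of those ranges.
    """
    if isinstance(nodeport_addresses, str):
        nodeport_addresses = [c.strip() for c in nodeport_addresses.split(",") if c.strip()]
    if not nodeport_addresses:
        return list(node_ips)
    if nodeport_addresses == ["primary"]:
        return [ip for ip in node_ips if ip == primary_ip]
    nets = [ip_network(c, strict=False) for c in nodeport_addresses]
    # ip_address(...) in network returns False across IPv4/IPv6, so mixed lists are safe.
    return [ip for ip in node_ips if any(ip_address(ip) in n for n in nets)]


def audit_nodeport_exposure(node_ips, nodeport_addresses, allowed_cidrs, primary_ip=None):
    """Flag node IPs that accept NodePorts but lie outside the ranges the
    operator intends to expose (e.g. the LAN only, not the Tailscale overlay)."""
    allowed = [ip_network(c, strict=False) for c in allowed_cidrs]
    accepting = nodeport_accepting_ips(node_ips, nodeport_addresses, primary_ip)
    return [ip for ip in accepting if not any(ip_address(ip) in n for n in allowed)]


if __name__ == "__main__":
    for value in ("0.0.0.0/0", "192.168.1.0/24"):
        print(f"nodeport-addresses={value}: accepts on", nodeport_accepting_ips(NODE_IPS, value))
        print("  unintended exposure beyond the LAN:",
              audit_nodeport_exposure(NODE_IPS, value, ["192.168.1.0/24"]))
```

With `0.0.0.0/0` the audit reports `100.101.249.122` as exposed beyond the LAN; narrowing the value to `192.168.1.0/24` keeps the NodePort reachable from the router while leaving it closed on the Tailscale address.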