oem-gce.service is not permitted to create routes in 2905.2.0

[ribbybibby]

We front our kube-apiservers on GCE with a TCP load balancer. We've found that requests via the load balancer to nodes running 2905.2.0 stable are timing out.

It seems that the oem-gce service isn't permitted to create routes for eth0 that are required for ip forwarding:

Jul 29 10:31:26 master-k8s-exp-1-98sv.c.uw-dev.internal google-ip-forwarding[1468]: WARNING Non-zero exit status running ['ip', 'route', 'add', 'to', 'local', u'35.243.174.185/32', 'scope', 'host', 'dev', 'eth0', 'proto', '66']. RTNETLINK answers: Operation not permitted.

If I add --capability=CAP_NET_ADMIN to the systemd-nspawn command that runs the container then the routes are created and requests through the LB start to succeed.

[pothos]

Thanks for reporting and providing the fix, I'll look into adding it.

[keymon]

Oh! now I read about this!

The solution I had was as poor as just building and running the google-guest-agent in my flat instance, but this is the proper solution.

[keymon]

Actually, in my case the problem is that after flatcar upgrade, the oem-gce service definition is still using rkt.

[pothos]

Fixed in https://kinvolk.io/flatcar-container-linux/releases/#release-2905.2.1