Need help setting "allow_ip_forwarding" to true

christian-r · August 16, 2021, 9:50am

Hi,
I am setting up a k3s-cluster with embedded etcd, with calico as CNI.
When changing “allow_ip_forwarding” to true - cni-config keeps resetting to defaults:
setting “allow_ip_forwarding” to false

My initial settings are as follows:

The master node:

k3sup install \
  --ip $SERVER_IP_MASTER \
  --user $USER \
  --ssh-key $SSH_KEY \
  --cluster \
  --k3s-version=$k3s_version \
  --k3s-extra-args "--flannel-backend=none --disable-network-policy --service-cidr=10.43.0.0/16 --cluster-cidr=192.168.0.0/16 --write-kubeconfig-mode 644" \
  --local-path $HOME/.kube/config \
  --context k3s-ha

Then I create the tigera-operator.yaml with

kubectl create -f docs.projectcalico.org/manifests/tigera-operator.yaml

Edit the custom-resources.yaml to:

apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:

 calicoNetwork:
    ipPools:
    - blockSize: 26
      cidr: 192.168.0.0/16
      encapsulation: IPIP
      natOutgoing: Enabled
      nodeSelector: all()
  CalicoNetworkSpec:
---

apiVersion: operator.tigera.io/v1
kind: APIServer 
metadata: 
  name: default 
spec: {}

---

create it with:
kubectl create -f custom-resources . yaml


edit /etc/cni/net.d/10-calico.conflist on the server to:
"allow_ip_forwarding": true
....

Edit 
KUBE_EDITOR=nano kubectl edit cm cni-config -n calico-system
to:
"allow_ip_forwarding": true'
....

reboot server.

Then when looking at the cni-config file afer boot it had reset the setting to:
 "allow_ip_forwarding": false'
....

What am I missing?

TSutton · December 3, 2021, 2:46pm

Were you ever able to solve this, I am having the same problem.

galtland · July 9, 2022, 7:02pm

If anyone is struggling with this, try adding containerIPForwarding: “Enabled” to custom-resources.yaml

$ cat custom-resources.yaml 
# This section includes base Calico installation configuration.
# For more information, see: https://projectcalico.docs.tigera.io/v3.23/reference/installation/api#operator.tigera.io/v1.Installation
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
  name: default
spec:
  # Configures Calico networking.
  calicoNetwork:
    # Note: The ipPools section cannot be modified post-install.
    ipPools:
    - blockSize: 26
      cidr: 192.168.0.0/16
      encapsulation: VXLANCrossSubnet
      natOutgoing: Enabled
      nodeSelector: all()
    containerIPForwarding: "Enabled"

---

# This section configures the Calico API server.
# For more information, see: https://projectcalico.docs.tigera.io/v3.23/reference/installation/api#operator.tigera.io/v1.APIServer
apiVersion: operator.tigera.io/v1
kind: APIServer 
metadata: 
  name: default 
spec: {}

Then just kubectl apply or create it