Tags: docker, iptables, google-kubernetes-engine

--cap-add in Google Container Engine


I am running into an issue with Google Container Engine where I am unable to add capabilities to the running of my Docker container.

I need to be able to alter the iptables so that I can forward traffic through my Docker VPN container.

The docker container runs fine when I am able to pass --cap-add=NET_ADMIN into the run command, but since GCE is (seemingly) only able to run images, this does not seem possible. I get an insufficient permissions error when running my docker image and so it fails to deploy.

Is there any way around this so I can alter the iptables? Or does GCE just not have this ability?

I have checked out this issue, which references building an image with privileges, but it doesn't seem to be close to resolved.

My iptables commands for reference:

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE


Solution

  • There was a pull request filed yesterday to add this feature to Kubernetes. Once it has been added to Kubernetes you should be able to test it by building from head and deploying your cluster to GCE.

    This feature will show up in Google Container Engine shortly after the next release of Kubernetes.
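As an added example (not part of the question or the answer above), this is how the equivalent of `--cap-add=NET_ADMIN` is expressed in a Kubernetes Pod manifest once the capabilities feature the answer refers to is available: the `securityContext.capabilities.add` field grants just the one capability the iptables rules need, instead of running the container fully privileged. The pod, container and image names are placeholders.

```yaml
# Added example: a Pod that grants only CAP_NET_ADMIN to the VPN container.
# The iptables -t nat POSTROUTING rules from the question require exactly
# this capability; nothing here needs privileged: true, which would also
# hand the container every other capability and raw device access.
apiVersion: v1
kind: Pod
metadata:
  name: vpn-gateway            # placeholder name
spec:
  containers:
    - name: vpn                # placeholder name
      image: example/vpn:latest   # placeholder image
      securityContext:
        capabilities:
          # Equivalent of: docker run --cap-add=NET_ADMIN ...
          add: ["NET_ADMIN"]
        # Keep the rest of the container unprivileged; do NOT set
        # privileged: true just to make iptables work.
        privileged: false
```

The two `iptables -t nat -A POSTROUTING ...` commands from the question can then run inside this container, since manipulating netfilter tables is what CAP_NET_ADMIN authorizes.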