Error on Apple M1: iptables v1.6.0: can't initialize iptables table `nat': iptables

Question

Error on Apple M1: iptables v1.6.0: can't initialize iptables table `nat': iptables

harishkadamudi opened this issue 3 years ago · comments

Hi there,

I am following below url in setting up OPA & Envoy on my Apple M1 Macbook. After kubelct apply on below url, Init container proxy_init is failing to come up and throwing below error.

Could you please help me on this.

Error : iptables v1.6.0: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

https://raw.githubusercontent.com/open-policy-agent/opa-envoy-plugin/main/quick_start.yaml

Harish Kadamudi · Answer 1 · Wed Nov 24 2021 01:23:58 GMT+0800 (China Standard Time)

Providing minikube details

~ minikube version
minikube version: v1.23.2
commit: 0a0ad764652082477c00d51d2475284b5d39ceed

kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5", GitCommit:"aea7bbadd2fc0cd689de94a54e5b7b758869d691", GitTreeState:"clean", BuildDate:"2021-09-15T21:10:45Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"darwin/arm64"}
Server Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:32:41Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/arm64"}

Charles Daniels · Answer 2 · Tue Dec 21 2021 02:28:09 GMT+0800 (China Standard Time)

This is because the image is only built for AMD64 at present. As a workaround, you can build the image locally (it is important to do this on your M1 Mac, so you can build the image with the arm64 architecture).

Modify envoy_iptables/Makefile to change VERSION to vlocal
- This is needed to make sure Kubernetes will use your locally built image, since the vlocal version won't exist in any registry.
eval $(minikube docker-env)
- This will cause any built images to be stored in the Docker instance inside of the Minikube VM.
make image
Modify your Kubernetes manifest to use proxy_init:vlocal instead of whatever version it is presently using.
Apply the manifest as normal.

It is surprising that it gets far enough to try to initialize iptables. I would expect it to fail sooner. In any case, these steps worked around the issue on my machine.

My environment:

Macbook Pro w/ M1 Pro

macOS 12.1

minikube version: v1.24.0
commit: 76b94fb3c4e8ac5062daf70d60cf03ddcc0a741b

Charles Daniels · Answer 3 · Sat May 07 2022 03:12:13 GMT+0800 (China Standard Time)

Update:

The proxy_init container has been migrated to live in the opa-envoy-plugin repository.
We have built a version of the image with arm64 support and published it to Docker Hub (currently only under the :latest tag). The image with digest 9687373cd9504660030bc7fb75e1cfbe65af8ae97da9ef9795ad50fcbfa04a5b works correctly on my M1 Mac.

Anders Eknert · Answer 4 · Thu Sep 22 2022 16:46:59 GMT+0800 (China Standard Time)

Closing since issue seems to be resolved. Let me know if you're still having problems with this, and I'll re-open.