Missing sysctls on podSecurityContext. "The user running cloudflared process has a GID (group ID) that is not within ping_group_range"

[yevon]

When executing the helm charts with default params, it says that it has not set a proper sysctls group id set, so it is unable to make pings to validate the tunnel, and the tunnel gets dropped constantly. If anybody had issues with this, the solution is manually set the values for the security context.

      - name: "podSecurityContext.sysctls[0].name"
        value: "net.ipv4.ping_group_range"
      - name: "podSecurityContext.sysctls[0].value"
        value: "65532           65532"   

[justinas-b]

I guess this would work on cloudflare-tunnel, however I see cloudflare-tunnel-remote even though it has values for podSecurityContext, it does not do anything with them on deployment itself :(

[yevon]

I guess this would work on cloudflare-tunnel, however I see cloudflare-tunnel-remote even though it has values for podSecurityContext, it does not do anything with them on deployment itself :(

Yes, I did see that also. I don't quite understand why there are two different helm charts for that, if the unique difference is that one uses the token and the other one the credentials.json inside a Secret. They should be just one helm chart with a bit of documentation and available in artifacthub. I ended up using the cloudflare-tunnel helm chart as seems a bit more complete, and this repo says that it has the recommended best practices. The bad part is that I had to manually create the tunnel again with cloudflared cli, create the secret etc, and after that migrate the tunnel to be managed within the UI because is much easier to manager, because the ingress settings do not automatically publish the dns changes as the UI does. Some things to improve in order to be fully usable as other kubernetes manifests. I would expect the ingress to automatically apply the dns roules and be able to easily specify the private network CIDR of the tunnel, or even the ZeroTrust application roules and login methods. It could be awesome, right now is quite difficult to automate this with argocd and keep the Devops way with the cloudflare tunnel. I want to avoid using third party helm charts.

[discostur]

i added a pull request which should fix the issue; tried it locally - works perfect