Bug Report
Description
Hi,
I'm using Talos Linux with Tailscale infrastructure (I'm only using port 443 on the machines for my apps; all other connections between nodes go through Tailscale).
I wanted to use Round Robin for port 443 with multiple nodes via Cloudflare. However, all incoming requests were reaching only a single Envoy pod. I verified that Cloudflare had the IP addresses of the other nodes for the LB subdomain, and that each node's port 443 was accessible from outside (with telnet, nc, etc.). After about two weeks of testing, a friend mentioned adding an entry to the kernel routing table for the 100.64.0.0/10 address for Tailscale. After I tried this, everything started working smoothly. However, I hadn't configured my previous Kubernetes cluster this way. Tailscale should have automatically handled this via iptables/nftables. When I ran the command "iptables -L" on both systems, I noticed that the entries on Talos were corrupted.
Logs
Environment
- Talos version:
Client:
Tag: v1.12.5
SHA: undefined
Built:
Go version: go1.25.7
OS/Arch: linux/amd64
Server:
NODE: fd7a:115c:a1e0::ef39:9352
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/arm64
Enabled: RBAC
NODE: 100.89.147.82
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/arm64
Enabled: RBAC
NODE: fd7a:115c:a1e0::c39:1c03
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/amd64
Enabled: RBAC
NODE: 100.119.28.3
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/amd64
Enabled: RBAC
NODE: 100.89.146.104
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/amd64
Enabled: RBAC
NODE: fd7a:115c:a1e0::3b39:9268
Tag: v1.12.4
SHA: fc8e600b
Built:
Go version: go1.25.7
OS/Arch: linux/amd64
Enabled: RBAC
- Kubernetes version:
Client Version: v1.34.3
Kustomize Version: v5.7.1
Server Version: v1.35.1
- Platform: Linux
- Manifests: https://github.com/mt190502/k8s.tf/tree/29437b286f3237763604fcb2027e62aa40eaa461/tofu/prod
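As an added diagnostic (example code, not from the issue, Talos or Tailscale), this POSIX sh script checks, from saved `ip route` and `iptables -S` output, the two conditions the report turns on: a route for 100.64.0.0/10 via tailscale0 and intact ts-input/ts-forward chains. The sample dumps are constructed; the chain names and routing table 52 are Tailscale's usual Linux defaults.

```shell
#!/bin/sh
# Added diagnostic example, not from the issue or from Talos/Tailscale.
# Takes command output as text so it can run against a dump saved from a node:
#  1. "ip route show" / "ip route show table 52": route for 100.64.0.0/10 via tailscale0
#  2. "iptables -S": Tailscale's ts-input/ts-forward chains exist and are hooked in

# Succeeds when a route covering 100.64.0.0/10 points at tailscale0.
has_ts_route() {
    printf '%s\n' "$1" | grep -Eq '^100\.64\.0\.0/10 .*dev tailscale0'
}

# Succeeds when both chains exist and INPUT/FORWARD jump to them;
# a damaged ruleset, as described in the report, fails here.
has_ts_chains() {
    printf '%s\n' "$1" | grep -q '^-N ts-input$' &&
    printf '%s\n' "$1" | grep -q '^-N ts-forward$' &&
    printf '%s\n' "$1" | grep -Eq '^-A INPUT .*-j ts-input$' &&
    printf '%s\n' "$1" | grep -Eq '^-A FORWARD .*-j ts-forward$'
}

# Prints one word: ok, route-missing, chains-missing or both-missing.
ts_verdict() {
    route=ok; chains=ok
    has_ts_route "$1" || route=missing
    has_ts_chains "$2" || chains=missing
    case "$route-$chains" in
        ok-ok)      echo ok ;;
        missing-ok) echo route-missing ;;
        ok-missing) echo chains-missing ;;
        *)          echo both-missing ;;
    esac
}

# Constructed sample dumps (not captured from the reporter's nodes).
ROUTES_OK='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
100.64.0.0/10 dev tailscale0 scope link'
ROUTES_MISSING='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5'
IPT_OK='-P INPUT ACCEPT
-N ts-input
-N ts-forward
-A INPUT -j ts-input
-A FORWARD -j ts-forward'
IPT_BROKEN='-P INPUT ACCEPT
-N ts-input'

echo "healthy node:  $(ts_verdict "$ROUTES_OK" "$IPT_OK")"
echo "reported node: $(ts_verdict "$ROUTES_MISSING" "$IPT_BROKEN")"
```

On a Talos node the dumps have to be collected through the node's own tooling rather than a local shell; the functions only need the text.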