
Add iptables NETMAP init container to Plex for local network treatment #946

Draft
Copilot wants to merge 4 commits into main from copilot/add-init-container-for-iptable-rules

Conversation


Copilot AI commented Dec 19, 2025

Plex running on Wanda with Cilium CNI only treats clients as "local" when they originate from the same /16 subnet as the pod. Traffic arriving via LoadBalancer IP 10.151.24.161 appears to come from different subnets than the pod network 10.42.0.0/16, causing remote treatment.

Changes

  • Added init container to kubernetes/apps/wanda/plex-patch.yaml that installs iptables and applies NETMAP SNAT rule
  • Dynamic subnet detection extracts pod network prefix from pod IP at runtime
  • Security context grants only NET_ADMIN and NET_RAW capabilities (no privileged mode)

initContainers:
  - name: setup-iptables
    image: alpine:3.21
    command:
      - /bin/sh
      - -c
      - |
        apk add --no-cache iptables
        POD_IP=$(hostname -i | awk '{print $1}')
        POD_SUBNET=$(echo $POD_IP | cut -d'.' -f1-2)
        iptables -t nat -A PREROUTING -p tcp --dport 32400 -j NETMAP --to ${POD_SUBNET}.0.0/16
    securityContext:
      capabilities:
        add: [NET_ADMIN, NET_RAW]

The NETMAP rule rewrites source addresses in PREROUTING to appear as though they originate from the pod network. It operates at the pod network namespace level and is compatible with the Cilium eBPF datapath.

Original prompt

Problem

Plex running on the Wanda Kubernetes cluster with Cilium CNI only treats clients as "local" if they come from the same subnet as the Plex server pod. Currently:

  • Plex pod IP: 10.42.9.231 (Kubernetes cluster network)
  • LoadBalancer IP: 10.151.24.161 (native Unifi network range)
  • Clients connecting through the LoadBalancer appear to come from different subnets and are not treated as "local"

Solution

Add an init container to the Plex deployment that sets up iptables SNAT rules to make incoming traffic appear to originate from the pod network (10.42.0.0/16). This will make Plex treat all clients as "local".

Implementation

Modify kubernetes/apps/wanda/plex-patch.yaml to add:

  1. An initContainers section with:
    • Alpine-based init container
    • Privileged security context with NET_ADMIN and NET_RAW capabilities
    • Script to install iptables and configure NETMAP rules
    • Dynamic detection of pod subnet
  2. The init container should:
    • Install iptables package
    • Get the pod's IP address dynamically
    • Extract the pod subnet (e.g., 10.42.0.0/16)
    • Apply NETMAP SNAT rules to port 32400 to make traffic appear from pod network
    • Log the applied rules for debugging

Technical Details

The iptables rule should use NETMAP target in the PREROUTING chain:

iptables -t nat -A PREROUTING -p tcp --dport 32400 -j NETMAP --to ${POD_SUBNET}.0.0/16

This approach operates at the pod network namespace level and works within Cilium's eBPF-based CNI.

Files to Modify

  • kubernetes/apps/wanda/plex-patch.yaml - Add initContainers configuration under spec.values

Expected Behavior

After deployment:

  • Plex will see all incoming connections as originating from the 10.42.0.0/16 network
  • Clients will be treated as "local" regardless of their actual source network
  • No changes required to Cilium configuration

Security Considerations

The init container requires elevated privileges (NET_ADMIN capability) to modify iptables. This is scoped to the pod's network namespace only and the init container terminates after setup.

This pull request was created from Copilot chat.
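As an added example (not code from this PR or the repository), the POSIX sh helpers below show the subnet logic the init container depends on: validating the pod IP before it is interpolated into an iptables argument, deriving the pod network from a prefix length instead of `cut -f1-2`, and checking why the LoadBalancer address falls outside it. The function names are my own; the addresses are the ones quoted in the description.

```shell
# Added example, not the PR's code: helpers an init container script could use to
# derive and validate the pod subnet before building the NETMAP rule. Nothing here
# calls iptables, so it runs anywhere; addresses are those from the PR description.

# ip_to_int 10.42.9.231 -> 170527207; fails on anything that is not a dotted quad
# (e.g. the "addr1 addr2" output hostname -i produces on dual-stack pods)
ip_to_int() {
    case $1 in *.*.*.*.*|*[!0-9.]*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
    a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip 170527207 -> 10.42.9.231
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask 16 -> 4294901760 (0xFFFF0000); accepts 0..32, 4294967295 is 0xFFFFFFFF
prefix_mask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# pod_subnet 10.42.9.231 16 -> 10.42.0.0/16 (any prefix works, not only the PR's /16)
pod_subnet() {
    ip=$(ip_to_int "$1") || return 1
    mask=$(prefix_mask "$2") || return 1
    echo "$(int_to_ip $(( ip & mask )))/$2"
}

# in_subnet ADDR NET/PREFIX succeeds when ADDR is inside NET, the test Plex applies
in_subnet() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    mask=$(prefix_mask "${2#*/}") || return 1
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# netmap_rule POD_IP PREFIX prints the PR's rule instead of running it, so the
# init container can log exactly what it is about to apply
netmap_rule() {
    net=$(pod_subnet "$1" "$2") || return 1
    echo "iptables -t nat -A PREROUTING -p tcp --dport 32400 -j NETMAP --to $net"
}

# Demo with the PR's addresses: the LB IP lies outside the pod /16, hence "remote".
netmap_rule 10.42.9.231 16
in_subnet 10.151.24.161 10.42.0.0/16 || echo "10.151.24.161 not in 10.42.0.0/16 -> remote"
```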



Copilot AI self-assigned this Dec 19, 2025
Copilot AI and others added 2 commits December 19, 2025 20:42
… treatment

Co-authored-by: bancey <23360105+bancey@users.noreply.github.com>
… isolation

Co-authored-by: bancey <23360105+bancey@users.noreply.github.com>
@autonomous-bancey

Plan Result (test_vpn_gateway)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (generate_ansible_inventory)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_twingate)

No changes. Your infrastructure matches the configuration.

Co-authored-by: bancey <23360105+bancey@users.noreply.github.com>
@autonomous-bancey

Plan Result (test_gameserver)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_vpn_gateway)

No changes. Your infrastructure matches the configuration.

Copilot AI changed the title [WIP] Add init container to configure iptables SNAT rules for Plex Add iptables NETMAP init container to Plex for local network treatment Dec 19, 2025
Copilot AI requested a review from bancey December 19, 2025 20:47
@autonomous-bancey

Plan Result (prod_gameserver)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (prod_dns)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (wanda_virtual_machines)

No changes. Your infrastructure matches the configuration.

@autonomous-bancey

Plan Result (tiny_virtual_machines)

No changes. Your infrastructure matches the configuration.
