wireguard: switch to iptables-nft so PostUp MASQUERADE works

Wireguard pod CrashLoopBackOff'd for hours with wg-quick's PostUp failing: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Table does not exist (do you need to insmod?) sclevine/wg's default `iptables` symlink points to iptables-legacy, which talks to the kernel's xt-tables. K8s nodes nowadays initialize their nat table via nftables (calico-node sets it up), so iptables-legacy in the container sees "no nat table" and bails. Reproduced by ephemerally debugging the live pod's namespaces (kubectl debug --copy-to + same mounts as the real pod) — wg-quick output matched verbatim. Fix: postStart now calls update-alternatives to point iptables and ip6tables at iptables-nft/ip6tables-nft (already present in the image) before exec'ing wg-quick. The wg0.conf PostUp MASQUERADE then writes to the nftables-backed nat table calico already populated. Verified: new pod went 2/2 Running with 0 restarts after apply. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-17 10:13:37 +00:00 · 2026-05-17 10:13:37 +00:00 · 62efded1b6
commit 62efded1b6
parent 45c8e88e89
1 changed files with 13 additions and 1 deletions
--- a/stacks/wireguard/modules/wireguard/main.tf
+++ b/stacks/wireguard/modules/wireguard/main.tf
@ -110,8 +110,20 @@ resource "kubernetes_deployment" "wireguard" {
          image_pull_policy = "IfNotPresent"
          lifecycle {
            post_start {
+              # Switch the container's `iptables` symlink to iptables-nft
+              # before running wg-quick. The Debian-based sclevine/wg image
+              # defaults to iptables-legacy, which talks to the kernel's
+              # xt-tables interface. K8s nodes initialize their nat table
+              # via nftables (kernel `nf_tables`), so iptables-legacy in the
+              # container fails the wg0.conf PostUp MASQUERADE with:
+              #     can't initialize iptables table `nat': Table does not
+              #     exist (do you need to insmod?)
+              # Reproduced inside the live pod's namespaces 2026-05-17. The
+              # `update-alternatives` call points iptables/ip6tables at the
+              # `-nft` binaries so the same wg0.conf PostUp/PostDown writes
+              # to the nftables-backed nat table calico already set up.
              exec {
-                command = ["wg-quick", "up", "wg0"]
+                command = ["sh", "-c", "update-alternatives --set iptables /usr/sbin/iptables-nft >/dev/null && update-alternatives --set ip6tables /usr/sbin/ip6tables-nft >/dev/null && exec wg-quick up wg0"]
              }
            }
            pre_stop {