Document iptables dependency

[pazepaze]

Overview

I ran into issues with DNS resolving for services in kubernetes via telepresence not working when trying to run telepresence within a container/ci pipeline.
In the end, the issue was that my container that executes the ci job did not have "iptables" installed. I only found out about this by using "telepresence gather-logs" and seeing an error indicating, that the iptables command was not found.

Request

Maybe this dependency on iptables should be documented somewhere? Maybe an error could also be displayed more prominently if it is missing but needed?

My scenario in more detail

I wrote an e2e test starting minikube and telepresence (v2.22.2) in gitlab-ci using docker:dind as service to provide the docker daemon. I used the kubernetes executor for gitlab-ci with privileged=true. I needed requests to hosts like "name.namespace.svc.cluster.local" to be routed to the service in the cluster, even if the testcode itself was running in the job container outside of minikube.

I used a golang:1.23 image, which is debian based. telepresence helm install and telepresence connect seemed to work and telepresence status did not display anything looking like an error.

But resolving service URLs did not work. After starting a hello-world deployment and service, it could not be resolved:

$ nslookup hello-world-service.default.svc.cluster.local
;; Got recursion not available from 10.34.204.10
;; Got recursion not available from 10.34.204.10
;; Got recursion not available from 10.34.204.10
;; Got recursion not available from 10.34.204.10
Server:		10.34.204.10
Address:	10.34.204.10#53
** server can't find hello-world-service.default.svc.cluster.local: NXDOMAIN

With telepresence gather-logs I could see this line indicating an error in the connector.log

2025-04-03 13:52:04.5430 error   connector/session/dns/legacy/NAT-redirect : goroutine "/connector/session/dns/legacy/NAT-redirect" exited with error: exec: "iptables": executable file not found in $PATH

After doing a apt-get install iptables iproute2 (not sure if the second is needed) before telepresence connect, it worked.

[thallgren]

One way to address this is if you could create a PR that adds a section to docs/troubleshooting.md. All changes to docs are propagated to telepresence.io when we do the next release.

[pazepaze]

I don't think I know enough about telepresence to document this dependency to iptables properly myself.

• Is iptables always needed or just in some configurations?
• I read something about nftables being used instead of iptables in the changelog...

Are some of the questions I would have.