From f73f27a568c1cff1bb19215eb259c3c5279e318c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:38:11 +0000 Subject: [PATCH 1/4] Initial plan From 009c2c40479d0c78471154a11ff4ba50dde82955 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:42:24 +0000 Subject: [PATCH 2/4] Add iptables SNAT init container to Plex deployment for local network treatment Co-authored-by: bancey <23360105+bancey@users.noreply.github.com> --- kubernetes/apps/wanda/plex-patch.yaml | 32 +++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/kubernetes/apps/wanda/plex-patch.yaml b/kubernetes/apps/wanda/plex-patch.yaml index 7e945684e..99ab2c49d 100644 --- a/kubernetes/apps/wanda/plex-patch.yaml +++ b/kubernetes/apps/wanda/plex-patch.yaml @@ -21,6 +21,38 @@ spec: lbipam.cilium.io/ips: 10.151.24.161 pms: configExistingClaim: plex-config-pvc-nfs-static + initContainers: + - name: setup-iptables + image: alpine:3.21 + command: + - /bin/sh + - -c + - | + set -e + echo "Installing iptables..." + apk add --no-cache iptables + + echo "Getting pod IP address..." + POD_IP=$(hostname -i) + echo "Pod IP: $POD_IP" + + # Extract the subnet (e.g., 10.42.9.231 -> 10.42) + POD_SUBNET=$(echo $POD_IP | cut -d'.' -f1-2) + echo "Pod Subnet: $POD_SUBNET.0.0/16" + + echo "Setting up iptables NETMAP rule for port 32400..." + iptables -t nat -A PREROUTING -p tcp --dport 32400 -j NETMAP --to ${POD_SUBNET}.0.0/16 + + echo "Listing NAT table rules:" + iptables -t nat -L PREROUTING -n -v + + echo "iptables setup complete" + securityContext: + privileged: true + capabilities: + add: + - NET_ADMIN + - NET_RAW extraVolumes: - name: data persistentVolumeClaim: From c3544c9bf6c604cf0be3fb4fdc22880c10a38e99 Mon Sep 17 00:00:00 2001 
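Review bot: The `iptables -t nat -A PREROUTING -p tcp --dport 32400 -j NETMAP --to ${POD_SUBNET}.0.0/16` rule sits in PREROUTING, where NETMAP rewrites the destination address rather than the source, so it does not appear to give the SNAT behaviour the subject describes. The destination is already the pod address inside that /16, which makes the rule look like a no-op. Source rewriting with NETMAP applies in POSTROUTING (or INPUT), and the /16 derived from the first two octets is an assumption about the cluster's pod CIDR that nothing here checks. Before moving the rule, weigh what a working version means: every client reaching port 32400 would look local to Plex, so any Plex setting that relaxes limits or authentication for local networks would then cover remote clients too, and Plex logs would lose the real client addresses. Separately, the container runs `apk add` at every pod start from the mutable tag `alpine:3.21` while holding NET_ADMIN; a prebuilt image that already contains iptables, referenced by digest (`image: <registry>/<image>@sha256:<digest>`), removes the network dependency and pins what runs with that capability.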
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:43:34 +0000 Subject: [PATCH 3/4] Remove privileged flag, use specific capabilities for better security isolation Co-authored-by: bancey <23360105+bancey@users.noreply.github.com> --- kubernetes/apps/wanda/plex-patch.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/kubernetes/apps/wanda/plex-patch.yaml b/kubernetes/apps/wanda/plex-patch.yaml index 99ab2c49d..0f854a36f 100644 --- a/kubernetes/apps/wanda/plex-patch.yaml +++ b/kubernetes/apps/wanda/plex-patch.yaml @@ -48,7 +48,6 @@ spec: echo "iptables setup complete" securityContext: - privileged: true capabilities: add: - NET_ADMIN From 91e5ae27aed51a3911af2f5bde4667cc0ea4da98 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 19 Dec 2025 20:44:46 +0000 Subject: [PATCH 4/4] Add error checking for pod IP detection to improve reliability Co-authored-by: bancey <23360105+bancey@users.noreply.github.com> --- kubernetes/apps/wanda/plex-patch.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kubernetes/apps/wanda/plex-patch.yaml b/kubernetes/apps/wanda/plex-patch.yaml index 0f854a36f..a0e8a316f 100644 --- a/kubernetes/apps/wanda/plex-patch.yaml +++ b/kubernetes/apps/wanda/plex-patch.yaml @@ -33,7 +33,11 @@ spec: apk add --no-cache iptables echo "Getting pod IP address..." - POD_IP=$(hostname -i) + POD_IP=$(hostname -i | awk '{print $1}') + if [ -z "$POD_IP" ]; then + echo "ERROR: Could not determine pod IP address" + exit 1 + fi echo "Pod IP: $POD_IP" # Extract the subnet (e.g., 10.42.9.231 -> 10.42)
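Review bot: The new `[ -z "$POD_IP" ]` check only rejects an empty value, so an IPv6 address or any other non-dotted output of `hostname -i` still flows into the `cut -d'.' -f1-2` step and from there into the iptables rule. Piping through awk also means a failing `hostname -i` no longer trips `set -e`, which leaves this check as the only guard on the value. I would validate the shape before use, e.g. `case "$POD_IP" in *.*.*.*) ;; *) echo "ERROR: unexpected pod IP: $POD_IP"; exit 1 ;; esac`, or take the address from the Downward API (an env var with `fieldRef` / `fieldPath: status.podIP`) instead of resolving the hostname. The script continues past the end of this hunk.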