Recommended values

    workload:
      type: statefulset
      replicas: 2

    networking:
      mode: pod
      disableIPv6: true

    tunDevice:
      enabled: true

Node image

  • Container-Optimized OS (cos_containerd): /dev/net/tun is
    available. Default and recommended.
  • Ubuntu (ubuntu_containerd): also works.
  • GKE Autopilot: unsupported. Pod mode does not run a privileged
    container, but Autopilot still blocks two things the chart needs:
    the hostPath mount for /dev/net/tun and the NET_ADMIN/NET_RAW
    container capabilities. See the roadmap for what would have to
    change upstream. Use Standard GKE.

Egress

Use Cloud NAT with a reserved static external IP for the node pool
running the Publisher. Without it, the Publisher's traffic leaves through
whatever ephemeral external IP its node happens to have, and that address
changes every time the node is recreated (upgrades, autoscaling, auto-repair).
Cloud NAT only translates traffic from nodes that have no external IP of
their own, so the Publisher's node pool must use private nodes.
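The Cloud NAT setup above as an added, runnable script; it is not part of the chart or of this page. PROJECT, REGION, NETWORK and the npa-publisher-* resource names are placeholders. Note that Cloud NAT is scoped to a VPC network, region and set of subnet ranges rather than to a node pool, so with --nat-all-subnet-ip-ranges every private node in that region shares the reserved address:

```shell
#!/bin/sh
# Added example (not from the chart or the page): reserve a static external IP
# and put a Cloud NAT in front of the Publisher's node pool so its egress source
# address never changes. PROJECT, REGION, NETWORK and the npa-publisher-* names
# are placeholders; override them in the environment.
set -eu

: "${PROJECT:=my-gcp-project}"
: "${REGION:=us-central1}"
: "${NETWORK:=default}"
: "${PREFIX:=npa-publisher}"

# 1. Reserve the address. A reserved (not ephemeral) address survives VM
#    recreation, which is the whole point of the exercise.
reserve_static_ip() {
  gcloud compute addresses create "${PREFIX}-egress" \
    --project "$PROJECT" --region "$REGION"
}

# 2. A Cloud Router to attach the NAT to, then the NAT itself pinned to the
#    reserved address. --nat-all-subnet-ip-ranges includes the subnets'
#    secondary ranges, which is where GKE pod IPs live; without it, pod
#    traffic in pod networking mode would not be translated at all.
create_cloud_nat() {
  gcloud compute routers create "${PREFIX}-router" \
    --project "$PROJECT" --region "$REGION" --network "$NETWORK"
  gcloud compute routers nats create "${PREFIX}-nat" \
    --project "$PROJECT" --region "$REGION" --router "${PREFIX}-router" \
    --nat-external-ip-pool "${PREFIX}-egress" \
    --nat-all-subnet-ip-ranges \
    --enable-logging --log-filter ERRORS_ONLY
}

# 3. Print the address so it can be allowlisted on the far side.
show_egress_ip() {
  gcloud compute addresses describe "${PREFIX}-egress" \
    --project "$PROJECT" --region "$REGION" --format 'value(address)'
}

if [ "${1:-}" = "--apply" ]; then
  reserve_static_ip
  create_cloud_nat
  show_egress_ip
fi
```

Run it with --apply once the Publisher's node pool is private (nodes without external IPs); nodes that still carry an external IP bypass Cloud NAT and keep using their own ephemeral address. ERRORS_ONLY logging records NAT port exhaustion, which on a small pool is the first thing to look at when the Publisher's tunnel drops.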

PodSecurity (GKE 1.25+)

Pod Security Admission's baseline and restricted levels reject hostPath
volumes and the NET_ADMIN/NET_RAW capabilities the chart adds, so the
install namespace must enforce the privileged level:

    kubectl label namespace npa-publisher \
      pod-security.kubernetes.io/enforce=privileged \
      --overwrite
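A way to confirm the label actually does what the chart needs before running helm install, as an added example that is not part of the chart or of this page. It submits a probe pod carrying only the two things baseline rejects, a hostPath volume for /dev/net/tun and added NET_ADMIN/NET_RAW, through a server-side dry run, which passes admission (PodSecurity included) without creating anything. NAMESPACE, the probe pod's name and its image are placeholders:

```shell
#!/bin/sh
# Added example (not part of the chart or this page): confirm the namespace's
# Pod Security level admits a pod with a hostPath volume and NET_ADMIN/NET_RAW.
# A server-side dry run goes through admission without creating the pod.
# NAMESPACE and the probe pod's name/image are placeholders.
set -eu

: "${NAMESPACE:=npa-publisher}"

# Current enforce level. An unset label means the cluster default applies,
# which is privileged unless the PodSecurity admission config says otherwise.
psa_enforce_level() {
  kubectl get namespace "$NAMESPACE" \
    -o 'jsonpath={.metadata.labels.pod-security\.kubernetes\.io/enforce}'
}

# Minimal pod carrying exactly the two things baseline rejects.
psa_probe_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: psa-probe
  namespace: $NAMESPACE
spec:
  restartPolicy: Never
  containers:
  - name: probe
    image: busybox:1.36
    command: ["true"]
    securityContext:
      capabilities:
        add: ["NET_ADMIN", "NET_RAW"]
    volumeMounts:
    - name: tun
      mountPath: /dev/net/tun
  volumes:
  - name: tun
    hostPath:
      path: /dev/net/tun
      type: CharDevice
EOF
}

# Exit 0 if admission would accept the probe; non-zero, with the PodSecurity
# violation printed by kubectl, otherwise.
psa_check() {
  psa_probe_manifest | kubectl apply --dry-run=server -f -
}

if [ "${1:-}" = "--check" ]; then
  echo "enforce level: $(psa_enforce_level)"
  psa_check
fi
```

Run it with --check after labelling the namespace. On a namespace still at baseline or restricted the dry run is rejected with a PodSecurity violation that names the hostPath volume and the added capabilities, which is the same admission failure the chart's StatefulSet pods would hit. The dry run still needs RBAC permission to create pods in the namespace, so run it as the identity that will perform the install.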

Workload Identity

Not required; the Publisher does not call any GCP API.