coilyco-flight-deck/infrastructure
1
0
Fork 0
Code Issues 101 Pull requests Projects Releases Packages Wiki Activity Actions 1

kubectl logs/exec 502 against tailnet-joined nodes #10

New issue
Open
opened 2026-05-23 20:54:26 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:54:26 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-05-22T13:55:43Z - https://github.com/coilysiren/infrastructure/issues/279

Symptom - kubectl logs <pod> and kubectl exec against pods on kai-macbook-pro-vm return 502 Bad Gateway: proxy error from 127.0.0.1:6443 while dialing 100.96.209.24:10250.

Ruled out

  • kubelet is listening on *:10250
  • the VM reaches its own kubelet on the tailnet IP: https://100.96.209.24:10250/healthz returns 401, so the endpoint is up
  • no firewall: ufw is inactive in the VM
  • the kubelet serving cert SAN includes 100.96.209.24
  • tailnet path is healthy: tailscale ping kai-server returns a direct pong at 24ms

Likely root - either the k3s egress-selector-mode=agent konnectivity tunnel, or a kai-server-initiated tailnet path asymmetry (the VM is double-NATed behind the Mac). The apiserver-to-kubelet direction specifically.

Context - kai-macbook-pro-vm is a Lima VM on the Mac, joined over Tailscale, intentionally cordoned. Pod scheduling and local container execution work (verified via crictl logs on the node). Only the apiserver-proxied logs/exec path is affected. The kai-desktop-tower-wsl node likely has the same class of issue, worse: its InternalIP 172.27.244.126 is a WSL NAT address that is not control-plane-routable at all.

Found while standing up the Mac as a learning node.

_Originally filed by @coilysiren on 2026-05-22T13:55:43Z - [https://github.com/coilysiren/infrastructure/issues/279](https://github.com/coilysiren/infrastructure/issues/279)_ **Symptom** - `kubectl logs <pod>` and `kubectl exec` against pods on `kai-macbook-pro-vm` return `502 Bad Gateway`: `proxy error from 127.0.0.1:6443 while dialing 100.96.209.24:10250`. **Ruled out** - kubelet is listening on `*:10250` - the VM reaches its own kubelet on the tailnet IP: `https://100.96.209.24:10250/healthz` returns 401, so the endpoint is up - no firewall: `ufw` is inactive in the VM - the kubelet serving cert SAN includes `100.96.209.24` - tailnet path is healthy: `tailscale ping kai-server` returns a direct pong at 24ms **Likely root** - either the k3s `egress-selector-mode=agent` konnectivity tunnel, or a kai-server-initiated tailnet path asymmetry (the VM is double-NATed behind the Mac). The apiserver-to-kubelet direction specifically. **Context** - `kai-macbook-pro-vm` is a Lima VM on the Mac, joined over Tailscale, intentionally cordoned. Pod scheduling and local container execution work (verified via `crictl logs` on the node). Only the apiserver-proxied logs/exec path is affected. The `kai-desktop-tower-wsl` node likely has the same class of issue, worse: its InternalIP `172.27.244.126` is a WSL NAT address that is not control-plane-routable at all. **Found while** standing up the Mac as a learning node.
coilysiren added
P3
 and removed
P2
 labels 2026-05-31 07:00:55 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dispatch/issue-294
tangled-knot
dispatch/issue-216
No results found.
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/infrastructure#10
No description provided.