From 305641bd4c572588cf0851304e26ea02e3155049 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Thu, 29 Dec 2022 16:21:33 -0500
Subject: [PATCH] Add iptablesKubeletJumpChains to iptables proxier

Some of the chains kube-proxy creates are also created by kubelet; we need to ensure that those chains exist but we should not delete them in CleanupLeftovers().
---
 pkg/proxy/iptables/proxier.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 8c142698102..277fc5e1332 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -373,6 +373,13 @@ var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainForward, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
 	{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
 	{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
+}
+
+// Duplicates of chains created in pkg/kubelet/kubelet_network_linux.go; we create these
+// on startup but do not delete them in CleanupLeftovers.
+var iptablesKubeletJumpChains = []iptablesJumpChain{
+	// Move this to iptablesJumpChains once IPTablesOwnershipCleanup is GA and kubelet
+	// no longer creates this chain,
 	{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
 }
 
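Review bot: The doc comment on iptablesKubeletJumpChains explains why these entries are not deleted in CleanupLeftovers but not that they have to stay identical to what kubelet installs; since both components now ensure the same jump into kubePostroutingChain, a divergence in table, parent chain or rule comment would presumably leave each component maintaining its own jump rule rather than sharing one. Add a sentence such as `// Each entry must match the chain, parent chain and rule comment kubelet installs, otherwise both components end up ensuring separate jump rules.` The inline comment on the kubePostroutingChain entry also ends with a comma where a period is meant: `// no longer creates this chain.`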
@@ -875,7 +882,7 @@ func (proxier *Proxier) syncProxyRules() {
 	// already exist, so we'll skip this step when doing a partial sync, to
 	// save us from having to invoke /sbin/iptables 20 times on each sync
 	// (which will be very slow on hosts with lots of iptables rules).
-	for _, jump := range iptablesJumpChains {
+	for _, jump := range append(iptablesJumpChains, iptablesKubeletJumpChains...) {
 		if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
 			klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain)
 			return
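Review bot: The range header `append(iptablesJumpChains, iptablesKubeletJumpChains...)` appends to a package-level slice; today both are composite literals with cap == len, so the append copies into a fresh array, but should iptablesJumpChains ever be built with spare capacity the kubelet entries would be written into its backing array and, presumably, be picked up by CleanupLeftovers, undoing the separation this commit introduces. It also allocates a new slice on every full sync for no benefit. Prefer a form that cannot alias, built once at package scope, e.g. `var iptablesAllJumpChains = append(append([]iptablesJumpChain(nil), iptablesJumpChains...), iptablesKubeletJumpChains...)` and `for _, jump := range iptablesAllJumpChains {`, with a short comment stating it is the union used only for EnsureChain/EnsureRule. syncProxyRules starts and ends outside this hunk.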