Merge pull request #20647 from dcbw/allow-disabling-bridge-nf-call-iptables

Auto commit by PR queue bot
k8s-merge-robot 2016-02-25 01:27:47 -08:00
commit 33ef7a93a4
3 changed files with 39 additions and 6 deletions


@ -42,6 +42,12 @@ The kubelet has a single default network plugin, and a default network common to
* `network-plugin-dir`: Kubelet probes this directory for plugins on startup
* `network-plugin`: The network plugin to use from `network-plugin-dir`. It must match the name reported by a plugin probed from the plugin directory. For CNI plugins, this is simply "cni".
## Network Plugin Requirements
Besides providing the [`NetworkPlugin` interface](../../pkg/kubelet/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy. The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables. For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly. If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like docker with a bridge) work correctly with the iptables proxy.
### Exec
Place plugins in `network-plugin-dir/plugin-name/plugin-name`, i.e if you have a bridge plugin and `network-plugin-dir` is `/usr/lib/kubernetes`, you'd place the bridge plugin executable at `/usr/lib/kubernetes/bridge/bridge`. See [this comment](../../pkg/kubelet/network/exec/exec.go) for more details.


@ -28,6 +28,8 @@ import (
"k8s.io/kubernetes/pkg/api/unversioned"
kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
utilerrors "k8s.io/kubernetes/pkg/util/errors"
utilexec "k8s.io/kubernetes/pkg/util/exec"
utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
"k8s.io/kubernetes/pkg/util/validation"
)
@ -93,6 +95,9 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
if networkPluginName == "" {
// default to the no_op plugin
plug := &noopNetworkPlugin{}
if err := plug.Init(host); err != nil {
return nil, err
}
return plug, nil
}
@ -135,7 +140,22 @@ func UnescapePluginName(in string) string {
type noopNetworkPlugin struct {
}
const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
func (plugin *noopNetworkPlugin) Init(host Host) error {
// Set bridge-nf-call-iptables=1 to maintain compatibility with older
// kubernetes versions to ensure the iptables-based kube proxy functions
// correctly. Other plugins are responsible for setting this correctly
// depending on whether or not they connect containers to Linux bridges
// or use some other mechanism (ie, SDN vswitch).
// Ensure the netfilter module is loaded on kernel >= 3.18; previously
// it was built-in.
utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
}
return nil
}
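Review bot: The result of `utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()` in noopNetworkPlugin.Init is discarded without comment, so when the module is absent or the kubelet lacks the privilege to load it, the only trace is the later sysctl warning, which cannot say why the sysctl is missing. The proxier code this commit removes at least carried a comment stating that the modprobe failure is deliberately ignored because the sysctl check is what matters; this copy should either restate that or record the outcome at a verbose level, e.g. `if out, err := utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput(); err != nil {` / `glog.V(4).Infof("modprobe br-netfilter: %v, output: %q", err, out)` / `}`. Init always returns nil, so the `if err := plug.Init(host); err != nil` guard added in the earlier hunk of this file cannot fire today; that is fine as a forward-looking check but deserves a short comment such as `// Init currently never fails; keep the check so plugin errors surface if that changes.` so a reader does not hunt for the error path.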


@ -26,6 +26,7 @@ import (
"encoding/base32"
"fmt"
"net"
"os"
"reflect"
"strconv"
"strings"
@ -190,12 +191,18 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
}
// Load the module. It's OK if this fails (e.g. the module is not present)
// because we'll catch the error on the sysctl, which is what we actually
// care about.
exec.Command("modprobe", "br-netfilter").CombinedOutput()
if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
// are connected to a Linux bridge (but not SDN bridges). Until most
// plugins handle this, log when config is missing
warnBrNetfilter := false
if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
warnBrNetfilter = true
}
if val, err := utilsysctl.GetSysctl(sysctlBridgeCallIptables); err == nil && val != 1 {
warnBrNetfilter = true
}
if warnBrNetfilter {
glog.Infof("missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended")
}
// Generate the masquerade mark to use for SNAT rules.
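Review bot: The `os.Stat("/sys/module/br_netfilter")` check can misfire: on kernels where bridge netfilter is built in rather than loaded as a module (the plugins.go hunk of this commit notes that was the case before 3.18), a `/sys/module/br_netfilter` entry is not necessarily present, so warnBrNetfilter is set although the proxy will work; conversely, when GetSysctl fails because the sysctl file is absent, the `err == nil && val != 1` condition stays quiet and only the stat path reports it. Both cases reduce to the sysctl itself — if `net/bridge/bridge-nf-call-iptables` can be read and is 1 the functionality is present regardless of how the module was built — so the check could be collapsed to `if val, err := utilsysctl.GetSysctl(sysctlBridgeCallIptables); err != nil || val != 1 {` / `warnBrNetfilter = true` / `}` with the stat dropped, though I have not verified sysfs behaviour for built-in br_netfilter on every kernel this targets. The message in `glog.Infof(...)` names the knob `br-nf-call-iptables` while the constant is `bridge-nf-call-iptables`; interpolating `sysctlBridgeCallIptables` into the message keeps log searches consistent, and since the comment says the proxy may not work, Warningf looks like the right level. NewProxier continues outside the hunk.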