Merge pull request #20647 from dcbw/allow-disabling-bridge-nf-call-iptables

Auto commit by PR queue bot
2025-07-30 06:54:01 +00:00 · 2016-02-25 01:27:47 -08:00 · 2016-02-25 01:27:47 -08:00 · 33ef7a93a4
commit 33ef7a93a4
parent 5f86dd1b2f 6248939e11
3 changed files with 39 additions and 6 deletions
--- a/docs/admin/network-plugins.md
+++ b/docs/admin/network-plugins.md
@ -42,6 +42,12 @@ The kubelet has a single default network plugin, and a default network common to
 * `network-plugin-dir`: Kubelet probes this directory for plugins on startup
 * `network-plugin`: The network plugin to use from `network-plugin-dir`.  It must match the name reported by a plugin probed from the plugin directory.  For CNI plugins, this is simply "cni".

+## Network Plugin Requirements
+
+Besides providing the [`NetworkPlugin` interface](../../pkg/kubelet/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy.  The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.  For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.  If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
+
+By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like docker with a bridge) work correctly with the iptables proxy.
+
 ### Exec

 Place plugins in `network-plugin-dir/plugin-name/plugin-name`, i.e if you have a bridge plugin and `network-plugin-dir` is `/usr/lib/kubernetes`, you'd place the bridge plugin executable at `/usr/lib/kubernetes/bridge/bridge`. See [this comment](../../pkg/kubelet/network/exec/exec.go) for more details.
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@ -28,6 +28,8 @@ import (
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
+	utilexec "k8s.io/kubernetes/pkg/util/exec"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	"k8s.io/kubernetes/pkg/util/validation"
 )

@ -93,6 +95,9 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 	if networkPluginName == "" {
 		// default to the no_op plugin
 		plug := &noopNetworkPlugin{}
+		if err := plug.Init(host); err != nil {
+			return nil, err
+		}
 		return plug, nil
 	}

@ -135,7 +140,22 @@ func UnescapePluginName(in string) string {
 type noopNetworkPlugin struct {
 }

+const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
+
 func (plugin *noopNetworkPlugin) Init(host Host) error {
+	// Set bridge-nf-call-iptables=1 to maintain compatibility with older
+	// kubernetes versions to ensure the iptables-based kube proxy functions
+	// correctly.  Other plugins are responsible for setting this correctly
+	// depending on whether or not they connect containers to Linux bridges
+	// or use some other mechanism (ie, SDN vswitch).
+
+	// Ensure the netfilter module is loaded on kernel >= 3.18; previously
+	// it was built-in.
+	utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
+	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
+		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	}
+
 	return nil
 }

--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -26,6 +26,7 @@ import (
 	"encoding/base32"
 	"fmt"
 	"net"
+	"os"
 	"reflect"
 	"strconv"
 	"strings"
@ -190,12 +191,18 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}

-	// Load the module.  It's OK if this fails (e.g. the module is not present)
-	// because we'll catch the error on the sysctl, which is what we actually
-	// care about.
-	exec.Command("modprobe", "br-netfilter").CombinedOutput()
-	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
-		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
+	// are connected to a Linux bridge (but not SDN bridges).  Until most
+	// plugins handle this, log when config is missing
+	warnBrNetfilter := false
+	if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
+		warnBrNetfilter = true
+	}
+	if val, err := utilsysctl.GetSysctl(sysctlBridgeCallIptables); err == nil && val != 1 {
+		warnBrNetfilter = true
+	}
+	if warnBrNetfilter {
+		glog.Infof("missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended")
 	}

 	// Generate the masquerade mark to use for SNAT rules.