Merge pull request #20647 from dcbw/allow-disabling-bridge-nf-call-iptables

Auto commit by PR queue bot
2026-01-13 19:36:22 +00:00 · 2016-02-25 01:27:47 -08:00
parent 5f86dd1b2f 6248939e11
commit 33ef7a93a4
3 changed files with 39 additions and 6 deletions
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@@ -28,6 +28,8 @@ import (
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
+	utilexec "k8s.io/kubernetes/pkg/util/exec"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	"k8s.io/kubernetes/pkg/util/validation"
 )

@@ -93,6 +95,9 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 	if networkPluginName == "" {
 		// default to the no_op plugin
 		plug := &noopNetworkPlugin{}
+		if err := plug.Init(host); err != nil {
+			return nil, err
+		}
 		return plug, nil
 	}

@@ -135,7 +140,22 @@ func UnescapePluginName(in string) string {
 type noopNetworkPlugin struct {
 }

+const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
+
 func (plugin *noopNetworkPlugin) Init(host Host) error {
+	// Set bridge-nf-call-iptables=1 to maintain compatibility with older
+	// kubernetes versions to ensure the iptables-based kube proxy functions
+	// correctly.  Other plugins are responsible for setting this correctly
+	// depending on whether or not they connect containers to Linux bridges
+	// or use some other mechanism (ie, SDN vswitch).
+
+	// Ensure the netfilter module is loaded on kernel >= 3.18; previously
+	// it was built-in.
+	utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
+	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
+		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	}
+
 	return nil
 }

--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -26,6 +26,7 @@ import (
 	"encoding/base32"
 	"fmt"
 	"net"
+	"os"
 	"reflect"
 	"strconv"
 	"strings"
@@ -190,12 +191,18 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}

-	// Load the module.  It's OK if this fails (e.g. the module is not present)
-	// because we'll catch the error on the sysctl, which is what we actually
-	// care about.
-	exec.Command("modprobe", "br-netfilter").CombinedOutput()
-	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
-		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
+	// are connected to a Linux bridge (but not SDN bridges).  Until most
+	// plugins handle this, log when config is missing
+	warnBrNetfilter := false
+	if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
+		warnBrNetfilter = true
+	}
+	if val, err := utilsysctl.GetSysctl(sysctlBridgeCallIptables); err == nil && val != 1 {
+		warnBrNetfilter = true
+	}
+	if warnBrNetfilter {
+		glog.Infof("missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended")
 	}

 	// Generate the masquerade mark to use for SNAT rules.