Merge pull request #20647 from dcbw/allow-disabling-bridge-nf-call-iptables

Auto commit by PR queue bot
2025-07-26 21:17:23 +00:00 · 2016-02-25 01:27:47 -08:00 · 2016-02-25 01:27:47 -08:00 · 33ef7a93a4
commit 33ef7a93a4
parent 5f86dd1b2f 6248939e11
3 changed files with 39 additions and 6 deletions
--- a/docs/admin/network-plugins.md
+++ b/docs/admin/network-plugins.md
@ -42,6 +42,12 @@ The kubelet has a single default network plugin, and a default network common to
 * `network-plugin-dir`: Kubelet probes this directory for plugins on startup
 * `network-plugin`: The network plugin to use from `network-plugin-dir`.  It must match the name reported by a plugin probed from the plugin directory.  For CNI plugins, this is simply "cni".
 ## Network Plugin Requirements
 Besides providing the [`NetworkPlugin` interface](../../pkg/kubelet/network/plugins.go) to configure and clean up pod networking, the plugin may also need specific support for kube-proxy.  The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables.  For example, if the plugin connects containers to a Linux bridge, the plugin must set the `net/bridge/bridge-nf-call-iptables` sysctl to `1` to ensure that the iptables proxy functions correctly.  If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.
 By default if no kubelet network plugin is specified, the `noop` plugin is used, which sets `net/bridge/bridge-nf-call-iptables=1` to ensure simple configurations (like docker with a bridge) work correctly with the iptables proxy.
 ### Exec
 Place plugins in `network-plugin-dir/plugin-name/plugin-name`, i.e if you have a bridge plugin and `network-plugin-dir` is `/usr/lib/kubernetes`, you'd place the bridge plugin executable at `/usr/lib/kubernetes/bridge/bridge`. See [this comment](../../pkg/kubelet/network/exec/exec.go) for more details.
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@ -28,6 +28,8 @@ import (
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
 	utilexec "k8s.io/kubernetes/pkg/util/exec"
 	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	"k8s.io/kubernetes/pkg/util/validation"
 )
@ -93,6 +95,9 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 	if networkPluginName == "" {
 		// default to the no_op plugin
 		plug := &noopNetworkPlugin{}
 		if err := plug.Init(host); err != nil {
 			return nil, err
 		}
 		return plug, nil
 	}
@ -135,7 +140,22 @@ func UnescapePluginName(in string) string {
 type noopNetworkPlugin struct {
 }
 const sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
 func (plugin *noopNetworkPlugin) Init(host Host) error {
 	// Set bridge-nf-call-iptables=1 to maintain compatibility with older
 	// kubernetes versions to ensure the iptables-based kube proxy functions
 	// correctly.  Other plugins are responsible for setting this correctly
 	// depending on whether or not they connect containers to Linux bridges
 	// or use some other mechanism (ie, SDN vswitch).
 	// Ensure the netfilter module is loaded on kernel >= 3.18; previously
 	// it was built-in.
 	utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
 	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
 		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
 	}
 	return nil
 }
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -26,6 +26,7 @@ import (
 	"encoding/base32"
 	"fmt"
 	"net"
 	"os"
 	"reflect"
 	"strconv"
 	"strings"
@ -190,12 +191,18 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
 	}
-	// Load the module.  It's OK if this fails (e.g. the module is not present)
+	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
-	// because we'll catch the error on the sysctl, which is what we actually
+	// are connected to a Linux bridge (but not SDN bridges).  Until most
-	// care about.
+	// plugins handle this, log when config is missing
-	exec.Command("modprobe", "br-netfilter").CombinedOutput()
+	warnBrNetfilter := false
-	if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
+	if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
-		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+		warnBrNetfilter = true
 	}
 	if val, err := utilsysctl.GetSysctl(sysctlBridgeCallIptables); err == nil && val != 1 {
 		warnBrNetfilter = true
 	}
 	if warnBrNetfilter {
 		glog.Infof("missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended")
 	}
 	// Generate the masquerade mark to use for SNAT rules.