Merge pull request #109059 from danwinship/kube-iptables-hint

Create a KUBE-IPTABLES-HINT chain
Kubernetes Prow Robot 2022-03-28 15:24:04 -07:00 committed by GitHub
commit 4fdca04f35
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 26 additions and 16 deletions


@ -22,22 +22,6 @@ import (
"k8s.io/api/core/v1"
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
"k8s.io/klog/v2"
utiliptables "k8s.io/kubernetes/pkg/util/iptables"
)
const (
// KubeMarkMasqChain is the mark-for-masquerade chain
// TODO: clean up this logic in kube-proxy
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
// KubeMarkDropChain is the mark-for-drop chain
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
// KubePostroutingChain is kubernetes postrouting rules
KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING"
// KubeFirewallChain is kubernetes firewall rules
KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
)
// providerRequiresNetworkingConfiguration returns whether the cloud provider


@ -30,6 +30,25 @@ import (
utilnet "k8s.io/utils/net"
)
const (
// KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
// or iptables-nft indicates which version of iptables the system is using
KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
// KubeMarkMasqChain is the mark-for-masquerade chain
// TODO: clean up this logic in kube-proxy
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
// KubeMarkDropChain is the mark-for-drop chain
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
// KubePostroutingChain is kubernetes postrouting rules
KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING"
// KubeFirewallChain is kubernetes firewall rules
KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
)
func (kl *Kubelet) initNetworkUtil() {
exec := utilexec.New()
// TODO: @khenidak review when there is no IPv6 iptables exec what should happen here (note: no error returned from this func)
@ -169,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
return false
}
// Create hint chain so other components can see whether we are using iptables-legacy
// or iptables-nft.
if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
return false
}
return true
}
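Review bot: The doc comment on KubeIPTablesHintChain never says which table the chain lives in, yet the new EnsureChain call at the end of syncNetworkUtil creates it only in the mangle table, so an external component that consumes the hint has to already know where to look; suggest extending the constant's comment with `// The chain is created in the mangle table, so consumers must check that table` and `// (e.g. via "iptables -t mangle -S KUBE-IPTABLES-HINT" with each backend).` It is also worth stating in that comment that this is a presence hint only: if a node is switched from one iptables backend to the other without a reboot or flush, the chain may presumably remain in the old backend as well, so consumers should treat "present in exactly one backend" as the signal and decide explicitly what to do when it is present in both. Whether the chain is created for both IPv4 and IPv6 depends on how initNetworkUtil invokes syncNetworkUtil per client, which is outside this hunk; syncNetworkUtil's body also begins outside the hunk.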