mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Merge pull request #109059 from danwinship/kube-iptables-hint
Create a KUBE-IPTABLES-HINT chain
commit
4fdca04f35
@ -22,22 +22,6 @@ import (
|
||||
"k8s.io/api/core/v1"
|
||||
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1"
|
||||
"k8s.io/klog/v2"
|
||||
utiliptables "k8s.io/kubernetes/pkg/util/iptables"
|
||||
)
|
||||
|
||||
const (
|
||||
// KubeMarkMasqChain is the mark-for-masquerade chain
|
||||
// TODO: clean up this logic in kube-proxy
|
||||
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
|
||||
|
||||
// KubeMarkDropChain is the mark-for-drop chain
|
||||
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
|
||||
|
||||
// KubePostroutingChain is kubernetes postrouting rules
|
||||
KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING"
|
||||
|
||||
// KubeFirewallChain is kubernetes firewall rules
|
||||
KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
|
||||
)
|
||||
|
||||
// providerRequiresNetworkingConfiguration returns whether the cloud provider
|
||||
|
@ -30,6 +30,25 @@ import (
|
||||
utilnet "k8s.io/utils/net"
|
||||
)
|
||||
|
||||
const (
|
||||
// KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
|
||||
// or iptables-nft indicates which version of iptables the system is using
|
||||
KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
|
||||
|
||||
// KubeMarkMasqChain is the mark-for-masquerade chain
|
||||
// TODO: clean up this logic in kube-proxy
|
||||
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
|
||||
|
||||
// KubeMarkDropChain is the mark-for-drop chain
|
||||
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
|
||||
|
||||
// KubePostroutingChain is kubernetes postrouting rules
|
||||
KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING"
|
||||
|
||||
// KubeFirewallChain is kubernetes firewall rules
|
||||
KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
|
||||
)
|
||||
|
||||
func (kl *Kubelet) initNetworkUtil() {
|
||||
exec := utilexec.New()
|
||||
// TODO: @khenidak review when there is no IPv6 iptables exec what should happen here (note: no error returned from this func)
|
||||
@ -169,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// Create hint chain so other components can see whether we are using iptables-legacy
|
||||
// or iptables-nft.
|
||||
if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
|
||||
klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
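Review bot: The doc comment on `KubeIPTablesHintChain` and the comment above the `EnsureChain` call never say which table holds the chain, although the call hard-codes `utiliptables.TableMangle`, so a component looking for the hint has to read `syncNetworkUtil` to learn where to look. I would extend the constant's comment with `// The chain is created in the mangle table and holds no rules; only its existence is meaningful.` (the hunk adds no rules to it, as far as is visible here). The chain is also created as the last step, after at least one earlier `return false` shown in the context lines, so a sync that fails earlier leaves no hint at all. The comment should therefore tell consumers to treat an absent hint, or one present in both backends, as "unknown" rather than as a decision. `syncNetworkUtil` begins outside the hunk, so its earlier failure paths are only partly visible.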