From 749df8e022655390cb563483f18812018211fa0d Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Fri, 18 Feb 2022 12:51:14 -0500 Subject: [PATCH 1/2] Move iptables consts to kubelet_network_linux.go. --- pkg/kubelet/kubelet_network.go | 16 ---------------- pkg/kubelet/kubelet_network_linux.go | 15 +++++++++++++++ 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/pkg/kubelet/kubelet_network.go b/pkg/kubelet/kubelet_network.go index 5b68d10efb4..bacbc27c7ff 100644 --- a/pkg/kubelet/kubelet_network.go +++ b/pkg/kubelet/kubelet_network.go @@ -22,22 +22,6 @@ import ( "k8s.io/api/core/v1" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1" "k8s.io/klog/v2" - utiliptables "k8s.io/kubernetes/pkg/util/iptables" -) - -const ( - // KubeMarkMasqChain is the mark-for-masquerade chain - // TODO: clean up this logic in kube-proxy - KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ" - - // KubeMarkDropChain is the mark-for-drop chain - KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP" - - // KubePostroutingChain is kubernetes postrouting rules - KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING" - - // KubeFirewallChain is kubernetes firewall rules - KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL" ) // providerRequiresNetworkingConfiguration returns whether the cloud provider diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go index 2aee3fb540c..613275c57f1 100644 --- a/pkg/kubelet/kubelet_network_linux.go +++ b/pkg/kubelet/kubelet_network_linux.go 
@@ -30,6 +30,21 @@ import ( utilnet "k8s.io/utils/net" ) +const ( + // KubeMarkMasqChain is the mark-for-masquerade chain + // TODO: clean up this logic in kube-proxy + KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ" + + // KubeMarkDropChain is the mark-for-drop chain + KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP" + + // KubePostroutingChain is kubernetes postrouting rules + KubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING" + + // KubeFirewallChain is kubernetes firewall rules + KubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL" +) + func (kl *Kubelet) initNetworkUtil() { exec := utilexec.New() // TODO: @khenidak review when there is no IPv6 iptables exec what should happen here (note: no error returned from this func) From edbce228cb02dbd9b37c23cb8275a48aaeaff4af Mon Sep 17 00:00:00 2001 From: Dan Winship Date: Sat, 26 Mar 2022 11:26:20 -0400 Subject: [PATCH 2/2] Create a KUBE-IPTABLES-HINT chain for other components Components that run in a container but modify the host network namespace iptables rules need to know whether the system is using iptables-legacy or iptables-nft. Given that kubelet will run before any container-based components, it is well-positioned to help them figure this out. So create a chain with a well-known name that they can look for. --- pkg/kubelet/kubelet_network_linux.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go index 613275c57f1..ae7d9235a55 100644 --- a/pkg/kubelet/kubelet_network_linux.go +++ b/pkg/kubelet/kubelet_network_linux.go 
@@ -31,6 +31,10 @@ import ( ) const ( + // KubeIPTablesHintChain is the chain whose existence in either iptables-legacy + // or iptables-nft indicates which version of iptables the system is using + KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT" + // KubeMarkMasqChain is the mark-for-masquerade chain // TODO: clean up this logic in kube-proxy KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ" @@ -184,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool { return false } + // Create hint chain so other components can see whether we are using iptables-legacy + // or iptables-nft. + if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil { + klog.ErrorS(err, "Failed to ensure that iptables hint chain exists") + return false + } + return true }
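Review bot: The KubeIPTablesHintChain doc comment does not say which table the chain lives in, yet the only thing a consumer can do with this constant is look the chain up, and the second hunk on this line creates it specifically in the mangle table (`utiliptables.TableMangle`). Because the name is now a cross-component contract rather than a kubelet-internal detail, the comment should state the table and that the name must stay stable: `// KubeIPTablesHintChain is the chain (created by kubelet in the mangle table) whose existence in either iptables-legacy or iptables-nft indicates which version of iptables the system is using; other components depend on this name, so it must not change`. The enclosing const block continues past the end of the hunk.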
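Review bot: The hint chain is only ever created here and never removed from the other iptables backend, so on a host whose backend changed between kubelet runs the chain can presumably remain in both iptables-legacy and iptables-nft until flushed or rebooted, and a consumer checking for its presence then gets no usable answer; whether that case matters cannot be confirmed from this hunk, but the comment above the EnsureChain call should record the assumption, e.g. `// Assumes the chain ends up in only one backend; a stale chain left by an earlier kubelet run under the other backend is not cleaned up here.` The `return false` after the ErrorS also means a failure to create this advisory chain now fails syncNetworkUtil exactly like a failure on the mark/masquerade chains; if callers treat false as a retry signal that is likely intended, but if they report it as a broken network setup it may be worth logging and continuing instead. syncNetworkUtil's body starts outside the hunk.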