github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

Require kernel 5.13 for nftables kube-proxy

Browse Source
This commit is contained in:
Dan Winship 2024-01-30 17:32:04 -05:00
parent 912eca9e8b
commit 505f6833d9
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/proxy/nftables/proxier.go
View File

@ -40,6 +40,7 @@ import (
discovery "k8s.io/api/discovery/v1" discovery "k8s.io/api/discovery/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/sets"
"k8s.io/apimachinery/pkg/util/version"
"k8s.io/apimachinery/pkg/util/wait" "k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/events" "k8s.io/client-go/tools/events"
"k8s.io/klog/v2" "k8s.io/klog/v2"
@ -50,6 +51,7 @@ import (
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utilkernel "k8s.io/kubernetes/pkg/util/kernel"
utilexec "k8s.io/utils/exec" utilexec "k8s.io/utils/exec"
netutils "k8s.io/utils/net" netutils "k8s.io/utils/net"
"k8s.io/utils/ptr" "k8s.io/utils/ptr"
@ -286,6 +288,22 @@ func getNFTablesInterface(ipFamily v1.IPFamily) (knftables.Interface, error) {
return nil, err return nil, err
} }
// Likewise, we want to ensure that the host filesystem has nft >= 1.0.1, so that
// it's not possible that *our* rules break *the system's* nft. (In particular, we
// know that if kube-proxy uses nft >= 1.0.3 and the system has nft <= 0.9.8, that
// the system nft will become completely unusable.) Unfortunately, we can't easily
// figure out the version of nft installed on the host filesystem, so instead, we
// check the kernel version, under the assumption that the distro will have an nft
// binary that supports the same features as its kernel does, and so kernel 5.13
// or later implies nft 1.0.1 or later. https://issues.k8s.io/122743
kernelVersion, err := utilkernel.GetVersion()
if err != nil {
return nil, fmt.Errorf("could not check kernel version: %w", err)
}
if kernelVersion.LessThan(version.MustParseGeneric(utilkernel.NFTablesKubeProxyKernelVersion)) {
return nil, fmt.Errorf("kube-proxy in nftables mode requires kernel %s or later", utilkernel.NFTablesKubeProxyKernelVersion)
}
return nft, nil return nft, nil
} }

5
pkg/util/kernel/constants.go
View File

@ -49,3 +49,8 @@ const IPVSConnReuseModeFixedKernelVersion = "5.9"
const UserNamespacesSupportKernelVersion = "6.3" const UserNamespacesSupportKernelVersion = "6.3"
const TmpfsNoswapSupportKernelVersion = "6.4" const TmpfsNoswapSupportKernelVersion = "6.4"
// NFTablesKubeProxyKernelVersion is the lowest kernel version kube-proxy supports using
// nftables mode with by default. This is not directly related to any specific kernel
// commit; see https://issues.k8s.io/122743#issuecomment-1893922424
const NFTablesKubeProxyKernelVersion = "5.13"