github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-09-15 06:01:50 +00:00
Code Issues Projects Releases Wiki Activity

Reorganize nftables proxy init

Browse Source 
Move the "nftables is supported" check into a separate function, and
call it before the --init-only return.
This commit is contained in:
Dan Winship
2024-01-30 17:30:48 -05:00
parent a2a5b67442
commit 912eca9e8b
1 changed files with 30 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
pkg/proxy/nftables/proxier.go
View File

@@ -215,6 +215,11 @@ func NewProxier(ctx context.Context,
) (*Proxier, error) { ) (*Proxier, error) {
logger := klog.LoggerWithValues(klog.FromContext(ctx), "ipFamily", ipFamily) logger := klog.LoggerWithValues(klog.FromContext(ctx), "ipFamily", ipFamily)
nft, err := getNFTablesInterface(ipFamily)
if err != nil {
return nil, err
}
if initOnly { if initOnly {
logger.Info("System initialized and --init-only specified") logger.Info("System initialized and --init-only specified")
return nil, nil return nil, nil
@@ -229,17 +234,6 @@ func NewProxier(ctx context.Context,
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses, healthzServer) serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses, healthzServer)
var nftablesFamily knftables.Family
if ipFamily == v1.IPv4Protocol {
nftablesFamily = knftables.IPv4Family
} else {
nftablesFamily = knftables.IPv6Family
}
nft, err := knftables.New(nftablesFamily, kubeProxyTable)
if err != nil {
return nil, err
}
proxier := &Proxier{ proxier := &Proxier{
ipFamily: ipFamily, ipFamily: ipFamily,
svcPortMap: make(proxy.ServicePortMap), svcPortMap: make(proxy.ServicePortMap),
@@ -270,6 +264,31 @@ func NewProxier(ctx context.Context,
return proxier, nil return proxier, nil
} }
// Create a knftables.Interface and check if we can use the nftables proxy mode on this host.
func getNFTablesInterface(ipFamily v1.IPFamily) (knftables.Interface, error) {
var nftablesFamily knftables.Family
if ipFamily == v1.IPv4Protocol {
nftablesFamily = knftables.IPv4Family
} else {
nftablesFamily = knftables.IPv6Family
}
// We require (or rather, knftables.New does) that the nft binary be version 1.0.1
// or later, because versions before that would always attempt to parse the entire
// nft ruleset at startup, even if you were only operating on a single table.
// That's bad, because in some cases, new versions of nft have added new rule
// types in ways that triggered bugs in older versions of nft, causing them to
// crash. Thus, if kube-proxy used nft < 1.0.1, it could potentially get locked
// out of its rules because of something some other component had done in a
// completely different table.
nft, err := knftables.New(nftablesFamily, kubeProxyTable)
if err != nil {
return nil, err
}
return nft, nil
}
// internal struct for string service information // internal struct for string service information
type servicePortInfo struct { type servicePortInfo struct {
*proxy.BaseServicePortInfo *proxy.BaseServicePortInfo