cluster: configure nftables mode for kube-proxy

(based on a patch from Antonio Ojea)
2025-07-30 15:05:27 +00:00 · 2024-04-18 10:02:00 -04:00 · 2024-04-18 10:02:00 -04:00 · 9f580afa66
commit 9f580afa66
parent 2055a490e8
2 changed files with 7 additions and 1 deletions
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@ -532,7 +532,7 @@ KUBE_PROXY_DAEMONSET=${KUBE_PROXY_DAEMONSET:-false} # true, false
 # as an addon daemonset.
 KUBE_PROXY_DISABLE="${KUBE_PROXY_DISABLE:-false}" # true, false

-# Optional: Change the kube-proxy implementation. Choices are [iptables, ipvs].
+# Optional: Change the kube-proxy implementation. Choices are [iptables, ipvs, nftables].
 KUBE_PROXY_MODE=${KUBE_PROXY_MODE:-iptables}

 # Will be passed into the kube-proxy via `--detect-local-mode`
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1774,6 +1774,12 @@ function prepare-kube-proxy-manifest-variables {
      fi
      params+=" --proxy-mode=ipvs --ipvs-sync-period=1m --ipvs-min-sync-period=10s"
      ;;
+    nftables)
+      # Pass --conntrack-tcp-be-liberal so we can test that this makes the
+      # "proxy implementation should not be vulnerable to the invalid conntrack state bug"
+      # test pass. https://issues.k8s.io/122663#issuecomment-1885024015
+      params+=" --proxy-mode=nftables --conntrack-tcp-be-liberal"
+      ;;
  esac

  if [[ -n "${KUBEPROXY_TEST_ARGS:-}" ]]; then