From 02c0f41c8811b9f63c54a39a6317f7197fba87a7 Mon Sep 17 00:00:00 2001
From: Yifan Gu
Date: Mon, 11 Apr 2016 12:06:26 -0700
Subject: [PATCH] kubenet: Load bridge netfilter module in Init(). Also set 'bridge-nf-call-iptables' to true.
---
 pkg/kubelet/network/kubenet/kubenet_linux.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pkg/kubelet/network/kubenet/kubenet_linux.go b/pkg/kubelet/network/kubenet/kubenet_linux.go
index c73c543e7fc..507dff6f39d 100644
--- a/pkg/kubelet/network/kubenet/kubenet_linux.go
+++ b/pkg/kubelet/network/kubenet/kubenet_linux.go
@@ -32,12 +32,16 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/dockertools"
 "k8s.io/kubernetes/pkg/kubelet/network"
 "k8s.io/kubernetes/pkg/util/bandwidth"
+ utilexec "k8s.io/kubernetes/pkg/util/exec"
+ utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 )
 
 const (
 KubenetPluginName = "kubenet"
 BridgeName = "cbr0"
 DefaultCNIDir = "/opt/cni/bin"
+
+ sysctlBridgeCallIptables = "net/bridge/bridge-nf-call-iptables"
 )
 
 type kubenetNetworkPlugin struct {
@@ -72,6 +76,17 @@ func (plugin *kubenetNetworkPlugin) Init(host network.Host) error {
 glog.Warningf("Failed to find default bridge MTU: %v", err)
 }
 
+ // Since this plugin uses a Linux bridge, set bridge-nf-call-iptables=1
+ // is necessary to ensure kube-proxy functions correctly.
+ //
+ // This will return an error on older kernel version (< 3.18) as the module
+ // was built-in, we simply ignore the error here. A better thing to do is
+ // to check the kernel version in the future.
+ utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
+ if err := utilsysctl.SetSysctl(sysctlBridgeCallIptables, 1); err != nil {
+ glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIptables, err)
+ }
+
 return nil
 }
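Review bot: The result of the `modprobe br-netfilter` call in Init is dropped entirely, so a failure on a kernel where the module is not built in (module missing, kubelet not permitted to load modules, `modprobe` not resolvable on PATH) leaves no trace other than the later sysctl warning. Capture and log it instead, for example `if out, err := utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput(); err != nil { glog.Warningf("modprobe br-netfilter failed: %v: %s", err, out) }`. Separately, Init still returns nil when `SetSysctl` fails; with bridge-nf-call-iptables off, bridged traffic between pods on the same node does not pass through iptables, so kube-proxy's rules and any iptables-based filtering are not applied to it. Consider returning that error, or at least stating the consequence in the warning so operators can tell the node is running without iptables applied to bridged traffic. Init's body begins outside the hunk.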