kubelet: use util/iptables, which uses -w (lock wait) where safe

2025-07-27 21:47:07 +00:00 · 2016-07-28 16:01:00 -04:00 · 2016-07-28 16:01:00 -04:00 · d6427cd0d7
commit d6427cd0d7
parent c669778333
3 changed files with 16 additions and 21 deletions
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@ -18,6 +18,7 @@ package kubelet
 import (
 	"bytes"
 	"fmt"
 	"net"
 	"os"
 	"os/exec"
@ -25,6 +26,7 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/kubernetes/pkg/util"
 	"k8s.io/kubernetes/pkg/util/iptables"
 )
 var cidrRegexp = regexp.MustCompile(`inet ([0-9a-fA-F.:]*/[0-9]*)`)
@ -140,28 +142,17 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
 	return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask)
 }
-// TODO(dawnchen): Using pkg/util/iptables
+// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs
-// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs outside this range will use IP masquerade.
+// outside this range will use IP masquerade.
-func ensureIPTablesMasqRule(nonMasqueradeCIDR string) error {
+func ensureIPTablesMasqRule(client iptables.Interface, nonMasqueradeCIDR string) error {
-	// Check if the MASQUERADE rule exist or not
+	if _, err := client.EnsureRule(iptables.Append, iptables.TableNAT,
-	if err := exec.Command("iptables",
+		iptables.ChainPostrouting,
-		"-t", "nat",
+		"-m", "comment", "--comment", "kubelet: SNAT outbound cluster traffic",
 		"-C", "POSTROUTING",
 		"!", "-d", nonMasqueradeCIDR,
 		"-m", "addrtype", "!", "--dst-type", "LOCAL",
 		"-j", "MASQUERADE").Run(); err == nil {
 		// The MASQUERADE rule exists
 		return nil
 	}
 	glog.Infof("MASQUERADE rule doesn't exist, recreate it (with nonMasqueradeCIDR %s)", nonMasqueradeCIDR)
 	if err := exec.Command("iptables",
 		"-t", "nat",
 		"-A", "POSTROUTING",
 		"!", "-d", nonMasqueradeCIDR,
-		"-m", "addrtype", "!", "--dst-type", "LOCAL",
+		"-j", "MASQUERADE"); err != nil {
-		"-j", "MASQUERADE").Run(); err != nil {
+		return fmt.Errorf("Failed to ensure masquerading for %s chain %s: %v",
-		return err
+			iptables.TableNAT, iptables.ChainPostrouting, err)
 	}
 	return nil
 }
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -75,10 +75,12 @@ import (
 	"k8s.io/kubernetes/pkg/types"
 	"k8s.io/kubernetes/pkg/util/bandwidth"
 	"k8s.io/kubernetes/pkg/util/clock"
 	utildbus "k8s.io/kubernetes/pkg/util/dbus"
 	utilerrors "k8s.io/kubernetes/pkg/util/errors"
 	utilexec "k8s.io/kubernetes/pkg/util/exec"
 	"k8s.io/kubernetes/pkg/util/flowcontrol"
 	kubeio "k8s.io/kubernetes/pkg/util/io"
 	utilipt "k8s.io/kubernetes/pkg/util/iptables"
 	"k8s.io/kubernetes/pkg/util/mount"
 	"k8s.io/kubernetes/pkg/util/oom"
 	"k8s.io/kubernetes/pkg/util/procfs"
@ -360,6 +362,7 @@ func NewMainKubelet(
 		enableCustomMetrics:          enableCustomMetrics,
 		babysitDaemons:               babysitDaemons,
 		enableControllerAttachDetach: enableControllerAttachDetach,
 		iptClient:                    utilipt.New(utilexec.New(), utildbus.New(), utilipt.ProtocolIpv4),
 	}
 	if klet.flannelExperimentalOverlay {
@ -560,6 +563,7 @@ type Kubelet struct {
 	dockerClient  dockertools.DockerInterface
 	runtimeCache  kubecontainer.RuntimeCache
 	kubeClient    clientset.Interface
 	iptClient     utilipt.Interface
 	rootDirectory string
 	// podWorkers handle syncing Pods in response to events.
--- a/pkg/kubelet/kubelet_network.go
+++ b/pkg/kubelet/kubelet_network.go
@ -255,7 +255,7 @@ func (kl *Kubelet) syncNetworkStatus() {
 			}
 			kl.updatePodCIDR(podCIDR)
 		}
-		if err := ensureIPTablesMasqRule(kl.nonMasqueradeCIDR); err != nil {
+		if err := ensureIPTablesMasqRule(kl.iptClient, kl.nonMasqueradeCIDR); err != nil {
 			err = fmt.Errorf("Error on adding ip table rules: %v", err)
 			glog.Error(err)
 			kl.runtimeState.setNetworkState(err)