Merge pull request #53148 from rpothier/plugins-ipv6

Automatic merge from submit-queue (batch tested with PRs 54436, 53148, 55153, 55614, 55484). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. ip6tables should be set in the noop plugin **What this PR does / why we need it**: The noop plugin currently sets the iptables for IPv4. This updates that to also set the iptables for IPv6 so IPv6 can have parity with IPv4. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #53147 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
2025-08-03 17:30:00 +00:00 · 2017-11-15 12:57:56 -08:00 · 2017-11-15 12:57:56 -08:00 · dca71e0a23
commit dca71e0a23
parent 5c59d66a41 0fd30adb3d
3 changed files with 44 additions and 1 deletions
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@ -157,6 +157,7 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 	if networkPluginName == "" {
 		// default to the no_op plugin
 		plug := &NoopNetworkPlugin{}
+		plug.Sysctl = utilsysctl.New()
 		if err := plug.Init(host, hairpinMode, nonMasqueradeCIDR, mtu); err != nil {
 			return nil, err
 		}
@ -200,9 +201,11 @@ func UnescapePluginName(in string) string {
 }

 type NoopNetworkPlugin struct {
+	Sysctl utilsysctl.Interface
 }

 const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
+const sysctlBridgeCallIP6Tables = "net/bridge/bridge-nf-call-ip6tables"

 func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.HairpinMode, nonMasqueradeCIDR string, mtu int) error {
 	// Set bridge-nf-call-iptables=1 to maintain compatibility with older
@ -214,9 +217,16 @@ func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.Hairp
 	// Ensure the netfilter module is loaded on kernel >= 3.18; previously
 	// it was built-in.
 	utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
-	if err := utilsysctl.New().SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
+	if err := plugin.Sysctl.SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
 		glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIPTables, err)
 	}
+	if val, err := plugin.Sysctl.GetSysctl(sysctlBridgeCallIP6Tables); err == nil {
+		if val != 1 {
+			if err = plugin.Sysctl.SetSysctl(sysctlBridgeCallIP6Tables, 1); err != nil {
+				glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIP6Tables, err)
+			}
+		}
+	}

 	return nil
 }
--- a/pkg/kubelet/network/testing/BUILD
+++ b/pkg/kubelet/network/testing/BUILD
@ -35,7 +35,9 @@ go_test(
        "//pkg/kubelet/apis/kubeletconfig:go_default_library",
        "//pkg/kubelet/container:go_default_library",
        "//pkg/kubelet/network:go_default_library",
+        "//pkg/util/sysctl/testing:go_default_library",
        "//vendor/github.com/golang/mock/gomock:go_default_library",
+        "//vendor/github.com/stretchr/testify/assert:go_default_library",
        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
    ],
 )
--- a/pkg/kubelet/network/testing/plugins_test.go
+++ b/pkg/kubelet/network/testing/plugins_test.go
@ -26,8 +26,10 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 	kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 	"k8s.io/kubernetes/pkg/kubelet/network"
+	sysctltest "k8s.io/kubernetes/pkg/util/sysctl/testing"

 	"github.com/golang/mock/gomock"
+	"github.com/stretchr/testify/assert"
 )

 func TestSelectDefaultPlugin(t *testing.T) {
@ -44,6 +46,35 @@ func TestSelectDefaultPlugin(t *testing.T) {
 	}
 }

+func TestInit(t *testing.T) {
+	tests := []struct {
+		setting     string
+		expectedLen int
+	}{
+		{
+			setting:     "net/bridge/bridge-nf-call-iptables",
+			expectedLen: 1,
+		},
+		{
+			setting:     "net/bridge/bridge-nf-call-ip6tables",
+			expectedLen: 2,
+		},
+	}
+	for _, tt := range tests {
+		sysctl := sysctltest.NewFake()
+		sysctl.Settings[tt.setting] = 0
+		plug := &network.NoopNetworkPlugin{}
+		plug.Sysctl = sysctl
+		plug.Init(NewFakeHost(nil), kubeletconfig.HairpinNone, "10.0.0.0/8", network.UseDefaultMTU)
+		// Verify the sysctl specified is set
+		assert.Equal(t, 1, sysctl.Settings[tt.setting], tt.setting+" sysctl should have been set")
+		// Verify iptables is always set
+		assert.Equal(t, 1, sysctl.Settings["net/bridge/bridge-nf-call-iptables"], "net/bridge/bridge-nf-call-iptables sysctl should have been set")
+		// Verify ip6tables is only set if it existed
+		assert.Len(t, sysctl.Settings, tt.expectedLen, "length wrong for "+tt.setting)
+	}
+}
+
 func TestPluginManager(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	fnp := NewMockNetworkPlugin(ctrl)