diff --git a/pkg/kubelet/network/plugins.go b/pkg/kubelet/network/plugins.go
index 1714af8005d..24e358943e9 100644
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@@ -157,6 +157,7 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 if networkPluginName == "" {
 // default to the no_op plugin
 plug := &NoopNetworkPlugin{}
+ plug.Sysctl = utilsysctl.New()
 if err := plug.Init(host, hairpinMode, nonMasqueradeCIDR, mtu); err != nil {
 return nil, err
 }
@@ -200,9 +201,11 @@ func UnescapePluginName(in string) string {
 }
 type NoopNetworkPlugin struct {
+ Sysctl utilsysctl.Interface
 }
 const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
+const sysctlBridgeCallIP6Tables = "net/bridge/bridge-nf-call-ip6tables"
 func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.HairpinMode, nonMasqueradeCIDR string, mtu int) error {
 // Set bridge-nf-call-iptables=1 to maintain compatibility with older
@@ -214,9 +217,16 @@ func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.Hairp
 // Ensure the netfilter module is loaded on kernel >= 3.18; previously
 // it was built-in.
 utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
- if err := utilsysctl.New().SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
+ if err := plugin.Sysctl.SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
 glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIPTables, err)
 }
+ if val, err := plugin.Sysctl.GetSysctl(sysctlBridgeCallIP6Tables); err == nil {
+ if val != 1 {
+ if err = plugin.Sysctl.SetSysctl(sysctlBridgeCallIP6Tables, 1); err != nil {
+ glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIP6Tables, err)
+ }
+ }
+ }
 return nil
 }
diff --git a/pkg/kubelet/network/testing/BUILD b/pkg/kubelet/network/testing/BUILD
index f0aa262005c..9107cd2297e 100644
--- a/pkg/kubelet/network/testing/BUILD
+++ b/pkg/kubelet/network/testing/BUILD
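Review bot: `Sysctl` is filled in only on this default path of InitNetworkPlugin, while Init (third hunk of this file) now calls `plugin.Sysctl.SetSysctl` without a nil check, so a zero-value `&NoopNetworkPlugin{}` built anywhere else would panic on the nil interface when Init runs. Whether other constructors exist is not visible in this diff. A guard at the top of Init, `if plugin.Sysctl == nil { plugin.Sysctl = utilsysctl.New() }`, keeps the previous behaviour for them and still lets a test inject a fake. InitNetworkPlugin's body starts and ends outside the hunk.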
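Review bot: The exported field `Sysctl` added to NoopNetworkPlugin and the new constant `sysctlBridgeCallIP6Tables` carry no comment. Suggest `// Sysctl is the sysctl accessor Init uses; tests replace it with a fake.` above the field, and `// sysctlBridgeCallIP6Tables makes bridged IPv6 traffic traverse ip6tables; Init sets it only when the key can be read.` above the constant, so the asymmetry with the unconditional IPv4 setting is recorded where the name is declared.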
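Review bot: A failed `GetSysctl(sysctlBridgeCallIP6Tables)` is dropped without any log line in Init, because the new block acts only when `err == nil`. The test added by this commit suggests a missing key is the intended skip case, but a read that fails for another reason is treated the same way, leaving bridged IPv6 traffic outside ip6tables with nothing in the kubelet log to show it. Add an else branch such as `glog.V(4).Infof("can't read sysctl %s, leaving it unset: %v", sysctlBridgeCallIP6Tables, err)`, and a one-line comment saying the key is skipped when it does not exist. Init's body starts above this hunk.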
@@ -35,7 +35,9 @@ go_test(
 "//pkg/kubelet/apis/kubeletconfig:go_default_library",
 "//pkg/kubelet/container:go_default_library",
 "//pkg/kubelet/network:go_default_library",
+ "//pkg/util/sysctl/testing:go_default_library",
 "//vendor/github.com/golang/mock/gomock:go_default_library",
+ "//vendor/github.com/stretchr/testify/assert:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 ],
 )
diff --git a/pkg/kubelet/network/testing/plugins_test.go b/pkg/kubelet/network/testing/plugins_test.go
index 07ba256a250..6398948fa3c 100644
--- a/pkg/kubelet/network/testing/plugins_test.go
+++ b/pkg/kubelet/network/testing/plugins_test.go
@@ -26,8 +26,10 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 "k8s.io/kubernetes/pkg/kubelet/network"
+ sysctltest "k8s.io/kubernetes/pkg/util/sysctl/testing"
 "github.com/golang/mock/gomock"
+ "github.com/stretchr/testify/assert"
 )
 func TestSelectDefaultPlugin(t *testing.T) {
@@ -44,6 +46,35 @@ func TestSelectDefaultPlugin(t *testing.T) {
 }
 }
+func TestInit(t *testing.T) {
+ tests := []struct {
+ setting string
+ expectedLen int
+ }{
+ {
+ setting: "net/bridge/bridge-nf-call-iptables",
+ expectedLen: 1,
+ },
+ {
+ setting: "net/bridge/bridge-nf-call-ip6tables",
+ expectedLen: 2,
+ },
+ }
+ for _, tt := range tests {
+ sysctl := sysctltest.NewFake()
+ sysctl.Settings[tt.setting] = 0
+ plug := &network.NoopNetworkPlugin{}
+ plug.Sysctl = sysctl
+ plug.Init(NewFakeHost(nil), kubeletconfig.HairpinNone, "10.0.0.0/8", network.UseDefaultMTU)
+ // Verify the sysctl specified is set
+ assert.Equal(t, 1, sysctl.Settings[tt.setting], tt.setting+" sysctl should have been set")
+ // Verify iptables is always set
+ assert.Equal(t, 1, sysctl.Settings["net/bridge/bridge-nf-call-iptables"], "net/bridge/bridge-nf-call-iptables sysctl should have been set")
+ // Verify ip6tables is only set if it existed
+ assert.Len(t, sysctl.Settings, tt.expectedLen, "length wrong for "+tt.setting)
+ }
+}
+
 func TestPluginManager(t *testing.T) {
 ctrl := gomock.NewController(t)
 fnp := NewMockNetworkPlugin(ctrl)
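Review bot: TestInit calls the real Init with only `Sysctl` faked, and Init (plugins.go, context lines of its last hunk) still runs `utilexec.New().Command("modprobe", "br-netfilter")`, so this unit test tries to load a kernel module on whatever host runs it and will do so when the suite runs as root. Injecting the exec interface the same way `Sysctl` is injected would keep the test hermetic. The return value of `plug.Init(...)` is also discarded; `if err := plug.Init(...); err != nil { t.Fatalf("Init: %v", err) }` would surface a failure before the asserts run.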