Create a KUBE-IPTABLES-HINT chain for other components
Components that run in a container but modify the host network namespace iptables rules need to know whether the system is using iptables-legacy or iptables-nft. Given that kubelet will run before any container-based components, it is well-positioned to help them figure this out. So create a chain with a well-known name that they can look for.
This commit is contained in:
parent
749df8e022
commit
edbce228cb
@ -31,6 +31,10 @@ import (
|
||||
)
|
||||
|
||||
const (
|
||||
// KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
|
||||
// or iptables-nft indicates which version of iptables the system is using
|
||||
KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
|
||||
|
||||
// KubeMarkMasqChain is the mark-for-masquerade chain
|
||||
// TODO: clean up this logic in kube-proxy
|
||||
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
|
||||
@ -184,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
|
||||
return false
|
||||
}
|
||||
|
||||
// Create hint chain so other components can see whether we are using iptables-legacy
|
||||
// or iptables-nft.
|
||||
if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
|
||||
klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
|
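Review bot: The hint chain is created in the mangle table (the `EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain)` call), but neither the constant's doc comment nor the inline comment says so, and a consumer that looks for `KUBE-IPTABLES-HINT` in the filter or nat table will never find it. Suggest making the table part of the contract: `// KubeIPTablesHintChain is the chain (in the mangle table) whose existence in either iptables-legacy` / `// or iptables-nft indicates which version of iptables the system is using.` Since the signal is pure chain existence, it is only conclusive when the chain exists in exactly one backend; a consumer should treat "found in both" or "found in neither" (for example before kubelet has run this sync, or if this path is gated on kubelet configuration not visible in the hunk) as inconclusive rather than defaulting to one backend, and that caveat belongs in the same comment. syncNetworkUtil begins before this hunk, so I cannot see whether the function is unconditional.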