Create a KUBE-IPTABLES-HINT chain for other components

Components that run in a container but modify the host network
namespace iptables rules need to know whether the system is using
iptables-legacy or iptables-nft. Given that kubelet will run before
any container-based components, it is well-positioned to help them
figure this out. So create a chain with a well-known name that they
can look for.
This commit is contained in:
Dan Winship 2022-03-26 11:26:20 -04:00
parent 749df8e022
commit edbce228cb


@ -31,6 +31,10 @@ import (
)
const (
// KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
// or iptables-nft indicates which version of iptables the system is using
KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
// KubeMarkMasqChain is the mark-for-masquerade chain
// TODO: clean up this logic in kube-proxy
KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
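Review bot: The doc comment on KubeIPTablesHintChain says the chain's existence signals the backend but not which table it lives in, so a consumer that looks for it in the filter or nat table of the right backend would conclude the wrong backend is active; this commit creates it in the mangle table. Suggest stating that in the comment: `// KubeIPTablesHintChain is the chain kubelet creates in the mangle table; its existence in either` / `// iptables-legacy or iptables-nft indicates which version of iptables the system is using.` The const block continues past the end of the hunk.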
@ -184,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
return false
}
// Create hint chain so other components can see whether we are using iptables-legacy
// or iptables-nft.
if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
return false
}
return true
}
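Review bot: The new EnsureChain call creates the hint chain in whichever backend iptClient targets, but nothing in this hunk removes a stale KUBE-IPTABLES-HINT chain from the other backend, so on a host that has been switched between iptables-legacy and iptables-nft both backends may carry the chain and a consumer checking for "existence in either" cannot decide; I cannot tell from this hunk whether cleanup happens elsewhere. A consumer that picks the wrong backend would install rules that never take effect, which fails silently rather than loudly, so the expectation is worth recording next to the call: `// The hint is only meaningful when the chain exists in exactly one backend; a consumer that` / `// finds it in both should treat the result as undetermined rather than pick one.` syncNetworkUtil's body begins before this hunk.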