Create a KUBE-IPTABLES-HINT chain for other components

Components that run in a container but modify the host network namespace iptables rules need to know whether the system is using iptables-legacy or iptables-nft. Given that kubelet will run before any container-based components, it is well-positioned to help them figure this out. So create a chain with a well-known name that they can look for.
2025-07-29 14:37:00 +00:00 · 2022-03-26 11:26:20 -04:00 · 2022-03-26 11:26:20 -04:00 · edbce228cb
commit edbce228cb
parent 749df8e022
1 changed files with 11 additions and 0 deletions
--- a/pkg/kubelet/kubelet_network_linux.go
+++ b/pkg/kubelet/kubelet_network_linux.go
@ -31,6 +31,10 @@ import (
 )

 const (
+	// KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
+	// or iptables-nft indicates which version of iptables the system is using
+	KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
+
 	// KubeMarkMasqChain is the mark-for-masquerade chain
 	// TODO: clean up this logic in kube-proxy
 	KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
@ -184,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
 		return false
 	}

+	// Create hint chain so other components can see whether we are using iptables-legacy
+	// or iptables-nft.
+	if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
+		klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
+		return false
+	}
+
 	return true
 }