pkg/proxy: only set sysctl if not already set

This will allow for kube-proxy to be run without `privileged` and with only adding the capability `NET_ADMIN`. Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
2026-01-04 23:17:50 +00:00 · 2018-09-17 20:25:54 -04:00
parent 817d420d68
commit f8ba640ced
3 changed files with 22 additions and 11 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -293,8 +293,10 @@ func NewProxier(ipt utiliptables.Interface,
 	nodePortAddresses []string,
 ) (*Proxier, error) {
 	// Set the route_localnet sysctl we need for
-	if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil {
-		return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
+	if val, _ := sysctl.GetSysctl(sysctlRouteLocalnet); val != 1 {
+		if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil {
+			return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err)
+		}
 	}

 	// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers