Merge pull request #3799 from vardhaman22/add-br-netfilter-env

[release/v1.8] added EnableBrNetfilter configuration
2025-09-17 15:40:07 +00:00 · 2025-03-03 13:34:20 +05:30
parent 279017ab70 5bfbbfcfaf
commit 9afed4cff1
4 changed files with 28 additions and 0 deletions
--- a/cluster/defaults.go
+++ b/cluster/defaults.go
@@ -762,6 +762,12 @@ func (c *Cluster) setClusterDNSDefaults() error {
 func (c *Cluster) setClusterNetworkDefaults() {
 	setDefaultIfEmpty(&c.Network.Plugin, DefaultNetworkPlugin)

+	// set enable_br_netfilter to true by default since it is required for network plugins
+	if c.Network.EnableBrNetfilter == nil {
+		enableBrNetfilter := true
+		c.Network.EnableBrNetfilter = &enableBrNetfilter
+	}
+
 	if c.Network.Options == nil {
 		// don't break if the user didn't define options
 		c.Network.Options = make(map[string]string)
--- a/cluster/plan.go
+++ b/cluster/plan.go
@@ -68,6 +68,7 @@ const (
 	KubeletDualStackNameEnv          = "RKE_KUBELET_CRIDOCKERD_DUALSTACK"
 	CRIDockerdStreamServerAddressEnv = "CRIDOCKERD_STREAM_SERVER_ADDRESS"
 	CRIDockerdStreamServerPortEnv    = "CRIDOCKERD_STREAM_SERVER_PORT"
+	KubeProxyBrNetfilterNameEnv      = "RKE_KUBE_PROXY_BR_NETFILTER"
 )

 var (
@@ -775,6 +776,10 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, serviceOptions v3.Kube
 		Env = append(Env, c.getWindowsEnv(host)...)
 	}

+	if c.EnableBrNetfilter() {
+		Env = append(Env, fmt.Sprintf("%s=%s", KubeProxyBrNetfilterNameEnv, "true"))
+	}
+
 	for arg, value := range host.GetExtraArgs(kubeproxy.BaseService) {
 		CommandArgs[arg] = value
 	}
@@ -1324,6 +1329,16 @@ func (c *Cluster) IsCRIDockerdEnabled() bool {
 	return false
 }

+func (c *Cluster) EnableBrNetfilter() bool {
+	if c == nil {
+		return false
+	}
+	if c.Network.EnableBrNetfilter != nil && *c.Network.EnableBrNetfilter {
+		return true
+	}
+	return false
+}
+
 func (c *Cluster) multipleCIDRsConfigured() bool {
 	if c == nil {
 		logrus.Debug("multipleCIDRsConfigured: Returning false, cluster object is nil")
--- a/types/rke_types.go
+++ b/types/rke_types.go
@@ -409,6 +409,8 @@ type NetworkConfig struct {
 	UpdateStrategy *DaemonSetUpdateStrategy `yaml:"update_strategy" json:"updateStrategy,omitempty"`
 	// Tolerations for Deployments
 	Tolerations []v1.Toleration `yaml:"tolerations" json:"tolerations,omitempty"`
+	// Enable/Disable br_netfilter on nodes
+	EnableBrNetfilter *bool `yaml:"enable_br_netfilter" json:"enableBrNetfilter" norman:"default=true"`
 }

 type AuthWebhookConfig struct {
--- a/types/zz_generated_deepcopy.go
+++ b/types/zz_generated_deepcopy.go
@@ -1267,6 +1267,11 @@ func (in *NetworkConfig) DeepCopyInto(out *NetworkConfig) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.EnableBrNetfilter != nil {
+		in, out := &in.EnableBrNetfilter, &out.EnableBrNetfilter
+		*out = new(bool)
+		**out = **in
+	}
 	return
 }