From edbce228cb02dbd9b37c23cb8275a48aaeaff4af Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Sat, 26 Mar 2022 11:26:20 -0400
Subject: [PATCH] Create a KUBE-IPTABLES-HINT chain for other components
Components that run in a container but modify the host network namespace iptables rules need to know whether the system is using iptables-legacy or iptables-nft. Given that kubelet will run before any container-based components, it is well-positioned to help them figure this out. So create a chain with a well-known name that they can look for.
---
pkg/kubelet/kubelet_network_linux.go | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go
index 613275c57f1..ae7d9235a55 100644
--- a/pkg/kubelet/kubelet_network_linux.go
+++ b/pkg/kubelet/kubelet_network_linux.go
@@ -31,6 +31,10 @@ import (
 )
 const (
+ // KubeIPTablesHintChain is the chain whose existence in either iptables-legacy
+ // or iptables-nft indicates which version of iptables the system is using
+ KubeIPTablesHintChain utiliptables.Chain = "KUBE-IPTABLES-HINT"
+
 // KubeMarkMasqChain is the mark-for-masquerade chain
 // TODO: clean up this logic in kube-proxy
 KubeMarkMasqChain utiliptables.Chain = "KUBE-MARK-MASQ"
@@ -184,6 +188,13 @@ func (kl *Kubelet) syncNetworkUtil(iptClient utiliptables.Interface) bool {
 return false
 }
+ // Create hint chain so other components can see whether we are using iptables-legacy
+ // or iptables-nft.
+ if _, err := iptClient.EnsureChain(utiliptables.TableMangle, KubeIPTablesHintChain); err != nil {
+ klog.ErrorS(err, "Failed to ensure that iptables hint chain exists")
+ return false
+ }
+
 return true
 }
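Review bot: The doc comment on KubeIPTablesHintChain does not say which table the chain is created in, and a component that goes looking for it needs that; the second hunk creates it in utiliptables.TableMangle, so the comment should name the table. Nothing in this patch ever deletes the chain, so if a node is later switched from one iptables backend to the other the chain will, as far as this patch shows, still be present in the previously used backend as well; consumers should be told to check both backends and treat "present in both" as inconclusive. Suggested wording: `// KubeIPTablesHintChain is a chain in the mangle table whose existence in either iptables-legacy or iptables-nft indicates which iptables backend kubelet is using. This patch never removes it, so consumers should check both backends.` The const block continues outside the hunk.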
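Review bot: The hint chain is ensured only after every earlier step of syncNetworkUtil has succeeded, so any `return false` on a preceding step (one is visible as the hunk's first context line) leaves the hint absent even though kubelet has already committed to a backend; a consumer then gets no signal at all rather than the backend choice. Since the hint has no dependency on the masquerade chains, it seems safer to ensure it before the other chains so its presence reflects only the backend choice — syncNetworkUtil begins outside the hunk, so the exact insertion point is not visible here. Separately, the `_` discards EnsureChain's existed flag, which is fine but deserves a word, e.g. `// whether the chain already existed does not matter; its presence is the signal`.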