Auto-detect iptables mode

[hakman]

What would you like to be added:

#2155 adds support for setting the iptables mode using the ENABLE_NFTABLES env var.

AWS VPC CNI should default to the same logic as kube-proxy to auto-detect the iptables mode of the host:
https://github.com/kubernetes/release/blob/31530bf54df0322e8f112affdb15cb65e6f9e2e3/images/build/debian-iptables/bullseye/iptables-wrapper

The iptables-wrapper logic is pretty simple and already used by other CNI plugins:
https://github.com/projectcalico/calico/blob/d433a29710de512716479870a3937c3a730431f2/felix/environment/feature_detect_linux.go#L326

Why is this needed:

The most obvious use case is that operators are migrating from older distro versions to newer ones and getting the new default, which is iptables-nft (for example ubuntu-20.04 to ubuntu-22.04).

There are also cases of (more rare) clusters with mixed distros.

[jdn5126]

@hakman the reason we did not use the iptables-wrapper script initially is that all the implementation did was count which mode (iptables-nft vs iptables-legacy) had more entries present. This would cause issues as customers upgraded or dealt with other components still relying on iptables-legacy, so we introduced ENABLE_NFTABLES to be more explicit.

Newer versions of iptables-wrapper look for rules explicitly installed by kubelet, and are implemented in Golang, so it does seem like it would be good to move to iptables-wrapper going forward and deprecate ENABLE_NFTABLES.

[jdn5126]

Closing as this is added in v1.13.2 release

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.