@hakman the reason we did not use the iptables-wrapper script initially is that all the implementation did was count which mode (iptables-nft vs iptables-legacy) had more entries present. This would cause issues as customers upgraded or dealt with other components still relying on iptables-legacy, so we introduced ENABLE_NFTABLES to be more explicit.
Newer versions of iptables-wrapper look for rules explicitly installed by kubelet, and are implemented in Golang, so it does seem like it would be good to move to iptables-wrapper going forward and deprecate ENABLE_NFTABLES.
What would you like to be added:
#2155 adds support for setting the iptables mode using the ENABLE_NFTABLES env var. AWS VPC CNI should default to the same logic as kube-proxy to auto-detect the iptables mode of the host: https://github.com/kubernetes/release/blob/31530bf54df0322e8f112affdb15cb65e6f9e2e3/images/build/debian-iptables/bullseye/iptables-wrapper
The iptables-wrapper logic is pretty simple and already used by other CNI plugins: https://github.com/projectcalico/calico/blob/d433a29710de512716479870a3937c3a730431f2/felix/environment/feature_detect_linux.go#L326
Why is this needed:
The most obvious use case is that operators are migrating from older distro versions to newer ones and getting the new default, which is iptables-nft (for example ubuntu-20.04 to ubuntu-22.04). There are also cases of (more rare) clusters with mixed distros.
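The two-stage detection discussed in this issue (look for the chains kubelet installs to flag its mode first, fall back to counting rules in each backend), as an added example that is not part of the issue, of the VPC CNI, or of the iptables-wrapper script itself. It is a simplified POSIX sh re-implementation that takes the iptables-save-format dumps as arguments, so it can be exercised offline on the constructed sample dumps embedded below; the chain names KUBE-IPTABLES-HINT and KUBE-KUBELET-CANARY are the ones kubelet creates, while the function names and sample rules are constructed here.

```shell
#!/bin/sh
# Added example, not code from the VPC CNI or the iptables-wrapper project.
# Simplified re-implementation of the auto-detection logic described in the issue:
#   1. a kubelet hint chain present in exactly one backend decides the mode;
#   2. otherwise the backend with more rules wins, with nft as the tie-break
#      (nft is the newer default the issue describes).

# count_rules DUMP: number of rule lines ("-A ...") in a save-format dump.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# has_kubelet_hint DUMP: succeeds if the dump declares a chain kubelet installs
# to signal which iptables backend it is using.
has_kubelet_hint() {
    printf '%s\n' "$1" | grep -Eq '^:KUBE-(IPTABLES-HINT|KUBELET-CANARY) '
}

# detect_iptables_mode LEGACY_DUMP NFT_DUMP: prints "legacy" or "nft".
detect_iptables_mode() {
    legacy_dump=$1
    nft_dump=$2
    # Stage 1: an explicit hint in exactly one backend is authoritative.
    if has_kubelet_hint "$legacy_dump" && ! has_kubelet_hint "$nft_dump"; then
        echo legacy
        return 0
    fi
    if has_kubelet_hint "$nft_dump" && ! has_kubelet_hint "$legacy_dump"; then
        echo nft
        return 0
    fi
    # Stage 2 (hint in neither or both backends): compare rule counts.
    legacy_n=$(count_rules "$legacy_dump")
    nft_n=$(count_rules "$nft_dump")
    if [ "$legacy_n" -gt "$nft_n" ]; then
        echo legacy
    else
        echo nft
    fi
}

# Constructed sample dumps (not captured from a real host).
# Host A: kubelet flagged legacy mode; nft tables are empty.
SAMPLE_LEGACY_HINTED='*mangle
:PREROUTING ACCEPT [0:0]
:KUBE-IPTABLES-HINT - [0:0]
-A PREROUTING -j ACCEPT
COMMIT'
SAMPLE_NFT_EMPTY='*filter
:INPUT ACCEPT [0:0]
COMMIT'
# Host B: no hint anywhere (pre-1.24 kubelet); nft holds the bulk of the rules.
SAMPLE_LEGACY_SPARSE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
SAMPLE_NFT_BUSY='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT'

# Offline demonstration on the constructed samples.
echo "host A: $(detect_iptables_mode "$SAMPLE_LEGACY_HINTED" "$SAMPLE_NFT_EMPTY")"
echo "host B: $(detect_iptables_mode "$SAMPLE_LEGACY_SPARSE" "$SAMPLE_NFT_BUSY")"
# On a live host with both backends installed you would feed it the real dumps:
#   detect_iptables_mode "$(iptables-legacy-save 2>/dev/null)" "$(iptables-nft-save 2>/dev/null)"
```

The point of stage 1 is the failure mode described in the comment above: during a distro upgrade, or on a node where another component still programs iptables-legacy, raw rule counts can point at the wrong backend, and a mode chosen that way can flip from one run to the next. A hint chain written by kubelet is an explicit signal from the component the CNI has to agree with, so it takes precedence; counting is only the fallback for hosts where no such hint exists.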