Set iptables mode automatically and deprecate ENABLE_NFTABLES

README.md

@@ -620,7 +620,7 @@ configured to operate in IPv6 mode. Prefix delegation is only supported on nitro
 
 ---
 
-#### `ENABLE_NFTABLES` (v1.12.1+)
+#### `ENABLE_NFTABLES` (introduced in v1.12.1, deprecated in v1.13.1+)
 
 Type: Boolean as a String
 

cmd/aws-vpc-cni/main.go

@@ -76,7 +76,6 @@ const (
 	defaultEnableIPv6            = false
 	defaultEnableIPv6Egress      = false
 	defaultRandomizeSNAT         = "prng"
-	defaultEnableNftables        = false
 	awsConflistFile              = "/10-aws.conflist"
 	vpcCniInitDonePath           = "/vpc-cni-init/done"
 	defaultEnBandwidthPlugin     = false
@@ -100,7 +99,6 @@ const (
 	envEnIPv6                = "ENABLE_IPv6"
 	envEnIPv6Egress          = "ENABLE_V6_EGRESS"
 	envRandomizeSNAT         = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
-	envEnableNftables        = "ENABLE_NFTABLES"
 )
 
 // NetConfList describes an ordered list of networks.
@@ -362,26 +360,6 @@ func validateEnvVars() bool {
 	return true
 }
 
-func configureNftablesIfEnabled() error {
-	// By default, VPC CNI container uses iptables-legacy. Update to iptables-nft when env var is set
-	nftables := utils.GetBoolAsStringEnvVar(envEnableNftables, defaultEnableNftables)
-	if nftables {
-		log.Infof("Updating iptables mode to nft")
-		var cmd *exec.Cmd
-		// Command output is not suppressed so that log shows iptables mode being set
-		cmd = exec.Command("update-alternatives", "--set", "iptables", "/usr/sbin/iptables-nft")
-		if err := cmd.Run(); err != nil {
-			return errors.Wrap(err, "Failed to use iptables-nft")
-		}
-		cmd = exec.Command("update-alternatives", "--set", "ip6tables", "/usr/sbin/ip6tables-nft")
-		if err := cmd.Run(); err != nil {
-			log.WithError(err).Errorf("Failed to use ip6tables-nft")
-			return errors.Wrap(err, "Failed to use iptables6-nft")
-		}
-	}
-	return nil
-}
-
 func main() {
 	os.Exit(_main())
 }
@@ -392,10 +370,6 @@ func _main() int {
 		return 1
 	}
 
-	if err := configureNftablesIfEnabled(); err != nil {
-		log.WithError(err).Error("Failed to enable nftables")
-	}
-
 	pluginBins := []string{"aws-cni", "egress-cni"}
 	hostCNIBinPath := utils.GetEnv(envHostCniBinPath, defaultHostCNIBinPath)
 	err := cp.InstallBinaries(pluginBins, hostCNIBinPath)

docs/troubleshooting.md

@@ -247,6 +247,8 @@ The [CNI image](../scripts/dockerfiles/Dockerfile.release) built for the `aws-no
 
   In v1.12.1+, `iptables-legacy` and `iptables-nft` are present in the VPC CNI container image. Setting `ENABLE_NFTABLES` environment variable to `true` instructs VPC CNI to use `iptables-nft`. By default, `iptables-legacy` is used.
 
+  In v1.13.1+, `ENABLE_NFTABLES` is deprecated and the iptables mode is set automatically based on the mode kubelet is using.
+
 ## cni-metrics-helper
 
 See the [cni-metrics-helper README](../cmd/cni-metrics-helper/README.md).

scripts/dockerfiles/Dockerfile.release

@@ -23,4 +23,7 @@ COPY --from=builder /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/egress-cni \
     /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-vpc-cni /app/
 
+# Set iptables mode automatically based on kubelet hint
+RUN ["update-alternatives", "--set", "iptables", "/usr/sbin/iptables-wrapper"]
+
 ENTRYPOINT ["/app/aws-vpc-cni"]