Flannel should be interoperable between ip_tables and nf_tables #1317
Newer operating systems have introduced a change to move iptables to (by default) use nf_tables as the backend packet filter rather than ip_tables. This change is apparent with (at least) the following operating systems:

CentOS 8
RHEL 8
Debian Buster

Expected Behavior

Flannel should work on a host and be able to detect whether the host is operating with ip_tables or nf_tables and switch accordingly.

Current Behavior

If you run Flannel on a CentOS 8/RHEL 8/Debian Buster system, it will program legacy iptables rules in the host network namespace, which does not work well if the kubelet or kube-proxy is either a. using a containerized userspace and programming nf_tables rules or b. using the host utilities which will be programming nf_tables. On a Debian Buster system, it is possible to use update-alternatives on the host to select the legacy iptables binaries, but this is essentially reverting the host to using the legacy binaries.

Possible Solution

The upstream Kubernetes project has implemented a change into its Debian Buster based images that allows for alternative switching (based on rule count) between nf_tables and legacy. This does, however, depend on some other tool on the system creating iptables rules in the host network namespace that can be counted. In the case of Kubernetes, the kubelet will always have been running (which should create iptables rules). I am not sure what other use cases exist with the flannel container image.

A very extensive issue in the kubernetes/kubernetes project exists here: kubernetes/kubernetes#71305

Context

Your Environment

Additional Information

Comments

https://github.com/kubernetes-sigs/iptables-wrappers provides a great utility for installing the wrapper into

As the PR necessary to make this happen has been merged, I am going to go ahead and close this issue.
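The rule-count switching described under Possible Solution above, written out as an added example. This is not Flannel's code and not the kubernetes-sigs/iptables-wrappers script itself; it is a POSIX sh sketch of the same idea. It assumes the host exposes iptables-legacy-save and iptables-nft-save binaries (names as shipped by the iptables package on the distributions named in the issue), and the tie-breaking towards legacy, the IPv4-only probe and the "undetermined" result when neither backend holds any rules are choices made here, not behaviour the page attributes to any project. The sample save output is constructed.

```shell
#!/bin/sh
# Added example (not Flannel's or iptables-wrappers' code): pick the iptables
# backend a container should talk to by counting the rules each backend
# already holds in the host network namespace.

# Count rule-bearing lines ("-A ...", "-I ...") on stdin. Header lines
# ("# Generated ...", "*filter", ":INPUT ACCEPT [0:0]", "COMMIT") are ignored.
# grep -c prints 0 and exits 1 when nothing matches, so swallow that status.
count_rule_lines() {
    grep -c '^-' || true
}

# Run one save command (assumed names: iptables-legacy-save, iptables-nft-save)
# and count its rules. A missing binary or a failed run (e.g. not root) counts
# as 0 rules, which is exactly the ambiguous case the issue warns about.
count_rules() {
    if command -v "$1" >/dev/null 2>&1; then
        "$1" 2>/dev/null | count_rule_lines
    else
        echo 0
    fi
}

# Pure decision function: prefer the backend that already carries rules.
# Assumptions of this example: a tie goes to legacy, and when neither backend
# has rules the answer is "undetermined" because nothing on the host (kubelet,
# kube-proxy, ...) has yet revealed which backend it programs; the caller
# should then fall back to an explicit, configured default rather than guess.
choose_iptables_mode() {
    legacy_count="$1"
    nft_count="$2"
    if [ "$legacy_count" -eq 0 ] && [ "$nft_count" -eq 0 ]; then
        echo undetermined
    elif [ "$legacy_count" -ge "$nft_count" ]; then
        echo legacy
    else
        echo nft
    fi
}

# Constructed sample of what iptables-nft-save might print on a host where the
# kubelet has programmed its firewall chain through the nf_tables backend.
SAMPLE_NFT_SAVE='# Generated by iptables-nft-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT'

# Count the rules in the constructed sample (offline check of the parser).
count_sample_rules() {
    printf '%s\n' "$SAMPLE_NFT_SAVE" | count_rule_lines
}

# Probe the real host (only IPv4 tables; a production wrapper would add the
# ip6tables-*-save counterparts) and report the counts with the decision.
detect_on_host() {
    legacy=$(count_rules iptables-legacy-save)
    nft=$(count_rules iptables-nft-save)
    echo "legacy=$legacy nft=$nft mode=$(choose_iptables_mode "$legacy" "$nft")"
}

# Stand-alone use: sh detect-iptables-mode.sh --probe
if [ "${1:-}" = "--probe" ]; then
    detect_on_host
fi
```

Usage: run the script with --probe on a host as root to see the counts and the chosen mode; the "undetermined" outcome is the situation the issue describes where Flannel starts before anything else has programmed rules, and it is the case a container image adopting this heuristic needs an explicit fallback for.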