kubeadm preflight support for nftables kube-proxy / hosts with no iptables #3132
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the

The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

/transfer kubeadm

parsing the kube-proxy config and then making a choice sounds like the correct thing to do, but it might be a bit entangled code-wise. maybe we can go for a simpler solution. how about we throw a warning when both

yet, given these different modes, perhaps we might want to pipe the kube-proxy config to preflight and check for the various diff binaries. problem is that on `kubeadm join` the kube-proxy config must be fetched from the cluster first. i think it's done before preflight runs, but there might be caveats.

alternatively, all this can be documented at the website and we can remove these preflight checks.

Like swap preflight, we can warn if swap is enabled. But things here are different. How about

The current workaround for v1.32 is

yes, but IPVS mode is also in the picture. i think kube-proxy should document its requirements for various modes at k/website and kubeadm can link to that page. happy to hear more votes on this topic, though.

Wait, wait, sorry, I'm confused; kube-proxy needs iptables/ipset/nft in the kube-proxy image, but the user/kubeadm doesn't need to worry about that. kubeadm is checking for

Even if you're running kube-proxy in

So, the

But OTOH, if you don't have iptables installed, then that necessarily means you aren't using an iptables-based firewall or other things that kube-proxy would need to worry about, so it doesn't really matter whether kube-proxy decides to use

So yeah, maybe no errors no warnings?

It sounds like what we need to do is to remove the iptables check. And yes, kubelet only prints an error log there:

+1 for removing it. but we need to consider how to handle the error message. kubelet may print it once per minute.

thanks for the additional context. sounds messy...

that sounds like a kubelet issue. there seem to be 2 steps:

@pacoxu @carlory also, we need to audit which of these tools are no longer needed. @danwinship do you have context on ip, ethtool, tc and whether we can stop checking for these too?

The

I'm pretty sure no part of core kubernetes or any of the stock CNI plugins currently use any of those. (They may have in the past, but these days pretty much everybody has switched to netlink-based APIs rather than running commands.)

Can we stop checking for

BTW, do we need to update the kinder Dockerfile

thanks

sounds like we can have one (or two) PRs for kubeadm that cleans up most of the checked binaries.

that base image is not actively used. we use the upstream kind official kinder/base images.
The kubeadm preflight checks currently consider the `iptables` binary to be mandatory. This is not correct if you are running kube-proxy in nftables mode, and while it mostly doesn't cause problems now (since pretty much everyone has `iptables` installed anyway), it will eventually be a problem on RHEL10, where there won't be any `iptables` binaries.

It appears that kubeadm has a standard way of overriding the kube-proxy configuration, so it should be able to parse the provided config to see if it overrides the `mode` to be `nftables`, and in that case, it should require the `nft` binary and not require the `iptables` binary.

(For extra credit: `ipvs` mode requires the `iptables` and `ipset` binaries. It doesn't actually require any IPVS-specific binaries because it uses the netlink API to program IPVS.)

/sig cluster-lifecycle
/area kubeadm
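The mode-aware preflight check the issue proposes, as an added example written for this page (it is not kubeadm's own code). It reads the `KubeProxyConfiguration` document out of a multi-document kubeadm config, picks the binaries the selected mode needs using the mapping stated above (`nftables` needs `nft`; `iptables` needs `iptables`; `ipvs` needs `iptables` and `ipset`), and reports which are missing. Assumptions: the minimal line-oriented YAML scanner `KubeProxyMode` (kubeadm's real loader uses the component-config codecs), an injectable `lookPath` so the check can run without touching the host, an empty `mode` treated as `iptables` (kube-proxy's default on Linux), and the constructed `sampleConfig`.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// RequiredBinaries maps a kube-proxy mode to the host binaries a preflight
// check would need to look for. The mapping follows the issue text:
// nftables needs nft; iptables needs iptables; ipvs needs iptables and ipset
// and no IPVS-specific tool, because IPVS is programmed over netlink.
// An empty mode is treated as iptables (assumption: kube-proxy's Linux default).
func RequiredBinaries(mode string) ([]string, error) {
	switch strings.ToLower(strings.TrimSpace(mode)) {
	case "", "iptables":
		return []string{"iptables"}, nil
	case "nftables":
		return []string{"nft"}, nil
	case "ipvs":
		return []string{"iptables", "ipset"}, nil
	default:
		return nil, fmt.Errorf("unknown kube-proxy mode %q", mode)
	}
}

// KubeProxyMode extracts the top-level "mode" value from the
// KubeProxyConfiguration document in a multi-document kubeadm config.
// This is a deliberately small scanner written for this example (assumption:
// not kubeadm's config loader): it understands "---" separators, a top-level
// "kind:" line and a top-level, unindented "mode:" key. It returns "" when no
// KubeProxyConfiguration document or no mode is present.
func KubeProxyMode(config string) string {
	for _, doc := range strings.Split(config, "\n---") {
		isProxy := false
		mode := ""
		for _, line := range strings.Split(doc, "\n") {
			// Only top-level keys matter; skip blanks, comments and indented fields.
			if line == "" || line[0] == ' ' || line[0] == '#' {
				continue
			}
			key, val, ok := strings.Cut(line, ":")
			if !ok {
				continue
			}
			val = strings.Trim(strings.TrimSpace(val), `"'`)
			switch strings.TrimSpace(key) {
			case "kind":
				isProxy = val == "KubeProxyConfiguration"
			case "mode":
				mode = val
			}
		}
		if isProxy {
			return mode
		}
	}
	return ""
}

// MissingBinaries runs the mode-aware check and returns the required binaries
// that lookPath cannot find. lookPath is injected so the logic is testable
// offline; a real caller passes exec.LookPath.
func MissingBinaries(config string, lookPath func(string) (string, error)) ([]string, error) {
	required, err := RequiredBinaries(KubeProxyMode(config))
	if err != nil {
		return nil, err
	}
	var missing []string
	for _, bin := range required {
		if _, err := lookPath(bin); err != nil {
			missing = append(missing, bin)
		}
	}
	return missing, nil
}

// sampleConfig is a constructed kubeadm config that switches kube-proxy to
// nftables mode; it is sample input for this example, not a config from the issue.
const sampleConfig = `apiVersion: kubeadm.k8s.io/v1beta4
kind: ClusterConfiguration
kubernetesVersion: v1.32.0
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: nftables
nftables:
  masqueradeAll: false
`

func main() {
	missing, err := MissingBinaries(sampleConfig, exec.LookPath)
	if err != nil {
		fmt.Println("preflight error:", err)
		return
	}
	if len(missing) == 0 {
		fmt.Println("preflight ok: binaries for mode", KubeProxyMode(sampleConfig), "found")
		return
	}
	// Reported as a warning rather than an error, in line with the swap
	// preflight comparison made in the thread.
	fmt.Println("preflight warning: missing", strings.Join(missing, ", "))
}
```

On a host with `nft` but no `iptables` (the RHEL10 case in the issue), the nftables config above passes, while the same host with an `iptables`-mode config is flagged for the missing `iptables` binary; the check never asks for an IPVS tool because `ipvs` mode only needs `iptables` and `ipset`.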