Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flannel should be interoperable between ip_tables and nf_tables #1317

Closed
Oats87 opened this issue Jun 26, 2020 · 2 comments
Closed

Flannel should be interoperable between ip_tables and nf_tables #1317

Oats87 opened this issue Jun 26, 2020 · 2 comments

Comments

@Oats87
Copy link
Member

Oats87 commented Jun 26, 2020

Newer operating systems have introduced a change to move iptables to (by default) use nf_tables as the backend packet filter rather than ip_tables. This change is apparent with (at least) the following operating systems:

CentOS 8
RHEL 8
Debian Buster

Expected Behavior

Flannel should work on a host and be able to detect whether the host is operating with ip_tables or nf_tables and switch accordingly.

Current Behavior

If you run Flannel on a CentOS 8/RHEL 8/Debian buster system, it will program legacy iptables rules in the host network namespace, which does not work well if the kubelet or kube-proxy is either a. using a containerized userspace and programming nf_tables rules or b. using the host utilities which will be programming nf_tables. On a Debian Buster system, it is possible to update-alternatives on the host to use the legacy iptables binaries, but this is essentially reverting the host to using the legacy binaries.

Possible Solution

The upstream Kubernetes project has implemented a change into its Debian Buster based images that allows for alternative switching (based on rule count) between nf_tables and legacy. This does however, depend on some other tool on the system creating iptables rules in the host network namespace that can be counted. In the case of Kubernetes, the Kubelet will always have been running (which should create iptables rules). I am not sure what other use cases exist with the flannel container image.

A very extensive issue in the kubernetes/kubernetes project exists here: kubernetes/kubernetes#71305

Context

Your Environment

  • Flannel version: Any
  • Backend used (e.g. vxlan or udp): vxlan
  • Etcd version: n/a
  • Kubernetes version (if used): n/a
  • Operating System and version: CentOS 8, RHEL 8, Debian Buster, etc.
  • Link to your project (optional): not relevant

Additional Information
@Oats87 Oats87 mentioned this issue Jun 26, 2020
Closed
@Oats87
Copy link
Member Author

Oats87 commented Jun 26, 2020

https://github.com/kubernetes-sigs/iptables-wrappers provides a great utility for installing the wrapper into alpine

@Oats87 Oats87 mentioned this issue Jun 26, 2020
Merged
@Oats87
Copy link
Member Author

Oats87 commented Aug 6, 2020

As the PR necessary to make this happened has been merged, I am going to go ahead and close this issue.

@Oats87 Oats87 closed this as completed Aug 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Oats87