don't set conntrack parameters in kube-proxy

It seems the kernel doesn't allow to set some conntrack fields from non-init netns because they are global, so setting it in a namespaces leaks it to other namespace: netfilter: conntrack: Make global sysctls readonly in non-init netns torvalds/linux@671c54e By default kube-proxy tries to set nf_conntrack_max, that is readonly, hence failing and the kproxy pods fail to start crashlooping.
kubernetes-sigs · May 12, 2021 · a66e833 · a66e833
1 parent 1d4788d
commit a66e833
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/pkg/cluster/internal/kubeadm/config.go b/pkg/cluster/internal/kubeadm/config.go
@@ -278,6 +278,10 @@ mode: "{{ .KubeProxyMode }}"
 {{end}}{{end}}
 iptables:
   minSyncPeriod: 1s
+conntrack:
+# Skip setting sysctl value "net.netfilter.nf_conntrack_max"
+# It is a global variable that affects other namespaces
+  maxPerCore: 0
 {{end}}
 `
 
@@ -411,9 +415,11 @@ mode: "{{ .KubeProxyMode }}"
 {{end}}{{end}}
 iptables:
   minSyncPeriod: 1s
-{{if .RootlessProvider}}conntrack:
+conntrack:
 # Skip setting sysctl value "net.netfilter.nf_conntrack_max"
+# It is a global variable that affects other namespaces
   maxPerCore: 0
+{{if .RootlessProvider}}
 # Skip setting "net.netfilter.nf_conntrack_tcp_timeout_established"
   tcpEstablishedTimeout: 0s
 # Skip setting "net.netfilter.nf_conntrack_tcp_timeout_close"