don't set conntrack parameters in kube-proxy
It seems the kernel doesn't allow setting some conntrack fields
from non-init netns:

netfilter: conntrack: Make global sysctls readonly in non-init netns
torvalds/linux@671c54e

By default kube-proxy tries to set them, hence failing and the pods
crashlooping.

We can configure kube-proxy to not try to set these values in kubeadm.
Antonio Ojea committed May 11, 2021
1 parent 1d4788d commit bd84d28
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions pkg/cluster/internal/kubeadm/config.go
Expand Up @@ -278,6 +278,13 @@ mode: "{{ .KubeProxyMode }}"
{{end}}{{end}}
iptables:
minSyncPeriod: 1s
conntrack:
# Skip setting sysctl value "net.netfilter.nf_conntrack_max"
maxPerCore: 0
# Skip setting "net.netfilter.nf_conntrack_tcp_timeout_established"
tcpEstablishedTimeout: 0s
# Skip setting "net.netfilter.nf_conntrack_tcp_timeout_close"
tcpCloseWaitTimeout: 0s
{{end}}
`

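Review bot: the comment above `tcpCloseWaitTimeout: 0s` names the wrong sysctl; the field is the close-wait timeout, which kube-proxy writes to `net.netfilter.nf_conntrack_tcp_timeout_close_wait`, whereas `nf_conntrack_tcp_timeout_close` is the separate timeout for the CLOSE state, so the line should read `# Skip setting "net.netfilter.nf_conntrack_tcp_timeout_close_wait"`. Zero is the right value for all three fields, since kube-proxy treats `maxPerCore: 0` and a `0s` timeout as "leave the sysctl alone", but that means the node inherits whatever `nf_conntrack_max` the host kernel has, so a comment noting that conntrack table sizing is now the host's responsibility would help operators who previously relied on kube-proxy raising it.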
Expand Down Expand Up @@ -411,14 +418,14 @@ mode: "{{ .KubeProxyMode }}"
{{end}}{{end}}
iptables:
minSyncPeriod: 1s
{{if .RootlessProvider}}conntrack:
conntrack:
# Skip setting sysctl value "net.netfilter.nf_conntrack_max"
maxPerCore: 0
# Skip setting "net.netfilter.nf_conntrack_tcp_timeout_established"
tcpEstablishedTimeout: 0s
# Skip setting "net.netfilter.nf_conntrack_tcp_timeout_close"
tcpCloseWaitTimeout: 0s
{{end}}{{end}}
{{end}}
`

// Config returns a kubeadm config generated from config data, in particular
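Review bot: removing the `{{if .RootlessProvider}}` guard makes the conntrack block unconditional in this template as well, so every provider now stops kube-proxy from touching the conntrack sysctls, not only rootless ones; that matches the first hunk and the commit message (the sysctls are read-only in any non-init netns, which covers every node running in its own network namespace), but the message should state explicitly that the rootless-only special case is gone. The `nf_conntrack_tcp_timeout_close` comment has the same mismatch with the `tcpCloseWaitTimeout` field as in the first hunk and should name `nf_conntrack_tcp_timeout_close_wait`, and since the seven-line block is now identical in both templates it could be lifted into one shared snippet so the two copies do not drift.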
