From a66e833a105a367ba0e7889450dce1cbc1ff432d Mon Sep 17 00:00:00 2001
From: Antonio Ojea
Date: Tue, 11 May 2021 22:12:13 +0200
Subject: [PATCH] don't set conntrack parameters in kube-proxy

It seems the kernel doesn't allow to set some conntrack fields from non-init netns because they are global, so setting it in a namespaces leaks it to other namespace:

netfilter: conntrack: Make global sysctls readonly in non-init netns
https://github.com/torvalds/linux/commit/671c54ea8c7ff47bd88444f3fffb65bf9799ce43

By default kube-proxy tries to set nf_conntrack_max, that is readonly, hence failing and the kproxy pods fail to start crashlooping.
---
 pkg/cluster/internal/kubeadm/config.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/pkg/cluster/internal/kubeadm/config.go b/pkg/cluster/internal/kubeadm/config.go
index b49501e97d..c1241b3d92 100644
--- a/pkg/cluster/internal/kubeadm/config.go
+++ b/pkg/cluster/internal/kubeadm/config.go
@@ -278,6 +278,10 @@ mode: "{{ .KubeProxyMode }}"
 {{end}}{{end}}
 iptables:
   minSyncPeriod: 1s
+conntrack:
+# Skip setting sysctl value "net.netfilter.nf_conntrack_max"
+# It is a global variable that affects other namespaces
+  maxPerCore: 0
 {{end}}
 `
 
@@ -411,9 +415,11 @@ mode: "{{ .KubeProxyMode }}"
 {{end}}{{end}}
 iptables:
   minSyncPeriod: 1s
-{{if .RootlessProvider}}conntrack:
+conntrack:
 # Skip setting sysctl value "net.netfilter.nf_conntrack_max"
+# It is a global variable that affects other namespaces
   maxPerCore: 0
+{{if .RootlessProvider}}
 # Skip setting "net.netfilter.nf_conntrack_tcp_timeout_established"
   tcpEstablishedTimeout: 0s
 # Skip setting "net.netfilter.nf_conntrack_tcp_timeout_close"
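Review bot: The two comment lines added under `conntrack:` in the first hunk say the sysctl is global but not why that matters here, so a later reader may be tempted to restore the setting; the reasoning is in the commit message, not in the template. Suggest replacing them with `# Skip setting sysctl "net.netfilter.nf_conntrack_max": it is host-global rather than per-netns, and recent kernels make it read-only from a non-init netns, so kube-proxy would fail to start`. The same pair of comment lines is added in the second hunk of this file (the block near line 415) and should carry the same wording. A short mention that kube-proxy therefore no longer sizes the conntrack table, leaving the host's own nf_conntrack_max in effect, would also help operators who read the rendered config.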
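Review bot: Moving `{{if .RootlessProvider}}` onto its own line in the second hunk means that when the condition is true the newline after the action is emitted too, so the rendered YAML gains a blank line between `maxPerCore: 0` and the timeout comments; YAML tolerates this, but `{{if .RootlessProvider -}}` would trim it and keep the output shaped like the old `{{if .RootlessProvider}}conntrack:` form. The matching `{{end}}` for this block lies beyond the end of the hunk, so the enclosing template continues outside what is shown. Because `maxPerCore: 0` is now unconditional rather than rootless-only, kube-proxy presumably skips sizing the table altogether, so a cluster that previously relied on kube-proxy to raise the host's nf_conntrack_max now depends on whatever the host administrator configured; that behaviour change deserves a line in the commit message or the template comment.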