fix: set proxyMode to nftables on rhel10 #17920
k8s-ci-robot merged 1 commit into kubernetes:master from

/test ?

/test pull-kops-gce-distro-rhel10

Unfortunately the presubmit jobs for different distros all use cilium including its kube-proxy replacement, so none of them run kube-proxy.
I'll propose adding some more optional presubmits! (Edit: doing so in kubernetes/test-infra#36368)

/test ?

/test pull-kops-aws-kindnet-rhel10arm64

/test pull-kops-gce-ipalias-rhel10
Might as well

OK some progress here, AWS RHEL10 passes with this PR, fails without it. One complication is that the GCE RHEL10 test passes without this PR. Trying to figure out why here: #17922 (comment)

So it looks like GCE rhel10 has nft_ct loaded and AWS rhel10 does not have that module loaded: #17922 (comment)
So this PR is one way to handle it, but we could also try loading nft_ct. I feel like if we're using nftables, telling kube-proxy to use nftables feels "right", but I do not have much knowledge here.

AWS is also in better shape with this PR: kubernetes/test-infra#36364 https://testgrid.k8s.io/kops-distro-rhel10#kops-grid-kindnet-rhel10arm64-k33 so I think we can be confident that --proxy-mode=nftables is the right approach here.

Awesome. Do you think we should ask users to set that manually, or do you think we should set it for them if we're installing nftables? My 2c: we should set it for them because we're managing nftables installation, and if we make the user configure something based on whether we choose to install nftables that's going to be super confusing. But very open to different thoughts here!

We force the use of nftables on rhel10, but kube-proxy was defaulting to iptables and failing to start on rhel10 because of a missing kernel module (nft_ct). The module is available in the GCE images, but not the AWS images.
f97e21f to c40d993

We discussed in office hours: the plan is to force kube-proxy to nftables only on rhel10, where we are also installing the nftables packages (and not the iptables packages). We can tweak this for other distros in future, but right now these seem to be the only distros that are failing with this error. And we want to unblock the release!

/test pull-kops-gce-ipalias-rhel10
/test pull-kops-aws-kindnet-rhel10arm64

[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: hakman

/retest

We force the use of nftables on rhel10, but kube-proxy was defaulting to iptables
and failing to start on rhel10 because of a missing kernel module (nft_ct).
The module is available in the GCE images, but not the AWS images.
Issue #17915