nftables monitor disable flag

Author: cheina97

cmd/fabric/main.go

@@ -160,7 +160,7 @@ func run(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("unable to create firewall configuration reconciler: %w", err)
 	}
 
-	if err := fwcr.SetupWithManager(cmd.Context(), mgr); err != nil {
+	if err := fwcr.SetupWithManager(cmd.Context(), mgr, options.EnableNftMonitor); err != nil {
 		return fmt.Errorf("unable to setup firewall configuration reconciler: %w", err)
 	}
 

cmd/gateway/main.go

@@ -201,7 +201,7 @@ func run(cmd *cobra.Command, _ []string) error {
 		return fmt.Errorf("unable to create firewall configuration reconciler: %w", err)
 	}
 
-	if err := fwcr.SetupWithManager(cmd.Context(), mgr); err != nil {
+	if err := fwcr.SetupWithManager(cmd.Context(), mgr, true); err != nil {
 		return fmt.Errorf("unable to setup firewall configuration reconciler: %w", err)
 	}
 

deployments/liqo/templates/liqo-fabric-daemonset.yaml

@@ -48,6 +48,7 @@ spec:
           {{- if .Values.requirements.kernel.disabled }}
           - --disable-kernel-version-check
           {{- end }}
+          - --enable-nft-monitor={{ .Values.networking.fabric.config.nftablesMonitor }}
           {{- if .Values.common.extraArgs }}
           {{- toYaml .Values.common.extraArgs | nindent 10 }}
           {{- end }}

deployments/liqo/values.yaml

@@ -130,6 +130,11 @@ networking:
       # This is useful in scenarios where CNIs masquerade the traffic from pod to nodes.
       # For example this is required when using the Azure CNI or Kindnet.
       gatewayMasqueradeBypass: false
+      # -- Enable/Disable the nftables monitor for the fabric pod.
+      # It means that the fabric pod will monitor the nftables rules and will restore them in case of changes.
+      # In some cases (like K3S), this monitor can cause a huge amount of CPU usage.
+      # If you are experiencing high CPU usage, you can disable this feature.
+      nftablesMonitor: true
 
 authentication:
   # -- Enable/Disable the authentication module.

pkg/fabric/flags.go

@@ -40,6 +40,9 @@ const (
 	// FlagNameDisableARP is the flag to enable ARP.
 	FlagNameDisableARP FlagName = "disable-arp"
 
+	// FlagNameEnableNftMonitor is the flag to enable the nftables monitor.
+	FlagNameEnableNftMonitor FlagName = "enable-nft-monitor"
+
 	// FlagNameDisableKernelVersionCheck is the flag to enable the kernel version check.
 	FlagNameDisableKernelVersionCheck FlagName = "disable-kernel-version-check"
 	// FlagNameMinimumKernelVersion is the minimum kernel version required to run the wireguard interface.
@@ -63,6 +66,7 @@ func InitFlags(flagset *pflag.FlagSet, opts *Options) {
 	flagset.StringVar(&opts.ProbeAddr, FlagNameProbeAddr.String(), ":8081", "Address for the health probe endpoint")
 
 	flagset.BoolVar(&opts.DisableARP, FlagNameDisableARP.String(), false, "Disable ARP")
+	flagset.BoolVar(&opts.EnableNftMonitor, FlagNameEnableNftMonitor.String(), true, "Enable nftables monitor")
 
 	flagset.BoolVar(&opts.DisableKernelVersionCheck, FlagNameDisableKernelVersionCheck.String(), false, "Disable the kernel version check")
 	flagset.Var(&opts.MinimumKernelVersion, string(FlagNameMinimumKernelVersion), "Minimum kernel version required to run the wireguard interface")

pkg/fabric/options.go

@@ -26,7 +26,8 @@ type Options struct {
 	MetricsAddress string
 	ProbeAddr      string
 
-	DisableARP bool
+	DisableARP       bool
+	EnableNftMonitor bool
 
 	DisableKernelVersionCheck bool
 	MinimumKernelVersion      kernelversion.KernelVersion

pkg/firewall/firewallconfiguration_controller.go

@@ -162,17 +162,19 @@ func (r *FirewallConfigurationReconciler) Reconcile(ctx context.Context, req ctr
 }
 
 // SetupWithManager register the FirewallConfigurationReconciler to the manager.
-func (r *FirewallConfigurationReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager) error {
+func (r *FirewallConfigurationReconciler) SetupWithManager(ctx context.Context, mgr ctrl.Manager, enableNftMonitor bool) error {
 	klog.Infof("Starting FirewallConfiguration controller with labels %v", r.LabelsSets)
 	filterByLabelsPredicate, err := forgeLabelsPredicate(r.LabelsSets)
 	if err != nil {
 		return err
 	}
 
 	src := make(chan event.GenericEvent)
-	go func() {
-		utilruntime.Must(netmonitor.InterfacesMonitoring(ctx, src, &netmonitor.Options{Nftables: &netmonitor.OptionsNftables{Delete: true}}))
-	}()
+	if enableNftMonitor {
+		go func() {
+			utilruntime.Must(netmonitor.InterfacesMonitoring(ctx, src, &netmonitor.Options{Nftables: &netmonitor.OptionsNftables{Delete: true}}))
+		}()
+	}
 	return ctrl.NewControllerManagedBy(mgr).Named(consts.CtrlFirewallConfiguration).
 		For(&networkingv1beta1.FirewallConfiguration{}, builder.WithPredicates(filterByLabelsPredicate)).
 		WatchesRawSource(NewFirewallWatchSource(src, NewFirewallWatchEventHandler(r.Client, r.LabelsSets))).

pkg/liqoctl/install/k3s/provider.go

@@ -67,5 +67,13 @@ func (o *Options) Initialize(_ context.Context) error {
 
 // Values returns the customized provider-specifc values file parameters.
 func (o *Options) Values() map[string]interface{} {
-	return map[string]interface{}{}
+	return map[string]interface{}{
+		"networking": map[string]interface{}{
+			"fabric": map[string]interface{}{
+				"config": map[string]interface{}{
+					"nftablesMonitor": false,
+				},
+			},
+		},
+	}
 }