From 81944ddc2f7386b5be169e422efc6829d7521780 Mon Sep 17 00:00:00 2001
From: Jeff Nelson
Date: Mon, 5 Jun 2023 16:34:15 +0000
Subject: [PATCH] deprecate ENABLE_NFTABLES and set iptables mode using iptables-wrapper script
---
 README.md | 2 +-
 cmd/aws-vpc-cni/main.go | 26 --------------------------
 docs/troubleshooting.md | 2 ++
 scripts/dockerfiles/Dockerfile.release | 3 +++
 4 files changed, 6 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index ad0919204c7..e333ccc675e 100644
--- a/README.md
+++ b/README.md
@@ -620,7 +620,7 @@ configured to operate in IPv6 mode. Prefix delegation is only supported on nitro
 ---
-#### `ENABLE_NFTABLES` (v1.12.1+)
+#### `ENABLE_NFTABLES` (introduced in v1.12.1, deprecated in v1.13.1+)
 Type: Boolean as a String
diff --git a/cmd/aws-vpc-cni/main.go b/cmd/aws-vpc-cni/main.go
index c76d93a83ff..9b6f98de9b4 100644
--- a/cmd/aws-vpc-cni/main.go
+++ b/cmd/aws-vpc-cni/main.go
@@ -76,7 +76,6 @@ const (
 defaultEnableIPv6 = false
 defaultEnableIPv6Egress = false
 defaultRandomizeSNAT = "prng"
- defaultEnableNftables = false
 awsConflistFile = "/10-aws.conflist"
 vpcCniInitDonePath = "/vpc-cni-init/done"
 defaultEnBandwidthPlugin = false
@@ -100,7 +99,6 @@ const (
 envEnIPv6 = "ENABLE_IPv6"
 envEnIPv6Egress = "ENABLE_V6_EGRESS"
 envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
- envEnableNftables = "ENABLE_NFTABLES"
 )
 // NetConfList describes an ordered list of networks.
@@ -362,26 +360,6 @@ func validateEnvVars() bool {
 return true
 }
-func configureNftablesIfEnabled() error {
- // By default, VPC CNI container uses iptables-legacy. Update to iptables-nft when env var is set
- nftables := utils.GetBoolAsStringEnvVar(envEnableNftables, defaultEnableNftables)
- if nftables {
- log.Infof("Updating iptables mode to nft")
- var cmd *exec.Cmd
- // Command output is not suppressed so that log shows iptables mode being set
- cmd = exec.Command("update-alternatives", "--set", "iptables", "/usr/sbin/iptables-nft")
- if err := cmd.Run(); err != nil {
- return errors.Wrap(err, "Failed to use iptables-nft")
- }
- cmd = exec.Command("update-alternatives", "--set", "ip6tables", "/usr/sbin/ip6tables-nft")
- if err := cmd.Run(); err != nil {
- log.WithError(err).Errorf("Failed to use ip6tables-nft")
- return errors.Wrap(err, "Failed to use iptables6-nft")
- }
- }
- return nil
-}
-
 func main() {
 os.Exit(_main())
 }
@@ -392,10 +370,6 @@ func _main() int {
 return 1
 }
- if err := configureNftablesIfEnabled(); err != nil {
- log.WithError(err).Error("Failed to enable nftables")
- }
-
 pluginBins := []string{"aws-cni", "egress-cni"}
 hostCNIBinPath := utils.GetEnv(envHostCniBinPath, defaultHostCNIBinPath)
 err := cp.InstallBinaries(pluginBins, hostCNIBinPath)
diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md
index 4a3c3d565b9..b631b8608fd 100644
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@@ -247,6 +247,8 @@ The [CNI image](../scripts/dockerfiles/Dockerfile.release) built for the `aws-no
 In v1.12.1+, `iptables-legacy` and `iptables-nft` are present in the VPC CNI container image. Setting `ENABLE_NFTABLES` environment variable to `true` instructs VPC CNI to use `iptables-nft`. By default, `iptables-legacy` is used.
+ In v1.13.1+, `ENABLE_NFTABLES` is deprecated and the iptables mode is set automatically based on the mode kubelet is using.
+
 ## cni-metrics-helper
 See the [cni-metrics-helper README](../cmd/cni-metrics-helper/README.md).
diff --git a/scripts/dockerfiles/Dockerfile.release b/scripts/dockerfiles/Dockerfile.release
index e9742978831..58a388274f6 100644
--- a/scripts/dockerfiles/Dockerfile.release
+++ b/scripts/dockerfiles/Dockerfile.release
@@ -23,4 +23,7 @@ COPY --from=builder /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-cni \
 /go/src/github.com/aws/amazon-vpc-cni-k8s/egress-cni \
 /go/src/github.com/aws/amazon-vpc-cni-k8s/aws-vpc-cni /app/
+# Set iptables mode automatically based on kubelet hint
+RUN ["update-alternatives", "--set", "iptables", "/usr/sbin/iptables-wrapper"]
+
 ENTRYPOINT ["/app/aws-vpc-cni"]
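Review bot: The new RUN line re-points only the `iptables` alternative at `/usr/sbin/iptables-wrapper`, whereas the `configureNftablesIfEnabled` code this commit removes from cmd/aws-vpc-cni/main.go switched `ip6tables` as well, so the v6 backend now stays on whatever the base image defaults to unless the wrapper re-points that alternative itself on its first run, which the hunk does not show and is worth confirming. If it does not, add `RUN ["update-alternatives", "--set", "ip6tables", "<ip6tables wrapper path>"]` beside it (placeholder path, to be taken from the wrapper's install script) so the v4 and v6 tables cannot end up on different legacy/nft backends. The line also assumes the base image has already registered `/usr/sbin/iptables-wrapper` as an alternative; that is not visible here, and while a missing path fails the build rather than the running pod (the better failure mode), it should be checked. The comment overstates what happens at build time — nothing is decided here, the wrapper chooses legacy vs nft when it is first invoked at runtime — so `# Default iptables to iptables-wrapper, which selects legacy vs nft at runtime on first use, from the kubelet hint` describes it more precisely.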