Set iptables mode automatically and deprecate ENABLE_NFTABLES #2402
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jdn5126
force-pushed
the
iptables_auto
branch
2 times, most recently
from
4d1057f
to
81944dd
Compare
jaydeokar
approved these changes
Jun 8, 2023
Yep, I verified that the script runs as part of container init and it will switch to |
jdn5126
added a commit
that referenced
this pull request
Jun 15, 2023
* refactor canary test to access images from AWS registries (#2398) * upgrade client-go and controller-runtime modules (#2396) * updates for v1.13.0 release (#2400) * chore: Added dependabot (#2403) * dependency updates (#2412) * deprecate ENABLE_NFTABLES and set iptables mode using iptables-wrapper script (#2402) * update networking test agent to go1.20 and latest sys module (#2413) * skip delete test cluster to debug (#2414) * Revert "skip delete test cluster to debug (#2414)" (#2415) This reverts commit 7c30943. * authenticate to test image registry (#2417) * update test agent image (#2419) * update test agent hash in go.mod (#2422) --------- Co-authored-by: Olivia Song <[email protected]> Co-authored-by: Ellis Tarn <[email protected]>
jdn5126
added a commit
that referenced
this pull request
Jul 11, 2023
* refactor canary test to access images from AWS registries (#2398) * upgrade client-go and controller-runtime modules (#2396) * updates for v1.13.0 release (#2400) * chore: Added dependabot (#2403) * dependency updates (#2412) * deprecate ENABLE_NFTABLES and set iptables mode using iptables-wrapper script (#2402) * update networking test agent to go1.20 and latest sys module (#2413) * skip delete test cluster to debug (#2414) * Revert "skip delete test cluster to debug (#2414)" (#2415) This reverts commit 7c30943. * authenticate to test image registry (#2417) * update test agent image (#2419) * update test agent hash in go.mod (#2422) * fix hard-coded nitro instances (#2428) * move authentication step from test canary script (#2429) * node initialization must come after primary ENI's security groups are synced to cache (#2427) * Add 1.27 to Rec Version Table (#2404) * revise rec version table * make DOCKER_ARGS a passable var from CLI builds (#2434) Signed-off-by: jonahjon <[email protected]> * Update Kops cluster to latest and add parameter for kops version (#2435) * Updates instance limits including c7gn (#2438) * Update Kops cluster to latest and add parameter for kops version (#2440) * update image tag to v1.13.2 (#2432) * update docs and CNI logging (#2433) * remove default canary test run from integration tests (#2443) * Silences nightly cron jobs for forks (#2444) * Silences weekly cron jobs for forks (#2459) * refactor performance tests (#2455) * add custom-networking test covering ENIConfig objects with no security (#2445) groups * k8s clients only need to access corev1; add pod selector (#2463) --------- Signed-off-by: jonahjon <[email protected]> Co-authored-by: Olivia Song <[email protected]> Co-authored-by: Ellis Tarn <[email protected]> Co-authored-by: Geoffrey Cline <[email protected]> Co-authored-by: Jonah Jones <[email protected]> Co-authored-by: Jay Deokar <[email protected]> Co-authored-by: Matt <[email protected]> Co-authored-by: Matt <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
enhancement
Which issue does this PR fix:
#2388
What does this PR do / Why do we need it:
This PR sets the iptables mode for
aws-nodepod automatically. Rather than usingENABLE_NFTABLESto decide when to runupdate-alternatives, we now rely on theiptables-wrapperscript to set the mode based on which mode kubelet is using (kubelet iptables hint).This PR also deprecates
ENABLE_NFTABLESenvironment variable as it is no longer needed.If an issue # is not available please add repro steps and logs from IPAMD/CNI showing the issue:
N/A
Testing done on this change:
Manually verified that
iptables-wrapperscript is run.Automation added to e2e:
N/A
Will this PR introduce any new dependencies?:
No
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No, Yes
Does this change require updates to the CNI daemonset config files to work?:
No
Does this PR introduce any user-facing change?:
Yes
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.