Required br_netfilter module, not mentioned. #2068

Open
PatrykML opened this issue Sep 25, 2024 · 6 comments
@PatrykML

There is no mention of the requirement for the br_netfilter module for flannel to work.
It perhaps wasn't needed in the past, as kubeadm would check for it during kubeadm init and give:
error execution phase preflight: [preflight] Some fatal errors occurred:
[ERROR FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
if the module wasn't on.
However, this check was removed since kubeadm v1.30, as mentioned in this GitHub issue:
kubernetes/kubernetes#127593

Expected Behavior

Perhaps flannel containers could exit with an error saying "required br_netfilter module is not enabled".
But at least this module should be mentioned in the docs.

Current Behavior

Services aren't reachable within the network.

Possible Solution

Flannel containers could exit with an error saying "required br_netfilter module is not enabled", or a docs entry.

Steps to Reproduce (for bugs)

  1. modprobe -r br_netfilter
  2. kubeadm init --pod-network-cidr=10.244.0.0/16
  3. kubectl apply -f <flannel-24.2 or 25.4, I only tested on them>
  4. kubectl run -it dns-test --image=busybox --rm -- nslookup kubernetes.default.svc.cluster.local (or ping any service)

Context

I spent around 2 days trying to find an issue with the cluster.
I created an issue in the Kubernetes GitHub and was informed that currently CNI providers should take care of this, rather than requiring kubeadm to enforce that this module is enabled.
This is the issue:
kubernetes/kubernetes#127593

Your Environment

  • Flannel version: 24.2 25.4
  • Backend used (e.g. vxlan or udp): vxlan
  • Etcd version:
  • Kubernetes version (if used): 1.29 (has the check and won't init without the module), 1.30.5 and 1.31.1 (will init without the module; the bug will appear)
  • Operating System and version: Debian 12
  • Link to your project (optional):
@PatrykML
Author

The check by kubeadm for this module was removed here: kubernetes/kubernetes#123464

@rbrtbnfgl
Contributor

OK, we could add the check before flannel starts.

@tanvp112

tanvp112 commented Nov 1, 2024

Hi @rbrtbnfgl, does flannel also require br_netfilter when using ipvs or nftables mode?

@rbrtbnfgl
Contributor

I'll check it

@rbrtbnfgl
Contributor

Are you referring to ipvs on kube-proxy? Flannel always works with the bridge and iptables, even when ipvs is enabled.
For nftables, the module will be deprecated when nft substitutes iptables, but some OSes could require it even when using nft, so I suggest still using it.

@tanvp112

@rbrtbnfgl, appreciate the input, many thanks for your hard work!
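
A node-side version of the check discussed in this thread, as an added example (not flannel's or kubeadm's code): it tests for the /proc/sys/net/bridge/bridge-nf-call-iptables file named in the kubeadm error above. As an assumption of this example it also looks in /etc/modules-load.d to see whether the module will be loaded again after a reboot; the function names, exit codes and the root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example, not flannel or kubeadm code: node preflight for br_netfilter.
# The first argument (root) is an assumption of this example: a filesystem
# prefix, empty on a real node, a temp dir when run against a constructed tree.

# Returns 0 if ok, 1 if the module is not loaded, 2 if loaded but the sysctl is off.
check_bridge_nf() {
    root="${1:-}"
    key="$root/proc/sys/net/bridge/bridge-nf-call-iptables"
    # Same file the removed kubeadm preflight tested: it exists only while
    # br_netfilter is loaded (or built into the kernel).
    if [ ! -e "$key" ]; then
        echo "FAIL: $key does not exist; run: modprobe br_netfilter" >&2
        return 1
    fi
    # With the value at 0, bridged pod traffic is not passed to iptables.
    if [ "$(cat "$key")" != "1" ]; then
        echo "FAIL: $key is not 1; run: sysctl -w net.bridge.bridge-nf-call-iptables=1" >&2
        return 2
    fi
    return 0
}

# Returns 0 if a modules-load.d file lists br_netfilter, 1 otherwise.
# grep -x matches whole lines only, so commented-out entries do not count.
check_persisted() {
    root="${1:-}"
    cat "$root"/etc/modules-load.d/*.conf 2>/dev/null |
        grep -qx '[[:space:]]*br_netfilter[[:space:]]*'
}

# Returns 0 when all checks pass, 1 or 2 from check_bridge_nf, 3 if not persisted.
preflight() {
    root="${1:-}"
    check_bridge_nf "$root" || return $?
    if ! check_persisted "$root"; then
        echo "WARN: br_netfilter is loaded now but not listed in" \
             "$root/etc/modules-load.d; it will be missing after a reboot" >&2
        return 3
    fi
    echo "OK: br_netfilter loaded, bridge-nf-call-iptables=1, persisted at boot"
}

# Run against the live node only when asked to (hypothetical --run switch).
if [ "${1:-}" = "--run" ]; then
    preflight ""
    exit $?
fi
```

Run it with `--run` on each node before applying the flannel manifest; a non-zero exit code identifies which prerequisite is missing.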
