Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kube-proxy fails when in proxy-mode=nftables mode #951

Closed
vaskozl opened this issue May 4, 2024 · 3 comments · Fixed by #953
Closed

kube-proxy fails when in proxy-mode=nftables mode #951

vaskozl opened this issue May 4, 2024 · 3 comments · Fixed by #953
Assignees
@smira

Comments

@vaskozl
Copy link

vaskozl commented May 4, 2024

The nftables kube-proxy backend is planned to one day be the default backend for kube-proxy. Support was added in 1.29

Uppon adding --feature-gates=NFTablesProxyMode=true --proxy-mode=nftables to iptables it to add any rules:

│     /dev/stdin:892:87-100: Error: Could not process rule: No such file or directory
│     add rule ip kube-proxy external-3BXM2ZZ4-haproxy/external-kubernetes-ingress/tcp/http fib saddr type local jump mark-for-masquerade comment "masquerade local traffic" 
│                                                                                           ^^^^^^^^^^^^^^ 
│     /dev/stdin:893:87-100: Error: Could not process rule: No such file or directory

I believe this is due to these unset kernel variables:

CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_FIB_IPV6=m

N.B. nftables masquerade was recently added to `flannel.

You can read more about why and what in the KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/3866-nftables-proxy/README.md
@frezbo
Copy link
Member

frezbo commented May 6, 2024

I think we can make this the default for 1.8

@smira smira mentioned this issue May 7, 2024
Merged
@smira
Copy link
Member

smira commented May 7, 2024

Verified to work with the updated kernel.

I0507 11:39:31.916310       1 server_linux.go:304] "Using nftables Proxier"

e2e status passed:7 skipped:7194

smira added a commit to smira/pkgs that referenced this issue May 16, 2024
@smira
feat: enable NFT FIB lookups
5e3978f 
Required for `nftables` support in `kube-proxy`.

Fixes siderolabs#951

Signed-off-by: Andrey Smirnov <[email protected]>
(cherry picked from commit 6775002)
@vaskozl
Copy link
Author

vaskozl commented May 19, 2024

I can confirm that the nftables backend now works fine with 1.7.2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@smira smira

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: enable NFT FIB lookups smira/pkgs
3 participants
@smira @vaskozl @frezbo