kakao / network-node-manager

network-node-manager is a kubernetes controller that controls the network configuration of a node to resolve network issues of kubernetes.
Apache License 2.0

nftables support #16

Closed mazocode closed 2 years ago

mazocode commented 3 years ago

This adds a wrapper script for iptables / nftables detection to support Rocky, CentOS and any other nftables based distribution. Tested with CentOS 8 and Rocky 8.

ssup2 commented 3 years ago

@mazocode Thanks for the nice PR :). After fixing the PR, could you provide the fixed network-node-manager image to verify rules?

mazocode commented 3 years ago

Found an issue with the last cleanup rule being broken because iptables adds a warning like this to the output:

# Warning: iptables-legacy tables present, use iptables-legacy-save to see them

The result looks like this:

2021-08-31T13:03:05.722Z INFO controllers.Service.initalize there is no service info in k8s. cleanup output chain IPv4 rule {"rule": "-A NMANAGER_EX_CLUS_OUTPUT -d a.b.c.d/32 -m comment --comment \"41b0a981-d40c-53dd-84b4-7cb2a265647a/rdg-public-tcp# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"}

I've fixed this by removing anything after #.

mazocode commented 3 years ago

> @mazocode Thanks for the nice PR :). After fixing the PR, could you provide the fixed network-node-manager image to verify rules?

Image for testing is available here: registry.idnt.io/public/network-node-manager:idnt-1.2.3-ci

mazocode commented 3 years ago

> Found an issue with the last cleanup rule being broken because iptables adds a warning ....

Still broken with this fix:

2021-08-31T15:56:09.422Z        INFO    controllers.Service.initalize   service info is diff. cleanup output chain IPv4 rule    {"rule": "-A NMANAGER_EX_CLUS_OUTPUT -d a.b.c.d/32 -m comment --comment \"41b0a981-d40c-53dd-84b4-7cb2a265647a/rdg-public-tcp"}
2021-08-31T15:56:09.424Z        ERROR   controllers.Service.initalize   iptables: Bad rule (does a matching rule exist in that chain?).
        {"error": "exit status 1"}
mazocode commented 3 years ago

> Still broken with this fix:

Not sure what is going on with CombinedOutput(), but somehow the warning (sent to stderr) ends up somewhere within the output. Don't know if this is to be expected (not a Go expert ;). However, I've changed the code to work around CombinedOutput and the result looks good.
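The failure described in this thread is a general one: `CombinedOutput()` merges stdout and stderr into one buffer, so a warning written to stderr can land in the middle of a rule line (in the log above it even splits the `--comment` argument before its closing quote, which is why stripping everything after `#` still left a broken rule). The example below, added here and not code from the network-node-manager project, shows the defensive pattern: capture the two streams separately, treat a whole-line `# Warning:` as a diagnostic to skip, and refuse to use a rule line that has warning text embedded in it rather than trying to repair it. The `cleanSample` and `interleavedSample` strings are constructed, the address and comment id are placeholders, and `listChainRules` assumes the binary passed in resolves to an iptables-compatible command.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)

// warningMarker is the text iptables-nft writes to stderr when legacy tables
// are still loaded.  In the thread it ended up inside a rule line because
// stdout and stderr had been merged by CombinedOutput().
const warningMarker = "# Warning:"

// Constructed samples (not real output from the project); the second one
// reproduces the mid-rule interleaving shown in the thread's log line.
const cleanSample = "-A NMANAGER_EX_CLUS_OUTPUT -d 203.0.113.10/32 -m comment --comment \"example-id/rdg-public-tcp\"\n"
const interleavedSample = "-A NMANAGER_EX_CLUS_OUTPUT -d 203.0.113.10/32 -m comment --comment \"example-id/rdg-public-tcp# Warning: iptables-legacy tables present, use iptables-legacy-save to see them\"\n"

// runSeparated runs a command with stdout and stderr captured into separate
// buffers, so diagnostics can never be mistaken for rule text.
func runSeparated(name string, args ...string) (stdout, stderr string, err error) {
	cmd := exec.Command(name, args...)
	var outBuf, errBuf bytes.Buffer
	cmd.Stdout = &outBuf
	cmd.Stderr = &errBuf
	err = cmd.Run()
	return outBuf.String(), errBuf.String(), err
}

// parseRules turns "iptables -S <chain>" style output into rule lines.
// Blank lines and lines that are entirely comments (including a whole-line
// warning) are dropped.  If the warning marker appears inside a rule line the
// output is rejected, because the rule has been split and cannot be trusted.
func parseRules(output string) ([]string, error) {
	var rules []string
	for _, raw := range strings.Split(output, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.Contains(line, warningMarker) {
			return nil, fmt.Errorf("stderr text leaked into rule output: %q", line)
		}
		rules = append(rules, line)
	}
	return rules, nil
}

// listChainRules lists the rules of one chain through the given binary
// (for example "iptables", or whatever a wrapper script resolved it to),
// returning stderr separately so warnings can be logged instead of parsed.
func listChainRules(binary, table, chain string) (rules []string, warnings string, err error) {
	stdout, stderr, err := runSeparated(binary, "-t", table, "-S", chain)
	if err != nil {
		return nil, stderr, fmt.Errorf("%s -t %s -S %s: %w: %s", binary, table, chain, err, strings.TrimSpace(stderr))
	}
	rules, err = parseRules(stdout)
	return rules, stderr, err
}

func main() {
	// Offline demonstration on the constructed samples.
	if rules, err := parseRules(cleanSample); err == nil {
		fmt.Println("clean output parsed:", rules)
	}
	if _, err := parseRules(interleavedSample); err != nil {
		fmt.Println("interleaved output rejected:", err)
	}
}
```

Rejecting the corrupted line instead of trimming it is deliberate: a rule that has lost its closing quote will fail with "Bad rule" on the next `iptables -D`, exactly as the thread shows, so it is better to surface the problem at parse time and log the stderr text alongside it.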

ssup2 commented 2 years ago

@mazocode Can I test with the registry.idnt.io/public/network-node-manager:idnt-1.2.3-ci image??

mazocode commented 2 years ago

> @mazocode Can I test with the registry.idnt.io/public/network-node-manager:idnt-1.2.3-ci image??

Sure, feel free to try the image :) I've tested with k8s v1.20.10 and v1.20.7 on Rocky 8.4.

ssup2 commented 2 years ago

@mazocode Thanks for the nice commit. After merging this, I will fix some code. Thanks :)