search

kubernetes-sigs / kind

Kubernetes IN Docker - local clusters for testing Kubernetes
https://kind.sigs.k8s.io/
Apache License 2.0
13.02k stars 1.51k forks source link

Nftables be liberal with TCP #3588

Closed aojea closed 2 months ago

aojea commented 2 months ago

The TL;DR is that if we don't set this kernel sysctl there is a bug that will reset connections and there is a regression test that keeps failing

https://testgrid.k8s.io/sig-network-kind#sig-network-kind,%20nftables,%20master

In theory new kernels 6.1 https://github.com/torvalds/linux/commit/6e250dcbff1d have this bug fixed, but CI runs with 5.15 and a lot of people use old kernels.

The flag is not set to true by default because we have decided that kube-proxy should not be managing the host kernel stack and more reasons explained in https://github.com/kubernetes/kubernetes/issues/117924

KIND always try to bring sane defaults and a has a more tighter control of the environment, so we set always set tcpBeLiberal to true if kube-proxy uses nftables and is not rootless

aojea commented 2 months ago

/assign @BenTheElder @danwinship

k8s-ci-robot commented 2 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aojea, BenTheElder

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/kind/blob/main/OWNERS)~~ [BenTheElder,aojea] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment
BenTheElder commented 2 months ago

/hold