kubernetes / kube-proxy

kube-proxy component configs
Apache License 2.0

Does kube-proxy support nft starting rhel9? #23

Closed jeffgtxjava closed 9 months ago

jeffgtxjava commented 1 year ago

Based on the comment here, iptables-nft is being deprecated in RHEL9, with the only exception of enabling them via module load if needed as a last resort, but with no minor fixes available.


What is the recommendation for people running kube-proxy on RHEL9?

danwinship commented 1 year ago

https://github.com/kubernetes/enhancements/pull/3824 is the plan for eventually moving to nftables.

> iptables-nft is being deprecated in RHEL9 with the only exception of enabling them via module load if needed as a last resort

That makes it sound much more dire than it actually is. Note that OpenShift still depends on iptables and will for several more releases, so Red Hat is clearly not saying "everyone needs to stop using iptables now". The intent of the deprecation and warning is to make sure people are aware that they need to stop using iptables eventually, and start making plans for that. (e.g., the nftables kube-proxy plan linked above)

jeffgtxjava commented 1 year ago

Thanks for the link @danwinship. There seems to be more to it than just the warning, especially the second line.

Below is from their warning message in /var/log/messages:

> It continues to be supported in this RHEL release, but it is likely to be removed in the next major release
> Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.

danwinship commented 1 year ago

> It continues to be supported in this RHEL release, but it is likely to be removed in the next major release

"the next major release" meaning RHEL 10. The last several RHEL major releases were all at least 3 years apart, so assuming that holds, RHEL 10 should arrive in mid 2025 at the earliest. Kube-proxy nftables mode should be GA well before then. (An alpha implementation is ready to merge soon after the tree opens for 1.29.)

> Driver updates and fixes will be limited to critical issues. Please contact Red Hat Support for additional information.

Right, but the iptables code isn't undergoing a lot of change, so most of the pre-existing bugs should have already been fixed. (However, this does mean that there will probably not be any more performance improvements.)

(Also, because the iptables and nftables code is intertwined in the kernel, and RHEL is likely to backport nftables fixes from upstream kernels, that means that if someone else fixes iptables kernel bugs upstream, those fixes will likely wind up in later RHEL 9.x releases anyway.)

But anyway, yes, everyone who cares about RHEL support should be making plans to get away from iptables. But no one needs to be panicking just yet.

k8s-triage-robot commented 9 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

danwinship commented 9 months ago

/close

nftables kube-proxy is alpha in 1.29, and we don't use this repo for issue tracking anyway.

k8s-ci-robot commented 9 months ago

@danwinship: Closing this issue.

In response to [this](https://github.com/kubernetes/kube-proxy/issues/23#issuecomment-1910770722):

> /close
> nftables kube-proxy is alpha in 1.29
> and we don't use this repo for issue tracking anyway

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.