Use iptables-wrapper in Antrea container

[antoninbas]

Instead of iptables directly.
Antrea uses a Ubuntu 20.04 base container image, for which the default iptables
mode is "legacy". This may not match the iptables mode for the Node OS, which in
turn can create issues:

• Other K8s components (kubelet, kube-proxy) will create rules using the
  default iptables mode for the Node. Assumptions about evaluation order
  between these rules and the Antrea rules may break.
• The required kernel module for the "legacy" mode (ip_tables) may not be
  available on the Node.

The iptables-wrapper is meant to address these issues:
https://github.com/kubernetes-sigs/iptables-wrappers. We install it in the
Antrea container image. The first time Antrea invokes iptables, the wrapper will
determine the underlying iptables mode (for the Node OS) and adjust the iptables
symlinks in the container.

Fixes #3243
Fixes #3274

Signed-off-by: Antonin Bas abas@vmware.com

[antoninbas]

This was tested on Ubuntu 20.04 (default is "legacy") and Ubuntu 21.04 (default is "nft").

[codecov-commenter]

Codecov Report

Merging #3276 (c9ca8d6) into main (5ccd3d1) will increase coverage by 1.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #3276      +/-   ##
==========================================
+ Coverage   59.04%   60.08%   +1.04%     
==========================================
  Files         331      331              
  Lines       28420    28420              
==========================================
+ Hits        16781    17077     +296     
+ Misses       9798     9478     -320     
- Partials     1841     1865      +24     

Flag	Coverage Δ
kind-e2e-tests	47.88% <ø> (+1.19%)	⬆️
unit-tests	41.85% <ø> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/nodeportlocal/k8s/annotations.go	83.87% <0.00%> (-16.13%)	⬇️
...agent/flowexporter/connections/deny_connections.go	86.15% <0.00%> (-3.08%)	⬇️
pkg/controller/networkpolicy/status_controller.go	65.89% <0.00%> (-0.58%)	⬇️
pkg/agent/agent.go	51.43% <0.00%> (ø)
pkg/agent/controller/networkpolicy/reconciler.go	77.19% <0.00%> (+0.20%)	⬆️
pkg/agent/openflow/client.go	54.24% <0.00%> (+0.62%)	⬆️
...ntroller/networkpolicy/networkpolicy_controller.go	71.34% <0.00%> (+0.91%)	⬆️
pkg/ipam/poolallocator/allocator.go	51.15% <0.00%> (+1.15%)	⬆️
...kg/agent/flowexporter/connections/conntrack_ovs.go	77.57% <0.00%> (+1.21%)	⬆️
pkg/ovs/openflow/ofctrl_action.go	69.58% <0.00%> (+1.66%)	⬆️
... and 9 more

[tnqn]

I saw the installer has the following:

# Cleanup
rm -f "$0"

[antoninbas]

thanks, I removed the rm command

[tnqn]

Do you mean --chmod=755?

[antoninbas]

I think I meant 700, just need the owner to be able to execute the script. Let me fix it.

[antoninbas]

/test-all

[antoninbas]

/test-e2e
/test-integration

[tnqn]

/test-e2e

[tnqn]

/test-e2e unrelated failure: #3307. Maybe we could skip it if it still fails.

[antoninbas]

Another unrelated failure:

--- FAIL: TestBandwidth/testPodTrafficShaping/limited_by_egress_bandwidth (90.02s)

I'll merge now