Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3311


antoninbas
Contributor

Cherry pick of #3276 on release-1.2.

#3276: Use iptables-wrapper in Antrea container

For details on the cherry pick process, see the cherry pick requests page.

Instead of iptables directly.
Antrea uses a Ubuntu 20.04 base container image, for which the default iptables
mode is "legacy". This may not match the iptables mode for the Node OS, which in
turn can create issues:
 * Other K8s components (kubelet, kube-proxy) will create rules using the
   default iptables mode for the Node. Assumptions about evaluation order
   between these rules and the Antrea rules may break.
 * The required kernel module for the "legacy" mode (ip_tables) may not be
   available on the Node.

The iptables-wrapper is meant to address these issues:
https://github.com/kubernetes-sigs/iptables-wrappers. We install it in the
Antrea container image. The first time Antrea invokes iptables, the wrapper will
determine the underlying iptables mode (for the Node OS) and adjust the iptables
symlinks in the container.

Fixes antrea-io#3243
Fixes antrea-io#3274

Signed-off-by: Antonin Bas <abas@vmware.com>
@antoninbas antoninbas added the kind/cherry-pick Categorizes issue or PR as related to the cherry-pick of a bug fix from the main branch to a release label Feb 11, 2022
@antoninbas antoninbas requested a review from tnqn February 11, 2022 18:55
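
The mode selection described in the PR description above, as an added example that is not part of this PR, Antrea, or iptables-wrappers: an offline sketch of how a wrapper can decide between the "legacy" and "nft" backends from the rules already present on the Node. The function names, the constructed dumps, and the heuristic itself (kubelet-created chains first, then rule counts, ties going to legacy) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from iptables-wrappers or Antrea. detect_mode and its
# helpers are hypothetical; the heuristic (kubelet chains first, then rule
# counts, ties to legacy) is an assumption made for this sketch.

# Count rule lines ("-A ...") in an iptables-save style dump.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A' || true
}

# Succeed if the dump declares a chain that kubelet creates on the Node.
has_kubelet_chain() {
    printf '%s\n' "$1" | grep -Eq '^:(KUBE-IPTABLES-HINT|KUBE-KUBELET-CANARY) '
}

# detect_mode LEGACY_DUMP NFT_DUMP -> prints "legacy" or "nft"
detect_mode() {
    if has_kubelet_chain "$2"; then echo nft; return 0; fi
    if has_kubelet_chain "$1"; then echo legacy; return 0; fi
    if [ "$(count_rules "$2")" -gt "$(count_rules "$1")" ]; then
        echo nft
    else
        echo legacy
    fi
}

# Constructed dumps: a Node whose kubelet and kube-proxy use one backend,
# and the (empty) view of the same Node through the other backend.
NODE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:KUBE-KUBELET-CANARY - [0:0]
COMMIT
*nat
:KUBE-SERVICES - [0:0]
-A PREROUTING -j KUBE-SERVICES
-A OUTPUT -j KUBE-SERVICES
COMMIT'
EMPTY_RULES='*filter
:INPUT ACCEPT [0:0]
COMMIT'
# Same rules without the kubelet chain, to exercise the rule-count fallback.
NO_HINT_RULES=$(printf '%s\n' "$NODE_RULES" | grep -v 'KUBE-KUBELET-CANARY')

echo "nft Node:      $(detect_mode "$EMPTY_RULES" "$NODE_RULES")"
echo "legacy Node:   $(detect_mode "$NODE_RULES" "$EMPTY_RULES")"
echo "no hint chain: $(detect_mode "$EMPTY_RULES" "$NO_HINT_RULES")"
```

On a real Node the two arguments would be the output of `iptables-legacy-save` and `iptables-nft-save` taken in the host network namespace; a result that differs from the container image's default backend is the mismatch this PR addresses.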
@codecov-commenter

Codecov Report

Merging #3311 (4008941) into release-1.2 (e053ea6) will decrease coverage by 4.50%.
The diff coverage is n/a.


@@               Coverage Diff               @@
##           release-1.2    #3311      +/-   ##
===============================================
- Coverage        60.58%   56.07%   -4.51%     
===============================================
  Files              285      285              
  Lines            22397    22397              
===============================================
- Hits             13569    12559    -1010     
- Misses            7379     8492    +1113     
+ Partials          1449     1346     -103     
| Flag | Coverage Δ |
|---|---|
| kind-e2e-tests | 38.75% <ø> (-8.33%) ⬇️ |
| unit-tests | 42.77% <ø> (+0.02%) ⬆️ |


| Impacted Files | Coverage Δ |
|---|---|
| pkg/apis/controlplane/v1beta2/helper.go | 25.00% <0.00%> (-75.00%) ⬇️ |
| pkg/agent/controller/networkpolicy/packetin.go | 4.36% <0.00%> (-68.45%) ⬇️ |
| ...formers/externalversions/security/v1alpha1/tier.go | 0.00% <0.00%> (-64.29%) ⬇️ |
| ...ers/externalversions/core/v1alpha2/clustergroup.go | 0.00% <0.00%> (-64.29%) ⬇️ |
| ...s/externalversions/core/v1alpha2/externalentity.go | 0.00% <0.00%> (-64.29%) ⬇️ |
| ...xternalversions/security/v1alpha1/networkpolicy.go | 0.00% <0.00%> (-64.29%) ⬇️ |
| ...versions/security/v1alpha1/clusternetworkpolicy.go | 0.00% <0.00%> (-64.29%) ⬇️ |
| pkg/controller/networkpolicy/mutate.go | 0.00% <0.00%> (-62.07%) ⬇️ |
| pkg/apiserver/handlers/webhook/mutation_crd.go | 0.00% <0.00%> (-52.64%) ⬇️ |
| pkg/apiserver/handlers/webhook/validation_crd.go | 0.00% <0.00%> (-48.79%) ⬇️ |

... and 58 more

@tnqn
Member

tnqn commented Feb 14, 2022

/test-all

@antoninbas
Contributor Author

Unrelated failures in e2e tests:

--- FAIL: TestFlowAggregator (222.78s)
    --- FAIL: TestFlowAggregator/IPv4 (84.47s)
        --- FAIL: TestFlowAggregator/IPv4/IntraNodeFlows (12.60s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnIngressANP (2.54s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnEgressANP (2.48s)
        --- PASS: TestFlowAggregator/IPv4/IntraNodeDenyConnNP (4.46s)
        --- FAIL: TestFlowAggregator/IPv4/InterNodeFlows (12.86s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnIngressANP (2.48s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnEgressANP (2.50s)
        --- PASS: TestFlowAggregator/IPv4/InterNodeDenyConnNP (4.56s)
        --- PASS: TestFlowAggregator/IPv4/ToExternalFlows (9.72s)
        --- FAIL: TestFlowAggregator/IPv4/LocalServiceAccess (12.62s)
        --- PASS: TestFlowAggregator/IPv4/RemoteServiceAccess (14.57s)

@antoninbas antoninbas merged commit 09822bf into antrea-io:release-1.2 Feb 14, 2022
@antoninbas antoninbas deleted the automated-cherry-pick-of-#3276-upstream-release-1.2 branch February 14, 2022 18:01