Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3311
Commits on Feb 11, 2022
-
Use iptables-wrapper in Antrea container
Instead of iptables directly. Antrea uses a Ubuntu 20.04 base container image, for which the default iptables mode is "legacy". This may not match the iptables mode for the Node OS, which in turn can create issues: * Other K8s components (kubelet, kube-proxy) will create rules using the default iptables mode for the Node. Assumptions about evaluation order between these rules and the Antrea rules may break. * The required kernel module for the "legacy" mode (ip_tables) may not be available on the Node. The iptables-wrapper is meant to address these issues: https://github.com/kubernetes-sigs/iptables-wrappers. We install it in the Antrea container image. The first time Antrea invokes iptables, the wrapper will determine the underlying iptables mode (for the Node OS) and adjust the iptables symlinks in the container. Fixes antrea-io#3243 Fixes antrea-io#3274 Signed-off-by: Antonin Bas <abas@vmware.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.