Fix the auto iptables detection if ip_tables.ko preloaded on RHEL/CentOS 8

[yankay]

Description

The auto iptables detection logic is updated by the Kubernetes KEP 3178 , the 'iptables-wrapper' can decide which iptables backend to use based on which one kubelet used.

So that the issue can be fixed by the new 'iptables-wrapper' logic. The PR is to update it with the new logic:

from:
https://github.com/kubernetes-sigs/iptables-wrappers/blob/v1/iptables-wrapper-installer.sh#L130
to:
https://github.com/kubernetes-sigs/iptables-wrappers/blob/master/iptables-wrapper-installer.sh#L107

Some additional information:

• a blog article about the issue: https://mihail-milev.medium.com/no-pod-to-pod-communication-on-centos-8-kubernetes-with-calico-56d694d2a6f4
• The docs of RHEL in kubespray : https://github.com/kubernetes-sigs/kubespray/blob/master/docs/rhel.md is NFT mode

Related issues/PRs

fixes #2322
fixes #3709

Todos

• Tests
• Documentation
• Release note

Release Note

Fix the auto iptables detection if ip_tables.ko preloaded on RHEL/CentOS 8

Reminder for the reviewer

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.

[CLAassistant]

All committers have signed the CLA.

[cyclinder]

Hi @caseydavenport @song-jiang , can you please take a look ? Thanks, I think it's make a sense. 😄

[yankay]

HI @mazdakn, would you please review the PR :-)

[mazdakn]

@yankay sure, I'll review it in the next few days.

[yankay]

@yankay sure, I'll review it in the next few days.

Thank you very much

[fasaxc]

Using the hints seems sensible but I don't think we should change the defaulting behaviour if no hints are detected. I notice that a bunch of the error tests have been flipped to default to nft now, for example but I'd expect that if iptbales-nft fails (presumably because we're on a kernel with no nftables support!) then we should default to legacy mode.

[yankay]

Thank you very much @fasaxc ,
The PR has changed the default from the NTF to the legacy mode at https://github.com/projectcalico/calico/pull/7111/files#diff-95c897a9aab2c42c0e5ccfa753ed1caa528d8736e94699740f9d1f3d00b408e9R330

Would you please review it again :-)

[fasaxc]

/sem-approve

[fasaxc]

LGTM. Noticed there was a change to a couple of existing tests due to the removal of the

if legacyLines >= 10

thanks that's OK now that nft is widely adopted

[yankay]

LGTM. Noticed there was a change to a couple of existing tests due to the removal of the

if legacyLines >= 10

thanks that's OK now that nft is widely adopted

Thank you very much for the review :-)

[cyclinder]

Hi @fasaxc , ci/semaphoreci/pr is falling, Does this affect the PR merge? What else is needed to merge into this PR?

Thanks.

[mgleung]

/sem-approve

[yankay]

Thanks@mazdakn @fasaxc @mgleung @cyclinder for the PR review :-)