Install iptables in cloud-api-adaptor daemonset #2016
Conversation
| ARG TARGETARCH | ||
|
|
||
| WORKDIR /iptables | ||
| RUN --mount=type=bind,target=/versions.yaml,source=cloud-api-adaptor/versions.yaml,readonly \ |
There was a problem hiding this comment.
This format is new to me. Do you have any reference on using --mount with RUN?
Is it docker specific or can work with podman also ?
There was a problem hiding this comment.
We can specify cache mounts and bind mounts to a RUN instruction in a Dockerfile.
https://docs.docker.com/build/guide/mounts/
Podman supports the feature as well.
Install the iptables command in the cloud-api-adaptor container image. It will be used to configure netfilter in a worker node for peer pod networking. Running the iptables command within a container requires a wrapper for it. https://github.com/kubernetes-sigs/iptables-wrappers Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
This patch updates the manifest of the cloud-api-adaptor daemonset to run the iptables command it. The cloud-api-adaptor daemonset runs in host network mode, and iptables can manage netfilter of the network namespace of the worker node. The iptables command needs to access a lock file and kernel modules in the host, and this patch adds volume mounts for them. Signed-off-by: Yohei Ueda <yohei@jp.ibm.com>
| @@ -25,6 +25,7 @@ tools: | |||
| protoc: 3.15.0 | |||
| packer: v1.9.4 | |||
| kcli: 99.0.202407031308 | |||
| iptables-wrapper: v0.0.0-20240819165702-06cad2ec6cb5 | |||
There was a problem hiding this comment.
Just to double check by understanding - iptable-wrapper is a tool as it isn't itself installed into the container image, but is just used to install iptables?
There was a problem hiding this comment.
Both are added to the container image to manipulate iptables rules
Also - https://github.com/kubernetes-sigs/iptables-wrappers
There was a problem hiding this comment.
So does that mean it shouldn't go into the tools section, but should be in an external, or dependencies section in version.yaml? Or am I over-thinking this?
There was a problem hiding this comment.
Since iptables-wrapper is a tool to manage iptables program, logically it makes sense to be in the tools section. Similar to golang, rust etc..
There was a problem hiding this comment.
But I have no preference. If any other section makes more sense that's fine with me as well
There was a problem hiding this comment.
I have no preference either.
Another possible option is to put it in the git section, and build iptables-wrapper from a cloned git repo. Currently, the builder image does not include the git command, so we need to install it for this option.
What do you think?
There was a problem hiding this comment.
Let not overthink it for now and block this work, but I think we go ahead with it in tools and can always update that later if we come up with a different section for this sort of thing. Thanks!
There was a problem hiding this comment.
@stevenhorsman Thank you. I agree.
I keep it in tools for now, and will update that it if necessary.
BTW, the current code to build the command using go install looks somewhat complicated due to cross compilation.
There is a discussion ongoing golang/go#44469, and we will update the code when a simpler option is available.
|
I think that given we have two approvals and are satisfied with the versions.yaml updates then we can merge this. Thanks @yoheiueda! |
This PR is a prerequisite to fix #2015
To run the iptables command within the cloud-api-adaptor container, we need a wrapper command for iptables, and volumes for accessing a lock file and kernel modules in the host side.
https://github.com/kubernetes-sigs/iptables-wrappers
Network-related projects such as kube-proxy and flannel use this wrapper to manipulate netfilter on worker nodes.
Another PR that actually fixes the issue using iptables will follow after this PR gets merged.