Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3308

antoninbas · 2022-02-11T18:54:30Z

Cherry pick of #3276 on release-1.5.

#3276: Use iptables-wrapper in Antrea container

For details on the cherry pick process, see the cherry pick requests page.

Instead of iptables directly. Antrea uses a Ubuntu 20.04 base container image, for which the default iptables mode is "legacy". This may not match the iptables mode for the Node OS, which in turn can create issues: * Other K8s components (kubelet, kube-proxy) will create rules using the default iptables mode for the Node. Assumptions about evaluation order between these rules and the Antrea rules may break. * The required kernel module for the "legacy" mode (ip_tables) may not be available on the Node. The iptables-wrapper is meant to address these issues: https://github.com/kubernetes-sigs/iptables-wrappers. We install it in the Antrea container image. The first time Antrea invokes iptables, the wrapper will determine the underlying iptables mode (for the Node OS) and adjust the iptables symlinks in the container. Fixes antrea-io#3243 Fixes antrea-io#3274 Signed-off-by: Antonin Bas <abas@vmware.com>

codecov-commenter · 2022-02-11T19:00:28Z

Codecov Report

Merging #3308 (3738a4c) into release-1.5 (d473d67) will decrease coverage by 6.75%.
The diff coverage is n/a.

@@               Coverage Diff               @@
##           release-1.5    #3308      +/-   ##
===============================================
- Coverage        59.49%   52.73%   -6.76%     
===============================================
  Files              331      462     +131     
  Lines            28463    54617   +26154     
===============================================
+ Hits             16934    28803   +11869     
- Misses            9651    23333   +13682     
- Partials          1878     2481     +603

Flag	Coverage Δ
e2e-tests	`52.27% <ø> (?)`
integration-tests	`34.02% <ø> (?)`
kind-e2e-tests	`47.71% <ø> (+0.30%)`	⬆️
unit-tests	`41.36% <ø> (+0.02%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/cniserver/pod_configuration_linux.go	`26.31% <0.00%> (-40.36%)`	⬇️
pkg/controller/ipam/antrea_ipam_controller.go	`48.71% <0.00%> (-31.57%)`	⬇️
pkg/controller/networkpolicy/endpoint_querier.go	`61.46% <0.00%> (-29.97%)`	⬇️
pkg/controller/egress/controller.go	`61.11% <0.00%> (-27.34%)`	⬇️
.../registry/networkpolicy/clustergroupmember/rest.go	`64.28% <0.00%> (-23.95%)`	⬇️
pkg/agent/cniserver/ipam/antrea_ipam.go	`55.55% <0.00%> (-23.62%)`	⬇️
pkg/agent/cniserver/ipam/antrea_ipam_controller.go	`56.30% <0.00%> (-23.46%)`	⬇️
pkg/agent/util/ethtool/ethtool_linux.go	`46.66% <0.00%> (-23.34%)`	⬇️
pkg/controller/ipam/validate.go	`57.14% <0.00%> (-22.86%)`	⬇️
pkg/apiserver/handlers/endpoint/handler.go	`47.82% <0.00%> (-22.77%)`	⬇️
... and 424 more

tnqn · 2022-02-14T05:18:21Z

/test-all

antoninbas added the kind/cherry-pick Categorizes issue or PR as related to the cherry-pick of a bug fix from the main branch to a release label Feb 11, 2022

antoninbas requested a review from tnqn February 11, 2022 18:55

tnqn approved these changes Feb 14, 2022

View reviewed changes

antoninbas merged commit 0d95cf9 into antrea-io:release-1.5 Feb 14, 2022

antoninbas deleted the automated-cherry-pick-of-#3276-upstream-release-1.5 branch February 14, 2022 17:55

Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3308

Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3308

antoninbas commented Feb 11, 2022

codecov-commenter commented Feb 11, 2022 •

edited

tnqn commented Feb 14, 2022

Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3308

Automated cherry pick of #3276: Use iptables-wrapper in Antrea container #3308

Conversation

antoninbas commented Feb 11, 2022

codecov-commenter commented Feb 11, 2022 • edited

Codecov Report

tnqn commented Feb 14, 2022

codecov-commenter commented Feb 11, 2022 •

edited