iptables: fix check for rule existence in ip6tables v1.8.9 #2976
iptables v1.8.9 breaks the rule existence check in `ip6tables`. Fix this downstream until the issue has been patched in the upstream project.

Signed-off-by: Markus Boehme <markubo@amazon.com>
LGTM if IPv6 testing goes well
LGTM
I successfully tested the change on an IPv6 EKS cluster and updated the PR description with the steps I took.
Hello, I don’t know if this is the right place to ask this question, but do you know when a new AMI will be released and available on EKS node groups and if the current AMI will be retracted in the interim?
@yann-soubeyrand: There is no plan to retract the AMIs for Bottlerocket v1.13.x or their SSM parameters at this point as this may break other users. The fix unfortunately missed the window for the just released v1.13.2. It will for sure be included in the next official release, be that another v1.13.x point release or v1.14.0. There is no fixed date for such a release yet, but we are looking into providing a v1.13.3. Please expect more information on that early next week. For the time being, you may avoid the issue by creating a custom launch template referencing an AMI for Bottlerocket v1.12.0. The documentation for AWS EKS Managed Node Groups contains more information on this. You can determine suitable AMI IDs by querying SSM parameters, e.g.
@yann-soubeyrand A new point release of Bottlerocket (1.13.3) is in the works, including this fix.
Thanks @markusboehme!
Issue number:
Closes #2975
Description of changes:
iptables v1.8.9 breaks the rule existence check in `ip6tables`. Fix this downstream until the issue has been patched in the upstream project.
I proposed this patch upstream: https://marc.info/?l=netfilter-devel&m=168055689214144
Testing done:
`aws-k8s-1.24` on x86_64 builds and can launch pods
`iptables -t nat -L` on the host)
Pod spec:
On the host (admin container --> `sudo sheltie`):
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.