Adding iptables fix for issue with kube-proxy requiring a chain creat…

…ed by kubelet.

This is intended to be a stop-gap until we can do the necessary work to run kubelet on the masters.

reactive/kubernetes_master.py

@@ -704,6 +704,7 @@ def start_master():
     add_systemd_restart_always()
     add_systemd_file_limit()
     add_systemd_file_watcher()
+    add_systemd_iptables_patch()
     check_call(['systemctl', 'daemon-reload'])
 
     # Add CLI options to all components
@@ -2524,3 +2525,21 @@ def restart_addons_for_ca():
     except Exception:
         hookenv.log(traceback.format_exc())
         hookenv.log('Waiting to retry restarting addons')
+
+
+def add_systemd_iptables_patch():
+    source = 'templates/kube-proxy-iptables-fix.sh'
+    dest = '/usr/local/bin/kube-proxy-iptables-fix.sh'
+    copyfile(source, dest)
+    os.chmod(dest, 0o775)
+
+    template = 'templates/service-iptables-fix.service'
+    dest_dir = '/etc/systemd/system'
+    os.makedirs(dest_dir, exist_ok=True)
+    service_name = 'kube-proxy-iptables-fix.service'
+    copyfile(template, '{}/{}'.format(dest_dir, service_name))
+
+    check_call(['systemctl', 'daemon-reload'])
+
+    # enable and run the service
+    service_resume(service_name)

templates/kube-proxy-iptables-fix.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# add the chain, note that adding twice is ok as it will just error.
+/sbin/iptables -t nat -N KUBE-MARK-DROP
+
+# need to check the creation of the rule to ensure we only create it once.
+if ! /sbin/iptables -t nat -C KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 &> /dev/null; then
+  /sbin/iptables -t nat -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
+fi

templates/service-iptables-fix.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Apply iptables rule for KUBE-MARK-DROP
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kube-proxy-iptables-fix.sh
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target