daemon: Warn on disabling iptables #16611
Merged
I'm looking forward to a time when we no longer need to configure
iptables. However, for the moment there are a couple of minor features we
use to handle policy and forwarding correctly which rely on iptables.
Furthermore, even if all of this is implemented in eBPF, the user's
environment may still have iptables configured and this can then
interfere with the Cilium traffic handling, depending on how Cilium is
configured.

For now, it likely makes sense to warn users that disabling this flag
could lead to unexpected policy and forwarding behaviour. Once we've
resolved the linked issue, maybe we can think about reverting this to an
info message to account for the compatibility case mentioned above.

Related: #12879