image/runtime: Update iptables-wrapper script #19937

sayboras · 2022-05-24T11:13:52Z

Description

The original iptables-wrapper script is coming from 1, however,
this was spinned off to 2 in k8s upstream repo. This commit is
to get the latest iptables-wrapper script.

Signed-off-by: Tam Mach tam.mach@cilium.io

Testing

This is spin-off from #19852 so that we can decide to backports these changes (e.g. ubuntu upgrade vs iptables-wrapper update) independently.

sayboras · 2022-05-24T13:26:50Z

/test

sayboras · 2022-05-25T02:32:41Z

/test-runtime

The original iptables-wrapper script is coming from [1], however, this was spinned off to [2] in k8s upstream repo. This commit is to get the latest iptables-wrapper script. [1]: kubernetes/kubernetes#82966 [2]: https://github.com/kubernetes-sigs/iptables-wrappers/blob/master/iptables-wrapper-installer.sh Signed-off-by: Tam Mach <tam.mach@cilium.io>

Signed-off-by: Tam Mach <tam.mach@cilium.io>

sayboras · 2022-05-31T14:20:55Z

/test

christarazi

Changes LGTM, I'm not sure how useful it is to review the actual iptables script. Do we feel that CI will give us a good enough signal to avoid regressions? Do we still feel this is risky?

tommyp1ckles · 2022-06-02T00:02:03Z

What's the context for why the script was changed upstream?

sayboras · 2022-06-08T00:31:57Z

What's the context for why the script was changed upstream?

Sorry for late reply. As per my understanding, this script was not maintained and updated for quite sometime. The recent update in upstream is to keep up with latest k8s deployment:

most of k8s deployment is with linux distribution with recent iptables version (e.g. 1.8.7)
NFT mode is preferred compared to legacy mode.

https://github.com/kubernetes-sigs/iptables-wrappers/commits/master/iptables-wrapper-installer.sh

sayboras · 2022-06-08T00:36:58Z

Changes LGTM, I'm not sure how useful it is to review the actual iptables script. Do we feel that CI will give us a good enough signal to avoid regressions? Do we still feel this is risky?

I think CI is giving us some confidence for sure, but it's hard to have complete confidence on iptables 😢 . Can we have it as part of 1.12 release, and then will backport to older version if required ? This is based on my assumption that users who plan to use 1.12 will most likely to have recent OS/Kernel/k8s versions, so the risk is becoming less.

sayboras · 2022-06-09T01:45:52Z

Closed this one as we are considering other approach to make sure kubelet and cilium are using the same iptables mode.

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 24, 2022

sayboras temporarily deployed to release-base-images May 24, 2022 11:13 Inactive

sayboras added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label May 24, 2022

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 24, 2022

sayboras temporarily deployed to release-base-images May 24, 2022 11:21 Inactive

sayboras force-pushed the tam/update-iptables-wrapper branch from 35afe21 to adc6ad8 Compare May 24, 2022 11:48

sayboras temporarily deployed to release-base-images May 24, 2022 11:48 Inactive

sayboras marked this pull request as ready for review May 24, 2022 11:50

sayboras requested review from a team as code owners May 24, 2022 11:50

sayboras requested review from christarazi and tommyp1ckles May 24, 2022 11:50

sayboras mentioned this pull request May 27, 2022

image: Bump runtime base image to ubuntu LTS 22.04 #19852

Closed

sayboras force-pushed the tam/update-iptables-wrapper branch from adc6ad8 to a521b3a Compare May 31, 2022 09:03

sayboras temporarily deployed to release-base-images May 31, 2022 09:04 Inactive

update cilium-{runtime,builder}

f52acd5

Signed-off-by: Tam Mach <tam.mach@cilium.io>

sayboras force-pushed the tam/update-iptables-wrapper branch from a521b3a to f52acd5 Compare May 31, 2022 09:14

sayboras temporarily deployed to release-base-images May 31, 2022 09:14 Inactive

christarazi reviewed May 31, 2022

View reviewed changes

sayboras closed this Jun 9, 2022

sayboras deleted the tam/update-iptables-wrapper branch November 1, 2022 10:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

image/runtime: Update iptables-wrapper script #19937

image/runtime: Update iptables-wrapper script #19937

sayboras commented May 24, 2022 •

edited

sayboras commented May 24, 2022

sayboras commented May 25, 2022

sayboras commented May 31, 2022

christarazi left a comment

tommyp1ckles commented Jun 2, 2022

sayboras commented Jun 8, 2022

sayboras commented Jun 8, 2022 •

edited

sayboras commented Jun 9, 2022

image/runtime: Update iptables-wrapper script #19937

image/runtime: Update iptables-wrapper script #19937

Conversation

sayboras commented May 24, 2022 • edited

Description

Testing

sayboras commented May 24, 2022

sayboras commented May 25, 2022

sayboras commented May 31, 2022

christarazi left a comment

Choose a reason for hiding this comment

tommyp1ckles commented Jun 2, 2022

sayboras commented Jun 8, 2022

sayboras commented Jun 8, 2022 • edited

sayboras commented Jun 9, 2022

sayboras commented May 24, 2022 •

edited

sayboras commented Jun 8, 2022 •

edited