-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
image/runtime: Update iptables-wrapper script #19937
Conversation
35afe21
to
adc6ad8
Compare
/test |
/test-runtime |
The original iptables-wrapper script is coming from [1], however, this was spinned off to [2] in k8s upstream repo. This commit is to get the latest iptables-wrapper script. [1]: kubernetes/kubernetes#82966 [2]: https://github.com/kubernetes-sigs/iptables-wrappers/blob/master/iptables-wrapper-installer.sh Signed-off-by: Tam Mach <tam.mach@cilium.io>
adc6ad8
to
a521b3a
Compare
Signed-off-by: Tam Mach <tam.mach@cilium.io>
a521b3a
to
f52acd5
Compare
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changes LGTM, I'm not sure how useful it is to review the actual iptables script. Do we feel that CI will give us a good enough signal to avoid regressions? Do we still feel this is risky?
What's the context for why the script was changed upstream? |
Sorry for late reply. As per my understanding, this script was not maintained and updated for quite sometime. The recent update in upstream is to keep up with latest k8s deployment:
https://github.com/kubernetes-sigs/iptables-wrappers/commits/master/iptables-wrapper-installer.sh |
I think CI is giving us some confidence for sure, but it's hard to have complete confidence on iptables 😢 . Can we have it as part of 1.12 release, and then will backport to older version if required ? This is based on my assumption that users who plan to use 1.12 will most likely to have recent OS/Kernel/k8s versions, so the risk is becoming less. |
Closed this one as we are considering other approach to make sure kubelet and cilium are using the same iptables mode. |
Description
The original iptables-wrapper script is coming from 1, however,
this was spinned off to 2 in k8s upstream repo. This commit is
to get the latest iptables-wrapper script.
Signed-off-by: Tam Mach tam.mach@cilium.io
Testing
This is spin-off from #19852 so that we can decide to backports these changes (e.g. ubuntu upgrade vs iptables-wrapper update) independently.