add an option to wait for kube-proxy #20517
LGTM, I'd like to see if the --check flag can be used instead of grepping, but this works too.
- | | ||
while true | ||
do | ||
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then |
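Review bot: The `if` on the `iptables-nft-save -t mangle | grep -E ...` line tests only grep's exit status, so a failing `iptables-nft-save` (for example a missing binary in the init container image) looks exactly like "chain not present yet", and under `while true` the init container would then wait forever without saying why. Consider capturing the save output first, logging a non-zero exit from it, and bounding the loop with a deadline. grep also runs without `-q` here, so the matched chain line is written to the container log; redirect it if that output is not intended.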
Is finding one or the other enough? I'm assuming the rules are atomically set at the same time?
Yes, my understanding: KUBE-IPTABLES-HINT was what the old versions used; the newer versions use KUBE-PROXY-CANARY, so if we ever find both, things are strange already.
- | | ||
while true | ||
do | ||
if iptables-nft-save -t mangle | grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)'; then |
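Review bot: The grep pattern anchors on `^:`, so this line tests only that a chain named KUBE-IPTABLES-HINT or KUBE-PROXY-CANARY is declared in the mangle table as seen through the nft backend; nothing in these lines looks at the legacy backend or at ip6tables. If kube-proxy can run with the legacy backend on supported nodes, the same test is needed against the legacy save command, otherwise this loop never exits there. A comment in the script saying which kube-proxy versions create which chain would also help the next reader.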
Instead of doing a save and grep could you use the --check flag to check for the chain and a particular rule?
-C, --check chain rule-specification
Check whether a rule matching the specification does exist in the selected chain. This command uses the same logic as -D to find a matching entry, but does not alter the existing iptables configuration and uses its exit code to indicate success or failure.
Not sure... I've never used --check; maybe @joestringer knows the answer.
This commit is to add the flag in helm, which will enable init container waiting for kube-proxy if required. The main reason is to avoid any potential race condition between kube-proxy and cilium agent. More context can be found in below related PR.
Relates: #20123
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
/test
Job 'Cilium-PR-K8s-1.24-kernel-net-next' failed:
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
Self approved :shameless:
/test-1.24-net-next
Job 'Cilium-PR-K8s-1.24-kernel-net-next' failed:
If it is a flake and a GitHub issue doesn't already exist to track it, comment |
/mlh new-flake Cilium-PR-K8s-1.24-kernel-net-next |
Description
This commit is to add the flag in helm, which will enable init
container waiting for kube-proxy if required. The main reason is
to avoid any potential race condition between kube-proxy and
cilium agent. More context can be found in below related PR.
Relates: #20123
Signed-off-by: Michi Mutsuzaki <michi@isovalent.com>
Testing
(tam) The changes were originally done by Michi; I just added the minor things below:
Testing was done locally by setting this flag enabled (and kube proxy
replacement is not set).
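A bounded form of the wait loop discussed in this PR, as an added example that is not part of the PR or of Cilium's Helm chart: it separates "save command failed" from "chain not there yet" and gives up at a deadline. `SAVE_CMD`, `WAIT_TIMEOUT`, `WAIT_INTERVAL`, the function names and the sample dump are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not Cilium's script. SAVE_CMD, WAIT_TIMEOUT, WAIT_INTERVAL
# and all function names are hypothetical.

# Constructed sample of `iptables-save -t mangle` output, for trying the parser.
sample_dump() {
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [0:0]' \
        ':KUBE-PROXY-CANARY - [0:0]' 'COMMIT'
}

# Read iptables-save output on stdin; succeed if one of the two chain names
# grepped for in the PR is declared (":NAME policy [counters]" lines only).
has_kube_proxy_chain() {
    grep -E '^:(KUBE-IPTABLES-HINT|KUBE-PROXY-CANARY)( |$)' >/dev/null
}

# Poll the mangle table until a marker chain shows up.
# Returns 0 = found, 1 = deadline reached and chain absent,
#         2 = deadline reached and the save command is failing.
wait_for_kube_proxy() {
    save_cmd=${SAVE_CMD:-iptables-nft-save}
    timeout=${WAIT_TIMEOUT:-300}     # seconds
    interval=${WAIT_INTERVAL:-2}     # seconds
    elapsed=0
    while :; do
        if out=$($save_cmd -t mangle); then
            save_failed=0
            if printf '%s\n' "$out" | has_kube_proxy_chain; then
                echo "kube-proxy chain found via $save_cmd"
                return 0
            fi
        else
            # A broken save command must not look like "not there yet".
            save_failed=1
            echo "$save_cmd -t mangle failed" >&2
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            if [ "$save_failed" -eq 1 ]; then return 2; fi
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}
```

In an init container the caller would run `wait_for_kube_proxy || exit 1`, so a timeout surfaces as a failed init container rather than a silent hang.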