kube-proxy fails to restore iptable rules #82587
No matter how long I wait, kube-proxy always gets
Anything else we need to know?:
So what's going on here: I had thought that if we removed the RHEL 7 special case code, then the existing non-RHEL7 fallback code would do the right thing (grabbing the xtables lock manually before calling iptables-restore) but the fallback code actually ends up breaking us, because the RHEL7 iptables-restore will also try to grab the xtables lock, which our fallback code already took, and so iptables-restore will fail.
There is no workaround; 1.16.0 is completely broken on RHEL 7 at the moment. (Note that this has nothing at all to do with the iptables legacy vs nft thing.)
The possible fixes, if we want to fix this for 1.16.0:
OK, that's not true. Apparently no one ever shipped 1.4.22. Debian Jessie (aka oldoldstable) has iptables 1.4.21, and is apparently LTS until 2020. Fedora 21-24 also shipped 1.4.21, but Fedora 24 end-of-lifed in 2017. No currently-supported version of Ubuntu ships 1.4.21. (The oldest LTS is xenial/16.04, which has iptables 1.6.0.)
So if we do the minimal hack above, it would make kube-proxy somewhat flaky for people running Kubernetes 1.16.0 on Debian Jessie. I don't know if that is a non-empty set of people.
Of course, if we do the small hack for 1.16.0 we can do a larger patch for master and then 1.16.1 (reverting just the objectionable part of #80368).
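The double-locking failure described in this thread, as an added example (not kube-proxy's code and not part of the original issue): a Go model in which the caller takes an exclusive `flock` on a lock file, and a second, independent open of the same file then attempts its own exclusive `flock`, as a lock-aware iptables-restore would. The lock path, `tryLock` and `restore` are hypothetical names, and modelling the tool's attempt as non-blocking is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// tryLock models a lock-aware tool: it opens the lock file itself and asks
// for an exclusive flock without waiting (non-blocking is an assumption).
func tryLock(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, 0o600)
	if err != nil {
		return nil, err
	}
	if err := syscall.Flock(int(f.Fd()), syscall.LOCK_EX|syscall.LOCK_NB); err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

// restore models one run of caller plus tool. With callerLocks set, the caller
// takes the lock first (the fallback path) and keeps it while the tool runs.
// The returned error is whatever the tool's own lock attempt produced.
func restore(path string, callerLocks bool) error {
	if callerLocks {
		held, err := tryLock(path)
		if err != nil {
			return err
		}
		defer held.Close() // closing the descriptor releases the flock
	}
	tool, err := tryLock(path) // separate open file description, so it conflicts
	if err != nil {
		return err
	}
	return tool.Close()
}

func main() {
	lock := filepath.Join(os.TempDir(), "xtables-demo.lock") // constructed stand-in path
	defer os.Remove(lock)
	for _, callerLocks := range []bool{true, false} {
		fmt.Printf("caller holds lock=%v -> tool error: %v\n", callerLocks, restore(lock, callerLocks))
	}
}
```

`flock` locks belong to the open file description, so the second open conflicts with the first even though the caller started the tool.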