Enable iptables -w in kubeadm selfhosted

[cmluciano]

Currently containerized kube-proxy cannot support iptables -w
unless the xtables.lock is mounted.

Related: #46103

Signed-off-by: Christopher M. Luciano cmluciano@us.ibm.com

Special notes for your reviewer:

• I need to figure out how to do some pre-setup to touch the file if it does not exist.
  Release note:

support iptables -w in kubeadm containerized kube-proxy

[cmluciano]

cc @bboreham @dcbw

[justinsb]

I approve, but it's only a soft approve as I don't know this code very well :-)

One option to skip the file-already-exists problem is to mount /run, which I believe we can assume is always there?

[cmluciano]

Thanks @justinsb . I did not go with this option initially since @bboreham mentioned that it would probably introduce other bugs #46103 (comment).

[luxas]

Have you tested that this fixes the issue?

Basically LGTM

[luxas]

I think it should be hostPath

[luxas]

I'm deferring to @bboreham on this one as he's the author of the linked issue

[bboreham]

This part is still open:

I need to figure out how to do some pre-setup to touch the file if it does not exist.

AFAIK this would be somewhere like /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, which I think gets delivered by the package(s). And I have no idea where they live.

[cmluciano]

@luxas Any pointers on where I would do the touch for making sure that the file exists?

[cmluciano]

I can't filter through the log files

@k8s-bot pull-kubernetes-unit test this

[0xmichalis]

@k8s-bot pull-kubernetes-e2e-kops-aws test this

[luxas]

Must be an image that's compatible with all architectures

[cmluciano]

May be related #46820

[cmluciano]

@luxas Do we have some examples of a generic cross ARCH image?

[luxas]

@ixdy ^

I think we have a gcr.io image of it somewhere. The hard question is security updates for that one @timstclair

[timstclair]

The image needs to be templated to be cross arch. For this type of simple command, we usually just use busybox (though I'd like to switch to alpine). E.g.

kubernetes/cluster/images/etcd/Makefile

Line 37 in 25aed0a

ifeq ($(ARCH),amd64)

[luxas]

Is this a file or directory? I suppose file. Will k8s always mount it as a file as well?

[luxas]

Should this be for pod or init container?

[cmluciano]

Good point, it should probably just be put at the pod level

[luxas]

Meant for the init container, right?

[cmluciano]

yes, the run mount is only for the init container

[luxas]

I don't see any run volume

[cmluciano]

added

[cmluciano]

This seems relevant certificates.go:48] Failed to start certificate controller: open /etc/kubernetes/ca/ca.pem: no such file or directory . I'm wondering if this needs to be mounted into the kube-proxy container.

[luxas]

LGTM for everything but the busybox constant.

[cmluciano]

xref: #47212

[cmluciano]

@timstclair @luxas does this look better?

[luxas]

@ixdy We'd have to push an gcr.io/google_containers/busybox-${ARCH} image then (totally possible), don't know if that's feasible from a security standpoint (we'd have to keep it up to date)

cc @timstclair @thockin Please chime in with your thoughts here...

[cmluciano]

While it would be great to get this merged, I'm inclined to await #46597 to land and then I can remove the init container.

[luxas]

@cmluciano How critical is this? Can we afford not having this in v1.7?
Where is the related bug/issue?

[cmluciano]

If kube-proxy is containerized, I believe that it will not properly function. cc @bboreham for confirmation

[luxas]

If it doesn't work at all, it's a release blocker

[timstclair]

We should use the upstream busybox images. gcr.io/google-containers won't be kept up to date.

[luxas]

@cmluciano Actually you can use upstream images, but that will add more logic. In this case it seems like the only approach.
So add {{ .BusyboxImage }} or similar and set it conditionally:

GOARCH	Image
amd64	busybox
arm	armhf/busybox
arm64	aarch64/busybox
ppc64le	ppc64le/busybox
s390x	s390x/busybox

[cmluciano]

Let me test with #47212 quick and see if that will work as an interim

[cmluciano]

/retest

job is marked as flaky

[luxas]

#47212 would be the better solution yeah

[cmluciano]

Ok all tests are passing now @luxas. I am going to push up a TODO on this line to rebase on #46597 when it is merged and I opened kubernetes/kubeadm#298 to track it.

[cmluciano]

/retest

seems like a cleanup issue

[luxas]

cc @dchen1107 @yujuhong @MrHohn @freehan FYI
Implementation of #47212 for kubeadm.

This is a bug fix for v1.7

[luxas]

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cmluciano, luxas

Associated issue: 46103

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [luxas]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[luxas]

/retest

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 47084, 46016, 46372)