diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index afd9e8eec5ad..11c33bc9af78 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1471,7 +1471,15 @@ function prepare-kube-proxy-manifest-variables {
 params+=" --feature-gates=${FEATURE_GATES}"
 fi
 if [[ "${KUBE_PROXY_MODE:-}" == "ipvs" ]];then
- sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4
+ # use 'nf_conntrack' instead of 'nf_conntrack_ipv4' for linux kernel >= 4.19
+ # https://github.com/kubernetes/kubernetes/pull/70398
+ local -r kernel_version=$(uname -r | cut -d\. -f1,2)
+ local conntrack_module="nf_conntrack"
+ if [[ $(printf "${kernel_version}\n4.18\n" | sort -V | tail -1) == "4.18" ]]; then
+ conntrack_module="nf_conntrack_ipv4"
+ fi
+
+ sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module}
 if [[ $? -eq 0 ]]; then
 params+=" --proxy-mode=ipvs"
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index 5c48c1fd1970..c6580e2152b1 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -1740,6 +1740,39 @@ func (proxier *Proxier) writeIptablesRules() {
 )
 }
+ // Install the kubernetes-specific postrouting rules. We use a whole chain for
+ // this so that it is easier to flush and change, for example if the mark
+ // value should ever change.
+ // NB: THIS MUST MATCH the corresponding code in the kubelet
+ writeLine(proxier.natRules, []string{
+ "-A", string(kubePostroutingChain),
+ "-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
+ "-j", "RETURN",
+ }...)
+ // Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
+ writeLine(proxier.natRules, []string{
+ "-A", string(kubePostroutingChain),
+ // XOR proxier.masqueradeMark to unset it
+ "-j", "MARK", "--xor-mark", proxier.masqueradeMark,
+ }...)
+ masqRule := []string{
+ "-A", string(kubePostroutingChain),
+ "-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
+ "-j", "MASQUERADE",
+ }
+ if proxier.iptables.HasRandomFully() {
+ masqRule = append(masqRule, "--random-fully")
+ }
+ writeLine(proxier.natRules, masqRule...)
+
+ // Install the kubernetes-specific masquerade mark rule. We use a whole chain for
+ // this so that it is easier to flush and change, for example if the mark
+ // value should ever change.
+ writeLine(proxier.natRules, []string{
+ "-A", string(KubeMarkMasqChain),
+ "-j", "MARK", "--or-mark", proxier.masqueradeMark,
+ }...)
+
 // Write the end-of-table markers.
 writeLine(proxier.filterRules, "COMMIT")
 writeLine(proxier.natRules, "COMMIT")
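Review bot: The `else` branch that logged when `--random-fully` is unavailable has been dropped from the moved `HasRandomFully()` check, so a node whose iptables lacks the option now installs a plain `MASQUERADE` rule with no trace in the logs. Since writeIptablesRules presumably runs on every sync, the old per-call V(2)/V(3) lines would have been noisy here, which is probably why they went, but the signal itself is worth keeping and only needs emitting once. I would re-emit the removed "Not using --random-fully in the MASQUERADE rule for iptables because the local version of iptables does not support it" message at V(2) where the Proxier is constructed (outside this hunk), and add above the `if` here a comment such as `// whether --random-fully is available is logged once at construction time; do not log per sync`. Whether SNAT'd traffic gets fully randomized source-port selection is a property of the node that operators may want to audit, so it should remain discoverable. writeIptablesRules starts and ends outside this hunk.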
@@ -1798,41 +1831,6 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
 }
 }
- // Install the kubernetes-specific postrouting rules. We use a whole chain for
- // this so that it is easier to flush and change, for example if the mark
- // value should ever change.
- // NB: THIS MUST MATCH the corresponding code in the kubelet
- writeLine(proxier.natRules, []string{
- "-A", string(kubePostroutingChain),
- "-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
- "-j", "RETURN",
- }...)
- // Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
- writeLine(proxier.natRules, []string{
- "-A", string(kubePostroutingChain),
- // XOR proxier.masqueradeMark to unset it
- "-j", "MARK", "--xor-mark", proxier.masqueradeMark,
- }...)
- masqRule := []string{
- "-A", string(kubePostroutingChain),
- "-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
- "-j", "MASQUERADE",
- }
- if proxier.iptables.HasRandomFully() {
- masqRule = append(masqRule, "--random-fully")
- klog.V(3).Info("Using `--random-fully` in the MASQUERADE rule for iptables")
- } else {
- klog.V(2).Info("Not using `--random-fully` in the MASQUERADE rule for iptables because the local version of iptables does not support it")
- }
- writeLine(proxier.natRules, masqRule...)
-
- // Install the kubernetes-specific masquerade mark rule. We use a whole chain for
- // this so that it is easier to flush and change, for example if the mark
- // value should ever change.
- writeLine(proxier.natRules, []string{
- "-A", string(KubeMarkMasqChain),
- "-j", "MARK", "--or-mark", proxier.masqueradeMark,
- }...)
 }
 // getExistingChains get iptables-save output so we can check for existing chains and rules.