custom iptables version monitor plugin #844

Merged: 1 commit, Jan 3, 2024
20 changes: 20 additions & 0 deletions config/iptables-mode-monitor.json
@@ -0,0 +1,20 @@
{
"plugin": "custom",
"pluginConfig": {
"invoke_interval": "86400s",
"timeout": "5s",
"max_output_length": 80,
"concurrency": 1
},
"source": "iptables-mode-monitor",
"metricsReporting": true,
"conditions": [],
"rules": [
{
"type": "temporary",
"reason": "IPTablesVersionsMismatch",
"path": "./config/plugin/iptables_mode.sh",
"timeout": "5s"
}
]
}
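Review bot: `"max_output_length": 80` in pluginConfig leaves almost no headroom for the mismatch message the script emits ("Found rules from both versions, iptables-legacy: N iptables-nft: M" is already about 64 characters before the two counts), so the nft count may be truncated in the reported event exactly when it matters; consider raising it (e.g. 200). Two points that deserve a line of documentation in the config or the PR description: with `"invoke_interval": "86400s"` the check runs once a day, so a mismatch introduced right after a run goes unreported for up to 24 hours, and `"type": "temporary"` together with `"conditions": []` means the result surfaces only as a node event, never as a persistent node condition.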
30 changes: 30 additions & 0 deletions config/plugin/iptables_mode.sh
@@ -0,0 +1,30 @@
#!/bin/bash

# As of iptables 1.8, the iptables command line clients come in two different versions/modes: "legacy",
# which uses the kernel iptables API just like iptables 1.6 and earlier did, and "nft", which translates
# the iptables command-line API into the kernel nftables API.
# Because they connect to two different subsystems in the kernel, you cannot mix rules from different versions.
# Ref: https://github.com/kubernetes-sigs/iptables-wrappers

readonly OK=0
readonly NONOK=1
readonly UNKNOWN=2

# based on: https://github.com/kubernetes-sigs/iptables-wrappers/blob/97b01f43a8e8db07840fc4b95e833a37c0d36b12/iptables-wrapper-installer.sh
readonly num_legacy_lines=$( (iptables-legacy-save || true; ip6tables-legacy-save || true) 2>/dev/null | grep -c '^-' || true)
readonly num_nft_lines=$( (timeout 5 sh -c "iptables-nft-save; ip6tables-nft-save" || true) 2>/dev/null | grep -c '^-' || true)


if [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -gt 0 ]; then
echo "Found rules from both versions, iptables-legacy: ${num_legacy_lines} iptables-nft: ${num_nft_lines}"
echo $NONOK
elif [ "$num_legacy_lines" -gt 0 ] && [ "$num_nft_lines" -eq 0 ]; then
Contributor:

I'm wondering if the following conditions are necessary. From my understanding, finding no rules doesn't mean the node is using one backend.

Member Author:

In a Kubernetes cluster, kubelet always installs an iptables rule to solve this specific problem: https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3178-iptables-cleanup#iptables-wrapper

Member Author:

This mechanism of detecting the backend by counting rules has been demonstrated to be the most effective and widely used.

echo "Using iptables-legacy: ${num_legacy_lines} rules"
echo $OK
elif [ "$num_legacy_lines" -eq 0 ] && [ "$num_nft_lines" -gt 0 ]; then
echo "Using iptables-nft: ${num_nft_lines} rules"
echo $OK
else
echo "No iptables rules found"
echo $UNKNOWN
fi
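Review bot: The status is written to stdout with `echo $NONOK`, `echo $OK` and `echo $UNKNOWN` instead of being returned as the exit status; node-problem-detector's custom plugin takes the script's exit code as the status (0 OK, 1 NonOK, 2 Unknown) and stdout as the message, so as written the script always exits 0 and the mismatch branch is reported as OK with the status digit appended to the message. Use `exit $NONOK` (and likewise for the other branches), matching the other plugins under config/plugin. Two smaller points: the inner `timeout 5` on the nft save equals the 5s plugin timeout from the config, so a hung iptables-nft-save trips the plugin timeout before the script can report anything; pick a shorter inner timeout (e.g. 3) or a larger plugin timeout. And the legacy save runs with no timeout at all, unlike the nft one; if that asymmetry is deliberate (it mirrors the referenced iptables-wrappers installer), a comment saying so would help the next reader.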