Merge pull request #8076 from hakman/iptables-backend

Add support for NFT with Calico and Canal
kubernetes · Dec 10, 2019 · c36470f · c36470f
2 parents e2060cd + dd69274
commit c36470f
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 2 deletions.
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -2376,6 +2376,10 @@ spec:
                     ipipMode:
                       description: IPIPMode is mode for CALICO_IPV4POOL_IPIP
                       type: string
+                    iptablesBackend:
+                      description: 'IptablesBackend controls which variant of iptables
+                        binary Felix uses Default: Legacy (other options: NFT)'
+                      type: string
                     logSeverityScreen:
                       description: 'LogSeverityScreen lets us set the desired log
                         level. (Default: info)'
@@ -2441,6 +2445,10 @@ spec:
                         NOT add the default ACCEPT traffic rules to the iptables FORWARD
                         chain
                       type: boolean
+                    iptablesBackend:
+                      description: 'IptablesBackend controls which variant of iptables
+                        binary Felix uses Default: Legacy (other options: NFT)'
+                      type: string
                     logSeveritySys:
                       description: 'LogSeveritySys the severity to set for logs which
                         are sent to syslog Default: INFO (other options: DEBUG, WARNING,

diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -94,6 +94,9 @@ type CalicoNetworkingSpec struct {
 	PrometheusProcessMetricsEnabled bool `json:"prometheusProcessMetricsEnabled,omitempty"`
 	// MajorVersion is the version of Calico to use
 	MajorVersion string `json:"majorVersion,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// IPIPMode is mode for CALICO_IPV4POOL_IPIP
 	IPIPMode string `json:"ipipMode,omitempty"`
 	// TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
@@ -119,6 +122,9 @@ type CanalNetworkingSpec struct {
 	// DisableFlannelForwardRules configures Flannel to NOT add the
 	// default ACCEPT traffic rules to the iptables FORWARD chain
 	DisableFlannelForwardRules bool `json:"disableFlannelForwardRules,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// LogSeveritySys the severity to set for logs which are sent to syslog
 	// Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE)
 	LogSeveritySys string `json:"logSeveritySys,omitempty"`

diff --git a/pkg/apis/kops/v1alpha1/networking.go b/pkg/apis/kops/v1alpha1/networking.go
@@ -94,6 +94,9 @@ type CalicoNetworkingSpec struct {
 	PrometheusProcessMetricsEnabled bool `json:"prometheusProcessMetricsEnabled,omitempty"`
 	// MajorVersion is the version of Calico to use
 	MajorVersion string `json:"majorVersion,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// IPIPMode is mode for CALICO_IPV4POOL_IPIP
 	IPIPMode string `json:"ipipMode,omitempty"`
 	// TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
@@ -119,6 +122,9 @@ type CanalNetworkingSpec struct {
 	// DisableFlannelForwardRules configures Flannel to NOT add the
 	// default ACCEPT traffic rules to the iptables FORWARD chain
 	DisableFlannelForwardRules bool `json:"disableFlannelForwardRules,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// LogSeveritySys the severity to set for logs which are sent to syslog
 	// Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE)
 	LogSeveritySys string `json:"logSeveritySys,omitempty"`

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
@@ -94,6 +94,9 @@ type CalicoNetworkingSpec struct {
 	PrometheusProcessMetricsEnabled bool `json:"prometheusProcessMetricsEnabled,omitempty"`
 	// MajorVersion is the version of Calico to use
 	MajorVersion string `json:"majorVersion,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// IPIPMode is mode for CALICO_IPV4POOL_IPIP
 	IPIPMode string `json:"ipipMode,omitempty"`
 	// TyphaPrometheusMetricsEnabled enables Prometheus metrics collection from Typha
@@ -119,6 +122,9 @@ type CanalNetworkingSpec struct {
 	// DisableFlannelForwardRules configures Flannel to NOT add the
 	// default ACCEPT traffic rules to the iptables FORWARD chain
 	DisableFlannelForwardRules bool `json:"disableFlannelForwardRules,omitempty"`
+	// IptablesBackend controls which variant of iptables binary Felix uses
+	// Default: Legacy (other options: NFT)
+	IptablesBackend string `json:"iptablesBackend,omitempty"`
 	// LogSeveritySys the severity to set for logs which are sent to syslog
 	// Default: INFO (other options: DEBUG, WARNING, ERROR, CRITICAL, NONE)
 	LogSeveritySys string `json:"logSeveritySys,omitempty"`

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
diff --git a/...models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template b/...models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template
@@ -721,6 +721,9 @@ spec:
                 configMapKeyRef:
                   name: canal-config
                   key: veth_mtu
+            # Set Felix iptables binary variant, Legacy or NFT
+            - name: FELIX_IPTABLESBACKEND
+              value: "{{- or .Networking.Canal.IptablesBackend "Legacy" }}"
             # Disable IPv6 on Kubernetes.
             - name: FELIX_IPV6SUPPORT
               value: "false"

diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template
@@ -819,6 +819,9 @@ spec:
               value: "true"
 
             # kops additions
+            # Set Felix iptables binary variant, Legacy or NFT
+            - name: FELIX_IPTABLESBACKEND
+              value: "{{- or .Networking.Calico.IptablesBackend "Legacy" }}"
             # Set to enable the experimental Prometheus metrics server
             - name: FELIX_PROMETHEUSMETRICSENABLED
               value: "{{- or .Networking.Calico.PrometheusMetricsEnabled "false" }}"

diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go
@@ -828,7 +828,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 			"k8s-1.6":     "2.6.9-kops.1",
 			"k8s-1.7":     "2.6.12-kops.1",
 			"k8s-1.7-v3":  "3.8.0-kops.2",
-			"k8s-1.12":    "3.9.3-kops.1",
+			"k8s-1.12":    "3.9.3-kops.2",
 		}
 
 		{
@@ -912,7 +912,7 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 			"k8s-1.8":     "2.6.7-kops.3",
 			"k8s-1.9":     "3.2.3-kops.1",
 			"k8s-1.12":    "3.7.4",
-			"k8s-1.15":    "3.10.1",
+			"k8s-1.15":    "3.10.1-kops.2",
 		}
 		{
 			id := "pre-k8s-1.6"