Nftables be liberal with TCP #3588
Conversation
/assign @BenTheElder @danwinship
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aojea, BenTheElder The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/hold
The TL;DR is that if we don't set this kernel sysctl, there is a bug that will reset connections, and there is a regression test that keeps failing
https://testgrid.k8s.io/sig-network-kind#sig-network-kind,%20nftables,%20master
In theory new kernels 6.1 torvalds/linux@6e250dcbff1d have this bug fixed, but CI runs with 5.15 and a lot of people use old kernels.
The flag is not set to true by default because we have decided that kube-proxy should not be managing the host kernel stack and more reasons explained in kubernetes/kubernetes#117924
KIND always tries to bring sane defaults and has tighter control of the environment, so we always set tcpBeLiberal to true if kube-proxy uses nftables and is not rootless
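A small defender-side check, added here and not part of the kind project's code, that encodes the conditions from the comment above: a node running kube-proxy in nftables mode, not rootless, on a kernel older than 6.1 with `net.netfilter.nf_conntrack_tcp_be_liberal=0` is exposed to the spurious resets described. The 6.1 cutoff is taken from the comment, the sysctl name is the kernel knob behind kube-proxy's `tcpBeLiberal`, and the `node_status` helper assumes docker and a kind node container name such as `kind-control-plane`.

```shell
# Added example (not kind's own code): classify a node's exposure to the
# conntrack TCP reset bug discussed in this PR.
# Inputs: kube-proxy mode, rootless (true/false), kernel release, and the
# current value of net.netfilter.nf_conntrack_tcp_be_liberal (0 or 1).
# The "fixed in 6.1" cutoff is taken from the comment above, not verified here.

# kernel_at_least_6_1 "5.15.0-91-generic" -> false; "6.1.55" -> true
kernel_at_least_6_1() {
  major="${1%%.*}"
  rest="${1#*.}"
  [ "$rest" = "$1" ] && rest=0          # no dot at all: treat minor as 0
  minor="${rest%%[!0-9]*}"
  [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 1 ]; }
}

# Prints one of: not-applicable, mitigated, fixed-kernel, AT-RISK
tcp_be_liberal_status() {
  mode="$1"; rootless="$2"; kernel="$3"; liberal="$4"
  if [ "$mode" != "nftables" ] || [ "$rootless" = "true" ]; then
    echo not-applicable      # kind only forces the sysctl for rootful nftables
  elif [ "$liberal" = "1" ]; then
    echo mitigated           # conntrack accepts out-of-window segments
  elif kernel_at_least_6_1 "$kernel"; then
    echo fixed-kernel        # bug fixed upstream, sysctl no longer needed
  else
    echo AT-RISK             # old kernel + strict conntrack -> spurious RSTs
  fi
}

# Read the live values from a kind node container (assumes docker and a node
# name such as kind-control-plane) and classify it.
node_status() {
  node="$1"; mode="$2"; rootless="$3"
  kernel="$(docker exec "$node" uname -r)"
  liberal="$(docker exec "$node" cat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal)"
  tcp_be_liberal_status "$mode" "$rootless" "$kernel" "$liberal"
}
```

Run `node_status kind-control-plane nftables false` against a live cluster; an `AT-RISK` result means the sysctl did not take effect on that node.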