fix: ensure nf_conntrack module loaded for kube-proxy. #743
Commits on Oct 18, 2024
-
fix: ensure nf_conntrack module loaded for kube-proxy.
This patch ensures that the `nf_conntrack` kernel module is loaded before the `kube-proxy` service is started so it can read some necessary conntrack module-related params from procfs. Previously, although the `kube-proxy` service always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways `nf_conntrack` gets loaded transparently: * Cilium [automatically loads `iptable_nat`](https://github.com/cilium/cilium/blob/63cd391f93b4e2c865268241d384504348672042/pkg/datapath/iptables/iptables.go#L367-L368) after a small startup delay, whose dependency tree includes `nf_conntrack` * starting firewalld/ufw/most other firewall services * setting iptables/nftables rules which imply session tracking By explicitly loading `nf_conntrack` from the `kube-proxy` service wrapper directly, it should ensure the procfs values kube-proxy reads are always present on startup. Signed-off-by: Nashwan Azhari <[email protected]>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.