Stage iptables binaries in a sepparate component

Signed-off-by: Juan-Luis de Sousa-Valadas Castaño <[email protected]>

cmd/worker/worker.go

@@ -28,6 +28,7 @@ import (
 	k0slog "github.com/k0sproject/k0s/internal/pkg/log"
 	"github.com/k0sproject/k0s/internal/pkg/sysinfo"
 	"github.com/k0sproject/k0s/pkg/build"
+	"github.com/k0sproject/k0s/pkg/component/iptables"
 	"github.com/k0sproject/k0s/pkg/component/manager"
 	"github.com/k0sproject/k0s/pkg/component/prober"
 	"github.com/k0sproject/k0s/pkg/component/status"
@@ -147,7 +148,11 @@ func (c *Command) Start(ctx context.Context) error {
 		c.WorkerProfile = "default-windows"
 	}
 
-	componentManager.Add(ctx, &worker.Kubelet{
+	iptablesComponent := &iptables.IPTables{
+		IPTablesMode: c.WorkerOptions.IPTablesMode,
+	}
+
+	kubeletComponent := &worker.Kubelet{
 		CRISocket:           c.CriSocket,
 		EnableCloudProvider: c.CloudProvider,
 		K0sVars:             c.K0sVars,
@@ -158,9 +163,11 @@ func (c *Command) Start(ctx context.Context) error {
 		Labels:              c.Labels,
 		Taints:              c.Taints,
 		ExtraArgs:           c.KubeletExtraArgs,
-		IPTablesMode:        c.WorkerOptions.IPTablesMode,
 		DualStackEnabled:    workerConfig.DualStackEnabled,
-	})
+	}
+
+	componentManager.Add(ctx, iptablesComponent)
+	componentManager.Add(ctx, kubeletComponent)
 
 	certManager := worker.NewCertificateManager(kubeletKubeconfigPath)
 
@@ -196,6 +203,9 @@ func (c *Command) Start(ctx context.Context) error {
 	}
 
 	worker.KernelSetup()
+
+	kubeletComponent.IPTablesMode = iptablesComponent.IPTablesMode
+
 	err = componentManager.Start(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to start worker components: %w", err)

internal/pkg/iptablesutils/iptables.go → pkg/component/iptables/iptables.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022 k0s authors
+Copyright 2024 k0s authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,10 +14,11 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package iptablesutils
+package iptables
 
 import (
 	"bufio"
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -27,6 +28,7 @@ import (
 	"strings"
 
 	"github.com/k0sproject/k0s/pkg/assets"
+	"github.com/k0sproject/k0s/pkg/config"
 	"github.com/k0sproject/k0s/pkg/constant"
 	"github.com/sirupsen/logrus"
 )
@@ -36,6 +38,28 @@ const (
 	ModeLegacy = "legacy"
 )
 
+type IPTables struct {
+	K0sVars      *config.CfgVars
+	IPTablesMode string
+}
+
+func (i *IPTables) Init(_ context.Context) error {
+	err, iptablesMode := ExtractIPTablesBinaries(i.K0sVars.BinDir, i.IPTablesMode)
+	if err != nil {
+		return err
+	}
+	i.IPTablesMode = iptablesMode
+	return nil
+}
+
+func (s *IPTables) Start(_ context.Context) error {
+	return nil
+}
+
+func (s *IPTables) Stop() error {
+	return nil
+}
+
 // ExtractIPTablesBinaries extracts the iptables binaries from the k0s binary and makes the symlinks
 // to the backend detected by DetectHostIPTablesMode.
 // ExtractIPTablesBinaries only works on linux, if called in another OS it will return an error.

internal/pkg/iptablesutils/iptables_test.go → pkg/component/iptables/iptables_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2022 k0s authors
+Copyright 2024 k0s authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package iptablesutils_test
+package iptables_test
 
 import (
 	"fmt"
@@ -26,7 +26,7 @@ import (
 	"testing"
 
 	"github.com/k0sproject/k0s/internal/pkg/file"
-	"github.com/k0sproject/k0s/internal/pkg/iptablesutils"
+	"github.com/k0sproject/k0s/pkg/component/iptables"
 
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -64,7 +64,7 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 	t.Run("iptables_not_found", func(t *testing.T) {
 		binDir := t.TempDir()
 
-		_, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		_, err := iptables.DetectHostIPTablesMode(binDir)
 
 		var execErr *exec.Error
 		require.ErrorAs(t, err, &execErr)
@@ -79,9 +79,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 			strings.Repeat("echo KUBE-IPTABLES-HINT\n", 1),
 		)
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeNFT, mode)
+		assert.Equal(t, iptables.ModeNFT, mode)
 	})
 
 	t.Run("xtables_legacy", func(t *testing.T) {
@@ -91,9 +91,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 			strings.Repeat("echo KUBE-IPTABLES-HINT\n", 1),
 		)
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeLegacy, mode)
+		assert.Equal(t, iptables.ModeLegacy, mode)
 	})
 
 	t.Run("xtables_nft_over_legacy", func(t *testing.T) {
@@ -108,9 +108,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 			strings.Repeat("echo KUBE-IPTABLES-HINT\n", 3),
 		)
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeNFT, mode)
+		assert.Equal(t, iptables.ModeNFT, mode)
 	})
 
 	t.Run("xtables_legacy_over_nft_more_entries", func(t *testing.T) {
@@ -124,9 +124,9 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 			strings.Repeat("echo FOOBAR\n", 2),
 		)
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeLegacy, mode)
+		assert.Equal(t, iptables.ModeLegacy, mode)
 	})
 
 	t.Run("fallback_to_iptables_if_xtables_nft_over_legacy_more_entries", func(t *testing.T) {
@@ -140,7 +140,7 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 			strings.Repeat("echo FOOBAR\n", 1),
 		)
 
-		_, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		_, err := iptables.DetectHostIPTablesMode(binDir)
 		var execErr *exec.Error
 		require.ErrorAs(t, err, &execErr)
 		assert.Equal(t, "iptables", execErr.Name)
@@ -152,27 +152,27 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 		writeXtables(t, binDir, "nft", "exit 1", "exit 1")
 		writeXtables(t, binDir, "legacy", "exit 1", "echo KUBE-IPTABLES-HINT")
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeLegacy, mode)
+		assert.Equal(t, iptables.ModeLegacy, mode)
 	})
 
 	t.Run("xtables_legacy_fails", func(t *testing.T) {
 		binDir := t.TempDir()
 		writeXtables(t, binDir, "nft", "exit 1", "echo KUBE-IPTABLES-HINT")
 		writeXtables(t, binDir, "legacy", "exit 1", "exit 1")
 
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeNFT, mode)
+		assert.Equal(t, iptables.ModeNFT, mode)
 	})
 
 	t.Run("xtables_fails", func(t *testing.T) {
 		binDir := t.TempDir()
 		writeXtables(t, binDir, "nft", "exit 99", "exit 88")
 		writeXtables(t, binDir, "legacy", "exit 77", "exit 66")
 
-		_, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		_, err := iptables.DetectHostIPTablesMode(binDir)
 		var composite interface{ Unwrap() []error }
 		require.ErrorAs(t, err, &composite, "No wrapped errors")
 		errs := composite.Unwrap()
@@ -190,23 +190,23 @@ func TestDetectHostIPTablesMode(t *testing.T) {
 	writeXtables(t, binDir, "legacy", "", "")
 
 	t.Run("iptables_legacy", func(t *testing.T) {
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeLegacy, mode)
+		assert.Equal(t, iptables.ModeLegacy, mode)
 	})
 
 	writeScript(t, pathDir, "iptables", "echo foo-nf_tables-bar")
 
 	t.Run("iptables_nft", func(t *testing.T) {
-		mode, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		mode, err := iptables.DetectHostIPTablesMode(binDir)
 		require.NoError(t, err)
-		assert.Equal(t, iptablesutils.ModeNFT, mode)
+		assert.Equal(t, iptables.ModeNFT, mode)
 	})
 
 	writeScript(t, pathDir, "iptables", "exit 1")
 
 	t.Run("iptables_broken", func(t *testing.T) {
-		_, err := iptablesutils.DetectHostIPTablesMode(binDir)
+		_, err := iptables.DetectHostIPTablesMode(binDir)
 		var exitErr *exec.ExitError
 		require.ErrorAs(t, err, &exitErr)
 		assert.Equal(t, 1, exitErr.ExitCode())

pkg/component/worker/kubelet.go

@@ -30,7 +30,6 @@ import (
 	"github.com/k0sproject/k0s/internal/pkg/dir"
 	"github.com/k0sproject/k0s/internal/pkg/file"
 	"github.com/k0sproject/k0s/internal/pkg/flags"
-	"github.com/k0sproject/k0s/internal/pkg/iptablesutils"
 	"github.com/k0sproject/k0s/internal/pkg/stringmap"
 	"github.com/k0sproject/k0s/pkg/assets"
 	"github.com/k0sproject/k0s/pkg/component/manager"
@@ -81,11 +80,6 @@ func (k *Kubelet) Init(_ context.Context) error {
 		if err := assets.Stage(k.K0sVars.BinDir, "kubelet", constant.BinDirMode); err != nil {
 			return err
 		}
-		err, iptablesMode := iptablesutils.ExtractIPTablesBinaries(k.K0sVars.BinDir, k.IPTablesMode)
-		if err != nil {
-			return err
-		}
-		k.IPTablesMode = iptablesMode
 	}
 
 	k.dataDir = filepath.Join(k.K0sVars.DataDir, "kubelet")

pkg/constant/constant.go

@@ -110,6 +110,7 @@ const (
 	CoreDNSComponentname               = "coredns"
 	CsrApproverComponentName           = "csr-approver"
 	HelmComponentName                  = "helm"
+	IptablesBinariesComponentName      = "iptables-binaries"
 	KonnectivityServerComponentName    = "konnectivity-server"
 	KubeControllerManagerComponentName = "kube-controller-manager"
 	KubeProxyComponentName             = "kube-proxy"