# k3s
c
yes. it will use iptables (nftables) or iptables-legacy depending on how the system is configured. the nft backend is preferred.
q
Currently my system is using the iptables-legacy, but I'd like to use nftables. If I uninstall iptables-legacy and restart k3s, should I expect things should just work? Or is there a step during the installation that makes that determination?
c
I would probably recommend restarting the whole node after switching. You could poke around and try to make sure you get all the existing rules flushed but a reboot is probably cleaner.
stop k3s, uninstall iptables-legacy, restart
q
Sure, that makes sense. So a reboot to flush out all the rules, etc. But once the binary starts, then it will detect that only `nft` is available and make use of that, correct?
c
q
Is this bundled with the binary?
c
yes
that’s only used if you don’t have the `iptables` command somewhere that k3s can find it though; by default it’ll prefer iptables out of your $PATH
If it can’t find any iptables binary, it’ll run that script and set up symlinks to the correct bundled iptables-nft/iptables-legacy binary
q
So does that mean that iptables is still used? Not sure I understand the dependency on the `iptables` command.
c
kubernetes doesn’t talk directly to the kernel to manage iptables rules. the kubelet, kube-proxy, kube-router, and so on all generate rulesets and then load them into the kernel by running the `iptables` binary.
q
So in this case, if legacy is uninstalled, then `which iptables` will point to `iptables-nft` to use nftables as the frontend to loading rulesets, correct? I expect to be going to this over the next week.
c
the iptables command is still used. that doesn’t mean that legacy iptables kernel module is used. the iptables command functions identically regardless of whether it uses the legacy ipt modules, or the new nft modules.
q
Right, so this is using the shim. Makes sense.
c
you can tell k3s to use its bundled iptables binaries instead of your host binaries with the --prefer-bundled-bin flag. Some distros have old broken iptables, but people can’t just uninstall them for reasons.
q
I have a hack project that starts later this week to read nftables counters and expose them as prometheus metrics. So my real goal is to use nftables under the hood.
For some reason when I set up the cluster I also installed networkmanager to configure the network, which requires iptables, so I'll need to figure out how to remove that also. I never learned how to configure the network from systemd, so I suppose now is the time.