mirror of
https://github.com/siderolabs/talos.git
synced 2025-12-04 09:01:14 +01:00
ff2c427b04
In Talos, kubelet (and kube-proxy) images use `iptables-wrapper` script
to detect which version of `iptables` (legacy or NFT) to use.
The script assumes that `kubelet` runs on the host, and uses whatever
version of `iptables` which is being used by the host. In Talos,
`kubelet` runs in a container which has same `iptables-wrapper` script,
and it defaults to `legacy` mode in our case.
We can't check the `kubelet` image, as it would affect all Talos
version, so instead pre-create the chains/tables in `nftables` so that
kubelet will pick up `nft` version of `iptables`, and `kube-proxy` will
do the same.
Without this fix, the problem arises from the mix of `nft` used by Talos
for the firewall and Kubernetes world relying on `legacy` (`xtables`).
Fixes https://github.com/siderolabs/kubelet/issues/77
See e139a11535/iptables-wrapper-installer.sh (L102-L130)
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>