support kube-proxy nftables (#12060)

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
2026-02-28 09:39:12 +03:00 · 2025-03-26 16:32:33 +08:00
parent e7c70d6169
commit 0f9f9fb569
8 changed files with 29 additions and 5 deletions
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -132,6 +132,15 @@
  tags:
    - kube-proxy

+- name: Modprobe Kernel Module for nftables
+  community.general.modprobe:
+    name: "nf_tables"
+    state: present
+    persistent: present
+  when: kube_proxy_mode == 'nftables'
+  tags:
+    - kube-proxy
+
 - name: Install kubelet
  import_tasks: kubelet.yml
  tags:
--- a/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0040-verify-settings.yml
@@ -202,13 +202,20 @@
    - dashboard_enabled
    - not ignore_assert_errors

- name: Stop if kernel version is too low
+- name: Stop if kernel version is too low for cilium
  assert:
    that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
  when:
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
    - not ignore_assert_errors

+- name: Stop if kernel version is too low for nftables
+  assert:
+    that: ansible_kernel.split('-')[0] is version('5.13', '>=')
+  when:
+    - kube_proxy_mode == 'nftables'
+    - not ignore_assert_errors
+
 - name: Stop if bad hostname
  assert:
    that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
@@ -314,7 +321,7 @@
    that:
      - kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni', 'none']
      - dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
-      - kube_proxy_mode in ['iptables', 'ipvs']
+      - kube_proxy_mode in ['iptables', 'ipvs', 'nftables']
      - cert_management in ['script', 'none']
      - resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
      - etcd_deployment_type in ['host', 'docker', 'kubeadm']
--- a/roles/kubernetes/preinstall/vars/main.yml
+++ b/roles/kubernetes/preinstall/vars/main.yml
@@ -52,6 +52,9 @@ pkgs:
  mergerfs:
    - "{{ ansible_distribution == 'Debian' }}"
    - "{{ ansible_distribution_major_version == '12' }}"
+  nftables:
+    - "{{ kube_proxy_mode == 'nftables' }}"
+    - "{{ 'k8s_cluster' in group_names }}"
  nss:
    - "{{ ansible_os_family == 'RedHat' }}"
  openssl: []