support kube-proxy nftables (#12060)
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
@@ -25,7 +25,7 @@ Some variables of note include:
|
|||||||
* *calico_vxlan_mode* - Configures Calico vxlan encapsulation - valid values are 'Never', 'Always' and 'CrossSubnet' (default 'Always')
|
* *calico_vxlan_mode* - Configures Calico vxlan encapsulation - valid values are 'Never', 'Always' and 'CrossSubnet' (default 'Always')
|
||||||
* *calico_network_backend* - Configures Calico network backend - valid values are 'none', 'bird' and 'vxlan' (default 'vxlan')
|
* *calico_network_backend* - Configures Calico network backend - valid values are 'none', 'bird' and 'vxlan' (default 'vxlan')
|
||||||
* *kube_network_plugin* - Sets k8s network plugin (default Calico)
|
* *kube_network_plugin* - Sets k8s network plugin (default Calico)
|
||||||
* *kube_proxy_mode* - Changes k8s proxy mode to iptables mode
|
* *kube_proxy_mode* - Changes k8s proxy mode to iptables, ipvs, nftables mode
|
||||||
* *kube_version* - Specify a given Kubernetes version
|
* *kube_version* - Specify a given Kubernetes version
|
||||||
* *searchdomains* - Array of DNS domains to search when looking up hostnames
|
* *searchdomains* - Array of DNS domains to search when looking up hostnames
|
||||||
* *remove_default_searchdomains* - Boolean that removes the default searchdomain
|
* *remove_default_searchdomains* - Boolean that removes the default searchdomain
|
||||||
|
|||||||
@@ -118,7 +118,8 @@ kube_apiserver_ip: "{{ kube_service_subnets.split(',') | first | ansible.utils.i
|
|||||||
kube_apiserver_port: 6443 # (https)
|
kube_apiserver_port: 6443 # (https)
|
||||||
|
|
||||||
# Kube-proxy proxyMode configuration.
|
# Kube-proxy proxyMode configuration.
|
||||||
# Can be ipvs, iptables
|
# Can be ipvs, iptables, nftables
|
||||||
|
# TODO: it needs to be changed to nftables when the upstream use nftables as default
|
||||||
kube_proxy_mode: ipvs
|
kube_proxy_mode: ipvs
|
||||||
|
|
||||||
# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
|
# configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface
|
||||||
|
|||||||
@@ -132,6 +132,15 @@
|
|||||||
tags:
|
tags:
|
||||||
- kube-proxy
|
- kube-proxy
|
||||||
|
|
||||||
|
- name: Modprobe Kernel Module for nftables
|
||||||
|
community.general.modprobe:
|
||||||
|
name: "nf_tables"
|
||||||
|
state: present
|
||||||
|
persistent: present
|
||||||
|
when: kube_proxy_mode == 'nftables'
|
||||||
|
tags:
|
||||||
|
- kube-proxy
|
||||||
|
|
||||||
- name: Install kubelet
|
- name: Install kubelet
|
||||||
import_tasks: kubelet.yml
|
import_tasks: kubelet.yml
|
||||||
tags:
|
tags:
|
||||||
|
|||||||
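Review bot: `persistent: present` on `community.general.modprobe` is a fairly recent option (added in community.general 7.x, as far as I recall); with an older pinned collection the new task fails with an unsupported-parameter error on every host where `kube_proxy_mode == 'nftables'`, so the collection minimum in requirements should be confirmed, or the `/etc/modules-load.d/` entry written with `copy` the way the ipvs modules presumably are. The task also deserves a why-comment, since the 5.13 kernel assert in preinstall does not prove `nf_tables` is built or loadable on minimal cloud kernels and this is where that surfaces: `# kube-proxy's nft calls need nf_tables; fail early and keep it loaded across reboots`. The kernel normally autoloads nf_tables on first netlink use, so the explicit modprobe is belt-and-braces rather than a functional requirement. The surrounding task list continues outside the hunk.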
@@ -202,13 +202,20 @@
|
|||||||
- dashboard_enabled
|
- dashboard_enabled
|
||||||
- not ignore_assert_errors
|
- not ignore_assert_errors
|
||||||
|
|
||||||
- name: Stop if kernel version is too low
|
- name: Stop if kernel version is too low for cilium
|
||||||
assert:
|
assert:
|
||||||
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
|
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
|
||||||
when:
|
when:
|
||||||
- kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
|
- kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
|
||||||
- not ignore_assert_errors
|
- not ignore_assert_errors
|
||||||
|
|
||||||
|
- name: Stop if kernel version is too low for nftables
|
||||||
|
assert:
|
||||||
|
that: ansible_kernel.split('-')[0] is version('5.13', '>=')
|
||||||
|
when:
|
||||||
|
- kube_proxy_mode == 'nftables'
|
||||||
|
- not ignore_assert_errors
|
||||||
|
|
||||||
- name: Stop if bad hostname
|
- name: Stop if bad hostname
|
||||||
assert:
|
assert:
|
||||||
that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
|
that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
|
||||||
@@ -314,7 +321,7 @@
|
|||||||
that:
|
that:
|
||||||
- kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni', 'none']
|
- kube_network_plugin in ['calico', 'flannel', 'weave', 'cloud', 'cilium', 'cni', 'kube-ovn', 'kube-router', 'macvlan', 'custom_cni', 'none']
|
||||||
- dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
|
- dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
|
||||||
- kube_proxy_mode in ['iptables', 'ipvs']
|
- kube_proxy_mode in ['iptables', 'ipvs', 'nftables']
|
||||||
- cert_management in ['script', 'none']
|
- cert_management in ['script', 'none']
|
||||||
- resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
|
- resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
|
||||||
- etcd_deployment_type in ['host', 'docker', 'kubeadm']
|
- etcd_deployment_type in ['host', 'docker', 'kubeadm']
|
||||||
|
|||||||
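Review bot: The kernel-version assert added in the first hunk of this file gates on the host kernel only; nothing checks that the Kubernetes release being deployed supports nftables proxy mode, which (to my recollection) sits behind the `NFTablesProxyMode` feature gate before v1.31, so on an older `kube_version` kube-proxy fails at startup instead of at preinstall. If the supported `kube_version` range still includes such releases, add `- kube_version | regex_replace('^v', '') is version('1.31', '>=')` to the `that` list under the same `when`, or require the feature gate. A `fail_msg` such as `fail_msg: "kube_proxy_mode=nftables requires kernel >= 5.13, found {{ ansible_kernel }}"` would make the failure self-explanatory, since `that` alone only prints the expression. As with the cilium check, `ignore_assert_errors` skips the test entirely rather than downgrading it to a warning, which is worth a line in the docs for this variable.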
@@ -52,6 +52,9 @@ pkgs:
|
|||||||
mergerfs:
|
mergerfs:
|
||||||
- "{{ ansible_distribution == 'Debian' }}"
|
- "{{ ansible_distribution == 'Debian' }}"
|
||||||
- "{{ ansible_distribution_major_version == '12' }}"
|
- "{{ ansible_distribution_major_version == '12' }}"
|
||||||
|
nftables:
|
||||||
|
- "{{ kube_proxy_mode == 'nftables' }}"
|
||||||
|
- "{{ 'k8s_cluster' in group_names }}"
|
||||||
nss:
|
nss:
|
||||||
- "{{ ansible_os_family == 'RedHat' }}"
|
- "{{ ansible_os_family == 'RedHat' }}"
|
||||||
openssl: []
|
openssl: []
|
||||||
|
|||||||
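Review bot: Installing the host `nftables` package on every `k8s_cluster` node also brings the distro's `nftables.service`, whose stock `/etc/nftables.conf` typically begins with `flush ruleset`; on distributions that enable that unit by package default, or if an operator later starts it, a (re)start wipes the `kube-proxy` table together with any iptables-nft rules until the next resync, so the role should either ensure the unit is disabled/masked or document the interaction. Note also that kube-proxy in nftables mode drives `nft` from inside its own image, so the host package is mainly for operators and cleanup rather than for the proxy itself, which is worth a comment on the entry: `# host nft CLI for debugging/reset; kube-proxy ships its own nft`. The service behaviour is inferred from distro packaging rather than from the hunk, so confirm it on the supported OS set.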
@@ -10,6 +10,8 @@ dashboard_enabled: true
|
|||||||
loadbalancer_apiserver_type: haproxy
|
loadbalancer_apiserver_type: haproxy
|
||||||
local_path_provisioner_enabled: true
|
local_path_provisioner_enabled: true
|
||||||
|
|
||||||
|
kube_proxy_mode: nftables
|
||||||
|
|
||||||
# NTP mangement
|
# NTP mangement
|
||||||
ntp_enabled: true
|
ntp_enabled: true
|
||||||
ntp_timezone: Etc/UTC
|
ntp_timezone: Etc/UTC
|
||||||
|
|||||||
@@ -1,3 +1,5 @@
|
|||||||
---
|
---
|
||||||
# Instance settings
|
# Instance settings
|
||||||
cloud_image: opensuse-leap-15-6
|
cloud_image: opensuse-leap-15-6
|
||||||
|
|
||||||
|
kube_proxy_mode: nftables
|
||||||
|
|||||||
@@ -8,7 +8,7 @@ vm_memory: 1800
|
|||||||
auto_renew_certificates: true
|
auto_renew_certificates: true
|
||||||
|
|
||||||
# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
|
# Currently ipvs not available on KVM: https://packages.ubuntu.com/search?suite=noble&arch=amd64&mode=exactfilename&searchon=contents&keywords=ip_vs_sh.ko
|
||||||
kube_proxy_mode: iptables
|
kube_proxy_mode: nftables
|
||||||
enable_nodelocaldns: false
|
enable_nodelocaldns: false
|
||||||
|
|
||||||
containerd_registries:
|
containerd_registries:
|
||||||
|
|||||||
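Review bot: The comment above `kube_proxy_mode` still only explains why ipvs is unavailable on the KVM kernel flavour; now that the value is `nftables`, it should also say that `nf_tables` was confirmed present in that same `linux-kvm` module set, because the new `Modprobe Kernel Module for nftables` task will fail on this image otherwise. Something like `# ipvs unavailable on the KVM kernel (see link); nftables used because nf_tables is available there` keeps the justification accurate. If that was not checked, this CI job is where it would surface.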