Merge pull request #4934 from jnummelin/feat/kube-proxy-nft

inttest/Makefile

@@ -113,6 +113,16 @@ check-network-conformance-calico: TIMEOUT=15m
 check-network-conformance-calico: export K0S_NETWORK_CONFORMANCE_CNI=calico
 check-network-conformance-calico: TEST_PACKAGE=network-conformance
 
+check-network-conformance-kuberouter-nft: TIMEOUT=15m
+check-network-conformance-kuberouter-nft: export K0S_NETWORK_CONFORMANCE_CNI=kuberouter
+check-network-conformance-kuberouter-nft: export K0S_NETWORK_CONFORMANCE_PROXY_MODE=nftables
+check-network-conformance-kuberouter-nft: TEST_PACKAGE=network-conformance
+check-network-conformance-calico-nft: TIMEOUT=15m
+check-network-conformance-calico-nft: export K0S_NETWORK_CONFORMANCE_CNI=calico
+check-network-conformance-calico-nft: export K0S_NETWORK_CONFORMANCE_PROXY_MODE=nftables
+check-network-conformance-calico-nft: TEST_PACKAGE=network-conformance
+
+
 check-metricsscraper-singlenode: export K0S_SINGLENODE=1
 check-metricsscraper-singlenode: TEST_PACKAGE=metricsscraper
 

inttest/Makefile.variables

@@ -52,7 +52,9 @@ smoketests := \
 	check-metricsscraper-singlenode \
 	check-multicontroller \
 	check-network-conformance-calico \
+	check-network-conformance-calico-nft \
 	check-network-conformance-kuberouter \
+	check-network-conformance-kuberouter-nft \
 	check-nllb \
 	check-noderole \
 	check-noderole-no-taints \

inttest/network-conformance/network_test.go

@@ -32,7 +32,10 @@ import (
 	"golang.org/x/sync/errgroup"
 )
 
-const defaultCNI = "kuberouter"
+const (
+	defaultCNI       = "kuberouter"
+	defaultProxyMode = "iptables"
+)
 
 type networkSuite struct {
 	common.BootlooseSuite
@@ -44,9 +47,15 @@ func (s *networkSuite) TestK0sGetsUp() {
 	if cni == "" {
 		cni = defaultCNI
 	}
+	// Which kube-proxy mode to test: iptables, ipvs, userspace, nft. Default: iptables
+	proxyMode := os.Getenv("K0S_NETWORK_CONFORMANCE_PROXY_MODE")
+	if proxyMode == "" {
+		proxyMode = defaultProxyMode
+	}
+
 	s.T().Logf("Run conformance tests for CNI: %s", cni)
 
-	s.PutFile(s.ControllerNode(0), "/tmp/k0s.yaml", fmt.Sprintf(k0sConfig, cni))
+	s.PutFile(s.ControllerNode(0), "/tmp/k0s.yaml", fmt.Sprintf(k0sConfig, cni, proxyMode))
 	s.Require().NoError(s.InitController(0, "--config=/tmp/k0s.yaml", "--disable-components=metrics-server"))
 	s.Require().NoError(s.RunWorkers())
 
@@ -153,4 +162,6 @@ const k0sConfig = `
 spec:
   network:
     provider: %s
+    kubeProxy:
+      mode: %s
 `

pkg/apis/k0s/v1beta1/kubeproxy.go

@@ -28,15 +28,19 @@ const (
 	ModeIptables  = "iptables"
 	ModeIPVS      = "ipvs"
 	ModeUSerspace = "userspace"
+	ModeNFT       = "nftables"
 )
 
 // KubeProxy defines the configuration for kube-proxy
 type KubeProxy struct {
-	Disabled           bool                           `json:"disabled,omitempty"`
+	Disabled bool `json:"disabled,omitempty"`
+	// Mode defines the kube-proxy mode. Supported values are "iptables", "ipvs", "userspace" and "nft"
+	// Defaults to "iptables"
 	Mode               string                         `json:"mode,omitempty"`
 	MetricsBindAddress string                         `json:"metricsBindAddress,omitempty"`
 	IPTables           KubeProxyIPTablesConfiguration `json:"iptables,omitempty"`
 	IPVS               KubeProxyIPVSConfiguration     `json:"ipvs,omitempty"`
+	NFTables           KubeProxyNFTablesConfiguration `json:"nftables,omitempty"`
 	NodePortAddresses  []string                       `json:"nodePortAddresses,omitempty"`
 }
 
@@ -63,10 +67,19 @@ type KubeProxyIPVSConfiguration struct {
 	UDPTimeout    metav1.Duration `json:"udpTimeout,omitempty"`
 }
 
+// KubeProxyNFTablesConfiguration contains nftables-related kube-proxy configuration
+// @see https://github.com/kubernetes/kube-proxy/blob/v0.31.0/config/v1alpha1/types.go#L82-L97
+type KubeProxyNFTablesConfiguration struct {
+	SyncPeriod    metav1.Duration `json:"syncPeriod,omitempty"`
+	MasqueradeBit *int32          `json:"masqueradeBit,omitempty"`
+	MasqueradeAll bool            `json:"masqueradeAll,omitempty"`
+	MinSyncPeriod metav1.Duration `json:"minSyncPeriod,omitempty"`
+}
+
 // DefaultKubeProxy creates the default config for kube-proxy
 func DefaultKubeProxy() *KubeProxy {
 	return &KubeProxy{
-		Mode:               "iptables",
+		Mode:               ModeIptables,
 		MetricsBindAddress: "0.0.0.0:10249",
 	}
 }
@@ -77,7 +90,7 @@ func (k *KubeProxy) Validate() []error {
 		return nil
 	}
 	var errors []error
-	if k.Mode != "iptables" && k.Mode != "ipvs" && k.Mode != "userspace" {
+	if k.Mode != ModeIptables && k.Mode != ModeIPVS && k.Mode != ModeUSerspace && k.Mode != ModeNFT {
 		errors = append(errors, fmt.Errorf("unsupported mode %s for kubeProxy config", k.Mode))
 	}
 	return errors

pkg/component/controller/kubeproxy.go

@@ -162,6 +162,12 @@ func (k *KubeProxy) getConfig(clusterConfig *v1beta1.ClusterConfig) (proxyConfig
 	}
 	cfg.IPVS = string(ipvs)
 
+	nftables, err := json.Marshal(clusterConfig.Spec.Network.KubeProxy.NFTables)
+	if err != nil {
+		return proxyConfig{}, err
+	}
+	cfg.NFTables = string(nftables)
+
 	return cfg, nil
 }
 
@@ -175,6 +181,7 @@ type proxyConfig struct {
 	MetricsBindAddress   string
 	IPTables             string
 	IPVS                 string
+	NFTables             string
 	FeatureGates         map[string]bool
 	NodePortAddresses    string
 }
@@ -287,6 +294,7 @@ data:
     hostnameOverride: ""
     iptables: {{ .IPTables }}
     ipvs: {{ .IPVS }}
+    nftables: {{ .NFTables }}
     kind: KubeProxyConfiguration
     metricsBindAddress: {{ .MetricsBindAddress }}
     nodePortAddresses: {{ .NodePortAddresses }}

static/_crds/k0s/k0s.k0sproject.io_clusterconfigs.yaml

@@ -697,7 +697,25 @@ spec:
                       metricsBindAddress:
                         type: string
                       mode:
+                        description: |-
+                          Mode defines the kube-proxy mode. Supported values are "iptables", "ipvs", "userspace" and "nft"
+                          Defaults to "iptables"
                         type: string
+                      nftables:
+                        description: |-
+                          KubeProxyNFTablesConfiguration contains nftables-related kube-proxy configuration
+                          @see https://github.com/kubernetes/kube-proxy/blob/v0.31.0/config/v1alpha1/types.go#L82-L97
+                        properties:
+                          masqueradeAll:
+                            type: boolean
+                          masqueradeBit:
+                            format: int32
+                            type: integer
+                          minSyncPeriod:
+                            type: string
+                          syncPeriod:
+                            type: string
+                        type: object
                       nodePortAddresses:
                         items:
                           type: string