br-nf-call-iptables

kube-proxy log

I1125 13:54:33.015919   13645 proxier.go:322] missing br-netfilter module or unset sysctl br-nf-call-iptables; proxy may not work as intended

Current setting

# sysctl -a |grep "net.bridge.bridge-nf-call-iptables"
net.bridge.bridge-nf-call-iptables = 0

Documentation

Network Plugin Requirements

Besides providing the NetworkPlugin interface to configure and clean up pod networking, the plugin may also need specific support for kube-proxy. The iptables proxy obviously depends on iptables, and the plugin may need to ensure that container traffic is made available to iptables. For example, if the plugin connects containers to a Linux bridge, the plugin must set the net/bridge/bridge-nf-call-iptables sysctl to 1 to ensure that the iptables proxy functions correctly. If the plugin does not use a Linux bridge (but instead something like Open vSwitch or some other mechanism) it should ensure container traffic is appropriately routed for the proxy.

By default if no kubelet network plugin is specified, the noop plugin is used, which sets net/bridge/bridge-nf-call-iptables=1 to ensure simple configurations (like Docker with a bridge) work correctly with the iptables proxy.

ref:Network Plugin Requirements

Configuration management

The following settings are managed via puppet:

net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1

ref:ip forward
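An added check script (not from this wiki page or from the puppet manifest it mentions) that verifies the three sysctls above by reading their procfs files. A missing net/bridge entry is the "missing br-netfilter module" case from the kube-proxy log; the ROOT prefix argument is an assumption made so the function can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Settings the page says puppet manages, as key=expected pairs.
REQUIRED_SYSCTLS="net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1"

# sysctl_path ROOT KEY: map a dotted sysctl key to its procfs file under ROOT.
# net.bridge.bridge-nf-call-iptables -> ROOT/proc/sys/net/bridge/bridge-nf-call-iptables
sysctl_path() {
    printf '%s/proc/sys/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# check_sysctls ROOT: print one line per mismatch, return the mismatch count.
# An absent net/bridge file means br_netfilter is not loaded, so the sysctl
# cannot even be set until the module is (modprobe br_netfilter).
check_sysctls() {
    root="$1"; bad=0
    for kv in $REQUIRED_SYSCTLS; do
        key=${kv%%=*}; want=${kv#*=}
        file=$(sysctl_path "$root" "$key")
        if [ ! -r "$file" ]; then
            echo "MISSING $key (br_netfilter module not loaded?)"
            bad=$((bad + 1))
        elif [ "$(cat "$file")" != "$want" ]; then
            echo "WRONG   $key=$(cat "$file") expected $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# On a real node run with an empty ROOT so the real /proc/sys is read:
#   check_sysctls "" && echo "all kube-proxy bridge sysctls OK"
```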

Other

Possibly related to container rebuild failure?

Update 2018/11/27: Today I ran into a machine where the puppet sync had failed and br-nf-call-iptables was not set. calico-node reported "Error syncing pod", a container-network-unreachable alert fired (could not connect to coredns), and a dnsmasq alert fired (dnsmasq needs to listen on tunl0, and tunl0 disappeared once calico went down).

After fixing the puppet sync problem, all of the above alerts cleared.

02-工程实践/kubernetes/issue/br-nf-call-iptables.txt · Last modified: 2020/04/07 06:34 by annhe