Any consideration to use nftables in 1.39+?
Hi Bottlerocket community. As k8s 1.33 now supports nftables, are there any considerations or special configuration to do to get that change? Thank you.
Sorry for posting an issue about it, but I did not get a response in this discussion.
Thank you
Related https://github.com/aws/containers-roadmap/issues/2313
Hey @AhmadMS1988, thanks for opening this issue - which we will treat as a feature request!
Currently, there isn't an approach that exists on Bottlerocket to enable nftables at this time.
There are two aspects to this:
- Whether kube-proxy is using its "nftables" mode
- Whether the host OS has the right tools to inspect (and to avoid corrupting) network filter state
The first can be done today by changing the kube-proxy configuration. For example, with the EKS kube-proxy add-on, you can add this to "advanced configuration":
{
"mode": "nftables"
}
I don't know whether this mode is fully supported, or not.
For the second, I've opened https://github.com/bottlerocket-os/bottlerocket-core-kit/pull/549 to package the correct tools for the host. Not sure if these will be added to *-k8s-1.33 or if they'll first appear in *-k8s-1.34 later this year; it'll depend on the official support story.
In the meantime, if you do end up using kube-proxy in "nftables" mode, you'll want to avoid also running iptables on the host. The host doesn't run iptables at all (with one exception) but host/bootstrap containers could run it.
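As an added example (not code from the Bottlerocket project or from the commenter above), here is a node-side audit for the two aspects just described: it checks whether kube-proxy's nftables-mode tables exist and which backend the host's iptables binary speaks, so legacy iptables is not run alongside nftables-mode kube-proxy. It assumes kube-proxy names its tables "kube-proxy" in the ip and ip6 families, and uses constructed sample output when `nft` or `iptables` are not available.

```shell
#!/bin/sh
# Added example: audit a node for nftables-mode kube-proxy coexisting with
# legacy iptables. Live command output is used when the tools exist;
# otherwise the constructed samples below stand in so it runs offline.

# Constructed sample of `nft list tables` with kube-proxy in nftables mode.
# Table name "kube-proxy" in the ip/ip6 families is assumed to be kube-proxy's.
SAMPLE_NFT_TABLES='table ip kube-proxy
table ip6 kube-proxy
table inet filter'
# Constructed sample of `iptables --version` from an nf_tables-backed build.
SAMPLE_IPT_VERSION='iptables v1.8.9 (nf_tables)'

# $1: `nft list tables` output -> number of kube-proxy tables found.
kube_proxy_nft_tables() {
    printf '%s\n' "$1" | grep -c -E '^table ip6? kube-proxy$' || true
}

# $1: `iptables --version` output -> "nf_tables", "legacy" or "unknown".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# $1: nft table listing, $2: iptables version string. Prints a verdict and
# returns 1 when nftables-mode kube-proxy shares the node with legacy iptables
# (or an iptables binary whose backend cannot be determined).
assess_backends() {
    n=$(kube_proxy_nft_tables "$1")
    backend=$(iptables_backend "$2")
    if [ "$n" -eq 0 ]; then
        echo "INFO: no kube-proxy nftables tables; kube-proxy is not in nftables mode"
        return 0
    fi
    case "$backend" in
        nf_tables) echo "OK: $n kube-proxy nftables table(s); host iptables uses nf_tables"; return 0 ;;
        legacy)    echo "WARN: $n kube-proxy nftables table(s) but host iptables is legacy (xtables)"; return 1 ;;
        *)         echo "WARN: $n kube-proxy nftables table(s); iptables backend unknown, audit host/bootstrap containers"; return 1 ;;
    esac
}

main() {
    nft_out=$(nft list tables 2>/dev/null) || nft_out=$SAMPLE_NFT_TABLES
    ipt_ver=$(iptables --version 2>/dev/null) || ipt_ver=$SAMPLE_IPT_VERSION
    assess_backends "$nft_out" "$ipt_ver"
}
main "$@"
```

Run it inside a host or bootstrap container that can see the node's netfilter state; a non-zero exit means that container (or another one) should not be using legacy iptables while kube-proxy is in nftables mode.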
@bcressey would it be possible to have a status update on this? Are we expecting the K8s 1.34 images to use nftables as the iptables backend?
Hey @stevehipwell , this feature is tentatively planned for the k8s-1.34 variant release, which can be tracked here: https://github.com/bottlerocket-os/bottlerocket/issues/4620
@koooosh it looks like this issue can be closed now since v1.47.0 has been released with nftables support for EKS 1.34+.