linkerd
feat(cni-plugin): add iptables binary fallback logic
The linkerd-cni plugin can be configured to use either iptables, iptables-legacy, or iptables-nft for a wide range of compatibility. However, when the configuration doesn't match the iptables executable on the host system, the linkerd-cni plugin will fail.
To make this more user friendly, we add a detection step which identifies which of the above executables are available on the system. If the configured executable is not available, we automatically fall back to one that is.
Additionally, cni plugin logs are only available through the kubelet, which can be difficult to access. To grant easier observability to the cni plugin, we additionally log to a file so that cni plugin logs are more easily accessible on the host node.
Sample log outputs:
time="2025-10-23T00:43:18Z" level=debug msg="iptables: using configured binaries" requestedBin=iptables-nft requestedSaveBin=iptables-nft-save
time="2025-10-23T00:45:39Z" level=warning msg="iptables: configured binaries not found; applying fallback to available binaries" fallbackBin=iptables fallbackSaveBin=iptables-save requestedBin=iptables-nft requestedSaveBin=iptables-nft-save
(tested by deleting iptables-nft off of the host node)
