3

I am following this guide to installing kubernetes with kubeadm, and as part of the installation process, I need to set the following kernel parameters in sysctl.d/99-kubernetes-cni.conf:

net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1

I know that these belong to the br_netfilter module, since I can only see them with sysctl -a after loading this module.

But what are they all about? Are they really necessary for running kubernetes?

YoavKlein
  • 312
  • 2
  • 10

2 Answers

2

These parameters determine whether packets crossing a bridge are sent to iptables for processing. Most Kubernetes CNIs rely on iptables, so this is usually necessary for Kubernetes.

The in-kernel default is to enable these settings, but many distributions disable them (see the previous link for details).

Stephen Kitt
  • 411,918
  • 54
  • 1,065
  • 1,164
  • thanks for the answer. This article actually says that this is usually not a desirable configuration. Can you explain why it is needed in the context of kubernetes? – YoavKlein Oct 07 '22 at 07:29
  • Most CNIs rely on `iptables` rules for at least some of their packet processing, and because they handle the container network, they need to handle bridged packets. If bridged packets aren’t sent through `iptables`, they aren’t processed as expected by the CNI. – Stephen Kitt Oct 07 '22 at 10:25
  • By "bridged packets" you mean packets that go from one interface on the bridge to another interface on the bridge, or even from an interface on the bridge to outside of the system (or the other way around)? – YoavKlein Oct 07 '22 at 12:26
  • Yes, that’s right. – Stephen Kitt Oct 07 '22 at 14:14
  • That wasn't a yes/no question :) – YoavKlein Oct 08 '22 at 18:56
  • I understood it as a yes/no question. I mean yes as in everything you said, “packets that go from one interface on the bridge to another interface on the bridge, or even from an interface on the bridge to outside of the system (or the other way around)” (the latter is just a special case of the former — packets can only cross a bridge if they’re going from one interface on the bridge to another). Anything that crosses a bridge goes through `iptables` if these parameters are enabled. – Stephen Kitt Oct 08 '22 at 18:59
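A node-side check for what this answer describes, added here as an example (it is not part of either answer and not something the Kubernetes or kubeadm project ships): `bridge_nf_ok` parses text in the `key = value` format that `sysctl -a` and `sysctl net.bridge` print and reports whether both bridge-nf-call sysctls are present and set to 1; `check_node` runs the live check, first confirming that `br_netfilter` is loaded because, as the question notes, the keys do not exist until it is. The function names and the constructed sample output are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the two br_netfilter sysctls a Kubernetes node needs.
# Not code from the original answers; function names are this example's own.

# bridge_nf_ok TEXT
#   TEXT is output in sysctl's "key = value" format (e.g. from `sysctl net.bridge`).
#   Returns 0 only when both bridge-nf-call-iptables and -ip6tables are set to 1,
#   i.e. bridged packets will be handed to iptables as the CNI expects.
bridge_nf_ok() {
    printf '%s\n' "$1" | awk '
        /^net\.bridge\.bridge-nf-call-iptables[ \t]*=/  { if ($NF == 1) v4 = 1 }
        /^net\.bridge\.bridge-nf-call-ip6tables[ \t]*=/ { if ($NF == 1) v6 = 1 }
        END { if (v4 && v6) exit 0; else exit 1 }'
}

# check_node
#   Live check on the node: the keys only appear once br_netfilter is loaded,
#   so report that first, then test the current values.
check_node() {
    if ! grep -q '^br_netfilter' /proc/modules 2>/dev/null; then
        echo "br_netfilter is not loaded; run 'modprobe br_netfilter' first" >&2
        return 1
    fi
    if bridge_nf_ok "$(sysctl net.bridge 2>/dev/null)"; then
        echo "bridge-nf-call-iptables and -ip6tables are both 1"
    else
        echo "bridge-nf-call sysctls are not both 1; bridged traffic bypasses iptables" >&2
        return 1
    fi
}
```

Run `check_node` on the node itself; a non-zero status means the CNI's iptables rules will not see bridged container traffic. Because the module must be loaded before the sysctl values can be applied, a persistent setup also needs `br_netfilter` listed in a modules-load configuration, otherwise the values in `99-kubernetes-cni.conf` are silently skipped at boot.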
0

It seems with Nftables these parameters are not used anymore: https://netdevconf.info/1.1/proceedings/papers/Bridge-filter-with-nftables.pdf

Osqui
  • 179
  • 5