support kube-proxy nftables mode

2025-11-30 23:16:04 +07:00 · 2024-04-11 14:47:54 +00:00
parent 7cb9e6be25
commit 296749aa2d
5 changed files with 11 additions and 7 deletions
--- a/pkg/apis/config/v1alpha4/types.go
+++ b/pkg/apis/config/v1alpha4/types.go
@@ -186,7 +186,7 @@ type Networking struct {
 	// If DisableDefaultCNI is true, kind will not install the default CNI setup.
 	// Instead the user should install their own CNI after creating the cluster.
 	DisableDefaultCNI bool `yaml:"disableDefaultCNI,omitempty" json:"disableDefaultCNI,omitempty"`
-	// KubeProxyMode defines if kube-proxy should operate in iptables or ipvs mode
+	// KubeProxyMode defines if kube-proxy should operate in iptables, ipvs or nftables mode
 	// Defaults to 'iptables' mode
 	KubeProxyMode ProxyMode `yaml:"kubeProxyMode,omitempty" json:"kubeProxyMode,omitempty"`
 	// DNSSearch defines the DNS search domain to use for nodes. If not set, this will be inherited from the host.
@@ -213,6 +213,8 @@ const (
 	IPTablesProxyMode ProxyMode = "iptables"
 	// IPVSProxyMode sets ProxyMode to ipvs
 	IPVSProxyMode ProxyMode = "ipvs"
+	// NFTablesProxyMode sets ProxyMode to nftables
+	NFTablesProxyMode ProxyMode = "nftables"
 )

 // PatchJSON6902 represents an inline kustomize json 6902 patch
--- a/pkg/cluster/internal/kubeadm/config.go
+++ b/pkg/cluster/internal/kubeadm/config.go
@@ -57,7 +57,7 @@ type ConfigData struct {
 	// The Token for TLS bootstrap
 	Token string

-	// KubeProxyMode defines the kube-proxy mode between iptables or ipvs
+	// KubeProxyMode defines the kube-proxy mode between iptables, ipvs or nftables
 	KubeProxyMode string
 	// The subnet used for pods
 	PodSubnet string
--- a/pkg/internal/apis/config/types.go
+++ b/pkg/internal/apis/config/types.go
@@ -148,7 +148,7 @@ type Networking struct {
 	// If DisableDefaultCNI is true, kind will not install the default CNI setup.
 	// Instead the user should install their own CNI after creating the cluster.
 	DisableDefaultCNI bool
-	// KubeProxyMode defines if kube-proxy should operate in iptables or ipvs mode
+	// KubeProxyMode defines if kube-proxy should operate in iptables, ipvs or nftables mode
 	KubeProxyMode ProxyMode
 	// DNSSearch defines the DNS search domain to use for nodes. If not set, this will be inherited from the host.
 	DNSSearch *[]string
@@ -174,6 +174,8 @@ const (
 	IPTablesProxyMode ProxyMode = "iptables"
 	// IPVSProxyMode sets ProxyMode to ipvs
 	IPVSProxyMode ProxyMode = "ipvs"
+	// NFTablesProxyMode sets ProxyMode to nftables
+	NFTablesProxyMode ProxyMode = "nftables"
 	// NoneProxyMode disables kube-proxy
 	NoneProxyMode ProxyMode = "none"
 )
--- a/pkg/internal/apis/config/validate.go
+++ b/pkg/internal/apis/config/validate.go
@@ -69,7 +69,7 @@ func (c *Cluster) Validate() error {

 	// KubeProxyMode should be iptables or ipvs
 	if c.Networking.KubeProxyMode != IPTablesProxyMode && c.Networking.KubeProxyMode != IPVSProxyMode &&
-		c.Networking.KubeProxyMode != NoneProxyMode {
+		c.Networking.KubeProxyMode != NoneProxyMode && c.Networking.KubeProxyMode != NFTablesProxyMode {
 		errs = append(errs, errors.Errorf("invalid kubeProxyMode: %s", c.Networking.KubeProxyMode))
 	}

--- a/site/content/docs/user/configuration.md
+++ b/site/content/docs/user/configuration.md
@@ -217,14 +217,14 @@ networking:

 #### kube-proxy mode

-You can configure the kube-proxy mode that will be used, between iptables and ipvs. By
-default iptables is used
+You can configure the kube-proxy mode that will be used, between iptables, ipvs and nftables.
+By default iptables is used

 {{< codeFromInline lang="yaml" >}}
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 networking:
-  kubeProxyMode: "ipvs"
+  kubeProxyMode: "nftables"
 {{< /codeFromInline >}}

 To disable kube-proxy, set the mode to `"none"`.