Skip to content

chore(helm)!: change iptables default mode to nft #14326

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
alpeb merged 2 commits into from
Aug 6, 2025
Merged

chore(helm)!: change iptables default mode to nft #14326

alpeb merged 2 commits into from
Aug 6, 2025

Conversation

@alpeb
Copy link
Member

@alpeb alpeb commented Aug 6, 2025

This change sets as a new default nft for the proxyInit.iptablesMode and iptablesMode values in the linkerd-control-plane and linkerd2-cni helm charts. This doesn't imply any change in user-facing behavior.

This was prompted by EKS with k8s 1.33 no longer supporting the iptables legacy mode.

Further testing in multiple platforms with different k8s versions revealed nft mode is now broadly supported.

Upgrading via Helm will apply the new default, unless legacy mode was explicitly set during the initial install.

@alpeb
chore(helm)!: change iptables default mode to nft
223662c 
This change sets as a new default `nft` for the `proxyInit.iptablesMode`
and `iptablesMode` values in the linkerd-control-plane and linkerd2-cni
helm charts. This doesn't imply any change in user-facing behavior.

This was prompted by EKS with k8s 1.33 no longer supporting the iptables
legacy mode.

Further testing in multiple platforms with different k8s versions
revealed nft mode is now broadly supported.

Upgrading via Helm will apply the new default, unless the initial
install explicitly set the legacy mode.
@alpeb alpeb requested a review from a team as a code owner August 6, 2025 13:26
@olix0r
Copy link
Member

olix0r commented Aug 6, 2025 

=== RUN   TestInjectAutoPod
Error: TestInjectAutoPod - malformed init container
    inject_test.go:498: malformed init container:
        [Args.slice[0]: --ipv6=false != --firewall-bin-path Args.slice[1]: --incoming-proxy-port != iptables-nft Args.slice[2]: 4143 != --firewall-save-bin-path Args.slice[3]: --outgoing-proxy-port != iptables-nft-save Args.slice[4]: 4140 != --ipv6=false Args.slice[5]: --proxy-uid != --incoming-proxy-port Args.slice[6]: 2102 != 4143 Args.slice[7]: --inbound-ports-to-ignore != --outgoing-proxy-port Args.slice[8]: 4190,4191,1234,5678 != 4140 Args.slice[9]: --outbound-ports-to-ignore != --proxy-uid]
--- FAIL: TestInjectAutoPod (1.02s)

@alpeb alpeb merged commit fe79b59 into main Aug 6, 2025
69 of 71 checks passed
@alpeb alpeb deleted the alpeb/iptables-mode-default-nft branch August 6, 2025 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olix0r olix0r olix0r approved these changes

@adleong adleong adleong approved these changes

Assignees

@alpeb alpeb

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alpeb @olix0r @adleong