fixup! feat: Support nftables kube-proxy mode

Author: jimmidyson

api/v1alpha1/clusterconfig_types.go

@@ -340,14 +340,19 @@ const (
 	// KubeProxyModeIPTables indicates that kube-proxy should be installed in iptables
 	// mode.
 	KubeProxyModeIPTables KubeProxyMode = "iptables"
+	// KubeProxyModeNFTables indicates that kube-proxy should be installed in iptables
+	// mode.
+	KubeProxyModeNFTables KubeProxyMode = "nftables"
 )
 
 type KubeProxy struct {
-	// Mode specifies the mode for kube-proxy.
-	// Disabled means that kube-proxy is not installed.
-	// iptables means that kube-proxy is installed in iptables mode.
+	// Mode specifies the mode for kube-proxy:
+	//
+	// - Disabled means that kube-proxy is not installed.
+	// - iptables means that kube-proxy is installed in iptables mode.
+	// - nftables means that kube-proxy is installed in nftables mode.
 	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Enum=Disabled;iptables
+	// +kubebuilder:validation:Enum=Disabled;iptables;nftables
 	// +kubebuilder:default=iptables
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Value cannot be changed after cluster creation"
 	Mode KubeProxyMode `json:"mode,omitempty"`

api/v1alpha1/crds/caren.nutanix.com_awsclusterconfigs.yaml

@@ -566,12 +566,15 @@ spec:
                     mode:
                       default: iptables
                       description: |-
-                        Mode specifies the mode for kube-proxy.
-                        Disabled means that kube-proxy is not installed.
-                        iptables means that kube-proxy is installed in iptables mode.
+                        Mode specifies the mode for kube-proxy:
+
+                        - Disabled means that kube-proxy is not installed.
+                        - iptables means that kube-proxy is installed in iptables mode.
+                        - nftables means that kube-proxy is installed in nftables mode.
                       enum:
                         - Disabled
                         - iptables
+                        - nftables
                       type: string
                       x-kubernetes-validations:
                         - message: Value cannot be changed after cluster creation

api/v1alpha1/crds/caren.nutanix.com_dockerclusterconfigs.yaml

@@ -503,12 +503,15 @@ spec:
                     mode:
                       default: iptables
                       description: |-
-                        Mode specifies the mode for kube-proxy.
-                        Disabled means that kube-proxy is not installed.
-                        iptables means that kube-proxy is installed in iptables mode.
+                        Mode specifies the mode for kube-proxy:
+
+                        - Disabled means that kube-proxy is not installed.
+                        - iptables means that kube-proxy is installed in iptables mode.
+                        - nftables means that kube-proxy is installed in nftables mode.
                       enum:
                         - Disabled
                         - iptables
+                        - nftables
                       type: string
                       x-kubernetes-validations:
                         - message: Value cannot be changed after cluster creation

api/v1alpha1/crds/caren.nutanix.com_genericclusterconfigs.yaml

@@ -181,12 +181,15 @@ spec:
                   mode:
                     default: iptables
                     description: |-
-                      Mode specifies the mode for kube-proxy.
-                      Disabled means that kube-proxy is not installed.
-                      iptables means that kube-proxy is installed in iptables mode.
+                      Mode specifies the mode for kube-proxy:
+
+                      - Disabled means that kube-proxy is not installed.
+                      - iptables means that kube-proxy is installed in iptables mode.
+                      - nftables means that kube-proxy is installed in nftables mode.
                     enum:
                     - Disabled
                     - iptables
+                    - nftables
                     type: string
                     x-kubernetes-validations:
                     - message: Value cannot be changed after cluster creation

api/v1alpha1/crds/caren.nutanix.com_nutanixclusterconfigs.yaml

@@ -682,12 +682,15 @@ spec:
                     mode:
                       default: iptables
                       description: |-
-                        Mode specifies the mode for kube-proxy.
-                        Disabled means that kube-proxy is not installed.
-                        iptables means that kube-proxy is installed in iptables mode.
+                        Mode specifies the mode for kube-proxy:
+
+                        - Disabled means that kube-proxy is not installed.
+                        - iptables means that kube-proxy is installed in iptables mode.
+                        - nftables means that kube-proxy is installed in nftables mode.
                       enum:
                         - Disabled
                         - iptables
+                        - nftables
                       type: string
                       x-kubernetes-validations:
                         - message: Value cannot be changed after cluster creation

docs/content/customization/generic/kube-proxy-mode.md

@@ -2,11 +2,55 @@
 title = "kube-proxy mode"
 +++
 
-This customization allows configuration of the `kube-proxy` proxy mode. Currently, only `iptables` or `Disabled` modes
-are supported. `Disabled` is useful when deploying a CNI implementation that can replace `kube-proxy` to avoid
-potential conflicts. By default, `kube-proxy` is enabled in `iptables` mode.
+This customization allows configuration of the `kube-proxy` proxy mode. Currently, only `iptables`, `nftables` or
+`Disabled` modes are supported. `Disabled` is useful when deploying a CNI implementation that can replace `kube-proxy`
+to avoid potential conflicts. By default, `kube-proxy` is enabled in `iptables` mode.
 
-## Example
+## Examples
+
+### Enabling nftables kube-proxy mode
+
+Enabling `nftables` is done via the following configuration:
+
+```yaml
+apiVersion: cluster.x-k8s.io/v1beta1
+kind: Cluster
+metadata:
+  name: <NAME>
+spec:
+  topology:
+    variables:
+      - name: clusterConfig
+        value:
+          kubeProxy:
+            mode: nftables
+```
+
+Applying this configuration will result in the following configuration being applied to create a
+`KubeProxyConfiguration` and append it to the kubeadm configuration that is used when `kubeadm init`
+is executed:
+
+- `KubeadmControlPlaneTemplate`:
+
+  - ```yaml
+    spec:
+      template:
+        spec:
+          kubeadmConfigSpec:
+            files:
+              - path: "/etc/kubernetes/kubeproxy-config.yaml"
+                owner: "root:root"
+                permissions: "0644"
+                content: |-
+                  ---
+                  apiVersion: kubeproxy.config.k8s.io/v1alpha1
+                  kind: KubeProxyConfiguration
+                  mode: nftables
+          preKubeadmCommands:
+            - /bin/sh -ec 'cat /etc/kubernetes/kubeproxy-config.yaml >> /run/kubeadm/kubeadm.yaml'
+    ```
+
+### Skipping kube-proxy installation
 
 To disable the deployment of `kube-proxy`, specify the following configuration:
 

pkg/handlers/generic/mutation/kubeproxymode/inject.go

@@ -25,6 +25,13 @@ import (
 const (
 	// VariableName is the external patch variable name.
 	VariableName = "kubeProxy"
+
+	kubeProxyConfigYAMLTemplate = `
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+mode: %s
+`
 )
 
 type kubeProxyMode struct {
@@ -101,20 +108,33 @@ func (h *kubeProxyMode) Mutate(
 				"patchedObjectKind", obj.GetObjectKind().GroupVersionKind().String(),
 				"patchedObjectName", client.ObjectKeyFromObject(obj),
 			).Info("adding kube proxy mode to control plane kubeadm config spec")
-			if obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration == nil {
-				obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration = &bootstrapv1.InitConfiguration{}
-			}
 
 			switch kubeProxyMode {
 			case v1alpha1.KubeProxyModeDisabled:
 				log.Info("kube proxy mode is set to disabled, skipping kube-proxy addon")
-				obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration.SkipPhases = append(
-					obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration.SkipPhases,
+				if obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration == nil {
+					obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration = &bootstrapv1.InitConfiguration{}
+				}
+				initConfiguration := obj.Spec.Template.Spec.KubeadmConfigSpec.InitConfiguration
+				initConfiguration.SkipPhases = append(
+					initConfiguration.SkipPhases,
 					"addon/kube-proxy",
 				)
-			case v1alpha1.KubeProxyModeIPTables:
-				log.Info(
-					"kube proxy mode is set to iptables, no patches required as this is the default mode configured by kubeadm",
+			case v1alpha1.KubeProxyModeIPTables, v1alpha1.KubeProxyModeNFTables:
+				kubeProxyConfig := bootstrapv1.File{
+					Path:        "/etc/kubernetes/kubeproxy-config.yaml",
+					Owner:       "root:root",
+					Permissions: "0644",
+					Content:     fmt.Sprintf(kubeProxyConfigYAMLTemplate, kubeProxyMode),
+				}
+				obj.Spec.Template.Spec.KubeadmConfigSpec.Files = append(
+					obj.Spec.Template.Spec.KubeadmConfigSpec.Files,
+					kubeProxyConfig,
+				)
+				mergeKubeProxyConfigCmd := "/bin/sh -ec 'cat /etc/kubernetes/kubeproxy-config.yaml >> /run/kubeadm/kubeadm.yaml'"
+				obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands = append(
+					obj.Spec.Template.Spec.KubeadmConfigSpec.PreKubeadmCommands,
+					mergeKubeProxyConfigCmd,
 				)
 			default:
 				return fmt.Errorf("unknown kube proxy mode %q", kubeProxyMode)