Fix kubelet detection on MicroK8s with nftables backend (#58314)

sridhargaddam · web-flow · commit 1ad642208640 · 2025-11-24T08:31:08.000-08:00
* Fix kubelet detection on MicroK8s with nftables backend When Ambient mode is used with the nftables backend, this PR fixes kubelet UID detection so that it works in MicroK8s, where kubelet runs inside the unified “kubelite” daemon rather than as a standalone process. Fixes: istio/istio#58185 Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com> * Add release notes Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com> --------- Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>
diff --git a/cni/pkg/nftables/kubeletuid_linux.go b/cni/pkg/nftables/kubeletuid_linux.go
@@ -22,7 +22,9 @@ import (
 	"github.com/prometheus/procfs"
 )
 
-// getKubeletUIDFromPath finds the kubelet process UID by inspecting the proc filesystem path.
+// getKubeletUIDFromPath finds the kubelet or kubelite process UID by inspecting the proc filesystem path.
+// In standard Kubernetes distributions, it looks for the "kubelet" process.
+// On some platforms like MicroK8s, where multiple k8s components are consolidated, it looks for the "kubelite" process.
 func getKubeletUIDFromPath(procPath string) (string, error) {
 	fs, err := procfs.NewFS(procPath)
 	if err != nil {
@@ -34,44 +36,53 @@ func getKubeletUIDFromPath(procPath string) (string, error) {
 		return "", fmt.Errorf("failed to read processes from %s: %v", procPath, err)
 	}
 
-	// Find kubelet process
+	// List of process names to search for, in order of preference
+	processNames := []string{"kubelet", "kubelite"}
+
 	for _, proc := range procs {
 		comm, err := proc.Comm()
 		if err != nil {
 			// Process might have exited, skip
 			continue
 		}
 
-		if comm == "kubelet" {
-			// Lets check the command line to ensure it's really kubelet
-			cmdline, err := proc.CmdLine()
-			if err != nil {
-				continue
-			}
+		for _, targetName := range processNames {
+			if comm == targetName {
+				// Lets check the command line to ensure it's really the target process
+				cmdline, err := proc.CmdLine()
+				if err != nil {
+					continue
+				}
 
-			kubeletFound := false
-			for _, arg := range cmdline {
-				if strings.Contains(strings.ToLower(arg), "kubelet") {
-					kubeletFound = true
-					break
+				// Verify that this process is actually related to kubelet by checking
+				// if "kubelet" appears in any of the command line arguments.
+				// This works for both:
+				//   - Standard kubelet: /usr/bin/kubelet [args...]
+				//   - MicroK8s kubelite: /snap/microk8s/.../kubelite --kubelet-args-file=...
+				processFound := false
+				for _, arg := range cmdline {
+					if strings.Contains(strings.ToLower(arg), "kubelet") {
+						processFound = true
+						break
+					}
+				}
+				if !processFound {
+					continue
 				}
-			}
-			if !kubeletFound {
-				continue
-			}
 
-			// Get process status with UIDs
-			status, err := proc.NewStatus()
-			if err != nil {
-				continue
-			}
+				// Get process status with UIDs
+				status, err := proc.NewStatus()
+				if err != nil {
+					continue
+				}
 
-			realUID := status.UIDs[0]
-			realUIDStr := strconv.FormatUint(realUID, 10)
+				realUID := status.UIDs[0]
+				realUIDStr := strconv.FormatUint(realUID, 10)
 
-			return realUIDStr, nil
+				return realUIDStr, nil
+			}
 		}
 	}
 
-	return "", fmt.Errorf("kubelet process not found in %s", procPath)
+	return "", fmt.Errorf("kubelet or kubelite process not found in %s", procPath)
 }
diff --git a/cni/pkg/nftables/nftables.go b/cni/pkg/nftables/nftables.go
@@ -443,7 +443,7 @@ func (cfg *NftablesConfigurator) CreateHostRulesForHealthChecks() error {
 	//
 	// Challenge: In nftables, there is no direct equivalent to "--socket-exists", so we explored multiple alternatives
 	// - Option-1 (UID-based matching): Since kubelet runs as a specific process with a known UID, we can use
-	//   meta skuid to identify traffic originating from kubelet.
+	//   meta skuid to identify traffic originating from kubelet (or kubelite in MicroK8s).
 	//
 	// - Option-2: Match on kubelet’s source IP (node IP). This works in theory but is a bit unsafe as
 	//   other host processes can also send traffic from the node IP, and nodes can have multiple IPs making the
diff --git a/releasenotes/notes/58185.yaml b/releasenotes/notes/58185.yaml
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue:
+  - 58185
+releaseNotes:
+- |
+  **Fixed** Istio CNI node agent startup failure in MicroK8s environments when using ambient mode with nftables backend.
