@adleong adleong commented Oct 23, 2025

The linkerd-cni plugin can be configured to use either iptables, iptables-legacy, or iptables-nft for a wide range of compatibility. However, when the configuration doesn't match the iptables executable on the host system, the linkerd-cni plugin will fail.

To make this more user-friendly, we add a detection step which identifies which of the above executables are available on the system. If the configured executable is not available, we automatically fall back to one that is.

Additionally, cni plugin logs are only available through the kubelet, which can be difficult to access. To grant easier observability to the cni plugin, we additionally log to a file so that cni plugin logs are more easily accessible on the host node.

Sample log outputs:

```
time="2025-10-23T00:43:18Z" level=debug msg="iptables: using configured binaries" requestedBin=iptables-nft requestedSaveBin=iptables-nft-save
time="2025-10-23T00:45:39Z" level=warning msg="iptables: configured binaries not found; applying fallback to available binaries" fallbackBin=iptables fallbackSaveBin=iptables-save requestedBin=iptables-nft requestedSaveBin=iptables-nft-save
```

(tested by deleting iptables-nft off of the host node)
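
The detection-and-fallback step described in the comment above, sketched as an added Go example; it is not the code from this pull request. The `binPair`, `lookFn`, `available` and `resolveBins` names and the candidate order are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os/exec"
)

// binPair is an iptables command together with its matching -save command.
type binPair struct{ Bin, SaveBin string }

// candidates holds the three variants named in the PR description. The
// order is an assumption of this example, not taken from the plugin.
var candidates = []binPair{
	{"iptables-nft", "iptables-nft-save"},
	{"iptables-legacy", "iptables-legacy-save"},
	{"iptables", "iptables-save"},
}

// lookFn resolves an executable name; exec.LookPath on a real host.
type lookFn func(name string) (string, error)

// available requires both executables, so a partial install is rejected.
func available(p binPair, look lookFn) bool {
	_, errBin := look(p.Bin)
	_, errSave := look(p.SaveBin)
	return errBin == nil && errSave == nil
}

// resolveBins returns the requested pair when it exists, otherwise the first
// available candidate. fellBack is true when the result is not what was
// configured, which the caller should log at warning level.
func resolveBins(requested binPair, look lookFn) (chosen binPair, fellBack bool, err error) {
	if available(requested, look) {
		return requested, false, nil
	}
	for _, c := range candidates {
		if c != requested && available(c, look) {
			return c, true, nil
		}
	}
	return binPair{}, false, fmt.Errorf("no iptables binaries found (requested %s)", requested.Bin)
}

func main() {
	req := binPair{"iptables-nft", "iptables-nft-save"}
	chosen, fellBack, err := resolveBins(req, exec.LookPath)
	fmt.Printf("requestedBin=%s bin=%s saveBin=%s fallback=%t err=%v\n",
		req.Bin, chosen.Bin, chosen.SaveBin, fellBack, err)
}
```

Returning `fellBack` separately keeps the substitution visible to operators, since rules written through a different backend than the one configured are otherwise easy to miss.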

@adleong adleong requested a review from a team as a code owner October 23, 2025 00:58
Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Alex Leong <[email protected]>
Signed-off-by: Alex Leong <[email protected]>
This reverts commit a85e19d.
Signed-off-by: Alex Leong <[email protected]>