Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-940

Deprecation of iptables in OpenShift [Phase 2]

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 50% To Do, 6% In Progress, 44% Done
    • 0

      Feature Overview (aka. Goal Summary)

      Migrate every occurrence of iptables in OpenShift to use nftables, instead.

      Goals (aka. expected user outcomes)

      Implement a full migration from iptables to nftables within a series of "normal" upgrades of OpenShift with the goal of not causing any more network disruption than would normally be required for an OpenShift upgrade. (Different components may migrate from iptables to nftables in different releases; no coordination is needed between unrelated components.)

      Requirements (aka. Acceptance Criteria):

      • Discover what components are using iptables (directly or indirectly, e.g. via ipfailover) and reduce the “unknown unknowns”.
      • Port components away from iptables.

      Use Cases (Optional):

      Questions to Answer (Optional):

      • Do we need a better “warning: you are using iptables” warning for customers? (eg, per-container rather than per-node, which always fires because OCP itself is using iptables). This could help provide improved visibility of the issue to other components that aren't sure if they need to take action and migrate to nftables, as well.

      Out of Scope

      • Non-OVN primary CNI plug-in solutions

      Background

      Customer Considerations

      • What happens to clusters that don't migrate all iptables use to nftables?
        • In RHEL 9.x it will generate a single log message during node startup on every OpenShift node. There are Insights rules that will trigger on all OpenShift nodes.
        • In RHEL 10 iptables will just no longer work at all. Neither the command-line tools nor the kernel modules will be present.

      Documentation Considerations

      Interoperability Considerations

              ddharwar@redhat.com Deepthi Dharwar
              mcurry@redhat.com Marc Curry
              Ben Bennett, Dan Winship
              Ashley Hardin Ashley Hardin
              Ben Bennett Ben Bennett
              Dan Winship Dan Winship
              Marc Curry Marc Curry
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: