Closed
CentOS 7 official packages include Linux kernel 3.10 bundled with bridge-netfilter.
This can be verified by checking the existence of the following files:
    ls -l /proc/sys/net/bridge
    total 0
    -rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-arptables
    -rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-ip6tables
    -rw-r--r-- 1 root root 0 Mar 23 15:40 bridge-nf-call-iptables
    -rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-filter-pppoe-tagged
    -rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-filter-vlan-tagged
    -rw-r--r-- 1 root root 0 Mar 23 16:22 bridge-nf-pass-vlan-input-dev
However, kubelet prints a warning highlighting the absence of br-netfilter:

    1:58.462930 18042 proxier.go:205] missing br-netfilter module or unset br-nf-call-iptables; proxy may not work as intended
This warning seems to be incorrect.
The check that triggers the warning is in NewProxier, located in proxier.go:

    if _, err := os.Stat("/sys/module/br_netfilter"); os.IsNotExist(err) {
        warnBrNetfilter = true
    }
Fundamentally, in the case of CentOS 7, the absence of /sys/module/br_netfilter is not proof of the absence of the br-netfilter module.
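
An added example, not part of the original report and not Kubernetes code: it contrasts the module-directory check quoted above with a check that reads the bridge-nf-call-iptables sysctl directly. The `root` parameter, the `State` type and the function names are assumptions introduced here so the logic can be exercised against a constructed directory tree.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// State of bridge netfilter as exposed through its sysctl (hypothetical type).
type State int

const (
	Missing  State = iota // sysctl file absent
	Disabled              // sysctl present but not set to 1
	Enabled               // sysctl present and set to 1
)

// legacyWarns mirrors the check quoted above: warn when the module directory
// is absent. root is "/" on a real host (parameter added here for testing).
func legacyWarns(root string) bool {
	_, err := os.Stat(filepath.Join(root, "sys/module/br_netfilter"))
	return os.IsNotExist(err)
}

// sysctlState reads bridge-nf-call-iptables, which is present whether the
// code ships as a separate br_netfilter module or bundled with the bridge.
func sysctlState(root string) (State, error) {
	b, err := os.ReadFile(filepath.Join(root, "proc/sys/net/bridge/bridge-nf-call-iptables"))
	switch {
	case errors.Is(err, fs.ErrNotExist):
		return Missing, nil
	case err != nil:
		return Missing, err // e.g. permission denied: report, do not guess
	case strings.TrimSpace(string(b)) == "1":
		return Enabled, nil
	}
	return Disabled, nil
}

func main() {
	st, err := sysctlState("/")
	fmt.Println("legacy check warns:", legacyWarns("/"), "sysctl state:", st, "err:", err)
}
```

On a layout like the CentOS 7 one described above, `legacyWarns` returns true while `sysctlState` reports `Enabled`, so only the sysctl value tells an operator whether bridged traffic is subject to the iptables rules.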