cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies (#12577)

cmd/containerboot,cmd/k8s-operator: enable IPv6 for fqdn egress proxies

Don't skip installing egress forwarding rules for IPv6 (as long as the host
supports IPv6), and set headless services' `ipFamilyPolicy` to
`PreferDualStack` to optionally enable both IP families when possible. Note
that even with `PreferDualStack` set, testing a dual-stack GKE cluster with
the default DNS setup of kube-dns did not correctly set both A and
AAAA records for the headless service, and instead only did so when
switching the cluster DNS to Cloud DNS. For both IPv4 and IPv6 to work
simultaneously in a dual-stack cluster, we require headless services to
return both A and AAAA records.

If the host doesn't support IPv6 but the FQDN specified only has IPv6
addresses available, containerboot will exit with error code 1 and an
error message because there is no viable egress route.

Fixes #12215

Signed-off-by: Tom Proctor <tomhjp@users.noreply.github.com>
Tom Proctor
2024-07-05 12:21:48 +01:00
committed by GitHub
parent 309afa53cf
commit 01a7726cf7
5 changed files with 91 additions and 13 deletions
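The "no viable egress route" check the commit message describes, as an added Go example that is not part of this commit or of Tailscale's code: `viableEgressAddrs` and `hostFamilies` are assumed names, and the resolved addresses are constructed. It splits the FQDN's addresses by IP family against what the host can forward, unmaps IPv4-mapped IPv6 addresses first, and errors when nothing is routable so the caller can exit instead of installing an empty rule set.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// hostFamilies records which IP families the host's netfilter stack can
// forward for; a real proxy would probe the host to fill this in.
type hostFamilies struct {
	V4, V6 bool
}

// viableEgressAddrs filters the addresses resolved for an egress FQDN down to
// those the host can route, grouped by family, so forwarding rules are only
// installed for families that have both host support and a target address.
// It returns an error when no address is usable: that is the condition under
// which the proxy should fail loudly rather than silently blackhole traffic.
func viableEgressAddrs(resolved []netip.Addr, host hostFamilies) (v4, v6 []netip.Addr, err error) {
	for _, a := range resolved {
		a = a.Unmap() // ::ffff:a.b.c.d is really an IPv4 target; Is6 would otherwise match it
		switch {
		case a.Is4() && host.V4:
			v4 = append(v4, a)
		case a.Is6() && host.V6:
			v6 = append(v6, a)
		}
	}
	if len(v4) == 0 && len(v6) == 0 {
		return nil, nil, errors.New("no viable egress route: resolved addresses use IP families the host does not support")
	}
	return v4, v6, nil
}

func main() {
	// Constructed sample: an FQDN with only AAAA records on an IPv4-only host.
	resolved := []netip.Addr{netip.MustParseAddr("2001:db8::10")}
	if _, _, err := viableEgressAddrs(resolved, hostFamilies{V4: true}); err != nil {
		fmt.Println("would exit 1:", err)
	}
}
```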


@@ -8,6 +8,8 @@ package linuxfw
import (
"errors"
"fmt"
"os"
"strconv"
"strings"
)
@@ -128,8 +130,13 @@ func (n *fakeIPTables) DeleteChain(table, chain string) error {
func NewFakeIPTablesRunner() *iptablesRunner {
ipt4 := newFakeIPTables()
ipt6 := newFakeIPTables()
v6Available := false
var ipt6 iptablesInterface
if use6, err := strconv.ParseBool(os.Getenv("TS_TEST_FAKE_NETFILTER_6")); use6 || err != nil {
ipt6 = newFakeIPTables()
v6Available = true
}
iptr := &iptablesRunner{ipt4, ipt6, true, true, true}
iptr := &iptablesRunner{ipt4, ipt6, v6Available, v6Available, v6Available}
return iptr
}
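Review bot: in `NewFakeIPTablesRunner`, the condition `use6 || err != nil` enables the fake IPv6 tables both when `TS_TEST_FAKE_NETFILTER_6` is unset and when it holds a value `strconv.ParseBool` rejects, so a typo such as `TS_TEST_FAKE_NETFILTER_6=flase` silently exercises the IPv6 path instead of the v4-only path the test intended. Consider `os.LookupEnv` so that only the unset case defaults to true, failing on an unparsable value, and add a comment naming the variable and its default. When the variable is false, `ipt6` is left as a nil `iptablesInterface` and stored as-is, which is fine only while every caller checks the availability flags before touching it; using field names in the `&iptablesRunner{ipt4, ipt6, v6Available, v6Available, v6Available}` literal would make it clear which three flags are being driven from the one value.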