kubernetes: rewrite TestUnderTemporaryNetworkFailure to use nftables

Some e2e tests use TestUnderTemporaryNetworkFailure in test/e2e/framework/network to test how a component behaves when the network goes down. (Additionally, one test in test/e2e/apimachinery does the same thing “by hand” but ought to be rewritten to use TestUnderTemporaryNetworkFailure, or at least to use the BlockNetwork / UnblockNetwork functions that it uses.)

This test currently uses iptables rules to simulate the network failure, but in the future, nftables will be more widely-supported/widely-available than iptables, so it should be rewritten to try using nft first, and only fall back to iptables if nft isn’t installed.

/sig network

About this issue

  • Original URL
  • State: open
  • Created a year ago
  • Reactions: 1
  • Comments: 15 (10 by maintainers)

Most upvoted comments

Is there any idea/guideline/poc on how to implement the interaction with nftables?

So for purposes of this issue, I think the test function should just call nft directly, without using any sort of library/package/abstraction. (The existing TestUnderTemporaryNetworkFailure implementation just calls iptables directly.) It only needs to add a few rules. It’s not worth doing anything more complicated.

For the kube-proxy backend, I’m planning to use https://github.com/danwinship/nftables, but that discussion belongs on the KEP PR, not here.
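As an added example (not code from the kubernetes repo or from anyone in this thread), one shape the rewritten helper could take: probe the node for nft, then build either a private nft table holding the reject rule or the existing iptables insert/delete pair, so that BlockNetwork/UnblockNetwork only hand a few commands to the node. The table name, the `sudo` prefix, the ip6tables branch for IPv6 destinations (which goes beyond what the issue asks), and running the probe through the framework's SSH helper are this example's assumptions; the iptables REJECT rule shape is assumed to match the current helper.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// nftTable is a name this example picks; any otherwise unused table name works.
const nftTable = "e2e-netfail"

// BackendProbe is run on the node first (assumed: via the framework's SSH
// helper); nft is used only when it exits 0, otherwise fall back to iptables.
const BackendProbe = "command -v nft >/dev/null 2>&1"

// NetworkFailureCommands returns the commands that block, and later unblock,
// outbound traffic from the node to the address `to`. With nft the rule lives
// in its own table, so teardown is one atomic `delete table` that cannot leave
// a stray rule behind; with iptables the rule must be deleted by exact match.
func NetworkFailureCommands(haveNft bool, to string) (block, unblock []string, err error) {
	ip := net.ParseIP(to)
	if ip == nil {
		return nil, nil, fmt.Errorf("destination %q is not an IP address", to)
	}
	family, bin := "ip", "iptables"
	if ip.To4() == nil {
		family, bin = "ip6", "ip6tables" // assumption: IPv6 handled the same way
	}
	if haveNft {
		block = []string{
			fmt.Sprintf("sudo nft add table inet %s", nftTable),
			fmt.Sprintf("sudo nft 'add chain inet %s output { type filter hook output priority 0 ; }'", nftTable),
			// reject rather than drop: callers get a fast ICMP error, like iptables REJECT.
			fmt.Sprintf("sudo nft add rule inet %s output %s daddr %s reject", nftTable, family, ip),
		}
		unblock = []string{fmt.Sprintf("sudo nft delete table inet %s", nftTable)}
		return block, unblock, nil
	}
	rule := fmt.Sprintf("OUTPUT --destination %s --jump REJECT", ip)
	block = []string{fmt.Sprintf("sudo %s --insert %s", bin, rule)}
	unblock = []string{fmt.Sprintf("sudo %s --delete %s", bin, rule)}
	return block, unblock, nil
}

func main() {
	block, unblock, _ := NetworkFailureCommands(true, "10.0.0.1")
	fmt.Println(strings.Join(append(block, unblock...), "\n"))
}
```

Sending the block commands as one `set -e` script in a single SSH call keeps the node from ending up with a half-applied rule set if one command fails.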