remove the conntrack binary dependency

kube-proxy needs to delete stale conntrack entries for UDP services to
avoid blackholing traffic. Instead of invoking the conntrack binary, it
can issue the netlink calls directly, which reduces the container image
size and the attack surface.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
Co-authored-by: Antonio Ojea <aojea@google.com>
This commit is contained in:
Daman Arora
2024-06-25 13:15:31 +00:00
parent ae3b5dbdc6
commit b0f823e6cc
7 changed files with 516 additions and 253 deletions


@@ -53,7 +53,6 @@ import (
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
"k8s.io/kubernetes/pkg/util/async"
utilkernel "k8s.io/kubernetes/pkg/util/kernel"
utilexec "k8s.io/utils/exec"
netutils "k8s.io/utils/net"
"k8s.io/utils/ptr"
"sigs.k8s.io/knftables"
@@ -256,7 +255,7 @@ func NewProxier(ctx context.Context,
nftables: nft,
masqueradeAll: masqueradeAll,
masqueradeMark: masqueradeMark,
conntrack: conntrack.NewExec(utilexec.New()),
conntrack: conntrack.New(),
localDetector: localDetector,
hostname: hostname,
nodeIP: nodeIP,
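Review bot: The switch to `conntrack.New()` at the `conntrack:` field changes the failure mode of the proxier without recording it: the exec-backed client could only fail when the binary was absent, while a netlink-backed client presumably depends on the process holding the netfilter capabilities and on conntrack support in the kernel, and a reader of NewProxier cannot see that from this line. A short comment at the assignment would help the next maintainer, e.g. `conntrack: conntrack.New(), // netlink-backed; no external binary, relies on the proxier's netfilter privileges`. If the new constructor can report an error (the hunk does not show its signature), it should be checked here rather than surfacing on the first flush of stale entries. NewProxier starts before the hunk and its body continues past it; the first hunk only drops the now-unused utilexec import and needs no change.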