kube-proxy relies on the iptables command to make changes to the VM networking.
Based on what config is set for iptables, it would either use legacy or nftables.
Since we are provisioning our VMs on Ubuntu 22 and higher, it would choose nftables.
On startup, kube-proxy runs this command:
iptables -S POSTROUTING -t nat
to make sure everything is set up correctly for IPv4.
We were adding our own NAT rules using the nft binary, and it caused issues for
reverse translation during the healthcheck; we would get errors like this one:
iptables v1.8.7 (nf_tables): chain POSTROUTING in table nat is incompatible, use 'nft' tool.
To address that issue, we would use iptables-nft instead to fix the reverse translation.
Since kube-proxy does not support direct nft integration and works only using iptables,
we had to change the way we apply our rules.
Also, the stage at which we apply our NAT rules is now before kubeadm init/join; this way we are
sure we've done everything we wanted to do with the node and do not cause any race condition while
kube-proxy is also setting up its rules.
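
A node pre-flight for the ordering described above, as an added example that is not part of the original change: it appends a NAT rule through iptables-nft and then repeats kube-proxy's startup listing to confirm the chain is still readable. The function names, the IPT override variable and the sample rule in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: run on the node before kubeadm init/join.
# IPT is the binary used for every change; the fix above is iptables-nft.
# It is overridable so the logic can be exercised without root (assumption).
IPT="${IPT:-iptables-nft}"

# Repeat the listing kube-proxy runs on startup and classify the result.
# Returns 0 = chain readable through iptables,
#         2 = chain reported as incompatible (the error quoted above),
#         1 = any other failure.
nat_postrouting_status() {
    err=$("$IPT" -S POSTROUTING -t nat 2>&1 >/dev/null) && return 0
    case "$err" in
        *"is incompatible, use 'nft' tool"*) return 2 ;;
        *) return 1 ;;
    esac
}

# Append a nat POSTROUTING rule through $IPT only if it is not already there.
# Arguments are the rule spec, e.g. (constructed sample):
#   -s 10.0.0.0/24 -o eth0 -j MASQUERADE
ensure_nat_rule() {
    "$IPT" -t nat -C POSTROUTING "$@" 2>/dev/null && return 0
    "$IPT" -t nat -A POSTROUTING "$@"
}

# Apply the rule, then verify that kube-proxy's check would still pass.
preflight() {
    ensure_nat_rule "$@" || return 1
    status=0
    nat_postrouting_status || status=$?
    if [ "$status" -eq 2 ]; then
        echo "nat/POSTROUTING is not readable through $IPT; it was changed with the nft tool" >&2
    fi
    return "$status"
}

# Stand-alone use: sh preflight.sh --run -s 10.0.0.0/24 -o eth0 -j MASQUERADE
if [ "${1:-}" = "--run" ]; then
    shift
    preflight "$@"
fi
```

A non-zero exit from preflight is the signal to stop provisioning before kubeadm init/join runs.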