Cleanup left-over iptables rules from kubeproxy and cilium (#788)

canonical · Nov 15, 2024 · a8e140b · a8e140b
1 parent e1dd58e
commit a8e140b
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/k8s/lib.sh b/k8s/lib.sh
@@ -46,6 +46,8 @@ k8s::common::is_strict() {
 # Cleanup configuration left by the network feature
 k8s::remove::network() {
   k8s::common::setup_env
+
+  "${SNAP}/bin/kube-proxy" --cleanup || true
 
   k8s::cmd::k8s x-cleanup network || true
 }

diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
@@ -164,6 +164,7 @@ parts:
       - ethtool
       - hostname
       - iproute2
+      - ipset
       - kmod
       - libatm1
       - libnss-resolve

diff --git a/src/k8s/pkg/k8sd/features/cilium/cleanup.go b/src/k8s/pkg/k8sd/features/cilium/cleanup.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"strings"
 
 	"github.com/canonical/k8s/pkg/snap"
 )
@@ -18,5 +19,25 @@ func CleanupNetwork(ctx context.Context, snap snap.Snap) error {
 		}
 	}
 
+	for _, cmd := range []string{"iptables", "ip6tables", "iptables-legacy", "ip6tables-legacy"} {
+		out, err := exec.Command(fmt.Sprintf("%s-save", cmd)).Output()
+		if err != nil {
+			return fmt.Errorf("failed to read iptables rules: %w", err)
+		}
+
+		lines := strings.Split(string(out), "\n")
+		for i, line := range lines {
+			if strings.Contains(strings.ToLower(line), "cilium") {
+				lines[i] = ""
+			}
+		}
+
+		restore := exec.Command(fmt.Sprintf("%s-restore", cmd))
+		restore.Stdin = strings.NewReader(strings.Join(lines, "\n"))
+		if err := restore.Run(); err != nil {
+			return fmt.Errorf("failed to restore iptables rules: %w", err)
+		}
+	}
+
 	return nil
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -164,6 +164,7 @@ parts: @@
           - ethtool
           - hostname
           - iproute2
+          - ipset
           - kmod
           - libatm1
           - libnss-resolve
@@ Expand Down @@