/cc @neolit123

/area kubeadm
@kubernetes/sig-network-pr-reviews
@kubernetes/sig-cluster-lifecycle-pr-reviews

@neolit123 thank you for the review!

We probably should fix also kube-proxy, there is similar check, because it's disables IPVS if required kernel modules not found

@neolit123 Do you want me to fix it in this PR or a separate PR would be ok too?

@neolit123 Do you want me to fix it in this PR or a separate PR would be ok too?

@bart0sh probably best to fix it in a separate PR once this PR get approved.

Thanks @neolit123

A quick question: are you using IPVS proxier?

cc @islinwb @stewart-yu @Lion-Wei

for review.

In the function, first part is checking installed modules.
And, why delete the builtin mode check?

And, why delete the builtin mode check?

Why is it needed, if all modules are existing and working well, just not in listed in modules.builtin?

Example, my case:
kubernetes/kubeadm#975 (comment)

@stewart-yu

In the function, first part is checking installed modules.

It's checking loaded modules as far as I understand the code.

And, why delete the builtin mode check?

It's not deleted. I just added check for installed modules.

I've tested this solution. When ip_vs* modules are not builtin and not loaded before the kubeadm run they're loaded automatically if they're installed. The same reported in the issue:
kubernetes/kubeadm#975 (comment)

@bart0sh: The following tests failed, say /retest to rerun them all:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

/test pull-kubernetes-verify

Kube-proxy will load those modules automatically, on demand.

No need to load those modules automatically. #59566 (comment)

Another words, if user have all necessary modules, he will not see this warning anymore, even if they are not loaded into the system.

If user have all necessary modules, he will not see this warning anymore, that's true. And we have this function now.

@stewart-yu

If user have all necessary modules, he will not see this warning anymore, that's true.

That's absolutely not true. I have all required modules installed:

$ find /lib/modules/$(uname -r) -name ip_vs.ko -o -name ip_vs_rr.ko -o -name ip_vs_wrr.ko -o -name ip_vs_sh.ko -o -name nf_conntrack_ipv4.ko
/lib/modules/4.4.140-62-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_wrr.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_rr.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_sh.ko

However, the check still makes incorrect and confusing warning message:

I1113 13:18:01.781297   14832 kernelcheck_linux.go:45] validating the kernel module IPVS required exists in machine or not
	[WARNING RequiredIPVSKernelModulesAvailable]: the IPVS proxier will not be used, because the following required kernel modules are not loaded: [ip_vs_rr ip_vs_wrr ip_vs_sh ip_vs] or no builtin kernel ipvs support: map[ip_vs:{} ip_vs_rr:{} ip_vs_wrr:{} ip_vs_sh:{} nf_conntrack_ipv4:{}]
you can solve this problem with following methods:
 1. Run 'modprobe -- ' to load missing kernel modules;
2. Provide the missing builtin kernel ipvs support

This is plain wrong: the IPVS proxier will not be used

As IPVS proxier is used just fine after kubeadm init is finished:

$ sudo /sbin/ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.96.0.1:443 lc
  -> 10.237.72.179:6443           Masq    1      0          0         
TCP  10.96.0.10:53 lc
UDP  10.96.0.10:53 lc

Therefore both recommendations:

1. Run 'modprobe -- ' to load missing kernel modules;
2. Provide the missing builtin kernel ipvs support

don't make sense and meaningless.

@neolit123, @kad, @timothysc please, help me to get this PR merged. It's stuck under review for 24 days already. It's a valid fix for kubernetes/kubeadm#975

@stewart-yu

If user have all necessary modules, he will not see this warning anymore, that's true.

That's absolutely not true. I have all required modules installed:

Agree, warning still there if modules not loaded but existing on the system.

Kube-proxy will load those modules automatically, on demand.

No need to load those modules automatically. #59566 (comment)

kube-proxy already doing that, we don't need to load them on the preflight check by kubeadm.
But we need normal check if modules acceptable to load on the machine. Current check is not cover this case, this PR fixes that.

@kvaps

That's absolutely not true. I have all required modules installed:

$ find /lib/modules/$(uname -r) -name ip_vs.ko -o -name ip_vs_rr.ko -o -name ip_vs_wrr.ko -o -name ip_vs_sh.ko -o -name nf_conntrack_ipv4.ko
/lib/modules/4.4.140-62-default/kernel/net/ipv4/netfilter/nf_conntrack_ipv4.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_wrr.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_rr.ko
/lib/modules/4.4.140-62-default/kernel/net/netfilter/ipvs/ip_vs_sh.ko

However, the check still makes incorrect and confusing warning message:

I1113 13:18:01.781297   14832 kernelcheck_linux.go:45] validating the kernel module IPVS required exists in machine or not
	[WARNING RequiredIPVSKernelModulesAvailable]: the IPVS proxier will not be used, because the following required kernel modules are not loaded: [ip_vs_rr ip_vs_wrr ip_vs_sh ip_vs] or no builtin kernel ipvs support: map[ip_vs:{} ip_vs_rr:{} ip_vs_wrr:{} ip_vs_sh:{} nf_conntrack_ipv4:{}]
you can solve this problem with following methods:
 1. Run 'modprobe -- ' to load missing kernel modules;
2. Provide the missing builtin kernel ipvs support

This is plain wrong: the IPVS proxier will not be used

That's wrong.
First, must be those file in you system. file list in command

find /lib/modules/$(uname -r) -name ip_vs.ko -o -name ip_vs_rr.ko -o -name ip_vs_wrr.ko -o -name ip_vs_sh.ko -o -name nf_conntrack_ipv4.ko

Secondary, loaded those file in system, like commad

modprobe -- <name>

Third, check loaded modules
https://github.com/kubernetes/kubernetes/blob/master/pkg/util/ipvs/kernelcheck_linux.go#L47-L64

Finally, If no kernel modules, check builtin modules
https://github.com/kubernetes/kubernetes/blob/master/pkg/util/ipvs/kernelcheck_linux.go#L67-L88

You missing the secondary step, that's true? So the third and finally step throw warning.

BTW, No need to load those modules automatically. https://github.com/kubernetes/kubernetes/pull/59566#issuecomment-390212614， you should load
Manually(step 2)
@bart0sh @kvaps If not mind, could you like ping me in Slack? we can discuss more detail

@stewart-yu
The problem is that modules can be installed on the machine but not listed on modules.builtin file. This PR removes warning in this case.

@stewart-yu

If not mind, could you like ping me in Slack? we can discuss more detail

sure. Which channel are you at? What's your nick? I couldn't find you there.

Secondary, loaded those file in system, like command

This is a main point of misunderstanding. You don't need to do any 'modprobe -- ' to be able to work with IPVS. Current implementation of RequiredIPVSKernelModulesAvailable check insist on that and this is confusing. That was the reason for this issue: kubernetes/kubeadm#975 and this PR.

@bart0sh @kvaps
Hi, actually I think this check is to check whether the required modules already loaded, not whether we can load those modules.
I know kube-proxy can execute modprobe ..., but when kube-proxy running inside container, then we need privilege to run this command, that is insecurity, and we are trying to revoke the privilege of kube-proxy container.
So we have this warning, to remind people manually load kernel module.

That's the information I got, Please consider, thanks.

@Lion-Wei It still looks confusing to me. Why to throw a warning that can be ignored in most of the cases and everything would work just fine?

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@bart0sh please close this PR as it seems the PR replaces it.
thanks.

@Lion-Wei

I know kube-proxy can execute modprobe ..., but when kube-proxy running inside container, then we need privilege to run this command, that is insecurity, and we are trying to revoke the privilege of kube-proxy container.

kube-proxy anyway executed in privileged mode as it need access to control host kernel IPVS and iptables rules.

@neolit123

please close this PR as it seems the PR replaces it.

Let's give @Lion-Wei and @stewart-yu another chance to accept it. I still think it's a correct fix and after @kad's comment I don't see any reason of not accepting it.

/assign @stewart-yu

@stewart-yu kindly ping for review&acceptance. Please consider last comment from @kad.

@bart0sh: PR needs rebase.

@bart0sh Can you please address the remaining comments and rebase this PR so we can continue reviewing?

@cmluciano

Can you please address the remaining comments and rebase this PR so we can continue reviewing?

Can you please review this pr instead?
I'm going to deprecate this if that one is approved.

@bart0sh Reviewed, please close this one out

@cmluciano

Reviewed, please close this one out

Will do after that one will be approved.

closed as #75036 has been merged