From 612cfdceb16711f00c944bcd019cfeeda13c2ef7 Mon Sep 17 00:00:00 2001 From: Max Gautier Date: Tue, 28 Nov 2023 18:31:02 +0100 Subject: [PATCH] Check conntrack module presence instead of kernel version (#10662) * Try both conntrack modules instead of checking kernel version Depending on kernel distributor, the kernel version might not be a correct indicator of the conntrack module use. Instead, we check both (and use the first found). * Use modproble.persistent rather than manual persistence --- roles/kubernetes/node/defaults/main.yml | 7 ++++--- roles/kubernetes/node/tasks/main.yml | 24 ++++++------------------ 2 files changed, 10 insertions(+), 21 deletions(-) diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index fb9fdf329..b6642a066 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -249,6 +249,7 @@ kube_proxy_ipvs_modules: - ip_vs_wlc - ip_vs_lc -# Ensure IPVS required kernel module is picked based on Linux Kernel version -# in reference to: https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md#run-kube-proxy-in-ipvs-mode -conntrack_module: "{{ ansible_kernel is version_compare('4.19', '>=') | ternary('nf_conntrack', 'nf_conntrack_ipv4') }}" +# Kubespray will use the first module of this list which it can successfully modprobe +conntrack_modules: + - nf_conntrack + - nf_conntrack_ipv4 diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 6af9c776f..bb3d4238c 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml 
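Review bot: In roles/kubernetes/node/defaults/main.yml the old `conntrack_module` default is removed with no fallback, so an inventory that still sets it is silently ignored once the tasks read `conntrack_modules`. An operator who pinned the module deliberately gets no signal that the override stopped applying. The new comment could say so, for example `# Replaces the removed conntrack_module variable; overrides of the old name are ignored`. A preflight check that fails when `conntrack_module` is still defined would make the rename visible at run time.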
@@ -112,35 +112,23 @@ community.general.modprobe: name: "{{ item }}" state: present + persistent: present loop: "{{ kube_proxy_ipvs_modules }}" when: kube_proxy_mode == 'ipvs' tags: - kube-proxy -- name: "Modprobe {{ conntrack_module }}" +- name: Modprobe conntrack module community.general.modprobe: - name: "{{ conntrack_module }}" + name: "{{ item }}" state: present + persistent: present register: modprobe_conntrack_module ignore_errors: true # noqa ignore-errors + loop: "{{ conntrack_modules }}" when: - kube_proxy_mode == 'ipvs' - tags: - - kube-proxy - -- name: "Add {{ conntrack_module }} kube-proxy ipvs module list" - set_fact: - kube_proxy_ipvs_modules: "{{ kube_proxy_ipvs_modules + [conntrack_module] }}" - when: modprobe_conntrack_module is success - tags: - - kube-proxy - -- name: Persist ip_vs modules - copy: - dest: /etc/modules-load.d/kube_proxy-ipvs.conf - mode: 0644 - content: "{{ kube_proxy_ipvs_modules | join('\n') }}" - when: kube_proxy_mode == 'ipvs' + - "(modprobe_conntrack_module|default({'rc': 1})).rc != 0" # loop until first success tags: - kube-proxy
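Review bot: The rewritten conntrack task keeps `ignore_errors: true` while now looping and passing `persistent: present`, so every kind of failure is swallowed and nothing after the loop confirms that an entry of `conntrack_modules` actually loaded. That includes an unsupported-parameter error if the installed community.general predates the `persistent` option; the diffstat lists only these two files, so the minimum collection version should be confirmed. The removed `set_fact` only added the module to the persisted list when `modprobe_conntrack_module is success`; a follow-up `ansible.builtin.assert` or warning over `modprobe_conntrack_module.results` for the ipvs case would restore a visible signal. The loop guard reads `.rc` from the previous item's result, which presumably relies on the module returning `rc` on success as well as on failure, so a comment such as `# rc is taken from the previous loop item; stop after the first module that loads` would help. Existing nodes keep the old `/etc/modules-load.d/kube_proxy-ipvs.conf` now that its `copy` task is gone, so a cleanup step may be needed.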