The official docs say:
FELIX_IPTABLESBACKEND This parameter controls which variant of iptables binary Felix uses. Set this to Auto for auto detection of the backend. If a specific backend is needed then use NFT for hosts using a netfilter backend or Legacy for others. [Default: Auto] Legacy, NFT, Auto
On Red Hat 8.x, setting this to Auto for auto-detection of the backend does not work: Auto detects Legacy instead of NFT.
Update the calico-node DaemonSet container command to:
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: calico-node
    spec:
      containers:
      # The script below comments out the bird6 lines in /etc/rc.local, then
      # prepends an export of FELIX_IPTABLESBACKEND: NFT when the nf_tables
      # kernel module is loaded, Auto otherwise. It then runs start_runit.
      - args:
        - |-
          sed -i '/bird6/ s/^/# /' /etc/rc.local
          if grep -qE '^nf_tables' /proc/modules ; then sed -i '1i export FELIX_IPTABLESBACKEND=NFT' /etc/rc.local; else sed -i '1i export FELIX_IPTABLESBACKEND=Auto' /etc/rc.local; fi
          start_runit
        command:
        - /bin/sh
        - -c
        env:
        ...
        ...
Verify:
$ kubectl logs -n kube-system calico-node-bj4nd -c calico-node | grep iptablesbackend
2023-07-30 03:01:52.069 [INFO][15] tunnel-ip-allocator/env_var_loader.go 40: Found felix environment variable: "iptablesbackend"="NFT"
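To check a node without reading the log by eye, the script below compares the backend calico-node reports with the one the nf_tables test above would select. It is an added example, not part of the original post or of Calico; the function names are hypothetical and the sample /proc/modules line is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# expected_backend FILE: FILE is in /proc/modules format. Uses the same
# nf_tables test as the DaemonSet args: NFT if the module is loaded, else Auto.
expected_backend() {
    if grep -qE '^nf_tables' "$1"; then echo NFT; else echo Auto; fi
}

# reported_backend: reads calico-node log text on stdin and prints the last
# value logged for "iptablesbackend" (prints nothing if no such line exists).
reported_backend() {
    sed -n 's/.*Found felix environment variable: "iptablesbackend"="\([^"]*\)".*/\1/p' |
        tail -n 1
}

# check_backend MODULES_FILE LOG_FILE
# Returns 0 on match, 1 on mismatch, 2 when the log has no backend line.
check_backend() {
    want=$(expected_backend "$1")
    got=$(reported_backend < "$2")
    if [ -z "$got" ]; then
        echo "UNKNOWN expected=$want"
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "OK backend=$got"
        return 0
    fi
    echo "MISMATCH expected=$want reported=$got"
    return 1
}

# Demo on constructed sample data; the log line is the one shown in the post.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'nf_tables 169472 235 nft_compat,nft_ct, Live 0x0000000000000000' > "$d/modules"
    printf '%s\n' '2023-07-30 03:01:52.069 [INFO][15] tunnel-ip-allocator/env_var_loader.go 40: Found felix environment variable: "iptablesbackend"="NFT"' > "$d/log"
    check_backend "$d/modules" "$d/log" || true
    rm -rf "$d"
}
demo
```

On a real node, pass /proc/modules and a file holding the calico-node container log of the pod running on that node.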
That's all.
Reference: https://github.com/projectcalico/calico/issues/7393