From 7fa4c28b1bc8229b54a4c9a85eac3f8ea3ec276c Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Thu, 30 Nov 2017 19:44:33 -0500
Subject: [PATCH] Ensure iptables forwarding is enabled

Docker 1.13 changed how it set up iptables in a way that broke forwarding. We previously got away with it because we set the ip_forward sysctl, which meant that docker wouldn't change the rule. But if we're using an image that preinstalled docker, docker might have already reconfigured iptables before we run, and we didn't set it back. We now set it back.

https://github.com/kubernetes/kubernetes/issues/40182
---
 nodeup/pkg/model/firewall.go | 11 ++++-------
 nodeup/pkg/model/sysctls.go | 11 ++++-------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/nodeup/pkg/model/firewall.go b/nodeup/pkg/model/firewall.go
index b5421b596bba9..2041d9ea61e5f 100644
--- a/nodeup/pkg/model/firewall.go
+++ b/nodeup/pkg/model/firewall.go
@@ -17,12 +17,10 @@ limitations under the License.
 package model
 import (
- "k8s.io/kops/nodeup/pkg/distros"
+ "github.com/golang/glog"
 "k8s.io/kops/pkg/systemd"
 "k8s.io/kops/upup/pkg/fi"
 "k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
-
- "github.com/golang/glog"
 )
 // FirewallBuilder configures the firewall (iptables)
@@ -34,10 +32,9 @@ var _ fi.ModelBuilder = &FirewallBuilder{}
 // Build is responsible for generating any node firewall rules
 func (b *FirewallBuilder) Build(c *fi.ModelBuilderContext) error {
- if b.Distribution == distros.DistributionContainerOS {
- c.AddTask(b.buildFirewallScript())
- c.AddTask(b.buildSystemdService())
- }
+ // We need forwarding enabled (https://github.com/kubernetes/kubernetes/issues/40182)
+ c.AddTask(b.buildFirewallScript())
+ c.AddTask(b.buildSystemdService())
 return nil
 }
diff --git a/nodeup/pkg/model/sysctls.go b/nodeup/pkg/model/sysctls.go
index bbae575c90263..5e199dda7cc34 100644
--- a/nodeup/pkg/model/sysctls.go
+++ b/nodeup/pkg/model/sysctls.go
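Review bot: The `// We need forwarding enabled` comment above the now-unconditional `c.AddTask` calls in Build does not say why the ContainerOS guard was dropped, and the next reader is likely to put it back; the commit message has the reason, so it belongs in the code: `// Install the forwarding fix-up on every distro, not just ContainerOS: on an image with docker preinstalled, docker may already have reset the FORWARD chain before nodeup runs (kubernetes/kubernetes#40182).` The bodies of buildFirewallScript and buildSystemdService are outside this hunk, so I cannot see which rule they install; if they accept all forwarded traffic rather than scoping to the pod/cluster CIDR, that is broader than this fix needs, and the same comment should say so. Note also that the systemd unit installed here now runs on distros where another firewall manager may own the FORWARD chain, which the old ContainerOS-only guard avoided; worth a sentence in the comment if that was considered.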
@@ -115,13 +115,10 @@ func (b *SysctlBuilder) Build(c *fi.ModelBuilderContext) error {
 "")
 }
- if b.Cluster.Spec.CloudProvider == string(kops.CloudProviderGCE) { sysctls = append(sysctls,
- "# GCE settings",
- "",
- "net.ipv4.ip_forward=1",
- "")
- }
+ sysctls = append(sysctls,
+ "# Prevent docker from changing iptables: https://github.com/kubernetes/kubernetes/issues/40182",
+ "net.ipv4.ip_forward=1",
+ "")
 t := &nodetasks.File{
 Path: "/etc/sysctl.d/99-k8s-general.conf",
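Review bot: The new `# Prevent docker from changing iptables` line in the generated sysctl file states the effect but not the mechanism, and a setting in `/etc/sysctl.d/99-k8s-general.conf` only takes effect at boot or when `sysctl --system` is run, which nothing in this hunk shows the nodetasks.File task doing. Consider `# Docker 1.13+ flips the FORWARD chain policy when it enables ip_forward itself; with ip_forward already 1 it leaves the rule alone (kubernetes/kubernetes#40182). Kubernetes needs forwarding on every node, not only GCE, so this is no longer GCE-specific.` In the preinstalled-docker case the commit message describes, docker has already started before this file is written, so the sysctl alone does not repair the FORWARD chain on the current boot; that relies on the firewall task in the other file, and the dependency deserves a mention here. SysctlBuilder.Build starts and ends outside this hunk.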