I am trying to set up a basic single-tier architecture to access an Apache container through a VPX (not CPX). I can install both the citrix-k8s-node-controller and the citrix-k8s-ingress-controller with mostly no issues. I see all the objects being created on both the nodes and VPX. Ultimately the nodes in the service group keep flipping up and down as the TCP monitor check fails. I do see that the kube-cnc-router pods on every node fail to run the iptables command at the end, while everything before that seems fine.
[user@k8s-master temp]$ kubectl logs kube-cnc-router-k8s-node01
CNI Name is calico
ip link delete cncvxlanc21f9
Host Interface enX1
CNI Interface tunl0
ip link add cncvxlanc21f9 type vxlan id 179 dev enX1 dstport 8472
ip link set up dev cncvxlanc21f9
ip addr add 172.18.3.1/24 dev cncvxlanc21f9
InterfaceMac 6e:4a:f2:ae:3a:c8
VTEP Address 172.18.3.1
Host IP Address 10.112.0.71
CNI IP Address 10.115.115.0
CNI IP Prefix /26
CNI Addr 10.115.115.0/26
bridge fdb add 00:00:00:00:00:00 dev cncvxlanc21f9 dst 172.18.3.254
iptables v1.6.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables -I INPUT 1 -p udp --dport 8472 -j ACCEPT
The iptables version info from the nodes:
[user@k8s-node01 ~]$ iptables --version
iptables v1.8.10 (nf_tables)
Is this a legacy iptables vs nf_tables issue? The nodes are CentOS 9 Stream using kubernetes and cri-o versions 1.29.2. Calico is installed.
Pings from the NS VPX to a worker node also fail.
root@ns# ping -S 172.18.3.254 172.18.3.1
PING 172.18.3.1 (172.18.3.1) from 172.18.3.254: 56 data bytes
^C
--- 172.18.3.1 ping statistics ---
10 packets transmitted, 0 packets received, 100.0% packet loss
All the commands to test on the NS seem to return the correct info. Same for checking the worker nodes, except for finding the iptables rule.
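A way to check the backend question raised above, as an added example that is not part of the original post or the Citrix controllers' code: it classifies the two `iptables --version` strings from the logs, tests whether the legacy `filter` table is registered in the kernel, and looks for the UDP 8472 accept rule in `iptables-save` style output. The function names are hypothetical; it assumes iptables 1.8+ prints a `(nf_tables)` or `(legacy)` suffix while older builds print none and only use the legacy interface.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.

# Classify an `iptables --version` line by the kernel interface it drives.
# 1.8+ prints "(nf_tables)" or "(legacy)"; older builds print no suffix
# and can only use the legacy ip_tables interface.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Succeeds when the two binaries talk to different backends.
backend_mismatch() {
    [ "$(iptables_backend "$1")" != "$(iptables_backend "$2")" ]
}

# Succeeds when legacy table $1 is registered in the kernel.
# $2 is normally /proc/net/ip_tables_names (a parameter so it can be tested).
legacy_table_loaded() {
    [ -r "$2" ] && grep -qx "$1" "$2"
}

# Succeeds when iptables-save style text on stdin accepts UDP port $1 in INPUT.
has_udp_accept() {
    grep -Eq -- "^-A INPUT .*-p udp .*--dport $1 .*-j ACCEPT"
}

CONTAINER_VER='iptables v1.6.1'            # from the kube-cnc-router log
HOST_VER='iptables v1.8.10 (nf_tables)'    # from the worker node

if backend_mismatch "$CONTAINER_VER" "$HOST_VER"; then
    echo "backend mismatch: pod=$(iptables_backend "$CONTAINER_VER")" \
         "node=$(iptables_backend "$HOST_VER")"
fi
if legacy_table_loaded filter /proc/net/ip_tables_names; then
    echo "legacy filter table is registered"
else
    echo "legacy filter table is not registered on this host"
fi
```

On a worker node, `iptables-save | has_udp_accept 8472` reports whether the VXLAN port rule exists in the ruleset the node's own iptables binary manages.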