v2.0.0-rc6

Summary

Adds a new controller for kube-router which allows it to do IP address allocation for load-balancer type services. Previously, one had to use something like MetalLB for this functionality, now kube-router is able to handle this itself. See load-balancer allocation docs for more information.

Contributions

Huge thanks to @whooo for contributing the load-balancer allocation code

Changelog

55efa33 - fix(NRC): prevent adding routes with mixed families <Aaron U'Ren>
7700915 - feat(bgp_policies.go): don't override-nexthop for internal peers <Aaron U'Ren>
c94ff7c - add loadbalancer address allocator <Erik Larsson>

v2.0.0-rc5

Summary

Updates dependencies and incorporates a bug fix from the mainline branch where advertisement annotations were not being evaluated correctly.

Changelog

• 099664a build(deps): bump github.com/aws/aws-sdk-go from 1.44.309 to 1.44.313 <dependabot[bot]>
• 9372d62 build(deps): bump github.com/osrg/gobgp/v3 from 3.16.0 to 3.17.0 <dependabot[bot]>
• c50bdfc build(deps): bump github.com/onsi/gomega from 1.27.7 to 1.27.10 <dependabot[bot]>
• 98479d8 build(deps): bump github.com/aws/aws-sdk-go from 1.44.308 to 1.44.309 <dependabot[bot]>
• 64784c4 build(deps): bump google.golang.org/grpc from 1.56.2 to 1.57.0 <dependabot[bot]>
• b900acb github: Add github-actions dependabot config <Manuel Rüger>
• fb37a64 build(deps): bump golang.org/x/net from 0.10.0 to 0.12.0 <dependabot[bot]>
• a42466a build(deps): bump google.golang.org/grpc from 1.56.1 to 1.56.2 <dependabot[bot]>
• 371a3a8 build(deps): bump github.com/osrg/gobgp/v3 from 3.14.0 to 3.16.0 <dependabot[bot]>
• 09940db build(deps): bump github.com/aws/aws-sdk-go from 1.44.273 to 1.44.308 <dependabot[bot]>
• 5d39fe0 build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
• 68e0fe5 build(deps): bump k8s.io/cri-api from 0.27.2 to 0.27.4 <dependabot[bot]>
• 1701f9c build(deps): bump github.com/stretchr/testify from 1.8.2 to 1.8.4 <dependabot[bot]>
• d5fcc78 build(deps): bump github.com/docker/docker <dependabot[bot]>
• 7a3a495 build(deps): bump google.golang.org/protobuf from 1.30.0 to 1.31.0 <dependabot[bot]>
• dd3b75a build(deps): bump github.com/docker/docker <dependabot[bot]>
• 5d71897 fix(NRC): withdraw advertised VIPs based on annotation <Aaron U'Ren>

v1.6.0

Summary

It has been a long time since we've done a minor release from the main stable development branch (May of 2022 if you can believe it). This release is less about features and more about bringing a bunch of dependency updates into a stable release.

Contributions

Special thanks to @juchem, @KSauter, & @tamihiro for their contributions on this release!

Changelog

Excludes bugfixes that were already present on the 1.5.X release line

• 5d71897 - fix(NRC): withdraw advertised VIPs based on annotation <Aaron U'Ren>
• 7db274e - feat(ci): specify GitHub actions cache <Aaron U'Ren>
• 10417cc - fact(Makefile): make spacing consistent <Aaron U'Ren>
• f3dc9b3 - feat(ci): use caching for build, test, lint <Aaron U'Ren>
• 168a2b4 - fix(ci): checkout before go setup <Aaron U'Ren>
• 39ff9f6 - build(deps): bump google.golang.org/grpc from 1.55.0 to 1.56.1 <dependabot[bot]>
• c22c6af - fix(ci.yml): remove deprecated goreleaser flag <Aaron U'Ren>
• 0b267b0 - feat(ci.yml): update github action versions <Aaron U'Ren>
• ca18201 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.266 to 1.44.273 <dependabot[bot]>
• 4013c00 - build(deps): bump github.com/containernetworking/plugins <dependabot[bot]>
• 4a5014d - build(deps): bump k8s.io/cri-api from 0.27.1 to 0.27.2 <dependabot[bot]>
• a026c8d - build(deps): bump google.golang.org/grpc from 1.54.0 to 1.55.0 <dependabot[bot]>
• 7559745 - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
• 44327b8 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.246 to 1.44.266 <dependabot[bot]>
• 438b1ed - build(deps): bump github.com/onsi/gomega from 1.27.6 to 1.27.7 <dependabot[bot]>
• bb82f55 - build(deps): bump k8s.io/klog/v2 from 2.80.1 to 2.100.1 <dependabot[bot]>
• cc70e7c - build(deps): bump github.com/docker/distribution <dependabot[bot]>
• 60e304f - build(deps): bump github.com/osrg/gobgp/v3 from 3.13.0 to 3.14.0 <dependabot[bot]>
• ef4a806 - go.mod: Bump dependencies <Manuel Rüger>
• 2b4087e - build(deps): bump github.com/docker/docker <dependabot[bot]>
• e1825ed - build(deps): bump golang.org/x/net from 0.5.0 to 0.7.0 <dependabot[bot]>
• ef77a2d - Fix lint <Manuel Rüger>
• 809f2fb - Update dependencies <Manuel Rüger>
• 4c751b0 - Register BGP sent metric <Kevin Sauter>
• 4c7ca8a - Add sent metric to vip bgp announcement. To distinguish between the different sent counters, the new "type" label can be used. <Kevin Sauter>
• 1d1ff05 - fix(NSC): add check for podCidr before use <Aaron U'Ren>
• 240cac2 - doc(ipv6): add additional information <Aaron U'Ren>
• 27f1d92 - doc(ipv6.md): incorporate review feedback <Aaron U'Ren>
• e446467 - feat(dual_stack_bug_report): add new issue template <Aaron U'Ren>
• e1b1a31 - doc(ipv6.md): update for increased dual-stack support <Aaron U'Ren>
• e2f0f18 - build(deps): bump github.com/vishvananda/netns from 0.0.2 to 0.0.3 <dependabot[bot]>
• 787e3b3 - build(deps): bump github.com/containernetworking/plugins <dependabot[bot]>
• 17a3df9 - build(deps): bump github.com/onsi/gomega from 1.24.1 to 1.25.0 <dependabot[bot]>
• 435f640 - build(deps): bump github.com/moby/ipvs from 1.0.2 to 1.1.0 <dependabot[bot]>
• 3007ada - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 5df539d - build(deps): bump golang.org/x/net from 0.4.0 to 0.5.0 <dependabot[bot]>
• c367cc2 - build(deps): bump github.com/osrg/gobgp/v3 from 3.9.0 to 3.10.0 <dependabot[bot]>
• 31dd271 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.157 to 1.44.171 <dependabot[bot]>
• bfdbfbc - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 47a1045 - build(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 <dependabot[bot]>
• 3e2af39 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.150 to 1.44.157 <dependabot[bot]>
• c37d96f - build(deps): bump google.golang.org/grpc from 1.50.1 to 1.51.0 <dependabot[bot]>
• 557794a - build(deps): bump github.com/osrg/gobgp/v3 from 3.7.0 to 3.9.0 <dependabot[bot]>
• faa52b8 - build(deps): bump golang.org/x/net from 0.2.0 to 0.4.0 <dependabot[bot]>
• 8d24611 - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
• c110f98 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.146 to 1.44.150 <dependabot[bot]>
• a06a6a8 - build(deps): bump github.com/onsi/gomega from 1.23.0 to 1.24.1 <dependabot[bot]>
• 31154f6 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.138 to 1.44.146 <dependabot[bot]>
• 7137ca3 - README.md: remove kube-router.io link <Aaron U'Ren>
• 9c23ede - build(deps): bump github.com/aws/aws-sdk-go from 1.44.124 to 1.44.138 <dependabot[bot]>
• c41ec7a - build(deps): bump github.com/onsi/gomega from 1.22.1 to 1.23.0 <dependabot[bot]>
• 8873765 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• a7a462b - build(deps): bump github.com/aws/aws-sdk-go from 1.44.116 to 1.44.124 <dependabot[bot]>
• f102bc5 - .github: Fix name of the RC step <Manuel Rüger>
• e5336c8 - .github: Allow tagging RCs without updating :latest <Manuel Rüger>
• a5e6ed0 - .github: Update github actions <Manuel Rüger>
• 0813b76 - feat(Makefile): make local builds behave like CI <Aaron U'Ren>
• efd1001 - fix invalid MTU in CNI config file <Tamihiro Lee>
• 24f8734 - doc(user-guide.md): add info for netfilter tooling <Aaron U'Ren>
• 5e2e225 - build(deps): bump github.com/onsi/gomega from 1.20.2 to 1.22.1 <dependabot[bot]>
• b45c2cc - build(deps): bump github.com/osrg/gobgp/v3 from 3.5.0 to 3.7.0 <dependabot[bot]>
• ba5561e - Update go dependencies <Manuel Rüger>
• 2d82195 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.89 to 1.44.109 <dependabot[bot]>
• cbea4bb - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 31b029a - build(deps): bump k8s.io/klog/v2 from 2.70.1 to 2.80.1 <dependabot[bot]>
• 35c7aa3 - build(deps): bump github.com/onsi/gomega from 1.20.0 to 1.20.2 <dependabot[bot]>
• 71a61f3 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.70 to 1.44.89 <dependabot[bot]>
• df329c2 - build(deps): bump google.golang.org/grpc from 1.48.0 to 1.49.0 <dependabot[bot]>
• 39116b7 - logging ipset/iptables commands <Marcelo Juchem>
• 9eccc04 - build(deps): bump k8s.io/cri-api from 0.24.3 to 0.24.4 <dependabot[bot]>
• 951f801 - build(deps): bump k8s.io/client-go from 0.24.3 to 0.24.4 <dependabot[bot]>
• 7b55e9c - build(deps): bump github.com/osrg/gobgp/v3 from 3.2.0 to 3.5.0 <dependabot[bot]>
• 818fba2 - build(deps): bump github.com/prometheus/client_golang <dependabot[bot]>
• 32f6b1e - build(deps): bump github.com/aws/aws-sdk-go from 1.44.66 to 1.44.70 <dependabot[bot]>
• 48fe83d - build(deps): bump github.com/containernetworking/cni from 1.1.1 to 1.1.2 <dependabot[bot]>
• e1134d4 - build(deps): bump github.com/onsi/gomega from 1.19.0 to 1.20.0 <dependabot[bot]>
• 118270f - build(deps): bump google.golang.org/protobuf from 1.28.0 to 1.28.1 <dependabot[bot]>
• 6aa7edf - build(deps): bump github.com/aws/aws-sdk-go from 1.44.56 to 1.44.66 <dependabot[bot]>
• 836b49e - build(deps): bump k8s.io/cri-api from 0.24.2 to 0.24.3 <dependabot[bot]>
• a5dc081 - build(deps): bump k8s.io/client-go from 0.24.2 to 0.24.3 <dependabot[bot]>
• a111738 - build(deps): bump google.golang.org/grpc from 1.47.0 to 1.48.0 <dependabot[bot]>
• aa57b83 - build(deps): bump k8s.io/klog/v2 from 2.70.0 to 2.70.1 <dependabot[bot]>
• c9c3e8d - build(deps): bump github.com/aws/aws-sdk-go from 1.44.46 to 1.44.56 <dependabot[bot]>
• 0c366c1 - build(deps): bump github.com/stretchr/testify from 1.7.4 to 1.8.0 <dependabot[bot]>
• 2ab1462 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.38 to 1.44.46 <dependabot[bot]>
• f452e77 - build(deps): bump k8s.io/klog/v2 from 2.60.1 to 2.70.0 <dependabot[bot]>
• c93178d - build(deps): bump github.com/stretchr/testify from 1.7.1 to 1.7.4 <dependabot[bot]>
• 5d74933 - build(deps): bump k8s.io/client-go from 0.24.1 to 0.24.2 <dependabot[bot]>
• 378c8e6 - build(deps): bump k8s.io/cri-api from 0.24.1 to 0.24.2 <dependabot[bot]>
• e0b3728 - build(deps): bump github.com/docker/docker <dependabot[bot]>
• 5ac6f32 - build(deps): bump google.golang.org/protobuf from 1.27.1 to 1.28.0 <dependabot[bot]>
• 1f3ece8 - build(deps): bump github.com/aws/aws-sdk-go from 1.44.27 to 1.44.38 <dependabot[bot]>
• 88266bc - fix(gobgp): update binary in container image to v3.2.0 <Aaron U'Ren>
• 2c5bb4c - feat(gobgp): update to v3.2.0 <Aaron U'Ren>
• e370cb0 - gobgp: update to 3.X <Aaron U'Ren>
• 94158b9 - build(deps): bump google.golang.org/grpc from 1.46.2 to 1.47.0 <dependabot[bot]>
• 15e166c - build(deps): bump github.com/aws/aws-sdk-go from 1.44.24 to 1.44.27 <dependabot[bot]>
• a75a1fd - build(deps): bump github.com/containernetworking/cni from 1.1.0 to 1.1.1 <dependabot[bot]>
• 0b4d1e0 - build(deps): bump github.com/moby/ipvs from 1.0.1 to 1.0.2 <dependabot[bot]>
• be84ceb - .github/workflows/codeql-analysis.yml: Update to v2 <Manuel Rüger>

v2.0.0-rc4

Summary

This release updates dependencies (including a switch to using Go 1.20 and Alpine 3.18), addresses some problems with IPv6 ipsets when port names are used, and adds FoU tunneling for environments that cannot support IPIP tunnels directly (cough Azure cough).

For more information on enabling FoU tunneling and any caveats on doing so, please see: https://github.com/cloudnativelabs/kube-router/blob/prep-v2.0/docs/tunnels.md

Contributions

Special thanks to @whooo, @BoleynSu, & @k-raval for their contributions to this release!

Changelog

• cbdcf31 - Use alpine linux 3.18 for docker image <Erik Larsson>
• 22b4718 - doc(tunnels.md): add info about changing live clusters <Aaron U'Ren>
• 1863d54 - doc(tunnel): add information about tunnels <Aaron U'Ren>
• b14d930 - fix(FoU): make more robust <Aaron U'Ren>
• 97a6a8f - fix(FoU): add docs, sanity checking, and logic reduction <Aaron U'Ren>
• 55dc26b - Adding FoU encapsulation over IPIP tunnel : added checks for restart and multi-node cases <Kartik Raval>
• af708b4 - Support for FoU encapsulation for IPIP tunnel <Kartik Raval>
• e3d6bcc - fix(NPC): update IPBlocks to be ipFamily specific <Aaron U'Ren>
• 0bcd9a4 - netpol: Fix ipset only containing one IP when port name is used. <Boleyn Su>

v1.5.4

While this is technically a bug fix release as it is fixing a bug with a long deprecated API, it does have the potential to break clients that are running with DSR configurations on unmaintained versions of cri-o or containerd.

The runtime/v1 release is only compatible with >=cri-o v1.21.0 and >=containerd v1.6.0. If you don't use DSR, or use the docker-shim, this change won't affect you.

On the converse side of things, this release is needed if you are using >=cri-o v1.26.0 or >=containerd v1.7.0 otherwise DSR will break because the runtime/v1alpha2 support was removed in those versions.

If you are between those two releases for your given container runtime, then both v1.5.3 and v1.5.4 will work for you.

Changelog

• f350859 - fix(dsr): CRI runtime/v1alpha2 -> runtime/v1 <Aaron U'Ren>

v2.0.0-rc3

Summary

Addresses more of the bugs that were introduced with the initial IPv6 work. Specifically this addresses issues found with the routing functionality where BGP policies weren't updated under some circumstances and also some cases where VIPs weren't being withdrawn.

Noteably the service controller (--run-service-proxy) functionality is still missing (#1432).

Please test and let us know if you find any issues so that we can fix them up before cutting a 2.0.0 proper release.

Contributions

Special thanks to @rwagoner for testing and reporting bugs.

Changelog

• a861f84 - fix(bgp_policy): allow for statement add / remove <Aaron U'Ren>
• 4558820 - fix(ecmp_vip): update VIPs based on svc change <Aaron U'Ren>
• 4365f61 - fix(bgp_policies.go): return -> continue on family set evaluation <Aaron U'Ren>

v2.0.0-rc2

Summary

Addresses some of the bugs that were introduced with the initial IPv6 work.

Noteably the service controller (--run-service-proxy) functionality is still missing (#1432).

Please test and let us know if you find any issues so that we can fix them up before cutting a 2.0.0 proper release.

Contributions

Special thanks to @whooo for contributing fixes and @rwagoner for testing and reporting bugs.

Changelog

• 7bd940e - use JoinHostPort for GRPC listen address <Erik Larsson>
• 39bd27f - add generation of router id based on hash of primary IP <Erik Larsson>
• 9a9c61a - fix(ecmp_vip.go): ClusterIP -> ClusterIPs <Aaron U'Ren>
• 6f3405e - feat(bgp_policies_test.go): use different IP ranges <Aaron U'Ren>
• ea68a39 - fix(bgp_policies.go): don't get BGP peers twice <Aaron U'Ren>

v2.0.0-rc1

Summary

This is a pre-release or release candidate for the upcoming v2.0.0 release of kube-router. The most prominent feature of this release is the addition of dual-stack support for some parts of kube-router. With this release candidate, the following functions have been upgraded to be dual-stack compatible:

• CNI Supports Dual-Stack
• Router / BGP Supports Dual-Stack
• Network Policies Supports Dual-Stack

The major outlier here being the Proxy (--run-service-proxy) portion of kube-router has not had dual-stack support integrated yet. Also, this represents a major refactor on the kube-router code base, so it would be good to get this tested in at least a few different environments before forming a full release.

You'll also notice that this has been tagged as a major release version. This is due to the fact that there are breaking changes in this version of kube-router that are not backwards compatible with previous versions of kube-router. Specifically, tunnel names have changed, so if you run kube-router with an overlay network (ipip tunnels), you'll want to deploy this update carefully. At this point, the project recommends doing a rolling-reboot of nodes after the application of this release candidate to ensure that unused tunnels are properly cleaned up and don't have a negative impact on traffic flows.

More details about this release will be shared in the IPv6 / Dual-Stack documentation page shortly: https://github.com/cloudnativelabs/kube-router/blob/master/docs/ipv6.md

Contributions

The kube-router project would like to give a big thanks to @vadorovsky and @thomasferrandiz who graciously contributed all of the dual-stack functionality for the Network Policy Controller!

Changelog

• a9b8adf - fix(NPC): add warning for unsupported family <Aaron U'Ren>
• 74a0803 - fix(NPC): don't add chains for missing family <Aaron U'Ren>
• abcefb4 - doc(bgp.md): clean up grammar and syntax <Aaron U'Ren>
• f4668fd - fix(NPC/pod): check drop policy on ipv4 & ipv6 <Aaron U'Ren>
• 6bd6d94 - fix(bgp_policies): add empty DS set checking <Aaron U'Ren>
• ae15ebb - fact(bgp_policies): rename clusterIPPrefixSet -> serviceVIPIPPrefixSet <Aaron U'Ren>
• ed29baa - fact(bgp_policies): abstract get DS for GoBGP <Aaron U'Ren>
• 6a1bab2 - fix(ecmp_vip): handle ipv4 & ipv6 protocols <Aaron U'Ren>
• 437da14 - test(bgp_policies_test): add local address <Aaron U'Ren>
• 3129bf2 - fix(node): do nil checking on FindBestIP util funcs <Aaron U'Ren>
• 8183b18 - fix(NRC): ensure local addr IP is bindable early <Aaron U'Ren>
• bd0d00f - fix(bgp_peers): adv. AfiSafi based on capabability <Aaron U'Ren>
• b714bba - fix(bgp_peers): do peer only if IP protos match <Aaron U'Ren>
• 230aa58 - fix(NRC): error when nec. host IP not found <Aaron U'Ren>
• dd7c47e - fix(NRC): add IPv6 logic to bgp-local-addresses <Aaron U'Ren>
• 70b3f30 - feat(ci): run CI on version prep branches and MRs <Aaron U'Ren>
• e4e1088 - fix(options): make clusterIP specification similar to other options <Aaron U'Ren>
• 93d6169 - fix(NPC): actually separate chain indices for ipv4 / ipv6 <Aaron U'Ren>
• ef72d90 - fact(NPC): pluralize newIPTablesHandler <Aaron U'Ren>
• 5fb874f - feat(NRC): make NRC dual stack <Aaron U'Ren>
• 35b3f37 - fact(NRC): convert BGP set names to const <Aaron U'Ren>
• d27f2fe - feat(pod_cidr): handle multiple pod CIDRs <Aaron U'Ren>
• 51d7db8 - fix(kube-router.go): metric message -> not error <Aaron U'Ren>
• eb4e6f9 - fix(NPC): separate chain indices for ipv4 / ipv6 <Aaron U'Ren>
• d128b17 - fix(node.go): make node address errors more helpful <Aaron U'Ren>
• 06c39d6 - fix golangci issues <Thomas Ferrandiz>
• bdc0600 - fix test compilation error <Thomas Ferrandiz>
• 9e8ee3a - go mod <Thomas Ferrandiz>
• 59a4fa1 - use createGenericHashIPSet <Thomas Ferrandiz>
• b1181f1 - rename utilsnet import to netutils <Thomas Ferrandiz>
• cba00b2 - syncPodFirewallChains: loop on all NodeIp to find the pods running on a given Node - Load PodIp in podInfo struct and use it instead of pod.ips[0].IP <Thomas Ferrandiz>
• 3958095 - refactor whitelisting of cluster IP Range <Thomas Ferrandiz>
• 1433bee - Validate that ClusterIP service range type matches the configuration and update documentation <Thomas Ferrandiz>
• 9aa7bcd - godoc update <Thomas Ferrandiz>
• 344b3cd - remove redundant default value <Thomas Ferrandiz>
• 318a29c - rename Adresses <Thomas Ferrandiz>
• a7e5803 - Turn IPTablesSaveRestore into an interface <Thomas Ferrandiz>
• 033444b - init iptablesCmdHandlers and ipSetHandlers inside NewNetworkPolicyController <Thomas Ferrandiz>
• a38c97c - disable ipv6 by default <Thomas Ferrandiz>
• 1bc0435 - netpol: Add dual-stack support <Michal Rostecki>

v1.5.3

Special thanks to Richard Kojedzinszky @rkojedzinszky for contributing to this release!

Changelog

• e6fd1b2 - Support for kube-router.io/peer.localips annotation (#1392) (5 days ago) <@rkojedzinszky>

The above fixes an issues that were generated during the 1.5.X release line where we defaulted the peering address on the kube-router side to the Kubernetes node's primary IP. This secured and simplified the peering interface for most users, but caused issues for some users that wanted to have more control over the peering address from their Kubernetes nodes. User's in this situation can now use the kube-router.io/peer.localips annotation to define the local IP address that they would like to use for each peer.

v1.5.2

Special thanks to @makhov and @jnummelin for contributing to this release!

Changelog

• fe3e8b0 - Bump to go 1.19 / alpine 3.16 <@mrueg>
• 8574163 - iptables mode selection fixed. iptables-wrapper script updated to the latest upstream version <@makhov>

The primary reason for this bug fix was to update Alpine to 3.16 so that we got a more recent version of the iptables user-space binaries in the kube-router container (iptables-1.8.8). This helps address the issues found by @jnummelin in #1370 where iptables mark attributes can be lost when the host's user-space version of iptables is greater than the kube-router container's version.

As per the newly updated docs: https://github.com/cloudnativelabs/kube-router/blob/master/docs/user-guide.md#requirements it is recommended that users who:

• use kube-router as a container deployment AND...
• operate iptables from the host's user-space tooling AND...
• utilize the network policy feature-set of kube-router (--run-firewall)

Keep the host's user-space tooling (e.g. iptables, ipset, ipvsadm, etc.) in sync with the version contained in kube-router's container as much as possible to avoid potential problems with firewall rule data loss.

This will hold true, until there is some resolve to the upstream issue (https://bugzilla.netfilter.org/show_bug.cgi?id=1632) which would help us identify when there might be potential for conflict or loss in the future before writing rules.