Fixing kube-proxy nftables Sync Failures with nft 1.1.3
What's the problem?
Resolve kube-proxy crashes and synchronization errors on systems using nftables 1.1.3 by upgrading knftables and optimizing the proxier's discovery logic.
Why does this happen?
The regression occurs because older knftables versions perform unscoped, high-overhead list calls that fail when they encounter object structures emitted by nft 1.1.3 that the parser does not understand. Because those calls could not be scoped to the table kube-proxy manages, every sync parsed the whole ruleset (including objects owned by other nftables users), which drove up memory usage and produced the parsing failures seen during state synchronization.
Code Example

    // Updated proxier logic in pkg/proxy/nftables/proxier.go
    // Replace the legacy multi-pass List() calls with a single ListAll() call
    package nftables

    import (
    	"context"

    	"k8s.io/klog/v2"
    )

    func (proxier *Proxier) sync(ctx context.Context) {
    	// Previous: proxier.nftables.List("chains") ... proxier.nftables.List("sets")
    	// Optimized approach: one query, scoped to the managed table, run with --terse
    	data, err := proxier.nftables.ListAll(ctx)
    	if err != nil {
    		klog.ErrorS(err, "Failed to list nftables objects")
    		return
    	}
    	// Single pass mapping of chains and sets into local state
    	proxier.updateLocalState(data)
    }

How to fix it
To resolve this, update your Kubernetes environment to use knftables v0.0.21 or higher. This update migrates the proxier to the ListAll() method, which executes a single, scoped query targeting only the managed table. The query passes the --terse flag to prevent memory bloat, and isolating discovery to that table avoids interference from third-party nftables processes.
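As an added check, not from the page or the kube-proxy project, the following POSIX shell script decides whether a host and build are exposed to this failure: nft 1.1.3 or newer paired with a knftables module older than v0.0.21. It assumes the output format of nft --version ("nftables vX.Y.Z ...") and a go.mod line for the sigs.k8s.io/knftables module; the sample inputs below are constructed.

```shell
#!/bin/sh
# Return 0 when dotted numeric version $1 >= $2 (up to three components).
ver_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i"); y=$(printf '%s' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Extract "1.1.3" from a line such as "nftables v1.1.3 (...)" (assumed nft --version format).
nft_version() { printf '%s' "$1" | sed -n 's/^nftables v\([0-9.]*\).*/\1/p'; }

# Extract "0.0.20" from a go.mod line such as "sigs.k8s.io/knftables v0.0.20" (assumed module path).
knftables_version() { printf '%s' "$1" | sed -n 's/.*knftables v\([0-9.]*\).*/\1/p'; }

# Print "exposed" when nft >= 1.1.3 and knftables < 0.0.21, otherwise "ok".
check_exposure() {
  n=$(nft_version "$1"); k=$(knftables_version "$2")
  if ver_ge "$n" "1.1.3" && ! ver_ge "$k" "0.0.21"; then echo exposed; else echo ok; fi
}

# Constructed sample inputs; on a real host use "$(nft --version)" and the line from go.mod.
check_exposure 'nftables v1.1.3 (constructed sample)' 'sigs.k8s.io/knftables v0.0.20'
```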