iptables_filter module not loaded by default in k8s v1.28.8
Article ID: 408387
Updated On:
Products
Issue/Introduction
After upgrading to TKr v1.28.8---vmware.1-fips.1-tkg.2, the iptables_filter module is not loaded by default.
Instead this requires a manual change by loading iptables_filter module via 'sudo modprobe iptable_filter 1'.
This will help the appllication requiring this module to work but if it's node are restarted this manual change is not persistent and the issue will return.
TKr v1.28.7 and prior had the iptables_filter module.
Environment
TKr v1.28.8 +
Note - For the vSphere Kubernetes EOS announcements please go here and using Search Product Name search for 'vSphere Kubernetes release' for further details on EOS/versions.
Cause
As of TKr v1.28.8 + nftables are now being used and iptables_filter is not longer used.
Resolution
The solution here is to enable the Istio CNI plugin.
For this you will need to add the latest VKS Standard package this can be done with the 'vcf package repository add' command similar to how is being done here (only this example is using the 'tanzu package repository add' command. Also note that the latest VKS Standara package URL can be found here.
Following this, this guide can be used to install the Istio CNI plugin.
Please note that v1.28.8 is not longer a support TKr as of May 28th 2025 and v1.29.x is also no longer support as of Jul 28th 2025.
Feedback
