From 86d51471b4ca3f38520c4ab1cac7fd63532c26a0 Mon Sep 17 00:00:00 2001 From: Kelsey Hightower Date: Mon, 7 Apr 2025 17:46:00 -0700 Subject: [PATCH] bridge CNI networking works with iptables --- docs/09-bootstrapping-kubernetes-workers.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/09-bootstrapping-kubernetes-workers.md b/docs/09-bootstrapping-kubernetes-workers.md index 5cab730..2ea12f7 100644 --- a/docs/09-bootstrapping-kubernetes-workers.md +++ b/docs/09-bootstrapping-kubernetes-workers.md @@ -114,6 +114,25 @@ Create the `bridge` network configuration file: mv 10-bridge.conf 99-loopback.conf /etc/cni/net.d/ ``` +To ensure network traffic crossing the CNI `bridge` network is processed by `iptables`, load and configure the `br-netfilter` kernel module: + +```bash +{ + modprobe br-netfilter + echo "br-netfilter" >> /etc/modules-load.d/modules.conf +} +``` + +```bash +{ + echo "net.bridge.bridge-nf-call-iptables = 1" \ + >> /etc/sysctl.d/kubernetes.conf + echo "net.bridge.bridge-nf-call-ip6tables = 1" \ + >> /etc/sysctl.d/kubernetes.conf + sysctl -p /etc/sysctl.d/kubernetes.conf +} +``` + ### Configure containerd Install the `containerd` configuration files:
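Review bot: the `echo ... >>` appends in this hunk are not idempotent: rerunning the step duplicates the `br-netfilter` line in `/etc/modules-load.d/modules.conf` and both `net.bridge.*` keys in `/etc/sysctl.d/kubernetes.conf`. The surrounding tutorial installs whole files (`mv 10-bridge.conf 99-loopback.conf /etc/cni/net.d/`), so writing each file in one go would match that convention, e.g. `cat <<EOF > /etc/sysctl.d/kubernetes.conf` with the two keys inside. The second block also silently depends on the first: `net.bridge.bridge-nf-call-iptables` and `net.bridge.bridge-nf-call-ip6tables` only exist once `br_netfilter` is loaded, so `sysctl -p` fails if the blocks are run out of order or the module did not load; either say so in the prose or merge the two blocks into one. Minor: the kernel module's canonical name is `br_netfilter` (what `lsmod` reports); `modprobe` and `systemd-modules-load` accept the hyphenated spelling, but using the underscore form consistently avoids confusion when verifying the step.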