Upgrade Alpine Once it Upgrades to iptables-1.8.11 #1789

Open
aauren opened this issue Dec 26, 2024 · 1 comment
Labels
bug override-stale Don't allow automatic management of stale issues / PRs


@aauren
Collaborator

aauren commented Dec 26, 2024

What happened?

Since iptables was upgraded to 1.8.10 in Alpine 3.19 and later, kube-router has been stuck on Alpine 3.18. This is because iptables userspace 1.8.10 broke the --check or -C option that allows kube-router to check if a rule exists before it tries to re-insert it (for more details see: #1676 (comment)).

Since then we've been watching the upstream project and waiting to see if this gets fixed. As of now I've tested a manual compilation of the newly released (Nov 11, 2024) iptables-1.8.11 and it looks like this issue of iptables checking is no longer present.

Once iptables is upgraded to 1.8.11 in Alpine upstream, we should immediately upgrade so that we can get a newer Golang runtime and potentially fix some other issues that have recently arisen due to lack of compatibility between host userspace iptables tooling and container userspace iptables tooling like:

Alpine can be monitored here: https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/iptables/APKBUILD

How can we reproduce the behavior you experienced?

Steps to reproduce the behavior:

  1. Start kube-router as a container (not a host daemon) using an Alpine version that contains iptables-1.8.10 (Alpine 3.19 - Alpine 3.21)
  2. Let kube-router run for a while
  3. Exec into a kube-router pod
  4. Run the following command:

         iptables-save | grep "allow traffic to primary/secondary"

  5. If there is more than one instance of this rule in the output then it means that iptables is not working as expected

FYI @mrueg

@aauren aauren added bug override-stale Don't allow automatic management of stale issues / PRs labels Dec 26, 2024
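
The duplicate-rule check from the reproduction steps above, generalized to every rule in every table, as an added example that is not part of the original issue or of kube-router's code. The sample ruleset and the chain name EXAMPLE-INPUT are constructed for illustration.

```shell
#!/bin/sh
# Added example: find rules that were appended more than once, which is the
# symptom described in the issue when `iptables -C` stops working.

# dup_rules: read iptables-save output on stdin and print
# "<count> <table> <rule>" for each -A line seen more than once in a table.
# Leading [pkts:bytes] counters (iptables-save -c) are stripped first so
# differing counters do not hide otherwise identical rules.
dup_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }     # "*filter" opens a table
        /^(\[[0-9]+:[0-9]+\] )?-A / {
            rule = $0
            sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
            key = table SUBSEP rule
            if (!(key in seen)) order[++n] = key   # remember first-seen order
            seen[key]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (seen[order[i]] > 1) {
                    split(order[i], p, SUBSEP)
                    printf "%d %s %s\n", seen[order[i]], p[1], p[2]
                }
        }
    '
}

# Constructed sample ruleset, not captured from a real kube-router node.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:EXAMPLE-INPUT - [0:0]
-A INPUT -j EXAMPLE-INPUT
-A EXAMPLE-INPUT -d 10.0.0.5/32 -m comment --comment "allow traffic to primary/secondary" -j RETURN
-A EXAMPLE-INPUT -d 10.0.0.5/32 -m comment --comment "allow traffic to primary/secondary" -j RETURN
-A EXAMPLE-INPUT -d 10.0.0.5/32 -m comment --comment "allow traffic to primary/secondary" -j RETURN
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
COMMIT
EOF
}

# Inside the pod this would be: iptables-save | dup_rules
sample_ruleset | dup_rules
```

Empty output means no rule is duplicated; any line printed gives the number of copies, the table, and the rule text.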
@aauren
Collaborator Author

aauren commented Jan 11, 2025

I filed an issue upstream with Alpine to ask about the potential of an upgraded package for iptables: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16829
