fix: ensure nf_conntrack module loaded for kubelite.

[aznashwan]

Summary

This patch ensures that the nf_conntrack kernel module is loaded before kubelite is started as the ProxyServer needs to read some conntrack module-related params from procfs.

Closes #4462

Changes

By explicitly loading nf_conntrack before starting kubelite, it should ensure the procfs values that the ProxyServer reads are always present on startup.

Previously, although the it would always crashed if the module wasn't loaded, this wasn't that common of an occurrence in practice as there are quite a few ways nf_conntrack gets loaded transparently:

• Cilium automatically loads iptable_nat after a small startup delay, whose dependency tree includes nf_conntrack
• starting firewalld/ufw/most other firewall services
• setting iptables/nftables rules which imply session tracking

Testing

I've written a trivial eBPF probe to monitor whenever a process loads a kernel module, and validated that:

1. after freshly booting the system (22.04 and 24.04 VMs on Proxmox KVM FWIW), nothing had/was automatically loading the nf_conntrack module
2. after installing the updated microk8s snap, the run-kubelite-with-args script would load it itself
3. there were no errors/warnings related to values exposed by the conntack module in the kubelite logs
4. ensured a simple test Deployment worked as expected

Possible Regressions

Only the minute risk that the nf_conntrack module (which is very widely distributed and used) might not be installed on the host system.

Checklist

• Read the contributions page.
• Submitted the CLA form, if you are a first time contributor.
• The introduced changes are covered by unit and/or integration tests. ***

*** it's technically implicitly covered since the LXD profile used for integration tests includes nf_nat, which depends on nf_conntrack and thus cause it to be loaded, but there is no "negative test" where we intentionally deny its loading.

[berkayoz]

LGTM

[bschimke95]

LGTM