mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-07-17 11:28:58 +00:00
The ci-kubernetes-local-e2e job has been flaky (~40-45% success rate)
with intermittent DNS/service connectivity failures. The root cause is
that bridge CNI requires br_netfilter and bridge-nf-call-iptables
kernel settings, which don't work reliably in docker-in-docker.
This switches to ptp (point-to-point) CNI, which creates direct veth
pairs between pods and host namespace. No bridge means no br_netfilter
dependency. This is the same approach KIND uses and it works reliably.
Changes:
- Replace bridge CNI with ptp CNI plugin
- Configure kernel network parameters for DIND (route_localnet,
arp_ignore, ip_forward) required for ptp and iptables-based kube-proxy
- Remove CoreDNS pod delete/restart workaround from 1168b11875 that was
masking the underlying networking issues (no longer needed)
- Add CoreDNS log capture during cleanup for debugging DNS issues
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
Kubernetes hack GuideLines
This document describes how you can use the scripts from hack directory
and gives a brief introduction and explanation of these scripts.
Overview
The hack directory contains many scripts that ensure continuous development of kubernetes,
enhance the robustness of the code, improve development efficiency, etc.
The explanations and descriptions of these scripts are helpful for contributors.
For details, refer to the following guidelines.
Key scripts
verify-all.sh: This script is a vestigial redirection, Please do not add "real" logic. It is equivalent tomake verify.update-all.sh: This script is a vestigial redirection, Please do not add "real" logic. Thetruetarget of this makerule ishack/make-rules/update.sh.It is equivalent tomake update.
Attention
Note that all scripts must be run from the Kubernetes root directory.
We should run hack/verify-all.sh before submitting a PR and if anything fails run hack/update-all.sh.