Files
kubernetes/hack
Davanum Srinivas cfcb10ef8a hack: switch local-up-cluster to ptp CNI for reliable DIND networking
The ci-kubernetes-local-e2e job has been flaky (~40-45% success rate)
with intermittent DNS/service connectivity failures. The root cause is
that bridge CNI requires br_netfilter and bridge-nf-call-iptables
kernel settings, which don't work reliably in docker-in-docker.

This switches to ptp (point-to-point) CNI, which creates direct veth
pairs between pods and host namespace. No bridge means no br_netfilter
dependency. This is the same approach KIND uses and it works reliably.

Changes:
- Replace bridge CNI with ptp CNI plugin
- Configure kernel network parameters for DIND (route_localnet,
  arp_ignore, ip_forward) required for ptp and iptables-based kube-proxy
- Remove CoreDNS pod delete/restart workaround from 1168b11875 that was
  masking the underlying networking issues (no longer needed)
- Add CoreDNS log capture during cleanup for debugging DNS issues

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-30 16:25:05 -05:00
..
2025-12-18 19:05:14 +05:30
2026-01-16 18:44:21 +01:00
2025-06-10 20:05:40 -07:00
2025-08-29 13:43:54 +02:00

Kubernetes hack GuideLines

This document describes how you can use the scripts from hack directory and gives a brief introduction and explanation of these scripts.

Overview

The hack directory contains many scripts that ensure continuous development of kubernetes, enhance the robustness of the code, improve development efficiency, etc. The explanations and descriptions of these scripts are helpful for contributors. For details, refer to the following guidelines.

Key scripts

  • verify-all.sh: This script is a vestigial redirection, Please do not add "real" logic. It is equivalent to make verify.
  • update-all.sh: This script is a vestigial redirection, Please do not add "real" logic. The true target of this makerule is hack/make-rules/update.sh.It is equivalent to make update.

Attention

Note that all scripts must be run from the Kubernetes root directory. We should run hack/verify-all.sh before submitting a PR and if anything fails run hack/update-all.sh.