Scenario #30
Cluster Management
K8s v1.23, self-hosted Calico
Cluster DNS Resolution Broken After Calico CNI Update
Cluster DNS resolution broke after a Calico CNI upgrade because the new version's stricter iptables drop policy dropped pod-to-CoreDNS traffic.
What Happened
After the upgrade, Calico enforced a stricter default-deny iptables policy, and DNS traffic between pods and CoreDNS fell under it. Because every pod resolves names through CoreDNS, the effect looked like a cluster-wide outage rather than a network-policy problem.
Diagnosis Steps
1. DNS requests from pods timed out (nslookup/dig against the cluster DNS service IP).
2. Packet captures showed ICMP unreachable for pod-to-CoreDNS traffic.
3. Inspected the Calico policy objects and the iptables rules Calico programmed (the cali-* chains) to find where the DNS packets were being dropped.
Root Cause
Calico's default deny policy was applied to kube-dns traffic: pods were selected by a policy, but no rule allowed egress to the CoreDNS pods (labelled k8s-app=kube-dns), so Calico dropped the DNS queries.
Fix/Workaround
• Added an explicit Calico GlobalNetworkPolicy that allows every pod (selector: all()) egress to the pods labelled k8s-app=kube-dns, i.e. CoreDNS. Calico enforcement is stateful, so CoreDNS replies return without a separate rule. The rule below matches any protocol and port; for production, restrict it to protocol UDP and TCP on destination port 53. Using a GlobalNetworkPolicy matters: in a namespaced Calico NetworkPolicy, a destination selector without a namespaceSelector only matches pods in the policy's own namespace and would not match kube-system.
yaml:
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata: {name: allow-dns-egress}
spec:
  selector: all()
  egress:
  - action: Allow
    destination: {selector: "k8s-app == 'kube-dns'"}
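To make the root cause and the fix concrete, here is a small model of how Calico evaluates ordered policies, written for this page; it is an added example, not Calico's code or anything from the original scenario. It implements the rules that matter here: policies that select a pod are walked in ascending order, the first matching rule decides, a pod selected by some policy with no matching rule is dropped, and a pod selected by no policy falls back to its profile, which allows for Kubernetes pods. Pass actions, profiles, host endpoints and namespace scoping are left out; the pod labels, policy names and order values are constructed sample data.

```python
"""Model of how Calico evaluates ordered network policies, used here to reproduce the
DNS outage and check the fix. Added example, not Calico's code: it covers global
policies with Allow/Deny rules only (no Pass action, no profiles, no host endpoints,
no namespace scoping), and the pod labels below are constructed sample data."""
import re
from dataclasses import dataclass, field


def parse_selector(expr):
    """Tiny subset of Calico's selector language: all(), k == 'v', k != 'v'."""
    expr = expr.strip()
    if expr == "all()":
        return lambda labels: True
    m = re.fullmatch(r"(\S+)\s*(==|!=)\s*'([^']*)'", expr)
    if not m:
        raise ValueError("unsupported selector: %s" % expr)
    key, op, value = m.groups()
    return lambda labels: (labels.get(key) == value) == (op == "==")


@dataclass
class Rule:
    action: str              # "Allow" or "Deny"
    protocol: str = ""       # "UDP" or "TCP"; empty matches any protocol
    selector: str = "all()"  # peer pods: destination for egress, source for ingress
    ports: tuple = ()        # empty matches any destination port

    def matches(self, peer_labels, protocol, port):
        if self.protocol and self.protocol != protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        return parse_selector(self.selector)(peer_labels)


@dataclass
class Policy:
    name: str
    selector: str            # pods the policy applies to
    types: tuple             # ("Ingress",), ("Egress",) or both; Calico infers this
                             # from the rules present when spec.types is omitted
    order: float = float("inf")  # Calico evaluates lower order first; no order = last
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)


def _direction_verdict(pod_labels, peer_labels, policies, direction, protocol, port):
    """Walk the policies selecting this pod in order; the first matching rule wins."""
    applied = False
    for pol in sorted(policies, key=lambda p: p.order):
        if direction not in pol.types or not parse_selector(pol.selector)(pod_labels):
            continue
        applied = True
        for rule in getattr(pol, direction.lower()):
            if rule.matches(peer_labels, protocol, port):
                return rule.action
    # Selected by at least one policy but no rule matched: Calico drops the packet.
    # Selected by no policy: the pod's profile applies, which allows for Kubernetes pods.
    return "Deny" if applied else "Allow"


def verdict(src_labels, dst_labels, policies, protocol="UDP", port=53):
    """A flow passes only if the source's egress and the destination's ingress allow it."""
    if _direction_verdict(src_labels, dst_labels, policies, "Egress", protocol, port) != "Allow":
        return "Deny"
    return _direction_verdict(dst_labels, src_labels, policies, "Ingress", protocol, port)


# Constructed sample pods: an application pod and a CoreDNS pod (kubeadm labels
# CoreDNS pods k8s-app=kube-dns, which is the label the fix's selector relies on).
APP_POD = {"app": "web"}
DNS_POD = {"k8s-app": "kube-dns"}

# The stricter post-upgrade default: every pod is selected by an egress policy with no rules.
DEFAULT_DENY_EGRESS = Policy("default-deny-egress", "all()", ("Egress",), order=1000)

# The fix: allow DNS egress to kube-dns pods on 53/UDP and 53/TCP, ordered ahead of the deny.
ALLOW_DNS = Policy("allow-dns-egress", "all()", ("Egress",), order=10, egress=[
    Rule("Allow", "UDP", "k8s-app == 'kube-dns'", (53,)),
    Rule("Allow", "TCP", "k8s-app == 'kube-dns'", (53,)),
])


def dns_verdict(policies, protocol="UDP"):
    """Verdict for an app pod querying CoreDNS on port 53 under the given policies."""
    return verdict(APP_POD, DNS_POD, policies, protocol, 53)


if __name__ == "__main__":
    for label, pols in [("no policy", []),
                        ("default-deny only", [DEFAULT_DENY_EGRESS]),
                        ("default-deny + allow-dns", [DEFAULT_DENY_EGRESS, ALLOW_DNS])]:
        print("%-26s app -> kube-dns UDP/53: %s" % (label, dns_verdict(pols)))
```

Running it prints Allow with no policy, Deny once the rule-less default-deny egress policy selects every pod, and Allow again when allow-dns-egress is added. The same model is useful for checking two ways this fix silently fails to apply: a destination selector that does not match the labels actually on the CoreDNS pods, and a spec.types that lists Ingress on a policy with only egress rules, which turns the allow policy into an ingress default-deny for every pod it selects.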
Lessons Learned
A CNI upgrade can change how and where network policy is enforced, and nothing in the cluster warns about it. Because every pod depends on CoreDNS, a dropped DNS path surfaces as widespread application failures, so DNS from a pod should be treated as a first-class health check for any networking change.
How to Avoid
1. Review and test every upgrade that affects network policy enforcement, including the CNI itself, in staging; include a DNS lookup from an ordinary pod in the smoke test.
2. Roll out CNI upgrades canary-style (one node or node pool at a time) and confirm pods scheduled on the upgraded nodes can resolve names before continuing.