Fix kindnet POD_SUBNET mismatch in CNCF conformance tests

Kasturi Narra · Kasturi Narra · commit 06eea11a489b · 2026-02-16T12:49:47.000+05:30
diff --git a/.github/workflows/cncf-conformance.yaml b/.github/workflows/cncf-conformance.yaml
@@ -94,6 +94,26 @@ jobs:
             sudo podman exec "${node}" systemctl disable firewalld || true
           done
 
+          # Tune conntrack to prevent table exhaustion during conformance tests.
+          # The CNCF suite runs 400+ tests, each creating pods/services/connections.
+          # TCP conntrack entries persist much longer than UDP (established: 5 days,
+          # time_wait: 120s vs UDP: 30s). When the table fills up, new TCP SYN packets
+          # are silently dropped, causing TCP DNS (dig +tcp) to fail while UDP works.
+          #
+          # nf_conntrack_max must be set on the host since it's a namespace-level
+          # kernel parameter that cannot be changed from within containers.
+          echo ""
+          echo "Tuning conntrack settings on host..."
+          sudo sysctl -w net.netfilter.nf_conntrack_max=262144
+
+          echo "Tuning conntrack settings on cluster nodes..."
+          for node in microshift-okd-1 microshift-okd-2; do
+            echo "  - Configuring conntrack on ${node}"
+            sudo podman exec "${node}" sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=10
+            sudo podman exec "${node}" sysctl -w net.netfilter.nf_conntrack_tcp_timeout_close_wait=10
+            sudo podman exec "${node}" sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=600
+          done
+
       - name: Configure hostname resolution for cluster nodes
         shell: bash
         run: |
@@ -109,7 +129,7 @@ jobs:
             ip=$(sudo podman inspect "$node" | jq -r '.[].NetworkSettings.Networks | to_entries[0].value.IPAddress')
             if [ -n "$ip" ] && [ "$ip" != "null" ]; then
               echo "$ip $node" | sudo tee -a /etc/hosts
-              echo "  ✓ Added: $ip $node"
+              echo "  Added: $ip $node"
             else
               echo "ERROR: Could not get IP address for node: $node"
               exit 1
@@ -120,7 +140,7 @@ jobs:
           echo "Verifying hostname resolution:"
           for node in microshift-okd-1 microshift-okd-2; do
             if getent hosts "$node" > /dev/null 2>&1; then
-              echo "  ✓ $node resolves successfully"
+              echo "  $node resolves successfully"
             else
               echo "ERROR: Hostname resolution failed for node: $node"
               exit 1
