fix: set arp_ignore=1 globally in base image

Some Linux distributions set this to 2 or higher, which will break kindnet (specifically the ptp plugin). We now set this in our base image in an opinionated way so that the host system no longer decides the value as it might inadvertantly break kind networking. Signed-off-by: Shane Utt <[email protected]>
kubernetes-sigs · Mar 11, 2025 · 0671ecd · 0671ecd
1 parent 022bedd
commit 0671ecd
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/images/base/files/etc/sysctl.d/10-network-magic.conf b/images/base/files/etc/sysctl.d/10-network-magic.conf
@@ -9,3 +9,17 @@
 # Kubernetes mitigates the possible security issue caused by enabling this option.
 # ref: https://nvd.nist.gov/vuln/detail/CVE-2020-8558
 net.ipv4.conf.all.route_localnet=1
+
+# The global kernel parameter net.ipv4.conf.all.arp_ignore governs the
+# conditions under which ARP requests will be accepted or ignored. This global
+# setting will override any individual interface settings. Some host systems
+# might set this global parameter to a more restrictive setting of 2 (or
+# greater). Specifically, in mode 2, the system ignores ARP requests directed to
+# /32 addresses (this is what kindnet assigns to its veth interfaces) because
+# the request originates from a different subnet. This behavior breaks routing
+# for kindnet (specifically the ptp plugin), so we opinionatedly set this to 1
+# when kindnet is in use to ensure proper networking.
+#
+# For more information see:
+# https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html#arp_ignore
+net.ipv4.conf.all.arp_ignore=1