Cilium on Bare Metal: How UFW Silently Breaks CoreDNS and kube-apiserver Connectivity
The Symptom

After standing up a Kubernetes cluster on a bare-metal node with Cilium as the CNI, CoreDNS pods were running but completely unable to reach the kube-apiserver service IP (10.96.0.1). DNS resolution inside the cluster was broken, and any pod trying to talk to the API server via the service IP timed out. The apiserver itself was healthy: direct connections to the node's IP worked fine. The problem was specifically with the virtual service IP routed through Cilium's BPF dataplane. ...
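The two checks a practitioner wants at this point are (a) whether the host firewall's default policy for forwarded traffic is a drop, since the title names UFW as the culprit and the post's explanation is cut off above, and (b) a reproduction of the timeout from inside the cluster. The script below is an added example, not code from the original post. It assumes a stock `ufw status verbose` layout (the sample dump is constructed, not captured from the author's node), a busybox image for the probe pod because the CoreDNS image has no shell to exec into, and a ClusterIP of 10.96.0.1 on port 443; the function names are my own. It only reports a routed-traffic deny as a candidate cause; it does not prove the mechanism.

```shell
#!/bin/sh
# Added triage helper (not from the original post). Classifies UFW's default
# policies from `ufw status verbose` text and, when run with the argument
# "live", probes the kube-apiserver service IP from a throwaway pod.

SERVICE_IP="${SERVICE_IP:-10.96.0.1}"   # assumed ClusterIP of the kubernetes Service
SERVICE_PORT="${SERVICE_PORT:-443}"

# Constructed sample (not a capture from the author's node) in the layout that
# `ufw status verbose` prints on a stock install after `ufw enable`.
UFW_SAMPLE_DEFAULT='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere'

# Extract the three default policies from a `ufw status verbose` dump on stdin.
# Prints one line: incoming=<p> outgoing=<p> routed=<p>
ufw_defaults() {
    sed -n 's/^Default: \([a-z]*\) (incoming), \([a-z]*\) (outgoing), \([a-z]*\) (routed).*/incoming=\1 outgoing=\2 routed=\3/p'
}

# Exit 0 when the "routed" policy (UFW's FORWARD chain default) would drop any
# forwarded packet not matched by an explicit allow rule. That makes UFW a
# candidate for silently eating pod-to-service traffic the host has to forward.
ufw_drops_routed() {
    routed=$(ufw_defaults | sed 's/.*routed=//')
    case "$routed" in
        deny|reject) return 0 ;;
        *)           return 1 ;;
    esac
}

# Human-readable verdict for a dump on stdin.
classify_ufw() {
    if ufw_drops_routed; then
        echo "ufw-drops-forwarded-traffic"
    else
        echo "ufw-forwarding-ok"
    fi
}

# Reproduce the symptom: open a TCP connection to the service IP from inside
# the cluster. busybox nc returns non-zero when the 3-second timeout expires,
# which is the failure mode described above. Pod name "netcheck" is assumed.
probe_service_ip() {
    kubectl run netcheck --rm -i --restart=Never --image=busybox:1.36 \
        -- nc -z -v -w 3 "$SERVICE_IP" "$SERVICE_PORT"
}

# Live run on the node: `sh triage.sh live`
if [ "${1:-}" = "live" ]; then
    echo "UFW verdict: $(sudo ufw status verbose | classify_ufw)"
    if probe_service_ip; then
        echo "service IP $SERVICE_IP:$SERVICE_PORT reachable from a pod"
    else
        echo "service IP $SERVICE_IP:$SERVICE_PORT NOT reachable from a pod (timeout or refused)"
    fi
fi
```

Run it without arguments to exercise the parser on the constructed sample; with `live` it needs `kubectl` access and sudo on the node. A `ufw-drops-forwarded-traffic` verdict together with a failed probe is consistent with the symptom; a passing probe with the same verdict means UFW is not what is in the path for this traffic.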