Ricard Bejarano, Cisco
One very common assumption among Kubernetes practitioners, even those on the network side of things, is that Kubernetes Services behave like good old load balancers. And to a certain extent, Services do behave in a similar fashion to what one would typically classify as a round-robin load balancer. However, the reality is much deeper than that: both simpler and more complex at the same time.
In this talk we'll go over an incident we had in September 2025, where a mix of this misconception, Istio's behavior, CoreDNS' failure, kube-proxy's silence, and iptables and conntrack interoperability made it look like everything was OK, yet DNS—it's always DNS—was failing.
We will go deep into how brilliantly simple Kubernetes' networking is, how Istio's DNS works on top of Kubernetes' DNS, and how both broke each other.

Ricard is a Lead Site Reliability Engineer at Cisco ThousandEyes' SRE team. You can often find him investigating the weirdest incidents, such as the one that motivated this talk. Ricard is currently writing a book about homelabbing, so go talk to him if you have a homelab!

