Skip to content

driver/kubernetes: Add retry logic for transient TLS connection errors#3493

Merged
AkihiroSuda merged 1 commit intodocker:masterfrom
Guimove:fix-k8s-tls-retry-2668
Jan 6, 2026
Merged

driver/kubernetes: Add retry logic for transient TLS connection errors#3493
AkihiroSuda merged 1 commit intodocker:masterfrom
Guimove:fix-k8s-tls-retry-2668

Conversation

@Guimove
Copy link
Contributor

@Guimove Guimove commented Oct 29, 2025

Fixes #2668

When Kubernetes marks nodes as "Ready" before their Certificate Signing Requests (CSRs) are approved, the buildx kubernetes driver can fail to connect to builder pods with transient TLS errors like:

  • "tls: internal error"
  • "context deadline exceeded"
  • "use of closed network connection"
  • "i/o timeout"

This is particularly problematic on EKS clusters with ARM64 nodes under heavy load, where multiple builders are being spawned simultaneously.

This commit adds retry logic with exponential backoff to the Dial() function in the kubernetes driver. The implementation:

  • Attempts up to 5 connection retries
  • Uses exponential backoff starting at 500ms, capped at 10s
  • Only retries on known transient connection errors
  • Logs retry attempts to stderr for visibility
  • Respects context cancellation

This allows buildx to gracefully handle the race condition where pods are marked as Running before their TLS certificates are fully ready.

@Guimove Guimove force-pushed the fix-k8s-tls-retry-2668 branch from 0780f28 to 71d3044 Compare October 29, 2025 21:36
tonistiigi
tonistiigi reviewed Oct 29, 2025
View reviewed changes
@Guimove Guimove requested a review from tonistiigi November 5, 2025 15:52
@Oliniusz Oliniusz mentioned this pull request Dec 23, 2025
Closed
3 tasks
AkihiroSuda
AkihiroSuda reviewed Dec 24, 2025
View reviewed changes
AkihiroSuda
AkihiroSuda previously approved these changes Dec 24, 2025
View reviewed changes
@AkihiroSuda
Copy link
Collaborator

AkihiroSuda commented Dec 24, 2025

Please squash the commits

@Oliniusz
Copy link

Oliniusz commented Jan 5, 2026

@Guimove - would you be able to continue with merging the PR in the close future, please?

@Guimove
Copy link
Contributor Author

Guimove commented Jan 5, 2026

@Guimove - would you be able to continue with merging the PR in the close future, please?

Will resolve the comments from @AkihiroSuda today so as soon it's validated it could be merged.

@Guimove Guimove force-pushed the fix-k8s-tls-retry-2668 branch 4 times, most recently from 9fd0db5 to 225f31d Compare January 5, 2026 09:40
@AkihiroSuda
Copy link
Collaborator

AkihiroSuda commented Jan 5, 2026

DCO check seems failing

@Guimove
driver/kubernetes: Add retry logic for transient TLS connection errors
e758a6b 
Fixes docker#2668

When Kubernetes marks nodes as "Ready" before their Certificate Signing
Requests (CSRs) are approved, the buildx kubernetes driver can fail to
connect to builder pods with transient TLS errors like:
  - "tls: internal error"
  - "context deadline exceeded"
  - "use of closed network connection"
  - "i/o timeout"

This is particularly problematic on EKS clusters with ARM64 nodes under
heavy load, where multiple builders are being spawned simultaneously.

This commit adds retry logic with exponential backoff to the Dial()
function in the kubernetes driver. The implementation:
  - Attempts up to 5 connection retries
  - Uses exponential backoff starting at 500ms, capped at 10s
  - Only retries on known transient connection errors
  - Uses errors.Is/errors.As for proper error type checking
  - Logs retry attempts using logrus for visibility
  - Respects context cancellation

This allows buildx to gracefully handle the race condition where pods
are marked as Running before their TLS certificates are fully ready.

Signed-off-by: guimove <dasilva.guillaume@live.fr>
@Guimove Guimove force-pushed the fix-k8s-tls-retry-2668 branch from 225f31d to e758a6b Compare January 5, 2026 16:46
@Guimove
Copy link
Contributor Author

Guimove commented Jan 5, 2026

@AkihiroSuda it's fixed

@Guimove
Copy link
Contributor Author

Guimove commented Jan 5, 2026

@AkihiroSuda Thanks for the validation, who can merge now ? (seems not me)

@AkihiroSuda AkihiroSuda merged commit 66f4f62 into docker:master Jan 6, 2026
138 checks passed
@crazy-max crazy-max added this to the v0.31.0 milestone Jan 6, 2026
@Oliniusz
Copy link

Oliniusz commented Jan 28, 2026

I'd like to confirm it's been working well now! Thank you.

[trends-qa-test-11-cpu-amd64 internal] booting buildkit
waiting for 1 pods to be ready, timeout: 2 minutes 39.6s done
DONE 39.6s
ERROR: error dialing backend: remote error: tls: internal error
ERROR: error dialing backend: remote error: tls: internal error
trends-qa-test-11

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@tonistiigi tonistiigi Awaiting requested review from tonistiigi

Assignees

@Guimove Guimove

Labels

area/driver/kubernetes area/driver

Projects

None yet

Milestone

v0.31.0

Development

Successfully merging this pull request may close these issues.

buildx kubernetes driver sometimes returns ERROR: error dialing backend: remote error: tls: internal error

5 participants

@Guimove @AkihiroSuda @Oliniusz @tonistiigi @crazy-max