
Unmanaged pods on some new nodes  #15366

@kovalyukm

Description


Bug report

Hello,

Sometimes we get unmanaged pods by Cilium on newly-launched node. These pods belong to other DaemonSets that should be managed by Cilium, like fluent-bit and node-problem-detector.

Therefore we have traffic dropped by CNPs, like

<POD_IP>:45139 -> kube-system/coredns-8565fc86cf-db5xm:53 Policy denied DROPPED (UDP)

and continuously restarting pods, like fluent-bit (and no logs of containers from this node).

Cilium agent starts later than these other pods, so they are unmanaged.

There are no suspicious errors in the agent log:

    {"error":"Cannot probe CONFIG_HZ","level":"info","msg":"Auto-disabling \"enable-bpf-clock-probe\" feature since KERNEL_HZ cannot be determined","subsys":"daemon"}
    {"cmd":["iptables","-t","mangle","-n","-L","CILIUM_PRE_mangle"],"error":"exit status 1","level":"error","msg":"Command execution failed","subsys":"iptables"}
    {"error":"required IPv4 PodCIDR not available","level":"warning","msg":"Waiting for k8s node information","subsys":"k8s"}

We use Cilium 1.9.5 as the network policy engine in EKS:
Kubernetes version 1.19
Amazon VPC CNI plug-in 1.7.9
KubeProxy 1.19.6-eksbuild.2
AMI v1.19.6-eks-49a6c0
KERNEL-VERSION 5.4.95-42.163.amzn2.x86_64

HelmRelease values:

    kubeProxyReplacement: disabled
    policyEnforcementMode: "always"
    cni:
      chainingMode: aws-cni
    masquerade: false
    tunnel: disabled
    nodeinit:
      enabled: true

We did not notice this behavior earlier, on versions 1.8 and 1.9.0.

Thanks!
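A quick way to confirm the situation the report describes on a given node is to compare the pods scheduled there against the endpoints the local Cilium agent actually manages: any non-host-network pod whose IP does not appear in `cilium endpoint list` is unmanaged and will not get policy enforced (or, with `policyEnforcementMode: "always"`, will have its traffic dropped by other endpoints' policies). The script below is an added example, not code from the reporter or from the Cilium project. The two JSON inputs are constructed samples that mimic the shape of `kubectl get pods -A --field-selector spec.nodeName=<node> -o json` and `cilium endpoint list -o json` (only `status.podIP`, `spec.hostNetwork` and `status.networking.addressing[].ipv4` are assumed); in real use, pipe the output of those two commands into `unmanaged_pods()`.

```python
import json

# Constructed sample: shape of `kubectl get pods -A --field-selector spec.nodeName=<node> -o json`,
# trimmed to the fields the check needs. Two DaemonSet pods started before the agent came up.
PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "logging", "name": "fluent-bit-x9k2p"},
         "spec": {"hostNetwork": False}, "status": {"podIP": "10.0.1.45"}},
        {"metadata": {"namespace": "kube-system", "name": "node-problem-detector-7h2qz"},
         "spec": {"hostNetwork": False}, "status": {"podIP": "10.0.1.46"}},
        {"metadata": {"namespace": "kube-system", "name": "cilium-abcde"},
         "spec": {"hostNetwork": True}, "status": {"podIP": "192.168.10.5"}},
        {"metadata": {"namespace": "default", "name": "app-1"},
         "spec": {"hostNetwork": False}, "status": {"podIP": "10.0.1.50"}},
        {"metadata": {"namespace": "default", "name": "pending-1"},
         "spec": {"hostNetwork": False}, "status": {}},   # no IP yet: not scheduled/running
    ]
})

# Constructed sample: shape of `cilium endpoint list -o json` from the agent on the same node.
# Assumed: each endpoint exposes status.networking.addressing[] with ipv4/ipv6 keys.
ENDPOINTS_JSON = json.dumps([
    {"id": 1234, "status": {"networking": {"addressing": [{"ipv4": "10.0.1.50"}]}}},
    {"id": 3, "status": {"networking": {"addressing": [{"ipv4": "192.168.10.5"}]}}},  # host endpoint
])


def managed_ips(endpoints_json: str) -> set:
    """Collect every IPv4/IPv6 address the local Cilium agent has an endpoint for."""
    ips = set()
    for ep in json.loads(endpoints_json):
        addressing = ep.get("status", {}).get("networking", {}).get("addressing") or []
        for addr in addressing:
            for key in ("ipv4", "ipv6"):
                if addr.get(key):
                    ips.add(addr[key])
    return ips


def unmanaged_pods(pods_json: str, endpoints_json: str) -> list:
    """Return 'namespace/name (ip)' for pods on the node that Cilium does not manage.

    Host-network pods are skipped (they are never pod endpoints), as are pods
    without an IP yet (not running, so nothing to manage).
    """
    managed = managed_ips(endpoints_json)
    result = []
    for pod in json.loads(pods_json)["items"]:
        ip = pod.get("status", {}).get("podIP")
        if pod.get("spec", {}).get("hostNetwork") or not ip:
            continue
        if ip not in managed:
            meta = pod["metadata"]
            result.append(f'{meta["namespace"]}/{meta["name"]} ({ip})')
    return sorted(result)


if __name__ == "__main__":
    for line in unmanaged_pods(PODS_JSON, ENDPOINTS_JSON):
        print("unmanaged:", line)
```

Any pod this lists was started before the agent attached its BPF programs to that node; until it is recreated it stays outside Cilium's view, which is exactly why the reporter sees policy drops against it and restart loops in fluent-bit. Run the check from the Cilium agent pod on the suspect node (or feed it the two command outputs) right after the node joins, before trusting that `policyEnforcementMode: "always"` covers every workload there.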

Labels

    kind/bug (This is a bug in the Cilium logic.)
    kind/community-report (This was reported by a user in the Cilium community, eg via Slack.)
    needs/triage (This issue requires triaging to establish severity and next steps.)