Service hairpinning does not work with cilium envoy #28254

@rauanmayemir

Description

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

I am trying to hairpin my public domains with CoreDNS to resolve to the LB service IP, but it doesn't work. I'm hitting a 403 Forbidden error with the message "Access denied" coming from cilium-envoy. Envoy logs have this:

[2023-09-23 11:31:39.057][70][warning][filter] [cilium/network_filter.cc:160] [C77533] cilium.network: Policy NOT FOUND for id: 154577 port: 8390

I've found prior work on #24536 and #24826, and I'm guessing that Gateway API is not assuming the ingress identity.

Cilium Version

1.14.2

Kernel Version

5.15.122-flatcar

Kubernetes Version

1.27.5

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Labels

  • area/agent: Cilium agent related.
  • area/servicemesh: GH issues or PRs regarding servicemesh
  • info-completed: The GH issue has received a reply from the author
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • needs/triage: This issue requires triaging to establish severity and next steps.
