Closed as not planned
Labels
- area/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
- info-completed: The GH issue has received a reply from the author
- kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
- needs/triage: This issue requires triaging to establish severity and next steps.
- stale: The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Description
Is there an existing issue for this?
- I have searched the existing issues
Version
equal or higher than v1.16.0 and lower than v1.17.0
What happened?
I use Talos Linux with the `forwardKubeDNSToHost: true` feature.
When `forwardKubeDNSToHost` is enabled, Talos Linux allocates IP address 169.254.116.108 for the host DNS server.
When I enable `bpf.masquerade` in Cilium, 169.254.116.108 is unreachable from the pod's network.
I tried enabling `ipMasqAgent` and setting `masqLinkLocal: false`, but it didn't help:
```yaml
ipMasqAgent:
  enabled: true
  config:
    masqLinkLocal: false
```

```
root@w1:/home/cilium# cilium-dbg bpf ipmasq list
IP PREFIX/ADDRESS
169.254.0.0/16
```
How can we reproduce the issue?
Helm values:
```yaml
k8sServiceHost: localhost
k8sServicePort: 7445
kubeProxyReplacement: true
installNoConntrackIptablesRules: true
routingMode: native
autoDirectNodeRoutes: true
ipv4NativeRoutingCIDR: 10.244.0.0/16
localRedirectPolicy: true
ipam:
  mode: kubernetes
bpf:
  masquerade: true
ipMasqAgent:
  enabled: true
  config:
    masqLinkLocal: false
bandwidthManager:
  enabled: true
  bbr: true
loadBalancer:
  mode: hybrid
envoy:
  enabled: false
hubble:
  enabled: true
  relay:
    enabled: true
  ui:
    enabled: true
cgroup:
  autoMount:
    enabled: false
  hostRoot: /sys/fs/cgroup
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_ADMIN
      - SYS_RESOURCE
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: DoesNotExist
```
Cilium Version
v1.16.1
Kernel Version
6.6.52-talos
Kubernetes Version
v1.31.1
Regression
No response
Sysdump
No response
Relevant log output
No response
Anything else?
No response