
Wireguard Allowed IPs not propagated correctly after node restart #35644

@m-sarti

Description


Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.16.0 and lower than v1.17.0

What happened?

After restarting a node, it happens that it cannot reach any Kubernetes address. Investigating, I saw that it is due to the fact that, after the restart of the node, the other Wireguard peers do not receive the correct list of allowed ips; in particular, the host address is missing.
The situation can only be restored by doing a rolling restart of the daemonset.

How can we reproduce the issue?

  • Check the status of wg of a peer:

        root@vin-54:~# wg show | grep "172.16.6.39" -B 1 -A 2
        peer: 2aU6+YDRxbJGAWevAisNMpGf+7ouC5LMxF8p1L7oHAc=
          endpoint: 172.16.6.39:51871
          allowed ips: 172.16.6.39/32, 10.6.30.52/32, 10.6.30.20/32, 10.6.30.90/32

  • Restart the peer
  • Check the status again and assert that the host address is missing:

        root@vin-54:~# wg show | grep "172.16.6.39" -B 1 -A 4
        peer: 2aU6+YDRxbJGAWevAisNMpGf+7ouC5LMxF8p1L7oHAc=
          endpoint: 172.16.6.39:51871
          allowed ips: 10.6.30.68/32, 10.6.30.228/32

Cilium Version

Client: 1.16.3 f221719 2024-10-09T15:17:46+00:00 go version go1.22.8 linux/amd64
Daemon: 1.16.3 f221719 2024-10-09T15:17:46+00:00 go version go1.22.8 linux/amd64

Kernel Version

Linux vin-53 5.15.0-71-generic #78-Ubuntu SMP Tue Apr 18 09:00:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.2", GitCommit:"7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647", GitTreeState:"clean", BuildDate:"2023-05-17T14:20:07Z", GoVersion:"go1.20.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.10", GitCommit:"0fa26aea1d5c21516b0d96fea95a77d8d429912e", GitTreeState:"clean", BuildDate:"2024-01-17T13:38:41Z", GoVersion:"go1.20.13", Compiler:"gc", Platform:"linux/amd64"}

Regression

No response

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
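The reproduction steps above grep a single peer by hand. The following script is an added example, not part of this issue or of Cilium itself: it parses `wg show` output and reports every peer whose endpoint host address is absent from its allowed ips, so it can be run on each node after a restart to detect the symptom described. The embedded `wg show` sample is constructed (the second peer key is a placeholder); the parser assumes the text layout shown in the report and IPv4 endpoints.

```shell
#!/bin/sh
# Constructed sample of `wg show` output. The first peer reproduces the
# symptom from the report (endpoint host 172.16.6.39 missing from its
# allowed ips); the second peer is healthy. Keys other than the one quoted
# in the report are placeholders.
SAMPLE_WG_SHOW='interface: cilium_wg0
  public key: PLACEHOLDER_INTERFACE_KEY=
  listening port: 51871

peer: 2aU6+YDRxbJGAWevAisNMpGf+7ouC5LMxF8p1L7oHAc=
  endpoint: 172.16.6.39:51871
  allowed ips: 10.6.30.68/32, 10.6.30.228/32

peer: PLACEHOLDER_PEER_KEY=
  endpoint: 172.16.6.40:51871
  allowed ips: 172.16.6.40/32, 10.6.31.10/32
'

# Reads `wg show` text on stdin. Prints one line per peer whose endpoint
# host address (IPv4 assumed) does not appear as a /32 in its allowed ips,
# and exits 1 if any such peer was found, 0 otherwise.
# Usage on a node: wg show | check_wg_peers
check_wg_peers() {
    awk '
        function flush() {
            if (peer != "" && endpoint != "") {
                # allowed is a space-separated list; search for "host/32"
                if (index(" " allowed " ", " " endpoint "/32 ") == 0) {
                    printf "peer %s endpoint %s missing from allowed ips\n", peer, endpoint
                    bad++
                }
            }
            peer = ""; endpoint = ""; allowed = ""
        }
        /^peer: /           { flush(); peer = $2 }
        /^ *endpoint: /     { endpoint = $2; sub(/:[0-9]+$/, "", endpoint) }
        /^ *allowed ips: /  { allowed = substr($0, index($0, ":") + 2); gsub(/,/, "", allowed) }
        END                 { flush(); exit (bad > 0) }
    '
}
```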

Metadata


Assignees

No one assigned

Labels

  • affects/v1.16: This issue affects v1.16 branch
  • area/agent: Cilium agent related.
  • area/encryption: Impacts encryption support such as IPSec, WireGuard, or kTLS.
  • feature/wireguard: Relates to Cilium's Wireguard feature
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • kind/regression: This functionality worked fine before, but was broken in a newer release of Cilium.
  • needs/triage: This issue requires triaging to establish severity and next steps.
