Description
Is there an existing issue for this?
- I have searched the existing issues
Version
higher than v1.16.0-rc.1 and lower than v1.17.0
What happened?
While following the doc https://docs.cilium.io/en/latest/security/dns/: before running the step `kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes-dns/dns-matchname.yaml`, the command `kubectl exec mediabot -- curl -I -s https://api.github.com | head -1` returns a normal response; after applying the DNS policy, the same command hangs.
How can we reproduce the issue?
Here are the steps:

- Create a Kubernetes cluster using kind:

  kind create cluster --name test --config kind-config.yaml

  The content of kind-config.yaml is:

  ```yaml
  kind: Cluster
  name: test
  nodes:
  - role: control-plane
    image: "kindest/node:v1.30.2"
    kubeadmConfigPatches:
    - |
      kind: InitConfiguration
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: "bgp=controlplane"
  - role: worker
    image: "kindest/node:v1.30.2"
    kubeadmConfigPatches:
    - |
      kind: JoinConfiguration
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: "bgp=65001"
  - role: worker
    image: "kindest/node:v1.30.2"
    kubeadmConfigPatches:
    - |
      kind: JoinConfiguration
      nodeRegistration:
        kubeletExtraArgs:
          node-labels: "bgp=65001"
  networking:
    ipFamily: ipv4
    #apiServerAddress: 127.0.0.1
    apiServerPort: 6443
    podSubnet: 10.1.0.0/16
    serviceSubnet: 172.20.0.0/16
    disableDefaultCNI: true
    kubeProxyMode: none
  ```

- Install Cilium with the following commands:
  a) git clone the Cilium repository
  b) git switch to branch 1.16.0-rc.2
  c) cd to ${path to cilium}/install/kubernetes
  d) helm upgrade --install --namespace kube-system cilium ./cilium -f ${path to custom value file}/cilium-values.yaml
  e) the content of cilium-values.yaml is:

  ```yaml
  healthChecking: true
  endpointHealthChecking:
    # -- Enable connectivity health checking between virtual endpoints.
    enabled: false
  cluster:
    name: test
    id: 1
  ipv4:
    enabled: true
  enableIPv4BIGTCP: true
  enableIPv6BIGTCP: false
  ipv6:
    enabled: false
  kubeProxyReplacement: "true"
  # cluster name is test
  k8sServiceHost: test-control-plane
  k8sServicePort: 6443
  routingMode: "native"
  # -- Allows to explicitly specify the IPv4 CIDR for native routing.
  ipv4NativeRoutingCIDR: "10.1.0.0/16"
  enableIPv4Masquerade: true
  autoDirectNodeRoutes: true
  enableCiliumEndpointSlice: false
  endpointRoutes:
    enabled: true
  bpf:
    masquerade: true
    datapathMode: netkit
  ipam:
    #mode: "cluster-pool"
    mode: "kubernetes"
    operator:
      # -- IPv4 CIDR list range to delegate to individual nodes for IPAM.
      clusterPoolIPv4PodCIDRList: ["10.1.0.0/16"]
      # -- IPv4 CIDR mask size to delegate to individual nodes for IPAM.
      clusterPoolIPv4MaskSize: 26
  bgpControlPlane:
    enabled: true
  operator:
    replicas: 1
  prometheus:
    enabled: true
  ```

- Run the command: kubectl create -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes-dns/dns-sw-app.yaml
- Run the command: kubectl exec mediabot -- curl -I -s https://api.github.com | head -1
  This gives the normal output: HTTP/2 200
- Run the command: kubectl apply -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes-dns/dns-matchname.yaml
- Run the command: kubectl exec mediabot -- curl -I -s https://api.github.com | head -1
  The curl request hangs here; after the timeout it fails with exit code 6.
- Doing the same steps with Cilium v1.15.6/v1.15.7, with bpf.datapathMode commented out in cilium-values.yaml: no curl hang, everything is normal.
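The following is an added repro harness for the steps above; it is an editor's example, not the reporter's script and not Cilium project code. It assumes kind, kubectl, helm and timeout(1) are on PATH, a Cilium checkout at `$CILIUM_SRC` (an assumed path), and that `mediabot` is the pod created by dns-sw-app.yaml as in the report. The kind config drops the bgp node labels and the values file keeps only the keys that differ from the chart defaults or govern routing and the datapath, since the BGP and metrics settings have no bearing on the DNS proxy path. Unlike the bare curl in the report, every probe runs under a hard deadline and its exit status is decoded, so a kubectl-level hang (124), a curl timeout (28) and the report's final "couldn't resolve host" (6) can be told apart; `DATAPATH_MODE=` (empty) gives the veth control the reporter compared against on v1.15.

```shell
#!/bin/sh
# Added repro harness for the steps above (editor's example, not the reporter's script and
# not Cilium project code). Assumes kind, kubectl, helm and timeout(1) on PATH and a Cilium
# checkout at $CILIUM_SRC (assumed path). The bgp labels and metrics settings from the posted
# files are omitted; everything else mirrors them.
set -eu

CILIUM_SRC="${CILIUM_SRC:-$HOME/src/cilium}"   # assumed checkout location
DATAPATH_MODE="${DATAPATH_MODE:-netkit}"       # netkit = failing case, empty = veth control
TARGET_URL="${TARGET_URL:-https://api.github.com}"
CURL_MAX="${CURL_MAX:-20}"                     # seconds before curl itself gives up (exit 28)
EXAMPLES=https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/kubernetes-dns

# kind config from the report, without the bgp node labels.
render_kind_config() {
  cat <<'EOF'
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: test
nodes:
- role: control-plane
  image: "kindest/node:v1.30.2"
- role: worker
  image: "kindest/node:v1.30.2"
networking:
  ipFamily: ipv4
  apiServerPort: 6443
  podSubnet: 10.1.0.0/16
  serviceSubnet: 172.20.0.0/16
  disableDefaultCNI: true
  kubeProxyMode: none
EOF
}

# Helm values from the report; $1 is bpf.datapathMode, empty omits the key (chart default, veth).
render_values() {
  cat <<'EOF'
cluster:
  name: test
  id: 1
kubeProxyReplacement: "true"
k8sServiceHost: test-control-plane
k8sServicePort: 6443
routingMode: "native"
ipv4NativeRoutingCIDR: "10.1.0.0/16"
autoDirectNodeRoutes: true
enableIPv4BIGTCP: true
endpointRoutes:
  enabled: true
ipam:
  mode: "kubernetes"
bpf:
  masquerade: true
EOF
  if [ -n "${1:-}" ]; then printf '  datapathMode: %s\n' "$1"; fi
}

# Decode a probe's exit status into the symptom being chased.
curl_verdict() {
  case "$1" in
    0)   echo ok ;;
    6)   echo dns-resolution-failed ;;   # CURLE_COULDNT_RESOLVE_HOST: the report's final state
    7)   echo connect-failed ;;
    28)  echo timeout ;;                 # curl --max-time expired
    124) echo hang ;;                    # timeout(1) had to kill kubectl exec
    *)   echo "other:$1" ;;
  esac
}

# One curl from mediabot under a hard deadline, so the harness itself can never hang.
probe() {
  rc=0
  code=$(timeout "$((CURL_MAX + 10))" kubectl exec mediabot -- \
    curl -I -s -o /dev/null -w '%{http_code}' --max-time "$CURL_MAX" "$TARGET_URL") || rc=$?
  echo "curl exit=$rc http=${code:-none} verdict=$(curl_verdict "$rc")"
}

main() {
  render_kind_config > kind-config.yaml
  kind create cluster --name test --config kind-config.yaml
  render_values "$DATAPATH_MODE" > cilium-values.yaml
  helm upgrade --install --namespace kube-system cilium \
    "$CILIUM_SRC/install/kubernetes/cilium" -f cilium-values.yaml
  kubectl -n kube-system rollout status ds/cilium --timeout=300s
  kubectl create -f "$EXAMPLES/dns-sw-app.yaml"
  kubectl wait --for=condition=Ready pod/mediabot --timeout=180s
  echo "before policy: $(probe)"
  kubectl apply -f "$EXAMPLES/dns-matchname.yaml"
  sleep 5          # give the agent time to program the policy and the DNS proxy redirect
  echo "after policy:  $(probe)"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `DATAPATH_MODE=netkit sh repro.sh run`, then again with `DATAPATH_MODE=` for the control; the `run` argument gates the cluster-creating `main`, so the file can also be sourced for its helpers. Comparing the two "after policy" lines isolates the datapath mode as the only variable, which is the comparison the report makes across v1.15 and v1.16 by hand.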
Cilium Version
Cilium v1.15.6/v1.15.7: normal, no issue found with those versions.
Cilium v1.16.0-rc.1/v1.16.0-rc.2 with bpf.datapathMode=netkit: HTTP requests to an external domain name hang.
Kernel Version
Linux 6.8.0-38-generic x86_64 x86_64 x86_64 GNU/Linux (Ubuntu 24.04)
Kubernetes Version
Kubernetes v1.30.0
Kind version: kind v0.23.0 go1.21.10 linux/amd64
Regression
No response
Sysdump
No response
Relevant log output
No response
Anything else?
No response