Raising this question to top level to solicit reviewers' opinions:
I made this bypass an opt-in out of caution (i.e. not to break things elsewhere in Cilium which I don't understand that well). However, the bypass must be turned on whenever the following three conditions are met:

1. kube-apiserver address is an FQDN
2. host firewall is enabled
3. a Cilium clusterwide network policy targeting nodes has a L7 DNS rule (toy example below)

- egress:
  - toCIDR:
    - 168.63.129.16/32
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: '*'
  nodeSelector: {}

If these conditions are met and the bypass is not enabled, Cilium agent will break on restart (e.g. when it is upgraded), making the whole cluster dangerously unstable to unusable. My concern was that the bypass might have unintended bad effects in circumstances of which I am unaware, but perhaps it is misplaced? After all, DNS proxy has been decorating its dialer for remote DNS requests in the same way this PR does for k8s client dialer for years and years and has not caused problems. If so, the bypass ought to be enabled whenever host firewall is enabled (without an option to turn it off). An intermediate variant is to make the bypass opt-out rather than opt-in, so it can be turned off cheaply if it does happen to break something.

/test

Rebased changes on top of main to hopefully fix conformance tests, and made the bypass option on by default.

/test

@atykhyy no worries, I appreciate your patience with the review :) I'll trigger the tests & queue for automerge.

/test

Hi all,
since merging this PR, we have observed various connectivity problems / delays with k8s apiserver: #40682 which started to happen right after merging this PR - even in case of CI runs without hostFirewall etc.

For now, I would like to propose skipping backport to v1.18: #40665 (review) as during the backport, we have also seen some connectivity problems to k8s apiserver.
Let's also disable it for main: #40691 to confirm if this PR is the root-cause or something else.
cc @atykhyy @joestringer

If the connection to kube-apiserver was getting dropped, as discussed in the CI flake issue, that should be visible in cilium-agent logs, shouldn't it? Unfortunately I don't have permissions to download log artifacts to check for this (assuming these logs are there).

If the connection to kube-apiserver was getting dropped, as discussed in the CI flake issue, that should be visible in cilium-agent logs, shouldn't it? Unfortunately I don't have permissions to download log artifacts to check for this (assuming these logs are there).

Only in some cases do we log anything. If the connection fails on Watch calls then nothing is logged (things just get delayed). We have also seen #40687 where an Update failed due to broken connection. And we've seen "Heartbeat timed out, restarting client connections".

Unfortunately I don't have permissions to download log artifacts to check for this (assuming these logs are there).

I've included one of the sysdumps in the issue - previously I did not notice that it was not uploaded due to size limit. You should be able to download it from the issue now.

As Jussi says, there is not clear logs that would indicated broken watch. This is mostly based on timing when failures started to occur in CI and this PR was merged + area that this PR was changing + most likely area that was causing issues - it's a bit of a guess.

For now, I just want to disable it for a couple of days to check if it resolves issue, which would confirm that it was caused by this PR. If not, I will revert my PR that disables it.

By all means. But why would tagging k8s-clientset's outgoing packets with MagicMarkEgress make the connection flaky? Looking through that dump, it gets established without any delay worth speaking of:

2025-07-23T05:16:38.204463822Z time=2025-07-23T05:16:38.20428954Z level=debug msg="Skipped reading configuration file" error="Config File \"cilium\" Not Found in \"[/root]\""
# snip
2025-07-23T05:16:38.674517739Z time=2025-07-23T05:16:38.674446687Z level=info source=/go/src/github.com/cilium/cilium/pkg/k8s/client/cell.go:332 msg="Establishing connection to apiserver" module=agent.infra.k8s»
2025-07-23T05:16:38.681590372Z time=2025-07-23T05:16:38.681485483Z level=info source=/go/src/github.com/cilium/cilium/pkg/k8s/client/cell.go:359 msg="Connected to apiserver" module=agent.infra.k8s-client

The only thing that looks suspicious to me is that iptables rules disable conntrack when they see this mark. Could that be it? But then wouldn't DNS proxy that uses the same mark have the same sort of problem (it would manifest in a different place)?

By all means. But why would tagging k8s-clientset's outgoing packets with MagicMarkEgress make the connection flaky? Looking through that dump, it gets established without any delay worth speaking of:

2025-07-23T05:16:38.204463822Z time=2025-07-23T05:16:38.20428954Z level=debug msg="Skipped reading configuration file" error="Config File \"cilium\" Not Found in \"[/root]\""
# snip
2025-07-23T05:16:38.674517739Z time=2025-07-23T05:16:38.674446687Z level=info source=/go/src/github.com/cilium/cilium/pkg/k8s/client/cell.go:332 msg="Establishing connection to apiserver" module=agent.infra.k8s»
2025-07-23T05:16:38.681590372Z time=2025-07-23T05:16:38.681485483Z level=info source=/go/src/github.com/cilium/cilium/pkg/k8s/client/cell.go:359 msg="Connected to apiserver" module=agent.infra.k8s-client

The only thing that looks suspicious to me is that iptables rules disable conntrack when they see this mark. Could that be it? But then wouldn't DNS proxy that uses the same mark have the same sort of problem (it would manifest in a different place)?

The initial connection attempt does succeed in all the failed tests, but that connection later breaks (couple minutes into it). Could well be that setting those iptables rules will make existing connections with that mark break?
Would this be easy to test?

The DNS proxy probably wouldn't be affected as it'd mostly be processing requests after the iptables rules have been set up.

Besides those iptables conttack rules there are also these routing table rules:

10:	from all fwmark 0xb00/0xf00 lookup 2005 proto kernel
# table 2005:
default via 10.244.0.14 dev cilium_host proto kernel mtu 1407 
10.244.0.14 dev cilium_host proto kernel scope link 

I don't know enough say if creating these iptables or routing rules would break an existing TCP connection. If k8s client logged when it broke, one could see if the timing matches with what the datapath module is doing. Also, if rule changes caused 'old' packets to get dropped, wouldn't it take the TCP stack time to detect that the connection is no longer alive and signal an error on k8s client's socket? k8s-client-connection-keep-alive and k8s-client-connection-timeout are both set to 30s by default and in that CI run, add them together and it's one minute. Perhaps that's the source of the delay that is causing this near-startup flakiness? Would reducing these so that the broken connection is detected and recycled sooner help?

As an aside, @jrife commented in the CI issue that this flakiness is not a security problem. If there is no way to get rid of the flakiness, I'm perfectly fine with leaving the option added by this PR as opt-in, only to be used in the specific Cilium mode of operation where it is required (which is not yet documented anyway).