when source-range is added then deleted, service stays unavailable #32617

Open
3 tasks done
christiancadieux opened this issue May 19, 2024 · 3 comments
Labels
info-completed The GH issue has received a reply from the author kind/bug This is a bug in the Cilium logic. kind/community-report This was reported by a user in the Cilium community, eg via Slack. needs/triage This issue requires triaging to establish severity and next steps. sig/agent Cilium agent related. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.

Comments

christiancadieux commented May 19, 2024

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

When a valid or invalid source-range is added to a service and then removed, the service stays unavailable, as if the source-range were corrupted.
The only way to get the service available again is to include a valid source-range again or re-create the service.

There are not a lot of tickets related to source-range. I did look at #30073, which may be related (IPv4 and IPv6 source range CIDRs being mixed up).

Cilium Version

cilium version
cilium-cli: v0.15.21 compiled with go1.21.6 on linux/amd64
cilium image (default): v1.14.6
cilium image (stable): v1.15.5
cilium image (running): 1.15.4

Kernel Version

Linux caas-bglab-comp010--10-112-182-136 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64 Intel(R) Xeon(R) Gold 6354 CPU @ 3.00GHz GenuineIntel GNU/Linux

Kubernetes Version

Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.15", GitCommit:"da6089da4974a0a180c226c9353e1921fa3c248a", GitTreeState:"clean", BuildDate:"2023-10-18T13:29:23Z", GoVersion:"go1.20.10", Compiler:"gc", Platform:"linux/amd64"}

Regression

No response

Sysdump

No response

Relevant log output

The only source-range found on any of the nodes belongs to a different namespace.

for i in $(kubectl get pod -n kube-system | grep cilium | awk '{print $1}'); do kubectl exec -ti "$i" -n kube-system -- cilium bpf lb list --source-ranges; done

SOURCE RANGE (REVNAT_ID)
10.XX.189.0/24 (1346)

SOURCE RANGE (REVNAT_ID)
10.XX.189.0/24 (1345)
...

kubectl get services -A  -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.loadBalancerSourceRanges}{"\n"}{end}' | grep '\['
ccadie883-2	["10.XX.189.8/24"]
tenant20-2	["6001:XX:104c:10a::9:b83b/64"]

service:

apiVersion: v1
kind: Service
metadata:
  labels:
    app: nginx-test-public
  name: nginx-public
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 2001:XX:104c:10a:1::297b
  clusterIPs:
  - 2001:XX:104c:10a:1::297b
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  loadBalancerSourceRanges:
  - 2001:558:104c:10a::7:6be2/16
  ipFamilies:
  - IPv6
  ipFamilyPolicy: SingleStack
  ports:
  - name: http
    nodePort: 9063
    port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: nginx-public
  sessionAffinity: None
  type: LoadBalancer

Anything else?

As a general comment, it would be nice if sourceRange were integrated with NetworkPolicies and cidrGroups, because in cases where the source IP is lost or not available (Envoy, Gateway, Ingress), sourceRange is the only defense against ingress from an external CIDR.

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
@christiancadieux christiancadieux added kind/bug This is a bug in the Cilium logic. kind/community-report This was reported by a user in the Cilium community, eg via Slack. needs/triage This issue requires triaging to establish severity and next steps. labels May 19, 2024
lmb (Contributor) commented May 21, 2024

Does valid -> valid source range update work? Can you include the valid and invalid manifest? Your example doesn't contain loadBalancerSourceRanges.

@lmb lmb added the need-more-info More information is required to further debug or fix the issue. label May 21, 2024
christiancadieux (Author) commented May 21, 2024

I added a sourceRange property.
Yes, source-range works in general; it's only when it's created and then removed that the service stays unavailable, which is what the bug title says.

@github-actions github-actions bot added info-completed The GH issue has received a reply from the author and removed need-more-info More information is required to further debug or fix the issue. labels May 21, 2024
@lmb lmb added sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. sig/agent Cilium agent related. labels May 22, 2024
lmb (Contributor) commented May 22, 2024

Thanks. I'm guessing that we treat invalid source range as no source range somewhere, and then "fixing" the manifest ends up looking like no change was made. Leaving this for the experts.
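The failure mode lmb hypothesises above, as an added illustration that is not Cilium's code and not part of the original thread: a reconciler that parses loadBalancerSourceRanges into prefixes, silently drops entries that fail to parse, and then diffs old and new state only on the parsed result. An invalid range and no range both parse to an empty list, so "remove the range" looks like a no-op. The block contrasts that naive diff with one over the raw spec field, normalises host bits in prefixes such as the /16 in the manifest above, and shows the datapath rule that source ranges enforce (empty list allows everyone; non-empty list is an allow-list, so an IPv4 range on an IPv6 service blocks every IPv6 client). All function names and the sample inputs are constructed for this example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseSourceRanges canonicalises loadBalancerSourceRanges entries.
// Invalid entries are returned separately instead of being dropped, so a
// caller can refuse the spec (or log it) rather than treat it as "no ranges".
// Prefixes are masked so "10.0.189.8/24" and "10.0.189.0/24" compare equal.
func parseSourceRanges(raw []string) (valid []netip.Prefix, invalid []string) {
	for _, s := range raw {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			invalid = append(invalid, s)
			continue
		}
		valid = append(valid, p.Masked())
	}
	return valid, invalid
}

func equalPrefixes(a, b []netip.Prefix) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// naiveChanged diffs only the parsed prefixes (hypothetical buggy reconciler).
// ["not-a-cidr"] and nil both parse to nothing, so invalid -> none is a no-op
// and the stale datapath entry is never removed.
func naiveChanged(oldRaw, newRaw []string) bool {
	oldP, _ := parseSourceRanges(oldRaw)
	newP, _ := parseSourceRanges(newRaw)
	return !equalPrefixes(oldP, newP)
}

// specChanged diffs the raw spec field, so any edit, including removing an
// unparseable entry, is seen as a change that must be reconciled.
func specChanged(oldRaw, newRaw []string) bool {
	if len(oldRaw) != len(newRaw) {
		return true
	}
	for i := range oldRaw {
		if oldRaw[i] != newRaw[i] {
			return true
		}
	}
	return false
}

// sourceAllowed models loadBalancerSourceRanges semantics: no ranges means
// every client is allowed; otherwise the client must fall inside one range.
// Address-family mismatches (IPv4 range, IPv6 client) simply never match.
func sourceAllowed(src netip.Addr, ranges []netip.Prefix) bool {
	if len(ranges) == 0 {
		return true
	}
	for _, p := range ranges {
		if p.Contains(src) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sequence mirroring the report: none -> range -> none.
	steps := [][]string{nil, {"2001:db8:104c:10a::7:6be2/16"}, nil, {"not-a-cidr"}, nil}
	for i := 1; i < len(steps); i++ {
		fmt.Printf("%v -> %v: naive=%v spec=%v\n", steps[i-1], steps[i],
			naiveChanged(steps[i-1], steps[i]), specChanged(steps[i-1], steps[i]))
	}
	v6Client := netip.MustParseAddr("2001:db8::1")
	v4Only, _ := parseSourceRanges([]string{"10.0.189.0/24"})
	fmt.Println("IPv6 client, no ranges:", sourceAllowed(v6Client, nil))
	fmt.Println("IPv6 client, IPv4-only range:", sourceAllowed(v6Client, v4Only))
}
```

The practical check for a cluster in the reported state is the same comparison done by hand: if the Service spec no longer carries loadBalancerSourceRanges but `cilium bpf lb list --source-ranges` still shows an entry for that service's REVNAT_ID, the agent's view of the spec and the datapath have diverged, which is exactly what a parsed-only diff produces.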
