Don't orphan CEPs when node IPV6 is preferred at dual stack k8s config

This commit prevents a soft deadlock in the cilium agent on dual stack k8s config with ipv6 preferred by making it check to both ip families CEP's node IPs. Fixes: #28139 Signed-off-by: Raul S. <rawmind@gmail.com>
cilium · Oct 27, 2023 · 6c5e5a8 · 6c5e5a8
1 parent 898a632
commit 6c5e5a8
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/pkg/k8s/watchers/endpointsynchronizer.go b/pkg/k8s/watchers/endpointsynchronizer.go
@@ -368,7 +368,6 @@ func updateCEPUID(scopedLog *logrus.Entry, e *endpoint.Endpoint, localCEP *ciliu
 	//
 	// The intent here is to check if a given pod is running on the same node
 	// this cilium is running on before taking over its CEP.
-	nodeIP := node.GetCiliumEndpointNodeIP()
 	pod := e.GetPod()
 	if pod == nil {
 		return fmt.Errorf("endpoint sync cannot take ownership of CEP: no pod")
@@ -377,9 +376,13 @@ func updateCEPUID(scopedLog *logrus.Entry, e *endpoint.Endpoint, localCEP *ciliu
 	if podHostIP == "" {
 		return fmt.Errorf("endpoint sync cannot take ownership of CEP: no pod HostIP")
 	}
-	if podHostIP != nodeIP {
-		return fmt.Errorf("endpoint sync cannot take ownership of CEP that is not local: CEP's pod %q, pod's hostIP %q, cilium nodeIP %q)",
-			e.GetK8sPodName(), podHostIP, nodeIP)
+	if nodeIP := node.GetIPv4().String(); podHostIP != nodeIP {
+		// Also checking node ipv6 for k8s dual stack with ipv6 preference where
+		// podHostIP is gonna be node ipv6
+		if nodeIPV6 := node.GetIPv6().String(); podHostIP != nodeIPV6 {
+			return fmt.Errorf("endpoint sync cannot take ownership of CEP that is not local: CEP's pod %q, pod's hostIP %q, cilium nodeIP %q)",
+				e.GetK8sPodName(), podHostIP, nodeIP)
+		}
 	}
 
 	// If the endpoint has a CEP UID, which does not match the current CEP, we cannot take