when source-range is added then deleted, service stays unavailable #32617
Labels
kind/bug
This is a bug in the Cilium logic.
kind/community-report
This was reported by a user in the Cilium community, eg via Slack.
need-more-info
More information is required to further debug or fix the issue.
sig/agent
Cilium agent related.
sig/k8s
Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
stale
The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Is there an existing issue for this?
What happened?
when a valid or invalid source-range is added to a service, then removed, the service stays unavailable, as if the source-range was corrupted.
the only way to get the service available again is to include a valid source-range again or re-create it.
not a lot of tickets related to source-range, I did look at #30073 - maybe related ( ipv4 and v6 source range cidrs being mixed-up )
Cilium Version
cilium version
cilium-cli: v0.15.21 compiled with go1.21.6 on linux/amd64
cilium image (default): v1.14.6
cilium image (stable): v1.15.5
cilium image (running): 1.15.4
Kernel Version
Linux caas-bglab-comp010--10-112-182-136 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64 Intel(R) Xeon(R) Gold 6354 CPU @ 3.00GHz GenuineIntel GNU/Linux
Kubernetes Version
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.15", GitCommit:"da6089da4974a0a180c226c9353e1921fa3c248a", GitTreeState:"clean", BuildDate:"2023-10-18T13:29:23Z", GoVersion:"go1.20.10", Compiler:"gc", Platform:"linux/amd64"}
Regression
No response
Sysdump
No response
Relevant log output
the only source-range found in any of the nodes is a different namespace.
service:
Anything else?
as a general comment, it would be nice if sourceRange was integrated with NetworkPolicies and cidrGroups, because in cases where sourceIP is lost or not available (envoy, gateway, ingress), sourceRange is the only defense against ingress from external CIDR.
Cilium Users Document
Code of Conduct
The text was updated successfully, but these errors were encountered: