kubernetes services ips not being encapsulated

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.18.3 and lower than v1.19.0

What happened?

Hi,

I'm having a very strange issue. I have a 1 node Kubernetes 1.33.4 cluster running Cilium 1.8.1. I am using tunnel mode with vxlan. kubeproxyreplacement is true. Pod to pod communication seems to be working fine, but Kubernetes services are not working properly. My services CIDR in Kubernetes is 192.168.0.0/16. Cilium is assigning correct IPs to the services. However, whenever a pod tries to connect to one of the services, I can see on my corporate firewall that an outbound connection is made from the host to the IP. For example, if a service gets an IP of 192.168.88.104, I see a connection on my firewall from the host outbound to that IP 192.168.88.104, as if it were trying to go to the internet to reach that IP. This of course fails. It is like Cilium is trying to use native routing instead of tunneling, but only for Kubernetes services. The services do not have hostNetwork: true set. Anyone have any ideas?

How can we reproduce the issue?

  1. install cilium with helm
  2. try to connect to a kubernetes service from a pod

Cilium Version

1.8.1

Kernel Version

5.14.0-503.11.1.el9_5.x86_64

Kubernetes Version

1.33.4

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response