Gateway API with Host Network: Gateway stays PROGRAMMED: False

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.18.3 and lower than v1.19.0

What happened?

I want to create a k8s (lab, single-node) cluster with Gateway API in host network mode: https://docs.cilium.io/en/latest/network/servicemesh/gateway-api/gateway-api/#host-network-mode

The underlying k8s is a kubeadm-created 1.34.2 with pretty much standard / default options, on Debian 13, with cri-o, if that matters.

I create a gateway with

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: nginx-gateway
spec:
  gatewayClassName: cilium
  listeners:
  - protocol: HTTP
    port: 23180
    name: nginx-gateway-listener-http
    allowedRoutes:
      namespaces:
        from: Same

It stays in the status

% kubectl get gateway
NAME            CLASS    ADDRESS   PROGRAMMED   AGE
nginx-gateway   cilium             False        11m

Describe says:

% kubectl describe gateway nginx-gateway 
Name:         nginx-gateway
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  gateway.networking.k8s.io/v1
Kind:         Gateway
Metadata:
  Creation Timestamp:  2025-11-15T00:57:05Z
  Generation:          1
  Resource Version:    928
  UID:                 532436dd-a157-4e72-9a51-587256b6ced6
Spec:
  Gateway Class Name:  cilium
  Listeners:
    Allowed Routes:
      Namespaces:
        From:  Same
    Name:      nginx-gateway-listener-http
    Port:      23180
    Protocol:  HTTP
Status:
  Conditions:
    Last Transition Time:  2025-11-15T00:57:05Z
    Message:               Gateway successfully scheduled
    Observed Generation:   1
    Reason:                Accepted
    Status:                True
    Type:                  Accepted
    Last Transition Time:  2025-11-15T00:57:05Z
    Message:               Gateway waiting for address
    Observed Generation:   1
    Reason:                AddressNotAssigned
    Status:                False
    Type:                  Programmed
  Listeners:
    Attached Routes:  0
    Conditions:
      Last Transition Time:  2025-11-15T00:57:05Z
      Message:               Resolved Refs
      Observed Generation:   1
      Reason:                ResolvedRefs
      Status:                True
      Type:                  ResolvedRefs
      Last Transition Time:  2025-11-15T00:57:05Z
      Message:               Listener Accepted
      Observed Generation:   1
      Reason:                Accepted
      Status:                True
      Type:                  Accepted
      Last Transition Time:  2025-11-15T00:57:05Z
      Message:               Address not ready yet
      Observed Generation:   1
      Reason:                Pending
      Status:                False
      Type:                  Programmed
    Name:                    nginx-gateway-listener-http
    Supported Kinds:
      Group:  gateway.networking.k8s.io
      Kind:   HTTPRoute
      Group:  gateway.networking.k8s.io
      Kind:   GRPCRoute
Events:       <none>

How can we reproduce the issue?

Before installing Cilium, I install all CRDs as explained in the docs: https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/gateway-api/#prerequisites

My values.yaml for Cilium:

debug:
  enabled: true
kubeProxyReplacement: true
securityContext:
  capabilities:
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_BIND_SERVICE
      - NET_RAW
      - IPC_LOCK
      - SYS_ADMIN
      - SYS_MODULE
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
k8sServiceHost: controlplane
k8sServicePort: 6443
operator:
  replicas: 1
gatewayAPI:
  enabled: true
  hostNetwork:
    enabled: true
    # https://docs.cilium.io/en/latest/network/servicemesh/gateway-api/gateway-api/#deploy-gateway-api-listeners-on-subset-of-nodes
    # An empty selector selects all nodes and continues to expose the functionality on all Cilium nodes.
    # nodes:
    #   matchLabels:
    #     kubernetes.io/os: linux
envoy:
  enabled: true
  securityContext:
    capabilities:
      keepCapNetBindService: true
      envoy:
      # Add NET_BIND_SERVICE to the list (keep the others!)
      - NET_BIND_SERVICE
      - NET_ADMIN
      - SYS_ADMIN

Cilium Version

% kubectl exec -n kube-system ds/cilium -i -- cilium version                  
Client: 1.18.3 c1601689 2025-10-22T19:15:36+00:00 go version go1.24.9 linux/amd64
Daemon: 1.18.3 c1601689 2025-10-22T19:15:36+00:00 go version go1.24.9 linux/amd64

Kernel Version

% kubectl --kubeconfig artifacts/b1/admin.conf exec -n kube-system ds/cilium -i -- uname -a      
Linux b1-kubelet1 6.12.48+deb13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.48-1 (2025-09-20) x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

% kubectl version                                                      
Client Version: v1.34.1
Kustomize Version: v5.7.1
Server Version: v1.34.2

Regression

Not a regression, but I wanted to state that I can get a working Gateway API if I don't use host network mode, but rather a setup with, for example, Cilium and BGP-based load balancers.

Sysdump

cilium-sysdump-20251115-021301.zip

Relevant log output

I can't see relevant log lines. Will try to attach the full log file afterwards.

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
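
Added example (not part of the original report and not Cilium project code): a small triage helper that walks a Gateway's status and lists every gateway-level and listener-level condition that is not True, flagging conditions whose observedGeneration lags the object's generation. The sample object is constructed from the `kubectl describe` output in the report, re-expressed in the JSON shape of `kubectl get gateway -o json`; the function name `unmet_conditions` is hypothetical.

```python
import json

# Constructed sample: the status block from the `kubectl describe` output above,
# re-expressed in the JSON shape of `kubectl get gateway nginx-gateway -o json`.
SAMPLE_GATEWAY = json.loads("""
{
  "metadata": {"name": "nginx-gateway", "namespace": "default", "generation": 1},
  "status": {
    "conditions": [
      {"type": "Accepted", "status": "True", "reason": "Accepted",
       "message": "Gateway successfully scheduled", "observedGeneration": 1},
      {"type": "Programmed", "status": "False", "reason": "AddressNotAssigned",
       "message": "Gateway waiting for address", "observedGeneration": 1}],
    "listeners": [
      {"name": "nginx-gateway-listener-http", "attachedRoutes": 0,
       "conditions": [
         {"type": "ResolvedRefs", "status": "True", "reason": "ResolvedRefs",
          "message": "Resolved Refs", "observedGeneration": 1},
         {"type": "Accepted", "status": "True", "reason": "Accepted",
          "message": "Listener Accepted", "observedGeneration": 1},
         {"type": "Programmed", "status": "False", "reason": "Pending",
          "message": "Address not ready yet", "observedGeneration": 1}]}]
  }
}
""")


def unmet_conditions(gateway):
    """Return (scope, type, reason, message, stale) for each condition not True."""
    generation = gateway.get("metadata", {}).get("generation")
    status = gateway.get("status", {})
    scopes = [("gateway", status.get("conditions", []))]
    for listener in status.get("listeners", []):
        scopes.append(("listener/" + listener.get("name", "?"), listener.get("conditions", [])))
    findings = []
    for scope, conditions in scopes:
        for cond in conditions:
            if cond.get("status") == "True":
                continue
            # A condition computed for an older spec generation may be out of date.
            stale = cond.get("observedGeneration") != generation
            findings.append((scope, cond.get("type"), cond.get("reason"), cond.get("message"), stale))
    return findings


if __name__ == "__main__":
    for scope, ctype, reason, message, stale in unmet_conditions(SAMPLE_GATEWAY):
        print(f"{scope}: {ctype} not True, reason={reason}, stale={stale} ({message})")
```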