Can't access my LoadBalancing service from the outside

[batleforc]

Is there an existing issue for this?

• [X] I have searched the existing issues

What happened?

I have a K3S Kubernetes setup with at the moment a single node.

While setting up a new service that need a Load Balancer, I ended up being unable to access it from the outside. After further digging, I found out that the service didn't get an External IP. After upgrading the cilium (uninstall then install again) no service could get an external ip.

Cilium Version

cilium-cli: v0.15.13 compiled with go1.21.3 on windows/amd64 cilium image (default): v1.14.2 cilium image (stable): v1.14.3 cilium image (running): 1.14.2

Kernel Version

Linux weebo3 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux

Kubernetes Version

v1.27.4+k3s1

Sysdump

No response

Relevant log output

No response

Anything else?

Cilium values

MTU: 0
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            k8s-app: cilium
        topologyKey: kubernetes.io/hostname
agent: true
agentNotReadyTaintKey: node.cilium.io/agent-not-ready
aksbyocni:
  enabled: false
alibabacloud:
  enabled: false
annotateK8sNode: false
authentication:
  enabled: true
  gcInterval: 5m0s
  mutual:
    port: 4250
    spire:
      adminSocketPath: /run/spire/sockets/admin.sock
      agentSocketPath: /run/spire/sockets/agent/agent.sock
      connectionTimeout: 30s
      enabled: false
      install:
        agent:
          annotations: {}
          image: ghcr.io/spiffe/spire-agent:1.6.3@sha256:8eef9857bf223181ecef10d9bbcd2f7838f3689e9bd2445bede35066a732e823
          labels: {}
          serviceAccount:
            create: true
            name: spire-agent
          skipKubeletVerification: true
        enabled: true
        namespace: cilium-spire
        server:
          annotations: {}
          ca:
            keyType: rsa-4096
            subject:
              commonName: Cilium SPIRE CA
              country: US
              organization: SPIRE
          dataStorage:
            accessMode: ReadWriteOnce
            enabled: true
            size: 1Gi
            storageClass: null
          image: ghcr.io/spiffe/spire-server:1.6.3@sha256:f4bc49fb0bd1d817a6c46204cc7ce943c73fb0a5496a78e0e4dc20c9a816ad7f
          initContainers: []
          labels: {}
          service:
            annotations: {}
            labels: {}
            type: ClusterIP
          serviceAccount:
            create: true
            name: spire-server
      serverAddress: null
      trustDomain: spiffe.cilium
  queueSize: 1024
  rotatedIdentitiesQueueSize: 1024
autoDirectNodeRoutes: false
azure:
  enabled: false
bandwidthManager:
  bbr: false
  enabled: false
bgp:
  announce:
    loadbalancerIP: false
    podCIDR: false
  enabled: false
bgpControlPlane:
  enabled: false
bpf:
  authMapMax: null
  autoMount:
    enabled: true
  ctAnyMax: null
  ctTcpMax: null
  hostLegacyRouting: null
  lbExternalClusterIP: false
  lbMapMax: 65536
  mapDynamicSizeRatio: null
  masquerade: null
  monitorAggregation: medium
  monitorFlags: all
  monitorInterval: 5s
  natMax: null
  neighMax: null
  policyMapMax: 16384
  preallocateMaps: false
  root: /sys/fs/bpf
  tproxy: null
  vlanBypass: null
bpfClockProbe: false
certgen:
  annotations:
    cronJob: {}
    job: {}
  extraVolumeMounts: []
  extraVolumes: []
  image:
    digest: sha256:4a456552a5f192992a6edcec2febb1c54870d665173a33dc7d876129b199ddbd
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/certgen
    tag: v0.1.8
    useDigest: true
  podLabels: {}
  tolerations: []
  ttlSecondsAfterFinished: 1800
cgroup:
  autoMount:
    enabled: true
    resources: {}
  hostRoot: /run/cilium/cgroupv2
cleanBpfState: false
cleanState: false
cluster:
  id: 0
  name: default
clustermesh:
  apiserver:
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                k8s-app: clustermesh-apiserver
            topologyKey: kubernetes.io/hostname
    etcd:
      image:
        digest: sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3
        override: null
        pullPolicy: IfNotPresent
        repository: quay.io/coreos/etcd
        tag: v3.5.4
        useDigest: true
      init:
        resources: {}
      resources: {}
      securityContext: {}
    extraArgs: []
    extraEnv: []
    extraVolumeMounts: []
    extraVolumes: []
    image:
      digest: sha256:a7353669b1f7cb96cd600d98c7dd12e909d876843a7a272a1bc407e114ed225c
      override: null
      pullPolicy: IfNotPresent
      repository: quay.io/cilium/clustermesh-apiserver
      tag: v1.14.1
      useDigest: true
    kvstoremesh:
      enabled: false
      extraArgs: []
      extraEnv: []
      extraVolumeMounts: []
      image:
        digest: sha256:6a4083b79290d1278462c4e1269e927e71c2df05cc80f999d58b66b6b501bc8e
        override: null
        pullPolicy: IfNotPresent
        repository: quay.io/cilium/kvstoremesh
        tag: v1.14.1
        useDigest: true
      resources: {}
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
    metrics:
      enabled: true
      etcd:
        enabled: false
        mode: basic
        port: 9963
      kvstoremesh:
        enabled: true
        port: 9964
      port: 9962
      serviceMonitor:
        annotations: {}
        enabled: false
        etcd:
          interval: 10s
          metricRelabelings: null
          relabelings: null
        interval: 10s
        kvstoremesh:
          interval: 10s
          metricRelabelings: null
          relabelings: null
        labels: {}
        metricRelabelings: null
        relabelings: null
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      maxUnavailable: 1
      minAvailable: null
    podLabels: {}
    podSecurityContext: {}
    priorityClassName: ""
    replicas: 1
    resources: {}
    securityContext: {}
    service:
      annotations: {}
      externalTrafficPolicy: null
      internalTrafficPolicy: null
      nodePort: 32379
      type: NodePort
    tls:
      admin:
        cert: ""
        key: ""
      authMode: legacy
      auto:
        certManagerIssuerRef: {}
        certValidityDuration: 1095
        enabled: true
        method: helm
      ca:
        cert: ""
        key: ""
      client:
        cert: ""
        key: ""
      remote:
        cert: ""
        key: ""
      server:
        cert: ""
        extraDnsNames: []
        extraIpAddresses: []
        key: ""
    tolerations: []
    topologySpreadConstraints: []
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate
  config:
    clusters: []
    domain: mesh.cilium.io
    enabled: false
  useAPIServer: false
cni:
  binPath: /opt/cni/bin
  chainingMode: null
  chainingTarget: null
  confFileMountPath: /tmp/cni-configuration
  confPath: /etc/cni/net.d
  configMapKey: cni-config
  customConf: false
  exclusive: true
  hostConfDirMountPath: /host/etc/cni/net.d
  install: true
  logFile: /var/run/cilium/cilium-cni.log
  uninstall: false
conntrackGCInterval: ""
containerRuntime:
  integration: none
crdWaitTimeout: ""
customCalls:
  enabled: false
daemon:
  allowedConfigOverrides: null
  blockedConfigOverrides: null
  configSources: null
  runPath: /var/run/cilium
dashboards:
  annotations: {}
  enabled: false
  label: grafana_dashboard
  labelValue: "1"
  namespace: null
debug:
  enabled: false
  verbose: null
disableEndpointCRD: false
dnsPolicy: ""
dnsProxy:
  dnsRejectResponseCode: refused
  enableDnsCompression: true
  endpointMaxIpPerHostname: 50
  idleConnectionGracePeriod: 0s
  maxDeferredConnectionDeletes: 10000
  minTtl: 0
  preCache: ""
  proxyPort: 0
  proxyResponseMaxDelay: 100ms
egressGateway:
  enabled: false
  installRoutes: false
  reconciliationTriggerInterval: 1s
enableCiliumEndpointSlice: false
enableCnpStatusUpdates: false
enableCriticalPriorityClass: true
enableIPv4BIGTCP: false
enableIPv4Masquerade: true
enableIPv6BIGTCP: false
enableIPv6Masquerade: true
enableK8sEventHandover: false
enableK8sTerminatingEndpoint: true
enableRuntimeDeviceDetection: false
enableXTSocketFallback: true
encryption:
  enabled: false
  interface: ""
  ipsec:
    interface: ""
    keyFile: ""
    keyRotationDuration: 5m
    keyWatcher: true
    mountPath: ""
    secretName: ""
  keyFile: keys
  mountPath: /etc/ipsec
  nodeEncryption: false
  secretName: cilium-ipsec-keys
  type: ipsec
  wireguard:
    userspaceFallback: false
endpointHealthChecking:
  enabled: true
endpointRoutes:
  enabled: false
endpointStatus:
  enabled: false
  status: ""
eni:
  awsEnablePrefixDelegation: false
  awsReleaseExcessIPs: false
  ec2APIEndpoint: ""
  enabled: false
  eniTags: {}
  gcInterval: ""
  gcTags: {}
  iamRole: ""
  instanceTagsFilter: []
  subnetIDsFilter: []
  subnetTagsFilter: []
  updateEC2AdapterLimitViaAPI: true
envoy:
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              k8s-app: cilium-envoy
          topologyKey: kubernetes.io/hostname
  connectTimeoutSeconds: 2
  dnsPolicy: null
  enabled: false
  extraArgs: []
  extraContainers: []
  extraEnv: []
  extraHostPathMounts: []
  extraVolumeMounts: []
  extraVolumes: []
  healthPort: 9878
  idleTimeoutDurationSeconds: 60
  image:
    digest: sha256:023d09eeb8a44ae99b489f4af7ffed8b8b54f19a532e0bc6ab4c1e4b31acaab1
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/cilium-envoy
    tag: v1.25.9-f039e2bd380b7eef2f2feea5750676bb36133699
    useDigest: true
  livenessProbe:
    failureThreshold: 10
    periodSeconds: 30
  log:
    format: "[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"
    path: ""
  maxConnectionDurationSeconds: 0
  maxRequestsPerConnection: 0
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  priorityClassName: null
  prometheus:
    enabled: true
    port: "9964"
    serviceMonitor:
      annotations: {}
      enabled: false
      interval: 10s
      labels: {}
      metricRelabelings: null
      relabelings:
        - replacement: ${1}
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: node
  readinessProbe:
    failureThreshold: 3
    periodSeconds: 30
  resources: {}
  rollOutPods: false
  securityContext:
    capabilities:
      envoy:
        - NET_ADMIN
        - SYS_ADMIN
    privileged: false
    seLinuxOptions:
      level: s0
      type: spc_t
  startupProbe:
    failureThreshold: 105
    periodSeconds: 2
  terminationGracePeriodSeconds: 1
  tolerations:
    - operator: Exists
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 2
    type: RollingUpdate
envoyConfig:
  enabled: false
  secretsNamespace:
    create: true
    name: cilium-secrets
etcd:
  clusterDomain: cluster.local
  enabled: false
  endpoints:
    - https://CHANGE-ME:2379
  extraArgs: []
  extraVolumeMounts: []
  extraVolumes: []
  image:
    digest: sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/cilium-etcd-operator
    tag: v2.0.7
    useDigest: true
  k8sService: false
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1
    minAvailable: null
  podLabels: {}
  podSecurityContext: {}
  priorityClassName: ""
  resources: {}
  securityContext: {}
  ssl: false
  tolerations:
    - operator: Exists
  topologySpreadConstraints: []
  updateStrategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
externalIPs:
  enabled: false
externalWorkloads:
  enabled: false
extraArgs: []
extraConfig: {}
extraContainers: []
extraEnv: []
extraHostPathMounts: []
extraVolumeMounts: []
extraVolumes: []
gatewayAPI:
  enabled: false
  secretsNamespace:
    create: true
    name: cilium-secrets
    sync: true
gke:
  enabled: false
healthChecking: true
healthPort: 9879
highScaleIPcache:
  enabled: false
hostFirewall:
  enabled: false
hostPort:
  enabled: false
hubble:
  enabled: true
  listenAddress: :4244
  metrics:
    dashboards:
      annotations: {}
      enabled: false
      label: grafana_dashboard
      labelValue: "1"
      namespace: null
    enableOpenMetrics: false
    enabled:
      - dns
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - flows-to-world
      - httpV2
    port: 9965
    serviceAnnotations: {}
    serviceMonitor:
      annotations: {}
      enabled: true
      interval: 10s
      labels: {}
      metricRelabelings: null
      relabelings:
        - replacement: ${1}
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: node
  peerService:
    clusterDomain: cluster.local
    targetPort: 4244
  preferIpv6: false
  relay:
    affinity:
      podAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                k8s-app: cilium
            topologyKey: kubernetes.io/hostname
    dialTimeout: null
    enabled: true
    extraEnv: []
    gops:
      enabled: true
      port: 9893
    image:
      digest: sha256:db30e85a7abc10589ce2a97d61ee18696a03dc5ea04d44b4d836d88bd75b59d8
      override: null
      pullPolicy: IfNotPresent
      repository: quay.io/cilium/hubble-relay
      tag: v1.14.1
      useDigest: true
    listenHost: ""
    listenPort: "4245"
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      maxUnavailable: 1
      minAvailable: null
    podLabels: {}
    podSecurityContext:
      fsGroup: 65532
    pprof:
      address: localhost
      enabled: false
      port: 6062
    priorityClassName: ""
    prometheus:
      enabled: false
      port: 9966
      serviceMonitor:
        annotations: {}
        enabled: false
        interval: 10s
        labels: {}
        metricRelabelings: null
        relabelings: null
    replicas: 1
    resources: {}
    retryTimeout: null
    rollOutPods: false
    securityContext:
      capabilities:
        drop:
          - ALL
      runAsGroup: 65532
      runAsNonRoot: true
      runAsUser: 65532
    service:
      nodePort: 31234
      type: ClusterIP
    sortBufferDrainTimeout: null
    sortBufferLenMax: null
    terminationGracePeriodSeconds: 1
    tls:
      client:
        cert: ""
        key: ""
      server:
        cert: ""
        enabled: false
        extraDnsNames: []
        extraIpAddresses: []
        key: ""
        mtls: false
    tolerations: []
    topologySpreadConstraints: []
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate
  skipUnknownCGroupIDs: null
  socketPath: /var/run/cilium/hubble.sock
  tls:
    auto:
      certManagerIssuerRef: {}
      certValidityDuration: 1095
      enabled: true
      method: helm
      schedule: 0 0 1 */4 *
    enabled: true
    server:
      cert: ""
      extraDnsNames: []
      extraIpAddresses: []
      key: ""
  ui:
    affinity: {}
    backend:
      extraEnv: []
      extraVolumeMounts: []
      extraVolumes: []
      image:
        digest: sha256:8a79a1aad4fc9c2aa2b3e4379af0af872a89fcec9d99e117188190671c66fc2e
        override: null
        pullPolicy: IfNotPresent
        repository: quay.io/cilium/hubble-ui-backend
        tag: v0.12.0
        useDigest: true
      resources: {}
      securityContext: {}
    baseUrl: /
    enabled: true
    frontend:
      extraEnv: []
      extraVolumeMounts: []
      extraVolumes: []
      image:
        digest: sha256:1c876cfa1d5e35bc91e1025c9314f922041592a88b03313c22c1f97a5d2ba88f
        override: null
        pullPolicy: IfNotPresent
        repository: quay.io/cilium/hubble-ui
        tag: v0.12.0
        useDigest: true
      resources: {}
      securityContext: {}
      server:
        ipv6:
          enabled: true
    ingress:
      annotations: {}
      className: ""
      enabled: false
      hosts:
        - chart-example.local
      labels: {}
      tls: []
    nodeSelector:
      kubernetes.io/os: linux
    podAnnotations: {}
    podDisruptionBudget:
      enabled: false
      maxUnavailable: 1
      minAvailable: null
    podLabels: {}
    priorityClassName: ""
    replicas: 1
    rollOutPods: false
    securityContext:
      fsGroup: 1001
      runAsGroup: 1001
      runAsUser: 1001
    service:
      annotations: {}
      nodePort: 31235
      type: ClusterIP
    standalone:
      enabled: false
      tls:
        certsVolume: {}
    tls:
      client:
        cert: ""
        key: ""
    tolerations: []
    topologySpreadConstraints: []
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate
identityAllocationMode: crd
identityChangeGracePeriod: ""
image:
  digest: sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
  override: null
  pullPolicy: IfNotPresent
  repository: quay.io/cilium/cilium
  tag: v1.14.1
  useDigest: true
imagePullSecrets: null
ingressController:
  default: false
  defaultSecretName: null
  defaultSecretNamespace: null
  enabled: false
  enforceHttps: true
  ingressLBAnnotationPrefixes:
    - service.beta.kubernetes.io
    - service.kubernetes.io
    - cloud.google.com
  loadbalancerMode: dedicated
  secretsNamespace:
    create: true
    name: cilium-secrets
    sync: true
  service:
    allocateLoadBalancerNodePorts: null
    annotations: {}
    insecureNodePort: null
    labels: {}
    loadBalancerClass: null
    loadBalancerIP: null
    name: cilium-ingress
    secureNodePort: null
    type: LoadBalancer
installNoConntrackIptablesRules: false
ipMasqAgent:
  enabled: false
ipam:
  ciliumNodeUpdateRate: 15s
  mode: cluster-pool
  operator:
    autoCreateCiliumPodIPPools: {}
    clusterPoolIPv4MaskSize: 24
    clusterPoolIPv4PodCIDRList:
      - 10.0.0.0/8
    clusterPoolIPv6MaskSize: 120
    clusterPoolIPv6PodCIDRList:
      - fd00::/104
    externalAPILimitBurstSize: null
    externalAPILimitQPS: null
ipv4:
  enabled: true
ipv4NativeRoutingCIDR: ""
ipv6:
  enabled: true
ipv6NativeRoutingCIDR: ""
k8s: {}
k8sClientRateLimit:
  burst: 10
  qps: 5
k8sNetworkPolicy:
  enabled: true
k8sServiceHost: "{IP ADDRESS}"
k8sServicePort: "6443"
keepDeprecatedLabels: false
keepDeprecatedProbes: false
kubeConfigPath: ""
kubeProxyReplacementHealthzBindAddr: ""
kubeProxyReplacement: "true"
l2NeighDiscovery:
  enabled: true
  refreshPeriod: 30s
l2announcements:
  enabled: false
l2podAnnouncements:
  enabled: false
  interface: eno0
l7Proxy: true
livenessProbe:
  failureThreshold: 10
  periodSeconds: 30
loadBalancer:
  l7:
    algorithm: round_robin
    backend: disabled
    ports: []
localRedirectPolicy: false
logSystemLoad: false
maglev: {}
monitor:
  enabled: false
name: cilium
nat46x64Gateway:
  enabled: false
nodePort:
  autoProtectPortRange: true
  bindProtection: true
  enableHealthCheck: true
  enabled: false
nodeSelector:
  kubernetes.io/os: linux
nodeinit:
  affinity: {}
  bootstrapFile: /tmp/cilium-bootstrap.d/cilium-bootstrap-time
  enabled: false
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []
  image:
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/startup-script
    tag: 62093c5c233ea914bfa26a10ba41f8780d9b737f
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  podLabels: {}
  prestop:
    postScript: ""
    preScript: ""
  priorityClassName: ""
  resources:
    requests:
      cpu: 100m
      memory: 100Mi
  securityContext:
    capabilities:
      add:
        - SYS_MODULE
        - NET_ADMIN
        - SYS_ADMIN
        - SYS_CHROOT
        - SYS_PTRACE
    privileged: false
    seLinuxOptions:
      level: s0
      type: spc_t
  startup:
    postScript: ""
    preScript: ""
  tolerations:
    - operator: Exists
  updateStrategy:
    type: RollingUpdate
operator:
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              io.cilium/app: operator
          topologyKey: kubernetes.io/hostname
  dashboards:
    annotations: {}
    enabled: false
    label: grafana_dashboard
    labelValue: "1"
    namespace: null
  dnsPolicy: ""
  enabled: true
  endpointGCInterval: 5m0s
  extraArgs: []
  extraEnv: []
  extraHostPathMounts: []
  extraVolumeMounts: []
  extraVolumes: []
  identityGCInterval: 15m0s
  identityHeartbeatTimeout: 30m0s
  image:
    alibabacloudDigest: sha256:edecc162279afba4af27f38afc4bc716a2e91df6b5ca6f88714029b27fb5920b
    awsDigest: sha256:ff57964aefd903456745e53a4697a4f6a026d8fffdb06f53f624a23d23ade37a
    azureDigest: sha256:2cba2cee3463c9349c47b2deb8736ffe6d8589d5e4c29b7c442b992fe0ef1fb7
    genericDigest: sha256:e061de0a930534c7e3f8feda8330976367971238ccafff42659f104effd4b5f7
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/operator
    suffix: ""
    tag: v1.14.1
    useDigest: true
  nodeGCInterval: 5m0s
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1
    minAvailable: null
  podLabels: {}
  podSecurityContext: {}
  pprof:
    address: localhost
    enabled: false
    port: 6061
  priorityClassName: ""
  prometheus:
    enabled: true
    port: 9963
    serviceMonitor:
      annotations: {}
      enabled: true
      interval: 10s
      labels: {}
      metricRelabelings: null
      relabelings: null
  removeNodeTaints: true
  replicas: 1
  resources: {}
  rollOutPods: false
  securityContext: {}
  setNodeNetworkStatus: true
  setNodeTaints: null
  skipCNPStatusStartupClean: false
  skipCRDCreation: false
  tolerations:
    - operator: Exists
  topologySpreadConstraints: []
  unmanagedPodWatcher:
    intervalSeconds: 15
    restart: true
  updateStrategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 50%
    type: RollingUpdate
pmtuDiscovery:
  enabled: false
podAnnotations: {}
podLabels: {}
podSecurityContext: {}
policyEnforcementMode: default
pprof:
  address: localhost
  enabled: false
  port: 6060
preflight:
  affinity:
    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchLabels:
              k8s-app: cilium
          topologyKey: kubernetes.io/hostname
  enabled: false
  extraEnv: []
  extraVolumeMounts: []
  extraVolumes: []
  image:
    digest: sha256:edc1d05ea1365c4a8f6ac6982247d5c145181704894bb698619c3827b6963a72
    override: null
    pullPolicy: IfNotPresent
    repository: quay.io/cilium/cilium
    tag: v1.14.1
    useDigest: true
  nodeSelector:
    kubernetes.io/os: linux
  podAnnotations: {}
  podDisruptionBudget:
    enabled: false
    maxUnavailable: 1
    minAvailable: null
  podLabels: {}
  podSecurityContext: {}
  priorityClassName: ""
  resources: {}
  securityContext: {}
  terminationGracePeriodSeconds: 1
  tofqdnsPreCache: ""
  tolerations:
    - effect: NoSchedule
      key: node.kubernetes.io/not-ready
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
    - effect: NoSchedule
      key: node-role.kubernetes.io/control-plane
    - effect: NoSchedule
      key: node.cloudprovider.kubernetes.io/uninitialized
      value: "true"
    - key: CriticalAddonsOnly
      operator: Exists
  updateStrategy:
    type: RollingUpdate
  validateCNPs: true
priorityClassName: ""
prometheus:
  enabled: true
  metrics: null
  port: 9962
  serviceMonitor:
    annotations: {}
    enabled: true
    interval: 10s
    labels: {}
    metricRelabelings: null
    relabelings:
      - replacement: ${1}
        sourceLabels:
          - __meta_kubernetes_pod_node_name
        targetLabel: node
    trustCRDsExist: false
proxy:
  prometheus:
    enabled: true
    port: null
  sidecarImageRegex: cilium/istio_proxy
rbac:
  create: true
readinessProbe:
  failureThreshold: 3
  periodSeconds: 30
remoteNodeIdentity: true
resourceQuotas:
  cilium:
    hard:
      pods: 10k
  enabled: false
  operator:
    hard:
      pods: "15"
resources: {}
rollOutCiliumPods: false
routingMode: ""
sctp:
  enabled: false
securityContext:
  capabilities:
    applySysctlOverwrites:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
    ciliumAgent:
      - CHOWN
      - KILL
      - NET_ADMIN
      - NET_RAW
      - IPC_LOCK
      - SYS_MODULE
      - SYS_ADMIN
      - SYS_RESOURCE
      - DAC_OVERRIDE
      - FOWNER
      - SETGID
      - SETUID
    cleanCiliumState:
      - NET_ADMIN
      - SYS_MODULE
      - SYS_ADMIN
      - SYS_RESOURCE
    mountCgroup:
      - SYS_ADMIN
      - SYS_CHROOT
      - SYS_PTRACE
  privileged: false
  seLinuxOptions:
    level: s0
    type: spc_t
serviceAccounts:
  cilium:
    annotations: {}
    automount: true
    create: true
    name: cilium
  clustermeshApiserver:
    annotations: {}
    automount: true
    create: true
    name: clustermesh-apiserver
  clustermeshcertgen:
    annotations: {}
    automount: true
    create: true
    name: clustermesh-apiserver-generate-certs
  envoy:
    annotations: {}
    automount: true
    create: true
    name: cilium-envoy
  etcd:
    annotations: {}
    automount: true
    create: true
    name: cilium-etcd-operator
  hubblecertgen:
    annotations: {}
    automount: true
    create: true
    name: hubble-generate-certs
  nodeinit:
    annotations: {}
    automount: true
    create: true
    enabled: false
    name: cilium-nodeinit
  operator:
    annotations: {}
    automount: true
    create: true
    name: cilium-operator
  preflight:
    annotations: {}
    automount: true
    create: true
    name: cilium-pre-flight
  relay:
    annotations: {}
    automount: false
    create: true
    name: hubble-relay
  ui:
    annotations: {}
    automount: true
    create: true
    name: hubble-ui
sleepAfterInit: false
socketLB:
  enabled: true
  hostNamespaceOnly: true
startupProbe:
  failureThreshold: 105
  periodSeconds: 2
svcSourceRangeCheck: true
synchronizeK8sNodes: true
terminationGracePeriodSeconds: 1
tls:
  ca:
    cert: ""
    certValidityDuration: 1095
    key: ""
  caBundle:
    enabled: false
    key: ca.crt
    name: cilium-root-ca.crt
    useSecret: false
  secretsBackend: local
tolerations:
  - operator: Exists
tunnel: vxlan
tunnelPort: 0
tunnelProtocol: ""
updateStrategy:
  rollingUpdate:
    maxUnavailable: 2
  type: RollingUpdate
vtep:
  cidr: ""
  enabled: false
  endpoint: ""
  mac: ""
  mask: ""
waitForKubeProxy: false
wellKnownIdentities:
  enabled: false

Code of Conduct

• [X] I agree to follow this project's Code of Conduct

[lmb]

This doesn't sound like a bug to me, more like you're not sure how to configure things. Have you tried asking on the slack channel?

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[github-actions[bot]]

This issue has not seen any activity since it was marked stale. Closing.