cilium / cilium

eBPF-based Networking, Security, and Observability
https://cilium.io
Apache License 2.0

Cilium v1.15 host firewall ignores virtual IPs on the localhost (lo) interface #33214

Open tenyo opened 1 week ago

tenyo commented 1 week ago

What happened?

On our Kubernetes clusters we have (kube-vip) virtual IPs on the lo interface. We are running cilium with kube-proxy-replacement and host-firewall, and we have a CCNP to restrict ingress to all of the host IPs. After upgrading cilium from v1.14 to v1.15 the existing CCNP starts allowing all connections to the lo VIP. Connections to other host IPs (e.g. on bond0) are still dropped as expected. When comparing the cilium ip list output between 1.14 and 1.15, I no longer see the VIP listed as reserved:host in the new cilium version (but it shows up as reserved:world).

Is this expected behavior in cilium v1.15?

Cilium Version

v1.15 (reproduces with both v1.15.2 and v1.15.6)

Kernel Version

6.1.90-flatcar

Kubernetes Version

v1.29.5

Regression

v1.14.11

Sysdump

No response

Relevant log output

No response

Anything else?

No response

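A check for the classification change the report describes, added here as an example (not code from the issue or the Cilium project): it parses `cilium ip list` output and flags node addresses that are not identified as `reserved:host`, which is what a host-firewall CCNP relies on. It assumes the output's columns are IP, IDENTITY and SOURCE with addresses printed in CIDR form; the sample output and all addresses below are constructed.

```shell
#!/bin/sh
# Constructed sample of `cilium ip list` output (assumption: columns IP,
# IDENTITY, SOURCE; addresses in CIDR form). It mimics the report: the bond0
# address is reserved:host, while the kube-vip VIP on lo shows up as world.
SAMPLE_IPCACHE='IP              IDENTITY        SOURCE
0.0.0.0/0       reserved:world
10.10.0.11/32   reserved:host   local
10.10.0.100/32  reserved:world
10.244.1.5/32   16580           custom-resource'

# identity_for <ip> [input]: print the identity label recorded for <ip>
# (bare or /32 form), or "missing" if the ipcache has no entry for it.
identity_for() {
    ip="$1"
    input="${2:-$SAMPLE_IPCACHE}"
    printf '%s\n' "$input" | awk -v ip="$ip" '
        NR > 1 && ($1 == ip || $1 == (ip "/32")) { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# check_host_ips <input> <ip>...: return 0 when every given node address is
# reserved:host, 1 when any is classified otherwise (the regression reported).
check_host_ips() {
    input="$1"; shift
    rc=0
    for ip in "$@"; do
        id=$(identity_for "$ip" "$input")
        if [ "$id" = "reserved:host" ]; then
            echo "OK    $ip -> $id"
        else
            echo "ALERT $ip -> $id (not reserved:host)"
            rc=1
        fi
    done
    return $rc
}

# On a live node: check_host_ips "$(cilium ip list)" <node-ip> <vip>...
if ! check_host_ips "$SAMPLE_IPCACHE" 10.10.0.11 10.10.0.100; then
    echo "one or more node addresses are not classified as reserved:host"
fi
```

Run it before and after an agent upgrade with every address the CCNP is meant to cover, including VIPs on lo, to see whether the identity the host firewall keys on has changed.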