Cilium LoadBalancer w/Local and BGP drops traffic on no endpoints

[CallMeFoxie]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.16.11 and lower than v1.17.0

What happened?

Hi
For some reason when I have a LoadBalancer service with no endpoints (due to health checks etc) and BGP (with anycast using ECMP on the TOR/router level), it just drops all traffic to that given IP from within the k8s cluster when no endpoints exist and externalTrafficPolicy: Local

How can we reproduce the issue?

1. install Cilium
2. set up BGP with switch/router
3. Create a cilium loadbalancer with BGP
4. Create a svc with no existing endpoints like this

apiVersion: v1
kind: Service
metadata:
  annotations:
    io.cilium/lb-ipam-ips: 10.229.8.15
    io.cilium/lb-ipam-sharing-key: ashley1.oa
    lbipam.cilium.io/ips: 10.229.8.15
    lbipam.cilium.io/sharing-key: ashley1.oa
  labels:
    bgp: yespls
  name: apiserver-test
spec:
  allocateLoadBalancerNodePorts: false
  externalTrafficPolicy: Local
  internalTrafficPolicy: Cluster
  loadBalancerClass: io.cilium/bgp-control-plane
  ports:
  - name: apiserver
    port: 6443
    protocol: TCP
    targetPort: 6443
  selector:
    app: apiservers
  sessionAffinity: None
  type: LoadBalancer

5. have NO endpoints working
6. try CURLing to the 10.229.8.15 IP from within the cluster
7. observe

root@worker-az2-b8f5bfb5-l6h4q:/# curl -v http://10.229.8.15:6443
*   Trying 10.229.8.15:6443...
* Immediate connect fail for 10.229.8.15: Operation not permitted
* Closing connection 0
curl: (7) Couldn't connect to server

8. Observe IP being dropped somewhere in bpf code instead of being let go through the BGP completely disobeying any reason to ever use BGP and anycast

Cilium Version

tested with 1.15.x (multiple versions) and 1.16.8

Kernel Version

6.11.0 branch, Ubuntu

Kubernetes Version

tested 1.32.x and 1.33.x

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[CallMeFoxie]

For the record I tried both bgpv1 and bgpv2 like this:

apiVersion: v1
items:
- apiVersion: cilium.io/v2alpha1
  kind: CiliumBGPPeerConfig
  metadata:
    name: openstack
  spec:
    gracefulRestart:
      enabled: true
      restartTimeSeconds: 240
    families:
      - afi: ipv4
        safi: unicast
        advertisements:
          matchLabels:
            bgp: yespls
      - afi: ipv6
        safi: unicast
        advertisements:
          matchLabels:
            bgp: yespls

- apiVersion: cilium.io/v2alpha1
  kind: CiliumBGPAdvertisement
  metadata:
    name: openstack
    labels:
      bgp: yespls
  spec:
    advertisements:
      - advertisementType: "CiliumPodIPPool"
        selector:
          matchLabels:
            bgp: yespls
      - advertisementType: "Service"
        service:
          addresses:
          - LoadBalancerIP
        selector:
          matchLabels:
            bgp: yespls

- apiVersion: cilium.io/v2alpha1
  kind: CiliumBGPClusterConfig
  metadata:
    name: openstack
  spec:
    nodeSelector:
      matchExpressions:
      - key: scif.cz/tor
        operator: NotIn
        values:
        - localhop
    bgpInstances:
    - name: "openstack"
      localASN: 4294967294
      peers:
      - name: openstack-v4
        peerASN: 4294967294
        peerAddress: 10.255.20.111
        peerConfigRef:
          name: openstack
      - name: openstack-v6
        peerASN: 4294967294
        peerAddress: xxx
        peerConfigRef:
          name: openstack
- apiVersion: cilium.io/v2alpha1
  kind: CiliumBGPClusterConfig
  metadata:
    name: localhop
  spec:
    nodeSelector:
      matchExpressions:
      - key: scif.cz/tor
        operator: In
        values:
        - localhop
    bgpInstances:
    - name: localhop
      localASN: 4294967293
      peers:
      - name: local-v4
        peerASN: 4294967293
        peerAddress: 192.168.192.168
        peerConfigRef:
          name: openstack
      - name: local-v6
        peerASN: 4294967293
        peerAddress: fd00:dead:beef:face:0:0:0:1
        peerConfigRef:
          name: openstack
kind: List
metadata:
  resourceVersion: ""

[joestringer]

Could you share hubble observe output for the dropped traffic as well?

From what I recall this was a deliberate choice because Cilium is responsible to translate the service to its backend destination, but if there are no backends then Cilium cannot guarantee the traffic reaches the destination. In the past we had users confused why the traffic could pass through the service translation layer and either (a) get dropped by policy because the VIP isn't translated, or (b) the traffic is routed to the stack and the user hasn't configured routing for those IPs to get the traffic to its destination (+ get replies back to the source).

If there's another different use case around anycast then maybe it'd be worth putting together a proposal on how to change this behavior in Cilium to enable your use case.

[CallMeFoxie]

Basically my use case is that we want to host something across datacentres - or at least across two k8s clusters for fail over/HA in case of some maintenance. We want to make sure that if both instances of <some component> fail in one datacentre it gets switched to another locality by the means of anycast as any other component using Bird that we already have for users outside of k8s (we found clustermesh to be unreliable if things go bad - currently we have several thousand nodes across 160 clusters, but that's another topic). I'll check the Hubble tomorrow. Thanks so far!Dne 9. 7. 2025 19:46 napsal uživatel Joe Stringer ***@***.***>:joestringer left a comment (cilium/cilium#40438) Could you share hubble observe output for the dropped traffic as well? From what I recall this was a deliberate choice because Cilium is responsible to translate the service to its backend destination, but if there are no backends then Cilium cannot guarantee the traffic reaches the destination. In the past we had users confused why the traffic could pass through the service translation layer and either (a) get dropped by policy because the VIP isn't translated, or (b) the traffic is routed to the stack and the user hasn't configured routing for those IPs to get the traffic to its destination (+ get replies back to the source). If there's another different use case around anycast then maybe it'd be worth putting together a proposal on how to change this behavior in Cilium to enable your use case. —Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you authored the thread.Message ID: ***@***.***>

[borkmann]

Cc @dylandreimerink / @rastislavs Wdyt? If there is externalTrafficPolicy=Local should the BGP side only really announce when the backend to the service is residing on the local node, but not otherwise?

[CallMeFoxie]

Cc @dylandreimerink / @rastislavs Wdyt? If there is externalTrafficPolicy=Local should the BGP side only really announce when the backend to the service is residing on the local node, but not otherwise?

That's exactly what's happening and is correct - Local has that feature. I can not see the route (when the pod goes down) being announced on BGP anywhere (or from the outside using lookingglass on the network) in that datacentre.

However this gets stuck somewhere up the line in BPF most likely, as what @joestringer said. I cannot access the VIP from that cluster even though it is being run from another cluster during some downtime/crash/whatever problem and it completely negates the whole point of using BGP anycast as failover :(

[dylandreimerink]

Cc dylandreimerink / rastislavs Wdyt? If there is externalTrafficPolicy=Local should the BGP side only really announce when the backend to the service is residing on the local node, but not otherwise?

Yes. With externalTrafficPolicy=Local BGP only announces from the nodes that have a backend for that service. Because in this mode, we will never do a second layer of loadbalacing. Traffic entering the node will be answered by the endpoint on that node or be dropped. No service loadbancing in BPF.

What I wonder is, what do we mean by "no endpoints" here. Are there 0 pods that match a selector. Or do they exist, but they are not "Ready". If there are no pods matching the service, I would expect the BGP logic to not announce the service with externalTrafficPolicy=Local at all, and thus allow for failover at the BGP level. If there are pods, but they are not "Ready", question becomes if BGP takes the health of an endpoint into account like the BPF logic does.

In any case, this sounds like undesired behavior, I agree with @CallMeFoxie that you want to not announce the service IP if a node/cluster cannot process traffic for it. We just have to understand what is going wrong.

[CallMeFoxie]

It definitely happens when there are 0 pods that would match the selector.

Pretty sure it happens as well when there are "matching pods but all are not ready" as well, but I'm gonna test that in a second.

The BGP does NOT get announced - which is correct - especially with Local settings. But as I said - it gets stuck somewhere probably around BPF code. I sent @oblazek to check it out and debug it locally meanwhile :)

[CallMeFoxie]

Yup, when I have a pod in CrashLoop or NotReady it is returning Operation not permitted as well instead of just letting it flow into another cluster instance via anycast