Significant memory usage increase for AWS Operator with 1.18

[antonipp]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.18.2 and lower than v1.19.0

What happened?

We noticed a significant regression in memory usage for the AWS Operator after upgrading from 1.17 to 1.18. We started getting consistent OOMs on previously unnoticeable scale-ups in our AWS clusters (order of magnitude of 100s of nodes) with Operator memory set to 5GiB, which used to be more than enough in the past.

I managed to catch a pprof heap profile of the Operator shortly before an OOM happened, it looks like this:

So there are millions of AWS Route Table objects taking all the memory.

Looking further into it, I found #37229 added in 1.18, which added Route Tables refreshes for every single instance in the resync operation:

cilium/pkg/aws/eni/instances.go

Line 222 in 80a4025

routeTables, err := m.api.GetRouteTables(ctx)

Moreover, routeTableFilters are never set, so it fetches all route tables.

Running aws ec2 describe-route-tables > route-tables.json in one of our affected accounts, we get 12MiB:

$ du -h route-tables.json
 12M	route-tables.json

It's of course seralized differently in Operator memory but this gives some sense of the size of data retrieved at each call.

Looking at CloudTrail, we have 100s of calls per Operator (and we even have rate-limiting from time to time!).
So it's very easy for us to blow up memory now because Route Tables are quite large. Even with the VPC filter added on main, the number of calls and the number of results will still be very high.

To summarize, this is quite disrupting for our operations because it severely limits our ability to rapidly upscale clusters since we very quickly blow up the Operator. We temporarily increased the memory however we'd like to find a solution for this.

Route tables are extremely static objects which almost never change. Why should they be refreshed for every single instance, 100s of times? Moreover, it looks like the goal of this logic is "When creating a new ENI in AWS, trying the best to select a subnet with the same route table as the host's primary ENI" - but in our case this is unnecessary because our Cilium-managed ENIs are always in separate subnets from the host ENIs (we manage capacity differently for hosts vs pods). Could we have a way to completely turn off this logic maybe?

How can we reproduce the issue?

Cilium Version

Daemon: 1.18.2 e359538840 2025-09-25T14:38:13+02:00 go version go1.24.7 X:boringcrypto linux/arm64

Kernel Version

n/a

Kubernetes Version

n/a

Regression

1.17

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[antonipp]

Actually we had to completely disable this functionality on our fork because it was also breaking production in a different way: we get more and more rate-limited on DescribeRouteTable operations and this prevents the Operator from doing resync operations in time. So we get a lot of latency with the IPAM logic.

Could we at least have a proper way of turning off this functionality?

We also get spammed with these logs which are completely irrelevant:

ENI NodeSubnet and Tagged subnet are not in the same route tables, and you might have unexpected traffic routing

[antonipp]

cc @liyihuang

[liyihuang]

@antonipp I'm sorry my previous PR caused you such issue in your environment.

I had the concern about the fetching unnecessary route table when I wrote it. However, I found we dont have too much filters for other resources(like VPC SG etc) and think there should be only a few route table per VPC so I didn't filter it in my PR.

May I know why it is still an issue for you when we have the proper vpc filter from main since route table API calls are the same with other resources. The route table fetch just with other resources here. https://github.com/cilium/cilium/blob/main/pkg/aws/eni/instances.go#L226-L247 Do you have a lot of route tables per VPC? in my previous expereince, I almost only see 2 route table per VPC(one for public subnets and the other for private subnets)

for those logs, I guess that's because this bug fix(#40860) is not included in the PR.

The PR itslef should cover the case that nodes and pods are not in the same subnets. it just wants to further check if they are in the same route table to prevent the unexpected routing for the pods

[antonipp]

So I checked a couple of our VPCs, they have a very large amount of route tables (~6MiB JSON for each). Examples:

$ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=${VPC1}" > route-tables1.json
$ ls -lh route-tables1.json
-rw-r--r--  1 anton.ippolitov  staff   5.8M Oct 22 16:10 route-tables1.json

$ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=${VPC2}" > route-tables2.json
$ ls -lh route-tables2.json
-rw-r--r--  1 anton.ippolitov  staff   5.7M Oct 22 16:11 route-tables2.json

So yes, the memory usage would be halved but would still be high. In any case, even with the VPC filters, the core issues stay the same:

• The amount of API calls will still be very high because they happen on every instance resync operation, potentially causing rate-limiting
• This feature is a "nice to have" but its logic is in the critical path of all IPAM operations

Hence my proposal to have a way to deactivate it

[liyihuang]

In my test environment I can see it's around 1k per route table. if we consider the data we abstract from the AWS API, the memory usage should be minimal.

May I know how many route table do you have in your VPC? Are you having a lot of EKS clusters in a single VPC with a lot of different route tables per EKS cluster?

If so, don't you have issue with SG or subnets? I assume there are way more SGs and subnets than the route table in the AWS environment.

Here is my test account with default VPC. I have the concern that the other PR around VPC filter is not working properly.

(⎈|N/A:N/A)~/work/test/rt-size aws ec2 describe-route-tables > rt-size
(⎈|N/A:N/A)~/work/test/rt-size cat rt-size | jq .
{
  "RouteTables": [
    {
      "Associations": [
        {
          "Main": true,
          "RouteTableAssociationId": "rtbassoc-02a4580a1c4aa4b75",
          "RouteTableId": "rtb-0dcc0b6f51a1d5def",
          "AssociationState": {
            "State": "associated"
          }
        }
      ],
      "PropagatingVgws": [],
      "RouteTableId": "rtb-0dcc0b6f51a1d5def",
      "Routes": [
        {
          "DestinationCidrBlock": "172.31.0.0/16",
          "GatewayId": "local",
          "Origin": "CreateRouteTable",
          "State": "active"
        },
        {
          "DestinationCidrBlock": "0.0.0.0/0",
          "GatewayId": "igw-086a91395ed62c48a",
          "Origin": "CreateRoute",
          "State": "active"
        }
      ],
      "Tags": [],
      "VpcId": "vpc-086da0e581283005a",
      "OwnerId": "531475810781"
    }
  ]
}
(⎈|N/A:N/A)~/work/test/rt-size ls -lah
total 12K
drwxr-xr-x  2 liyih liyih 4.0K Oct 22 12:49 .
drwxrwxr-x 22 liyih liyih 4.0K Oct 22 12:48 ..
-rw-r--r--  1 liyih liyih 1.1K Oct 22 12:49 rt-size

[antonipp]

I had a look at just one of the VPCs we have (the first one from the example above), and this is what we have:

$ cat route-tables1.json | jq '.RouteTables | length'
172

$ cat route-tables1.json | jq '[.RouteTables[].Routes | length] | add'
22853

$ cat route-tables1.json | jq '[.RouteTables[].Associations | length] | add'
184

172 Route Tables, 22k total Routes, 184 Associations

We don't use EKS, it's all self-run Kubernetes.

There is technically no problem memory-wise with SGs or Subnets, their amounts are quite low:

$ aws ec2 describe-security-groups --filters "Name=vpc-id,Values=${VPC1}" > sgs1.json
$ ls -lh sgs1.json
-rw-r--r--  1 anton.ippolitov  staff   761K Oct 23 08:18 sgs1.json
$ cat sgs1.json | jq '.SecurityGroups | length'
319

$ aws ec2 describe-subnets --filters "Name=vpc-id,Values=${VPC1}" > subnets1.json
$ ls -lh subnets1.json
-rw-r--r--  1 anton.ippolitov  staff   642K Oct 23 08:17 subnets1.json
$ cat subnets1.json | jq '.Subnets | length'
183

However, we've also wanted to remove these from the critical IPAM path for a while:

cilium/pkg/aws/eni/instances.go

Lines 226 to 242 in 17afaef

	vpcs, err := m.ec2api.GetVpcs(ctx, currentVpcID)
	if err != nil {
	m.logger.Warn("Unable to synchronize EC2 VPC list", logfields.Error, err)
	return time.Time{}
	}
	subnets, err := m.ec2api.GetSubnets(ctx, currentVpcID)
	if err != nil {
	m.logger.Warn("Unable to retrieve EC2 subnets list", logfields.Error, err)
	return time.Time{}
	}
	securityGroups, err := m.ec2api.GetSecurityGroups(ctx, currentVpcID)
	if err != nil {
	m.logger.Warn("Unable to retrieve EC2 security group list", logfields.Error, err)
	return time.Time{}
	}

There is no point in refreshing them that often either since these resources basically never change. But we've been suffering from Route Tables more just because of the sheer volume of data. It also looks like the API rate-limits are lower for DescribeRouteTables calls? (at least we do get rate-limiting on Route Tables but not on Subnets or SGs)

[liyihuang]

I'm pretty suprised with the number of the route table that you have for one VPC since I expect people have a lot of subnets and SG than route tables.

you mentioned that

We don't use EKS, it's all self-run Kubernetes.

I got a bit confused since cilium should only pull those AWS resources for EKS clusters in ENI mode

I was wondering if you could share a bit about why you have so many route tables in a VPC?

I also agreed on

There is no point in refreshing them that often either since these resources basically never change.

let met think about it to see what the best way is to handle it.

I'm a bit slow this week since I'm just back from vacation and trying to catch up things