Node IPAM LB and GatewayClass parameters leads to Reconciler error

[shallot]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.18.4 and lower than v1.19.0

What happened?

I set up three VMs with kubeadm, each with an a public IP NAT'd to their private IP, which I want to use to access HTTP/S services in k8s via DNS round-robin.

I tried installing Cilium with the Gateway API support based on the docs at
https://docs.cilium.io/en/stable/network/node-ipam/ and https://docs.cilium.io/en/stable/network/servicemesh/gateway-api/parameterized-gatewayclass/

I used these Helm chart values:

kubeSystemNamespace: cilium

ipam:
  mode: "cluster-pool"

cluster:
  pool:
    ipv4:
      cidr: "10.242.0.0/16"

kubeProxyReplacement: true

aws:
  enabled: true

nodeIPAM:
  enabled: true

defaultLBServiceIPAM: nodeipam

gatewayAPI:
  enabled: true
  hostNetwork:
    enabled: true

envoy:
  enabled: true
  securityContext:
    capabilities:
      keepCapNetBindService: true
      envoy:
        # defaults for eBPF/networking
        - NET_ADMIN
        - SYS_ADMIN
        # to bind to port 80/443 on the host
        - NET_BIND_SERVICE

Without nodeIPAM options, this got me as far as my Gateway being able to serve traffic, but would never end up Programmed, staying pending, saying "Address not ready yet".

So then I tried adding this:

apiVersion: cilium.io/v2alpha1
kind: CiliumGatewayClassConfig
metadata:
  name: node-ipam-lb
  namespace: default
spec:
  service:
    type: LoadBalancer
    loadBalancerClass: io.cilium/node

This gets accepted. Then tried adding this:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: node-ipam-lb-cilium
spec:
  controllerName: io.cilium/gateway-controller
  description: The Cilium GatewayClass for Node IPAM LB
  parametersRef:
    group: cilium.io
    kind: CiliumGatewayClassConfig
    name: node-ipam-lb
    namespace: default

Now that gets stuck with "Invalid GatewayClass", "InvalidParameters". The logs of cilium-operator say:

2025-11-20T10:44:49.334886475Z time=2025-11-20T10:44:49.334748078Z level=info msg="Reconciling GatewayClass" module=operator.operator-controlplane.leader-lifecycle.gateway-api resource=/node-ipam-lb-cilium
2025-11-20T10:44:49.343058447Z time=2025-11-20T10:44:49.342925548Z level=info msg="Reconciler error" module=operator.operator-controlplane.leader-lifecycle.controller-runtime controller=gatewayclass controllerGroup=gateway.networking.k8s.io controllerKind=GatewayClass GatewayClass.name=node-ipam-lb-cilium namespace="" name=node-ipam-lb-cilium reconcileID=8f656355-cefb-4cad-947c-a8c44f5b61a7 error="CiliumGatewayClassConfig.cilium.io "node-ipam-lb" not found"

I have no idea why it's "not found" when I can see it:

% kubectl get CiliumGatewayClassConfig.cilium.io -o yaml
apiVersion: v1
items:
- apiVersion: cilium.io/v2alpha1
  kind: CiliumGatewayClassConfig
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"cilium.io/v2alpha1","kind":"CiliumGatewayClassConfig","metadata":{"annotations":{},"name":"node-ipam-lb","namespace":"default"},"spec":{"service":{"loadBalancerClass":"io.cilium/node","type":"LoadBalancer"}}}
    creationTimestamp: "2025-11-20T10:10:20Z"
    generation: 1
    name: node-ipam-lb
    namespace: default
    resourceVersion: "23924931"
    uid: fa25e60b-c516-42d9-bd0f-0e62b8fe8319
  spec:
    service:
      externalTrafficPolicy: Cluster
      loadBalancerClass: io.cilium/node
      loadBalancerSourceRangesPolicy: Allow
      type: LoadBalancer
  status:
    conditions:
    - lastTransitionTime: "2025-11-20T10:10:20Z"
      message: Valid GatewayClassConfig
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
kind: List
metadata:
  resourceVersion: ""

I thought it might have been some sort of an implicit dependency on having to be in the cilium namespace, so I tried moving it there, but it didn't help, still the same message:

2025-11-20T10:48:47.563926662Z time=2025-11-20T10:48:47.56376508Z level=info msg="Reconciler error" module=operator.operator-controlplane.leader-lifecycle.controller-runtime controller=gatewayclass controllerGroup=gateway.networking.k8s.io controllerKind=GatewayClass GatewayClass.name=node-ipam-lb-cilium namespace="" name=node-ipam-lb-cilium reconcileID=dba40eee-13c2-487c-8d47-424371ebb30c error="CiliumGatewayClassConfig.cilium.io "node-ipam-lb" not found"

Yet:

% kubectl get CiliumGatewayClassConfig.cilium.io -o yaml -n cilium
apiVersion: v1
items:
- apiVersion: cilium.io/v2alpha1
  kind: CiliumGatewayClassConfig
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"cilium.io/v2alpha1","kind":"CiliumGatewayClassConfig","metadata":{"annotations":{},"name":"node-ipam-lb","namespace":"cilium"},"spec":{"service":{"loadBalancerClass":"io.cilium/node","type":"LoadBalancer"}}}
    creationTimestamp: "2025-11-20T10:47:53Z"
    generation: 1
    name: node-ipam-lb
    namespace: cilium
    resourceVersion: "23933257"
    uid: 2a8b974c-c125-4cf3-bdad-41326724f346
  spec:
    service:
      externalTrafficPolicy: Cluster
      loadBalancerClass: io.cilium/node
      loadBalancerSourceRangesPolicy: Allow
      type: LoadBalancer
  status:
    conditions:
    - lastTransitionTime: "2025-11-20T10:47:53Z"
      message: Valid GatewayClassConfig
      observedGeneration: 1
      reason: Accepted
      status: "True"
      type: Accepted
kind: List
metadata:
  resourceVersion: ""

Also, the same thing happens if I apply the example from the docs, https://raw.githubusercontent.com/cilium/cilium/1.18.4/examples/kubernetes/gateway/gateway-with-parameters.yaml

I'm not sure where to look next. operator/pkg/gateway-api/gatewayclass_reconcile.go in the code seems like it would explain its own errors, and this 'not found' is coming from r.Client.Get(ctx, req.NamespacedName, original)?

Please help. TIA.

How can we reproduce the issue?

The nodes I used are AWS EC2 arm64 instances within a VPC. Let me know if you need more information to reproduce.

Cilium Version

1.18.3 and 1.18.4

Kernel Version

Linux myhostnames 6.1.0-41-cloud-arm64 #1 SMP Debian 6.1.158-1 (2025-11-09) aarch64 GNU/Linux

Kubernetes Version

Client Version: v1.33.2
Kustomize Version: v5.6.0
Server Version: v1.33.3

Regression

No response

Sysdump

No response

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[shallot]

BTW, as I fiddled with this, deleting the gatewayclass, trying to drop the namespace altogether, trying to coax it somehow, I also encountered this:

2025-11-25T15:45:22.970201583Z time=2025-11-25T15:45:22.97012841Z level=info msg="Reconciling GatewayClass" module=operator.operator-controlplane.leader-lifecycle.gateway-api resource=/node-ipam-lb-cilium
2025-11-25T15:45:22.970782361Z time=2025-11-25T15:45:22.970703067Z level=info msg="Queueing gateway" module=operator.operator-controlplane.leader-lifecycle.gateway-api controller=gateway resource=/node-ipam-lb-cilium k8sNamespace=cilium gateway=gateway-linode-domains
2025-11-25T15:45:22.970873970Z time=2025-11-25T15:45:22.970790311Z level=info msg="Queueing gateway" module=operator.operator-controlplane.leader-lifecycle.gateway-api controller=gateway resource=/node-ipam-lb-cilium k8sNamespace=cilium gateway=gateway-linode-domains
2025-11-25T15:45:22.974505408Z time=2025-11-25T15:45:22.9743295Z level=error msg="Observed a panic" module=operator.operator-controlplane.leader-lifecycle.controller-runtime controller=gateway controllerGroup=gateway.networking.k8s.io controllerKind=Gateway Gateway.name=gateway-linode-domains Gateway.namespace=cilium namespace=cilium name=gateway-linode-domains reconcileID=05e1e3c0-7997-4a52-a857-58a5eb515997 panic="runtime error: invalid memory address or nil pointer dereference" panicGoValue=""invalid memory address or nil pointer dereference"" stacktrace="goroutine 838 [running]:\nk8s.io/apimachinery/pkg/util/runtime.logPanic({0x3cebf98, 0x4000ef46c0}, {0x2f0f560, 0x644fee0})\n\t/go/src/github.com/cilium/cilium/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go:132 +0x98\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile.func1()\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:108 +0xf0\npanic({0x2f0f560?, 0x644fee0?})\n\t/usr/local/go/src/runtime/panic.go:792 +0x124\ngithub.com/cilium/cilium/operator/pkg/gateway-api.(*gatewayReconciler).getGatewayClassConfig(0x40006d8af0, {0x3cebf98, 0x4000ef46c0}, 0x4001ce38c0)\n\t/go/src/github.com/cilium/cilium/operator/pkg/gateway-api/gateway_reconcile.go:356 +0xe0\ngithub.com/cilium/cilium/operator/pkg/gateway-api.(*gatewayReconciler).Reconcile(0x40006d8af0, {0x3cebf98, 0x4000ef46c0}, {{{0x40007b9ae0, 0x6}, {0x40020c1fe0, 0x16}}})\n\t/go/src/github.com/cilium/cilium/operator/pkg/gateway-api/gateway_reconcile.go:164 +0x1080\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Reconcile(0x400027ad60?, {0x3cebf98?, 0x4000ef46c0?}, {{{0x40007b9ae0?, 0x0?}, {0x40020c1fe0?, 0x0?}}})\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:119 +0x9c\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler(0x3d3d3c0, {0x3cebfd0, 0x4000b49a40}, {{{0x40007b9ae0, 0x6}, {0x40020c1fe0, 0x16}}}, 0x0)\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:334 +0x2b0\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem(0x3d3d3c0, {0x3cebfd0, 0x4000b49a40})\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:294 +0x190\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2()\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:255 +0x80\ncreated by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2 in goroutine 372\n\t/go/src/github.com/cilium/cilium/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:251 +0x550\n"
2025-11-25T15:45:22.974591167Z time=2025-11-25T15:45:22.974492904Z level=fatal msg="Panic in Kubernetes runtime handler"

It sounds like some sort of referential integrity should have prevented me from doing that.

[youngnick]

Thanks for this report @shallot. We haven't tested this configuration combination at all, so thanks for being our first tester here.

I'll need to check how hostNetwork actually works, but I seem to recall that Cilium does not generate you a LoadBalancer Service at all when you have that enabled. Host Networking is for when you have an upstream load balancer that you want to configure with all of your node IPs directly, and probably manually. It's been on my list to try and explain this a bit better for a while.

The panic that you found seems to be a result of doing a namespace dereference on a GatewayClass object after it's been deleted. I'll mark down that we need to ensure we nil check there.

[youngnick]

I checked the commit where hostNetwork was added, and I was correct. (72da224).

I will look at adding something like this to the docs on host networking:

Enabling Host Networking stops Cilium's Gateway API and Ingress support from creating any type of Service to expose the Envoy proxies. It's expected that an operator will configure an upstream load balancer will the Node IPs of all nodes in the cluster, and healthcheck per port they expose, through some other method instead.

Looking at #42956, it seems like the status for CiliumGatewayClassConfig may only be a display bug. Could you try doing the CiliumGatewayClassConfig setup again, but without hostNetwork enabled?

[shallot]

Okay, so I don't think I am on the right track then. The main reason I was trying node IPAM was because I wanted the Gateway object to get out of this seemingly bad state:

Message:               Gateway waiting for address
Observed Generation:   9
Reason:                AddressNotAssigned
Status:                False
Type:                  Programmed

If node IPAM is not the way to get there, what is?

Also, I used hostNetwork because it seems to have been a prerequisite for receiving traffic through privileged ports 80 and 443 on the nodes. Is there a better way to do that?

[youngnick]

Hmm, I think that if you do node IPAM, without using Host Networking, then things may just work. This is because, when you set up a Loadbalancer port using node IPAM, the traffic is actually redirected to a different port by eBPF code. So the Envoy won't actually be listening on 80 and 443, but any traffic that arrives on the node's address on 80 or 443 will end up at the correct port on the Envoy container.

I haven't tried this out myself yet, I will try to as soon as I can, but wanted to give you a chance first. I could be wrong, it may not work, but it's worth trying, I think.

If node IPAM does work like I described above, then the addresses will be populated into the Loadbalancer Service status, and the Gateway reconciler will bring that onto the Gateway, fixing the error.

(The way the Gateway address detection works is that it creates a Loadbalancer Service with addresses set, then waits for the status of that object to be updated with an address. When it is, the Gateway reconciler will program the Gateway's address status, and remove that error, setting the Gateway to Programmed true.)

[shallot]

I tried removing all the host network settings via helm upgrade, and removed the custom gateway class+config, and the cilium-gateway-$mygateway service which had been ClusterIP, and restarted the operator deployment.

This gets the operator to log "At least one valid address, marking gateway programmed", and the address field in kubectl get gateway shows one of the node IPs, and the cilium-gateway-$mygateway service is now type LoadBalancer, showing the same node IP.

However, HTTP/S connections on ports 80 and 443 to that IP address only work when on the nodes themselves - they do not work when the connection is made between them, and they don't work from the outside world.

In retrospect, that actually sounds somewhat logical - the firewall rules are set up with that newly registered external IP, but when the traffic actually comes from the outside to the node, it had gone through external NAT onto the node's internal IP, so inside, the internal IPs have to be listening. How do I get that to happen?

Likewise, they're not working on all the other node IPs that carry the daemonset. How do I get the gateway to register all the node IPs of all the envoy gateway pods?

[shallot]

The doc says that it "will use the ExternalIP addresses if any or the InternalIP addresses otherwise". Does that mean that instead of having AWS CCM put those external IPs onto the nodes, I should instead get rid of it so that Cilium gateway can choose internal IPs? Or maybe this mechanism is tunable, so one could tell it to go with internal IPs?

Likewise, the doc says that "If the Service has .spec.externalTrafficPolicy set to Cluster", which is the default, "Node IPAM considers all nodes as candidates for selection" - that doesn't quite say whether all candidates are supposed to be selected or does it necessarily choose some amount (like 1) out of the available ones?