KPR misbehaving when a kubernetes service of type LB advertise a node IP in its status

[MrFreezeex]

Is there an existing issue for this?

• I have searched the existing issues

Version

Reproduced on main (944e308), a user also reported some issues in 1.18.4 -> #42890 (this issue is a mix of GW-API and NodeIPAM issues so I opened a separate one)

What happened?

If a node IP is advertised in a service load balancer when KPR is enabled various networks issues are happening (see the end of the reproducer below for more details). If KPR is not enabled everything works as expected.

How can we reproduce the issue?

Reproduced it in main (easiest for me but most likely reproducible in other versions):

1. make kind kind-image
2. append the following config in contrib/testing/kind-common.yaml:

defaultLBServiceIPAM: nodeipam
nodeIPAM:
  enabled: true
kubeProxyReplacement: true

3. remove kube-proxy: kubectl delete ds -n kube-system kube-proxy + docker exec -it kind-control-plane /bin/bash -c 'iptables-save | grep -v KUBE | iptables-restore' + docker exec -it kind-worker /bin/bash -c 'iptables-save | grep -v KUBE | iptables-restore'
4. Apply the following yaml:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
  labels:
    app: nginx
spec:
  type: LoadBalancer
  selector:
    app: nginx
  ports:
    - name: http
      protocol: TCP
      port: 8484
      targetPort: 80

NodeIPAM will start advertising the node IP of the worker (it exclude the control plane node by default) in the service LoadBalancer like that (didn't tested but most likely reproducible by just patching the service status since that's the only thing that NodeIPAM is doing):

status:
  loadBalancer:
    ingress:
    - ip: 172.21.0.3
      ipMode: VIP

And various issues are now happening in the worker node, like cannot being able to see logs of any pods in the worker via kubernetes API (guessing kubernetes API cannot reach the kubelet there anymore), operator fail readiness/liveness, while having a shell in one of the kind nodes a curl to the service IP (via cluster IP or the node ip) only succeeds erratically

Cilium Version

Reproduced in main it while helping a user that reported those issues in 1.18.4 (#42890) so it probably affect at least 1.18.4 and main

The commit I reproduced in main from was: 944e308

Kernel Version

Linux LPFR0512 6.8.0-88-generic #89-Ubuntu SMP PREEMPT_DYNAMIC Sat Oct 11 01:02:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

v1.34.0

Regression

Most likely but I don't know when it broke unfortunately

Sysdump

I don't know if it will help but the sysdump of my test cluster is here:
cilium-sysdump-20251209-001828.zip

Relevant log output

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[julianwiedmann]

hmpf, when you say that a LoadBalancer service is exposed on a node IP, that makes me think of #40684.

[shallot]

BTW you mention if KPR is not enabled, everything works as expected, but at the same time, KPR seems to be a prerequisite for the Gateway API? (#32596, #30592)

[MrFreezeex]

BTW you mention if KPR is not enabled, everything works as expected, but at the same time, KPR seems to be a prerequisite for the Gateway API? (#32596, #30592)

Well yes there's nothing directly involving Gateway API here, but indeed it means that Gateway API is most likely not compatible with Node IPAM because of this bug :/.

[julianwiedmann]

@ajmmm fyi, not sure whether this setup was considered when we introduced the wildcard entries

[ajmmm]

@ajmmm fyi, not sure whether this setup was considered when we introduced the wildcard entries

It wasn't.

I cannot repro this on current v1.18, but the wildcard logic wasn't back ported. (That is not to say there is not an issue, just I can't easily repro :))

I can repro this on main by just trying to start a cluster with the relevant config, eg:

bpf:
  masquerade: false
defaultLBServiceIPAM: nodeipam
nodeIPAM:
  enabled: true
kubeProxyReplacement: true

Logs are fairly consistent with the attached sys dump, e.g. failures in /healthz calls, deadline exceeded (I/O timeouts), also the sys dump only collects bugtool data for the control plane node etc.

There was a bug from commit b3b0fc8 that broke E/W connections, which has differing symptoms. It was resolved as of commit 4848630 and, from here, the repro seems to ring true.

Will investigate.

[ajmmm]

I've raised #43413 [0] but it can only be considered draft right now. I'm not convinced it will hold up to peer review as-is but it's a start.

@julianwiedmann I wonder if this should also tie into #42897 which could perhaps replace wildcard entries in their entirety. But the logic from [0] would be reusable I guess.

[julianwiedmann]

I've raised #43413 [0] but it can only be considered draft right now. I'm not convinced it will hold up to peer review as-is but it's a start.

@julianwiedmann I wonder if this should also tie into #42897 which could perhaps replace wildcard entries in their entirety. But the logic from [0] would be reusable I guess.

My gut feeling is to address the Node-IPAM regression first. And then continue on the ipcache-driven approach - although I agree that it will hopefully supersede the wildcard entries. I'm just not clear whether we also need to extend the ipcache checks in other paths (bpf_lxc) before we can drop the wildcard entries.

We might also bring the lbUnsupportedProtocolAction config into v1.19, and tie the wildcard logic to it? So that folks with Node-IPAM have an easy escape hatch.