Cilium v1.19.0 excessive memory usage

[cnmcavoy]

Is there an existing issue for this?

• I have searched the existing issues

Version

equal or higher than v1.19.0 and lower than v1.20.0

What happened?

After upgrading from v1.18.6 to v1.19.0 we noticed Cilium-agent was using an excessive amount of memory, sometimes so much that kubelet would be OOMkilled - killing the node's ability to recover.

Datadog metrics from Cilium:

Reverting back to v1.18.6 resolved the memory pressure.

I followed the guide here to investigate and took some pprof snapshots: https://docs.cilium.io/en/latest/contributing/development/debugging/#cpu-profiling-and-memory-leaks

Here is the pprof output after I ran kubectl exec -it -n kube-system cilium-tvtg5 -- cilium-bugtool --get-pprof --pprof-trace-seconds 10

cilium-bugtool-20260211-221005.093+0000-UTC-4259347162.zip

How can we reproduce the issue?

Cilium helm values:

cilium:
  socketLB:
    hostNamespaceOnly: true
  extraEnv:
    - name: MALLOC_ARENA_MAX
      value: "1"
  k8sServicePort: 443
  localRedirectPolicy: true
  enableIPv4Masquerade: true
  egressMasqueradeInterfaces: "eth0 primary"
  extraArgs:
    - "--api-rate-limit"
    - "endpoint-create=rate-limit:5/s,rate-burst:40,parallel-requests:40,log:true,endpoint-delete=rate-burst:40,parallel-requests:40,log:true" # 10x base rate limits, see https://docs.cilium.io/en/stable/configuration/api-rate-limiting/
    - "--enable-stale-cilium-endpoint-cleanup=false" # Disable Stale Cilium Endpoint Cleanup to solve pods with missing IPs or CiliumEndpoints after cilium restarts
  resources:
    requests:
      cpu: 250m
      memory: 128Mi
  tls:
    # Disable secretsNamespace & secretSync
    readSecretsOnlyFromSecretsNamespace: false
    secretsNamespace:
      create: false
    secretSync:
      enabled: false

  scheduling:
    mode: kube-scheduler

  cni:
    # Defaults to true.  Setting to false avoids removal of CNI configuration
    # files during upgrades in order to ensure nodes do not go unmanageable.
    uninstall: false

  logOptions:
    format: json-ts

  operator:
    nodeSelector:
      role.node.kubernetes.io/critical-addon: "true"
    tolerations:
      - operator: Exists
    priorityClassName: system-cluster-critical
    podDisruptionBudget:
      enabled: true
    prometheus:
      enabled: true

  kubeProxyReplacement: true

# enable metrics
  prometheus:
    enabled: true

  # workaround for cilium mem leak in l2 neighbor discovery error handling in 1.16.0-1.16.1+
  l2NeighDiscovery:
    enabled: false

# perf settings for high pod-churn clusters
  ipam:
    ciliumNodeUpdateRate: 5s # Ref https://github.com/cilium/cilium/pull/23017
    operator:
      externalAPILimitBurstSize: 100
      externalAPILimitQPS: 10.0
  k8sClientRateLimit:
    burst: 100
    qps: 20
  ciliumEndpointSlice:
    enabled: true

  bpf:
    policyMapMax: 65536 # limited to 16 bits https://github.com/cilium/cilium/issues/27866
    mapDynamicSizeRatio: 0.005 # Ref https://docs.cilium.io/en/stable/network/ebpf/maps/

  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 10%

  envoy:
    enabled: true
    resources:
      requests:
        cpu: 250m
        memory: 128Mi
  loadBalancer:
    l7:
      backend: envoy

### Cilium Version

v1.19.0

### Kernel Version

`6.12.58-82.121.amzn2023.x86_64` (AWS AL2023)

### Kubernetes Version

`v1.34.2-eks-ecaa3a6`

### Regression

v1.18.6

### Sysdump

_No response_

### Relevant log output

```shell

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[odinuge]

Thanks for the report @cnmcavoy! This for sure does not look expected. I took a quick peek in the pprof you added, and it seems like its related to service churn (or manual resyncs??) - but very much seems like a bug.

(and note that ^ is the inuse_space one!!)

Could this be related to the changes in #42440 @joamaki?

[joamaki]

Could this be related to the changes in #42440 @joamaki?

I'll take a look. I don't see any obvious changes in #42440 that could be causing this, though maybe this is causing a much larger single write transaction to occur.

The line numbers point to the txn.watches hash map (https://github.com/cilium/statedb/blob/c7344ec94abdd368627e531594f5922ff968ef30/part/txn.go#L220). Similar code exists in StateDB v0.4 that Cilium v1.18.x uses so not entirely clear what's causing this now, but seems clear fairly clear we shouldn't be reusing the txn.watches hash map either at all or if it's too big. The CPU profile also points to this direction as a lot of time is being spent on hash map iteration.

ROUTINE ======================== github.com/cilium/statedb/part.(*Txn[go.shape.struct { github.com/cilium/statedb.revision uint64; github.com/cilium/statedb.data interface {} }]).cloneNode in part/txn.go
  219.31MB   223.81MB (flat, cum) 22.64% of Total
         .          .    215:func (txn *Txn[T]) cloneNode(n *header[T]) *header[T] {
         .          .    216:	if txn.mutated.exists(n) {
         .          .    217:		return n
         .          .    218:	}
         .          .    219:	if n.watch != nil {
  219.31MB   219.31MB    220:		txn.watches[n.watch] = struct{}{}
         .          .    221:	}
         .     4.50MB    222:	n = n.clone(!txn.opts.rootOnlyWatch())
         .          .    223:	txn.mutated.set(n)
         .          .    224:	return n
         .          .    225:}
         .          .    226:

I'm not having any luck yet in reproducing this issue locally though. Regardless of that I'll implement a check (cilium/statedb#146) to avoid reuse of txn.watches when it gets large which should mitigate this.
This is now released as part of StateDB v0.5.7 and will make it into the next v1.19 release.

What might also help here is #43811, but it's large enough change that I'm not comfortable backporting it to v1.19.

EDIT: What I think is going on here is that there's many backends being shared by multiple services. Since we have a secondary index for backends to index them by service we may be doing a lot of index updates per backend. E.g. if we have 100 services which share the same 100 backends and we update EndpointSlice of each service we end up updating the backend->service index 1 million times (each backend change updates primary index + 100 secondary index entries). #43811 likely helps a lot here. Could you check the data in your cluster and see if you have services that share many backends with other services?

[cnmcavoy]

EDIT: What I think is going on here is that there's many backends being shared by multiple services. Since we have a secondary index for backends to index them by service we may be doing a lot of index updates per backend.

This may be the case. We do have a pattern of creating many services for the same resources, because each service may end up being part of different ingresses, or assembled together as part of one larger ingress. kubectl get services -A | wc -l returns 13230 services in the cluster this mem leak occurred in.

Attached is cilium service list from a random node in this cluster, this cluster is currently running Cilium v1.18.7:

cilium-service-list.txt

Let me know what other info you need, the sysdump is too large but I can attach individual contents if needed.