agent:overlay: Add underlayProtocol 'Auto' for automatic underlay selection#43057
Merged
joestringer merged 2 commits intomainfrom Jan 29, 2026
Merged
agent:overlay: Add underlayProtocol 'Auto' for automatic underlay selection#43057joestringer merged 2 commits intomainfrom
joestringer merged 2 commits intomainfrom
Conversation
f4a1c2d to
870d388
Compare
Contributor
Author
|
/test |
870d388 to
b2ab794
Compare
Contributor
Author
|
/test |
This comment was marked as resolved.
This comment was marked as resolved.
pchaigno
approved these changes
Jan 5, 2026
b2ab794 to
fa10b0e
Compare
Contributor
Author
|
/test |
fa10b0e to
4489787
Compare
Contributor
Author
|
/test |
pchaigno
approved these changes
Jan 28, 2026
Member
pchaigno
left a comment
There was a problem hiding this comment.
In general, I'm a bit wary of auto flags as it tends to create an unstable environment for users, but in this case, it's only dependent on other config flags, so I think we should be fine.
bbe0639 to
e1deef6
Compare
e1deef6 to
539fd5d
Compare
539fd5d to
e01bf8c
Compare
Contributor
Author
|
Had to force-push again to pick up Helm and Doc-related changes I forgot to push before 😞 |
joestringer
approved these changes
Jan 28, 2026
This commit introduces a new `underlayProtocol: "auto"` option in the tunnel configuration, and this will be from this commit onwards the default option unless specified otherwise. With this option, the system will automatically detect and select the appropriate underlay protocol (IPv4 or IPv6) based on the daemon config, specifically the EnableIPv4 and EnableIPv6 settings. If both IPv4 and IPv6 are enabled, IPv4 will be preferred as we were already doing. Prior to this, we were assuming IPv4 underlay unless explicitly specified otherwise, also in case of tunneling disabled. However, that leads to MTU miscalculations in pkg/mtu in case of IPv6-only clusters with tunneling disabled. The resulting MTU computed would account for an IPv4 underlay overhead, while it should've considered the IPv6 overhead. Simply prohibiting the user from specifying a disabled underlay protocol (e.g., underlayProtocol: "ipv4" in an IPv6-only cluster) was not the best option, given it would require all users to update their Cilium config, including those running legit IPv6-only native clusters. This commit fixes this behavior transparently to all users that were not manually/explicitly setting the underlayProtocol option during installation. This commit does not fix the case in which a disabled underlayProtocol is specified (e.g., underlayProtocol: "ipv4" in an IPv6-only cluster). That will be addressed in a follow-up commit. This commit updates helm chart, agent default underlayProtocol, and documentation accordingly. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
Prior to this commit, it was still possible to specify a disabled underlayProtocol in the Cilium config. With this, we explicitly error out and inform the user that they cannot provide a disabled underlayProtocol. This makes the configuration more explicit and avoids confusion. An example is in IPv6-only clusters with IPSec enabled and tunnel underlay left to IPv4 (disabled by agent config). In this case, we would compute pods routeMTU accounting for IPv4 tunnel overhead (50B) rather than IPv6 (70B), which is incorrect. That led to connectivity issues and fragmentation. See #23917. Signed-off-by: Simone Magnani <simone.magnani@isovalent.com>
e01bf8c to
4191e42
Compare
gandro
approved these changes
Jan 29, 2026
Contributor
Author
|
/test |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Superseeds #42861.
Please refer to commit messages:
underlayProtocol: "auto". This will allow Cilium to automatically pick an enabled underlay as protocol (IPv4 first, otherwise IPv6). The change is transparent to all users who do not explicitly defineunderlayProtocol.underlayProtocol. Prior to this, Cilium did not throw any error, but it was using the wrong TunnelOverhead while computing routeMTU for pods in pkg/mtu.