Skip to content

pkg/loadbalancer: further restrict use of wildcard svc entries#43721

Merged
julianwiedmann merged 2 commits intocilium:mainfrom
ajmmm:pr/svc-wildcard-fix2
Jan 14, 2026
Merged

pkg/loadbalancer: further restrict use of wildcard svc entries#43721
julianwiedmann merged 2 commits intocilium:mainfrom
ajmmm:pr/svc-wildcard-fix2

Conversation

@ajmmm
Copy link
Copy Markdown
Member

@ajmmm ajmmm commented Jan 13, 2026

Following PR #43565, the loadbalancer's BPF reconciler was updated to avoid programming wildcard service entries with NodeIPAM allocated VIPs.

Unfortunately the fix was a little too focused and does not address use cases of different classes, e.g. those not provided by Cilium. This means we can still program a wildcard entry for an IP not allocated by Cilium, resulting in connectivity faults in a node.

This PR reverses the wildcard candidate check, such that if a loadBalancerClass is not provided by Cilium, we do not program a wildcard service entry.

Also included is additional test coverage for this.

Fixes: #43206 (again!)

This fix should be applied to the v1.19 branch as well - let me know if I should raise a separate PR for this, or if it will just be backported.

ajmmm added 2 commits January 13, 2026 13:49
@ajmmm
pkg/loadbalancer: further restrict use of wildcard svc entries
3112aef 
Following the introduction of wildcard service entries in the
loadbalancer in commit b3b0fc8, it became possible to disrupt
internal cluster traffic, where a VIP was allocated via NodeIPAM.

An initial fix was applied for this scenario in commit c4d6072,
which updated the loadbalancer's BPF reconciler to restrict the use
of wildcard service entries if using NodeIPAM, either by default or
via loadBalancerClass.

Unfortunately the revised logic still permits wildcard service
entries if non-Cilium IPAM is used, which can still cause disruption
to cluster traffic [0].

This commit reverses the loadBalancerClass check to instead only use
wildcard service entries if the loadBalancerClass is defined and is
either Cilium's BGPLoadBalancerClass or L2AnnounceLoadBalancerClass.

This change has required modification of unit tests that set a dummy
loadBalancerClass. However, additional tests will be added in the next
commit to verify this change in behaviour.

[0] cilium#43206 (comment)

Fixes: c4d6072 ("loadbalancer: do not create wildcard entries for Node-IPAM VIPs")
Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@ledger.fr>
Signed-off-by: Alasdair McWilliam <alasdair.mcwilliam@isovalent.com>
@ajmmm
pkg/loadbalancer: add test coverage for class-based wildcard entries
640381e 
This commit adds additional test coverage with respect to the programming
of wildcard service entries based on how the VIP address has been allocated.

Coverage expects wildcard service entries to be programmed for:
- undefined loadBalancerClass
- loadBalancerClass: io.cilium/bgp-control-plane
- loadBalancerClass: io.cilium/l2-announcer

Coverage expects no wildcard service entries to be programmed for:
- defined loadBalancerClass but not matching any of the above
- loadBalancerClass: io.cilium/node

Signed-off-by: Alasdair McWilliam <alasdair.mcwilliam@isovalent.com>
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jan 13, 2026
@ajmmm
Copy link
Copy Markdown
Member Author

ajmmm commented Jan 13, 2026

/test

@MrFreezeex MrFreezeex added release-note/misc This PR makes changes that have no direct user impact. needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch release-note/bug This PR fixes an issue in a previous release of Cilium. area/loadbalancing Impacts load-balancing and Kubernetes service implementations area/kpr Anything related to our kube-proxy replacement. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. release-note/misc This PR makes changes that have no direct user impact. labels Jan 13, 2026
@ajmmm
Copy link
Copy Markdown
Member Author

ajmmm commented Jan 13, 2026

/ci-l3-l4

@ajmmm ajmmm marked this pull request as ready for review January 13, 2026 15:43
@ajmmm ajmmm requested a review from a team as a code owner January 13, 2026 15:43
@ajmmm ajmmm requested a review from ysksuzuki January 13, 2026 15:43
@MrFreezeex MrFreezeex added the release-blocker/1.19 This issue will prevent the release of the next version of Cilium. label Jan 13, 2026
ysksuzuki
ysksuzuki approved these changes Jan 14, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@ysksuzuki ysksuzuki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 14, 2026
@julianwiedmann julianwiedmann added this pull request to the merge queue Jan 14, 2026
@julianwiedmann julianwiedmann removed the needs-backport/1.19 This PR / issue needs backporting to the v1.19 branch label Jan 14, 2026
@julianwiedmann
Copy link
Copy Markdown
Member

julianwiedmann commented Jan 14, 2026

This fix should be applied to the v1.19 branch as well - let me know if I should raise a separate PR for this, or if it will just be backported.

v1.19 branch hasn't been cut yet, no action needed :)

Merged via the queue into cilium:main with commit bf98364 Jan 14, 2026
82 checks passed
@github-project-automation github-project-automation bot moved this from Proposed to Done in Release blockers Jan 14, 2026
@ajmmm ajmmm deleted the pr/svc-wildcard-fix2 branch January 15, 2026 10:23
@ajmmm ajmmm mentioned this pull request Jan 15, 2026
Closed
3 tasks
@ajmmm ajmmm mentioned this pull request Jan 26, 2026
Merged
@aanm aanm removed the release-blocker/1.19 This issue will prevent the release of the next version of Cilium. label Feb 2, 2026
@cilium-release-bot cilium-release-bot bot moved this to Released in cilium v1.19.0 Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ysksuzuki ysksuzuki ysksuzuki approved these changes

Assignees

No one assigned

Labels

area/kpr Anything related to our kube-proxy replacement. area/loadbalancing Impacts load-balancing and Kubernetes service implementations ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.

Projects

Release blockers
Archived in project
cilium v1.19.0
Status: Released

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

KPR misbehaving when a kubernetes service of type LB advertise a node IP in its status

6 participants

@ajmmm @julianwiedmann @ysksuzuki @msune @MrFreezeex @aanm