cilium: Can't ping services via kubeproxyreplacement

Bug report

The expected behavior is that kubeproxyreplacement either responds or forwards icmp to the destination pod. With kube-proxy, icmp works as expected and we can ping service IPs.

General Information

  • Cilium version (run cilium version) 1.9.0

We’re running cilium w/ maglev + dsr.

How to reproduce the issue

  1. Attempt to ping the service IP and see a hoplimit exceeded error from ICMP
  2. Run a traceroute to the service IP
  3. Observe ICMP packets loop between routers and workers running kubeproxyreplacement

About this issue

  • Original URL
  • State: open
  • Created 4 years ago
  • Reactions: 1
  • Comments: 32 (21 by maintainers)

Most upvoted comments

IMO icmp should be dropped until the service spec supports defining icmp and it’s been explicitly set/enabled on the service.

+3
travisghansen on Jul 26, 2022

Is metallb strictly necessary? Can’t we just detect it’s a LB ip and base the logic on that?

As for the end result I agree that dropping the packet seems the appropriate thing to do (and would love to see this implemented)!

+1
travisghansen on Jul 11, 2022

Is there any news on this issue?

I believe nobody has made any progress on this. I think the proper fix would be to make the LB to answer to the ICMP echo requests instead of forwarding to stack. If you are wiling to work on this, let us know to discuss details (you can also reach us at #sig-datapath in the Cilium slack).

+1
brb on Nov 22, 2021

What are we thinking of doing with this?

+1
travisghansen on Jan 6, 2021

@gpl can you provide a pcap for the ICMP’s working with kube-proxy captured in the host with tcpdump -i any icmp -w icmp.pcap? Thank you

+1
aanm on Nov 23, 2020
Read more comments on GitHub
← cilium: Cannot reach hostNetwork pods
cilium: CI: Endpoint can still connect while Cilium is not running →