cilium: cilium dns proxy traffic doesn't make it back to the pod over IPv6

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

We created a new CiliumNetworkPolicy with the following syntax, from the examples in the documentation:

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: test-fqdn-policy
spec:
  endpointSelector:
    matchLabels:
      name: debug
  egress:
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: "google.com"

When this policy is created, we’re no longer able to create DNS requests at all: dig google.com returns

bash-5.1# dig google.com

; <<>> DiG 9.18.3 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

Deleting the policy re-establishes the connectivity.

We see the following logs when we run cilium monitor | grep 4000:d::17c5 (the pod I’m attempting to query from)

Policy verdict log: flow 0x465d4a1f local EP ID 331, remote ID 26603, proto 17, egress, action redirect, match L3-L4, [2001:db8:4000:d::17c5]:53991 -> [2001:db8:4000:1::7e78]:53 udp
-> proxy port 33293 flow 0x465d4a1f , identity 59577->unknown state new ifindex 0 orig-ip 0.0.0.0: [2001:db8:4000:d::17c5]:53991 -> [2001:db8:4000:1::7e78]:53 udp
-> endpoint 331 flow 0xce94595a , identity 26603->59577 state reply ifindex lxc215b2ab5e197 orig-ip 2001:db8:4000:1::7e78: [2001:db8:4001::a]:53 -> [2001:db8:4000:d::17c5]:53991 udp

cilium fqdn cache list
Endpoint   Source   FQDN          TTL    ExpirationTime             IPs
1341       lookup   google.com.   3600   2022-09-20T10:15:02.677Z   142.251.46.174

Cilium Version

1.12.0

Kernel Version

Linux <> 5.15.67

Kubernetes Version

1.24.2

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

  • I agree to follow this project’s Code of Conduct
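Added here as a small diagnostic helper, not code from the issue or from the Cilium project: it parses cilium monitor lines of the shape quoted above (the three lines are embedded as a constructed sample) into their 5-tuples and pairs the redirected egress DNS request with the reply delivered to the endpoint, so one can state from a capture whether the request was handed to the proxy, whether a reply reached the pod's lxc interface, and whether the reply's orig-ip is the backend the request was sent to. The returned dict keys are my own naming.

```python
import re
from typing import Optional

# Constructed sample: the three cilium monitor lines quoted in the issue above.
SAMPLE = """\
Policy verdict log: flow 0x465d4a1f local EP ID 331, remote ID 26603, proto 17, egress, action redirect, match L3-L4, [2001:db8:4000:d::17c5]:53991 -> [2001:db8:4000:1::7e78]:53 udp
-> proxy port 33293 flow 0x465d4a1f , identity 59577->unknown state new ifindex 0 orig-ip 0.0.0.0: [2001:db8:4000:d::17c5]:53991 -> [2001:db8:4000:1::7e78]:53 udp
-> endpoint 331 flow 0xce94595a , identity 26603->59577 state reply ifindex lxc215b2ab5e197 orig-ip 2001:db8:4000:1::7e78: [2001:db8:4001::a]:53 -> [2001:db8:4000:d::17c5]:53991 udp
"""

# Trailing 5-tuple "[src]:sport -> [dst]:dport proto"; IPv6 is bracketed, IPv4 is bare.
TUPLE_RE = re.compile(
    r"\[?([0-9a-fA-F:.]+)\]?:(\d+) -> \[?([0-9a-fA-F:.]+)\]?:(\d+) (\w+)\s*$")
KIND_RE = re.compile(r"^(Policy verdict|-> proxy|-> endpoint)")
KINDS = {"Policy verdict": "verdict", "-> proxy": "proxy", "-> endpoint": "endpoint"}

def parse_line(line: str) -> Optional[dict]:
    """Return the flow tuple and datapath annotations of one monitor line, or None."""
    kind, tup = KIND_RE.match(line), TUPLE_RE.search(line)
    if not (kind and tup):
        return None
    action = re.search(r"action (\w+)", line)          # present on verdict lines only
    orig = re.search(r"orig-ip ([0-9a-fA-F:.]+):", line)  # address before reverse translation
    return {
        "kind": KINDS[kind.group(1)],
        "src": tup.group(1), "sport": int(tup.group(2)),
        "dst": tup.group(3), "dport": int(tup.group(4)), "proto": tup.group(5),
        "action": action.group(1) if action else None,
        "orig_ip": orig.group(1) if orig else None,
    }

def trace_dns_query(text: str) -> dict:
    """Pair the egress DNS request verdict with the reply delivered back to the pod."""
    flows = [f for f in map(parse_line, text.splitlines()) if f]
    req = next((f for f in flows if f["kind"] == "verdict" and f["dport"] == 53), None)
    if req is None:
        return {"request_seen": False}
    # The reply is the endpoint delivery whose destination is the request's source socket.
    reply = next((f for f in flows if f["kind"] == "endpoint"
                  and f["dst"] == req["src"] and f["dport"] == req["sport"]), None)
    return {
        "request_seen": True,
        "redirected_to_proxy": req["action"] == "redirect",
        "reply_reached_endpoint": reply is not None,
        "reply_src": reply["src"] if reply else None,
        # In the sample, orig-ip on the reply equals the request destination (the backend).
        "backend_matches_request_dst": bool(reply and reply["orig_ip"] == req["dst"]),
    }
```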

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

@pchaigno oh, I somehow didn’t make that connection - thank you for calling it out. I will do that!

Update: https://github.com/cilium/cilium/issues/21472

Cilium installed with Helm.

Please provide the full command.