Ingress Controller: upstream connect error or disconnect/reset before headers. reset reason: connection failure #20942
Comments
👋 Can you help share the spec for the nginx service, or how to install it as well? |
@sayboras Added the spec for the sample nginx service that's used as a backend. |
thanks, let me test it out and get back to you soon. |
I've narrowed it down a bit: connections to the internal ClusterIP of the Cilium ingress service don't seem to have the problem (internal client pod -> Cilium ingress ClusterIP: no issues). The issue also never occurs when reproducing the same scenarios against the nginx service itself, nor against the nginx ingress controller. |
The connection to the backend service fails when the endpoint of that service is on the same node that received the request to the Cilium ingress controller. For example:
Cilium monitor output shows that the connection from node A (2001:db82:1d1c:8e04::a) to the backend service pod on node A (2001:db82:1d1c:8e0c::5a0f) fails in this scenario.
#20634 seems to describe the same issue. |
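For others trying to confirm the same pattern, a minimal sketch of watching for drops on the node that received the ingress request; the agent pod name is a placeholder, and on newer releases the in-pod CLI is cilium-dbg rather than cilium:
# from the cilium agent pod on the receiving node
kubectl -n kube-system exec cilium-xxxxx -- cilium monitor --type drop
# or, if Hubble is enabled and the CLI points at Hubble Relay
hubble observe --verdict DROPPED --follow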
Hello |
Can you test it out again with the latest snapshot release? Some users have confirmed that the issue is no longer happening with https://github.com/cilium/cilium/releases/tag/v1.14.0-snapshot.2 |
I spun up a fresh dual-stack cluster with the same configuration as before and was able to reproduce the issue. The ingress controller and backend pod being on the same node still triggers the error. Checked without DSR and it still occurred. |
The issue only occurs when native routing is enabled. |
I have the exact same issue using the Gateway API. Services/pods on the same node as the Envoy proxy receiving the request cause a 503. No issue when routing across nodes. Also using native routing. |
I haven't taken the time to build a minimal reproduction, but when applying an Ingress I did notice an error in either the API server pod or the scheduler pod about a missing or incorrect resource API group. So there seemed to be a malformed object being created, and eventually the object was garbage collected. I wonder if anyone else experiencing these problems would also see the same errors logged in the API server pod or kube-scheduler. I ended up switching to Contour/Envoy for ingress and didn't have the problem anymore. Will try to reproduce when I have time. |
I was trying to replicate my prod Talos Linux cluster in Docker and hit this issue 100% of the time, although the same Cilium config does not produce any errors when running on the actual cluster (i.e. nodes are separate VMs or physical machines). Edit: This is an issue on the actual cluster as well; it just gets hidden by the fact that most of the time the node receiving traffic and the one hosting the pod are different. If it's the same node, then we hit the same issue. |
Seems to be similar to this issue #28837. I have a similar problem. When the traffic hits a pod on the same node as the envoy proxy it errors in native routing mode. Works perfectly with encapsulation mode though. |
I'm getting this too on Oracle Linux 9, kernel 5.15.x, a Cilium 1.15.x CI image, and k8s 1.28.5 |
Could you please try manually loading a couple of kernel modules and see if that resolves the issue? #25021 (comment)
sudo modprobe iptable_raw
sudo modprobe xt_socket
Manually loading the kernel modules resolved my issue. |
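If the modules turn out to help, one way to make the load survive reboots on a systemd-based distro (the file name under /etc/modules-load.d is an arbitrary choice):
# have systemd-modules-load re-load the modules on every boot
printf 'iptable_raw\nxt_socket\n' | sudo tee /etc/modules-load.d/cilium-ingress.conf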
Hey @sayboras, I can confirm the latest release (1.15.2) does not fix this either. |
Try setting |
I'm having the same 503 "connection timeout" issue with the Gateway API, and I'm running Cilium 1.15.3 with native routing on IPv6-prioritized dual-stack. I have autoDirectNodeRoutes and wireguard enabled, and I'm using bgpControlPlane for exposing LoadBalancer services. Full values.yaml file here. I noticed a strange "ICMPv6 DestinationUnreachable" in the hubble flows, but there was other traffic on the pod too, so it might not have been from ingress/gateway. Might be a red herring, but I also didn't see the 3rd "ACK" packet from ingress, so there is definitely an issue during the handshake.
|
I'm running |
same, I tried
From the affected node the connection to the NodePort is failing with a timeout from envoy:
curl -s localhost:xxxxx
* Connected to localhost (127.0.0.1) port xxxxx
upstream connect error or disconnect/reset before headers. reset reason: connection timeout
It's working, though, if traffic is coming from N to S on a non-affected node (+ your app, i.e. the backend, is running on another node than the one whose NodePort accepted the connection). It looks related: #29967
It's clearly one node at a time: |
Tested |
👋 Appreciate it if you can test with the image digest from the link below. It seems like the issue is happening for native routing, in which the reply packet from the backend to the envoy proxy is dropped. Additionally, if you have bpf.masquerade enabled, you might need to set bpf.hostLegacyRouting as well. I am still working on CI failures; however, I'd appreciate it if someone can test it out with the below image digest. https://github.com/cilium/cilium/actions/runs/8648652179/job/23713378330?pr=31280 |
So just the cilium image from that? I am assuming the first one. By any chance, do you have a values.yaml file? I'd need to update the images if it's more than one. |
Still seeing the issue with Cilium version 1.15.4. Here are the values I used for deploying:

autoDirectNodeRoutes: true
bandwidthManager:
  enabled: true
  bbr: false
bpf:
  masquerade: true
cluster:
  name: home-cluster
  id: 1
containerRuntime:
  integration: containerd
  socketPath: /var/run/k3s/containerd/containerd.sock
endpointRoutes:
  enabled: true
hubble:
  enabled: true
  metrics:
    enabled:
      - dns:query
      - drop
      - tcp
      - flow
      - port-distribution
      - icmp
      - http
  relay:
    enabled: true
    rollOutPods: true
  ui:
    enabled: true
    rollOutPods: true
    ingress:
      enabled: false
ipam:
  mode: kubernetes
ipv4NativeRoutingCIDR: "10.42.0.0/16"
k8sServiceHost: "192.168.1.195"
k8sServicePort: 6443
kubeProxyReplacement: true
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
l2announcements:
  enabled: true
loadBalancer:
  algorithm: maglev
  mode: dsr
localRedirectPolicy: true
operator:
  replicas: 1
  rollOutPods: true
rollOutCiliumPods: true
securityContext:
  privileged: true
routingMode: native
gatewayAPI:
  enabled: true
  secretsNamespace:
    create: false
    name: certificate

Attached are the logs for the single bad Cilium pod (1.15.4), where gateway ingress traffic was unable to route to pods on the same node.

Thanks @sayboras, will do some testing later today with the CI image and the setting you suggested.

@nebula-it the way I find CI images is going to the job that builds operator-generic, https://github.com/cilium/cilium/actions/runs/8648652179/job/23712986461?pr=31280. Then finding the step called values:

image:
  override: "quay.io/cilium/cilium-ci:e14988e02ce8d0f3451b177a4f97a3833df65ab3"
operator:
  image:
    override: "quay.io/cilium/operator-generic-ci:e14988e02ce8d0f3451b177a4f97a3833df65ab3" |
Thanks, as part of the PR build we also push a dev chart version. https://github.com/cilium/cilium/actions/runs/8648766222/job/23713392131 |
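For anyone unsure how to consume those CI images, a rough sketch of applying the overrides to an existing Helm-managed install; the release name cilium, the namespace kube-system, and the cilium/cilium repo alias are assumptions, and the digest is the one quoted above:
helm upgrade cilium cilium/cilium -n kube-system --reuse-values \
  --set image.override=quay.io/cilium/cilium-ci:e14988e02ce8d0f3451b177a4f97a3833df65ab3 \
  --set operator.image.override=quay.io/cilium/operator-generic-ci:e14988e02ce8d0f3451b177a4f97a3833df65ab3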
Still same results with
and I have tested with both:
and
|
Using Cilium chart 1.15.4 with the CI images from above, testing via:

# still encounters the bad Cilium pod that refuses to route to resources on the same node. Took about 5 tries to recreate.
bpf:
  masquerade: true
  hostLegacyRouting: false

# have not been able to recreate the issue. Tried 20+ times.
bpf:
  masquerade: true
  hostLegacyRouting: true |
The issue seems to have come back for me now after doing some unrelated node restarts. I get

I have tried switching between VXLAN and native, and I have tried options like endpointRoutes, autoDirectNodeRoutes, and hostLegacyRouting. I have tried switching between the envoy DaemonSet and embedded envoy, and I have tried disabling wireguard. I tried the 1.15.4 chart with the

I suspect that I have a similar node-based intermittency issue as the others, but I use BGP load-balancing, so my connections to the gateway are always hitting the same node. |
This worked for me in initial tests as well (version 1.14.9); though it is less performant than eBPF host routing, it at least seems to solve the issue. |
Hey @sayboras, please let us know how the community can best assist. Really appreciate the progress made over the last couple of months with optimizing envoy configurations, addressing race conditions in the operator, and other bug fixes along the way. Big thanks to the Cilium team! |
Hi all! I have been trying all the suggestions on this issue and the other similar issues related to ingress/Gateway API problems, which all or most have in common the use of L2 announcements and LB-IPAM. I was curious about the leases after reading issue #32148, and it turns out that in my particular case, if the backend pods are running on the same node that holds the lease for the service LoadBalancer IP, then curl from outside the cluster would fail, and even from inside the cluster (the node itself) curl'ing both the LoadBalancer IP and the ClusterIP also fails, but from another node within the cluster it worked. I tried with and without DSR/Geneve, standalone or embedded envoy, and I even tried using hostNetwork from PR #30840, and it would still not work. Although I was focusing my effort on the Gateway API, I have enabled (on 1.16.0-pre.2):

and it seems to be working, hopefully this is it. v1.15.4 and 1.16.0-pre.2 |
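For anyone wanting to check the same lease correlation, a rough sketch using kubectl; the lease name pattern cilium-l2announce-<namespace>-<service> and the kube-system namespace reflect the default L2 announcement configuration and may differ in your setup:
# list the L2 announcement leases and their holders
kubectl -n kube-system get leases | grep cilium-l2announce
# node currently holding the lease for a given service (namespace/service are placeholders)
kubectl -n kube-system get lease cilium-l2announce-<namespace>-<service> -o jsonpath='{.spec.holderIdentity}'
# compare with the node running the backend pods
kubectl get pods -o wide -n <namespace>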
Hey, we have the same issue. Setting host legacy routing to true fixes the issue with communication from the Cilium envoy proxy to a pod on the same host. |
Same issue. I have masquerade turned off so I have to use native routing, and this breaks the ingress. hostLegacyRouting seems to fix it. |
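To summarize the workaround several commenters report, a minimal sketch of flipping just the relevant value on an existing install (release name cilium and namespace kube-system are assumptions):
helm upgrade cilium cilium/cilium -n kube-system --reuse-values \
  --set bpf.hostLegacyRouting=true
As noted above, this falls back to the legacy host routing path, so it is less performant than eBPF host routing, but it avoids the same-node errors for those affected.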
Is there an existing issue for this?
What happened?
When using the built-in ingress controller, the following issue occurs for a portion of requests to the ingress:
upstream connect error or disconnect/reset before headers. reset reason: connection failure
Cilium helm values:
Ingress configuration:
Nginx service:
Http request:
Also occurs when using IPv4.
The issue cannot be reproduced when using the NGINX ingress controller.
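Since only a portion of requests fail, a quick loop such as the following makes the failure ratio visible; the hostname is a hypothetical placeholder for whatever the Ingress exposes:
for i in $(seq 1 20); do curl -s -o /dev/null -w '%{http_code}\n' http://ingress.example.test/; done
Failed requests come back with the upstream connect error shown above (a 503 from Envoy); the rest succeed.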
Cilium Version
Kernel Version
Kubernetes Version
Sysdump
No response
Relevant log output
No response
Anything else?
No response
Code of Conduct