Cilium drops traffic without Hubble showing it #32121
Labels
kind/bug: This is a bug in the Cilium logic.
kind/community-report: This was reported by a user in the Cilium community, e.g. via Slack.
needs/triage: This issue requires triaging to establish severity and next steps.
sig/hubble: Impacts Hubble server or relay.
What happened?
We applied CiliumNetworkPolicies to scope down the traffic for the External Secrets Operator (ESO), as described here: https://external-secrets.io/v0.8.5/guides/security-best-practices/#network-policy. These CNPs (please see the applicable ones below) function perfectly on EKS, AKS and GKE. However, on RKE2 clusters they result in a broken External Secrets Operator. The ESO is not logging anything useful, but neither is Hubble.

hubble observe -f --verdict DROPPED

gives me literally nothing. Removing the CNPs resolves the issue.

(A little extra ESO-specific background: what is extra weird is that existing secrets stay in SecretSynced status, as if everything is OK. Removing a secret and adding it again brings the issue to light, but without ESO throwing any meaningful error. Only when the Azure Workload Identity expires do we see DNS lookups to login.microsoftonline.com failing, even though they are specifically allowed (see below).)

Cilium Version
Client: 1.15.1 a368c8f 2024-02-14T22:16:57+00:00 go version go1.21.6 linux/amd64
Daemon: 1.15.1 a368c8f 2024-02-14T22:16:57+00:00 go version go1.21.6 linux/amd64
Kernel Version
Linux 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
v1.28.8+rke2r1
Regression
No response
Sysdump
cilium-sysdump-20240422-141909.zip
Relevant log output
No response
Anything else?
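The CNPs the reporter refers to ("see below") are not reproduced on this page. The following is an added illustration of the shape such an egress policy for ESO takes; it is neither the reporter's policy nor the manifest from the ESO guide. The namespace external-secrets, the pod label app.kubernetes.io/name=external-secrets, and the *.vault.azure.net entry (assuming Azure Key Vault is the secret backend) are assumptions; the kube-system/k8s-app=kube-dns selector is the upstream Kubernetes default and must be checked against the labels the DNS pods actually carry in the target cluster. The point of the first rule is that toFQDNs only works when the workload's DNS traffic is steered through Cilium's DNS proxy by a dns rule; without it Cilium never learns which IPs login.microsoftonline.com resolves to and the later TLS connections are not allowed.

```yaml
# Added example CNP, not the reporter's. Names, labels and the Key Vault FQDN are assumptions.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: external-secrets-egress
  namespace: external-secrets          # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: external-secrets   # assumed ESO pod label
  egress:
    # 1. DNS to the cluster resolver, routed through the Cilium DNS proxy.
    #    The dns rule is what makes the toFQDNs rule below usable: the proxy
    #    observes the answers and populates the FQDN-to-IP mapping.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns          # verify against the cluster's DNS pods
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # 2. Azure AD token endpoint (named in the report) and the secret backend (assumed).
    - toFQDNs:
        - matchName: login.microsoftonline.com
        - matchPattern: "*.vault.azure.net"    # assumption: Azure Key Vault backend
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
    # 3. Kubernetes API server, needed by ESO to read and write Secrets.
    - toEntities:
        - kube-apiserver
```

When a policy like this is in place and traffic still fails without a DROPPED verdict in Hubble, the checks a practitioner would run are: hubble observe --protocol dns --type l7 -n external-secrets, to confirm the queries are actually passing through the DNS proxy and what they resolve to; cilium fqdn cache list inside the cilium-agent pod on the node, to see whether the learned IPs for login.microsoftonline.com exist and have not expired; and cilium monitor --type drop in the same agent pod, which reports datapath drops directly rather than through the Hubble pipeline.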