Bug Report
We see events like this:
nslookup docker-registry.dev.xxxxx.net '172.xxx.186.xxx'
nslookup: write to '172.xxx.186.xxx': Operation not permitted
;; connection timed out; no servers could be reached
Description
After upgrading Talos Linux to v1.11.5 and Kubernetes to v1.31.14, we needed to change our Cilium install:
from:
cilium install \
--set ipam.mode=kubernetes \
--set envoy.enabled=false \
--set kubeProxyReplacement=false \
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set cgroup.autoMount.enabled=false \
--set cgroup.hostRoot=/sys/fs/cgroup
with kube-proxy.
to:
cilium upgrade \
--set ipam.mode=kubernetes \
--set envoy.enabled=false \
--set l7Proxy=false \
--set bpf.hostLegacyRouting=false \
--set kubeProxyReplacement=true \
--set securityContext.capabilities.ciliumAgent="{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" \
--set securityContext.capabilities.cleanCiliumState="{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" \
--set cgroup.autoMount.enabled=false \
--set cgroup.hostRoot=/sys/fs/cgroup \
--set k8sServiceHost=localhost \
--set k8sServicePort=7445
Logs
nslookup docker-registry.dev.xxxxx.net '172.xxx.186.xxx'
nslookup: write to '172.xxx.186.xxx': Operation not permitted
;; connection timed out; no servers could be reached
Some of our health checks are sometimes failing, which is creating noise in our environments.
I suspected it might be something related to cgroups v2 or some conflict with Cilium or the node's DNS resolver. Could you help me with this?
Thanks in advance.