Cilium connectivity test appear to fail

[Lur1an]

Environment

• version: 2.17.3 and 2.17.0
• Region: eu-central
• Node configuration: 3 control planes (cx22) + 2 agents (cpx31)

Issue Summary

cilium connectivity test consistently fails with both native and tunnel routing modes using default configuration. A few attempts at overriding cilium_values with different configurations also did not work. Is it acceptable to run the cluster with cilium connectivity test failing?

Configurations Tested (each time on a fresh cluster)

1. Native mode with kube_proxy disabled

cni_plugin = "cilium" 
cilium_routing_mode = "native"
disable_kube_proxy = true

Result: External connectivity fails

2. Basic Tunnel Mode

cni_plugin = "cilium"
cilium_routing_mode = "tunnel" 
disable_kube_proxy = false

Result: External connectivity fails

Error

❌ command "ping -c 1 -W 2 94.130.185.14" failed: command failed (pod=cilium-test-1/client3-75555c5f5-cxtjr, container=client3): command terminated with exit code 1
ℹ️  ping stdout:
PING 94.130.185.14 (94.130.185.14) 56(84) bytes of data.

--- 94.130.185.14 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Kube.tf file

terraform {
  required_version = ">= 1.5.0"
  required_providers {
    hcloud = {
      source  = "hetznercloud/hcloud"
      version = ">= 1.51.0"
    }
  }
}

module "kube-hetzner" {
  providers = {
    hcloud = hcloud
  }

  source  = "kube-hetzner/kube-hetzner/hcloud"
  version = "2.17.3"

  hcloud_token = var.hcloud_token

  ssh_public_key  = file(var.ssh_public_key_path)
  ssh_private_key = file(var.ssh_private_key_path)

  network_region = "eu-central"

  cluster_name                  = "staging"
  use_cluster_name_in_node_name = true
  control_plane_lb_type         = "lb11"
  use_control_plane_lb          = true

  control_plane_nodepools = [
    {
      name        = "control-plane-nbg1"
      server_type = "cx22"
      location    = "nbg1"
      labels      = []
      taints      = []
      count       = 1
    },
    {
      name        = "control-plane-hel1"
      server_type = "cx22"
      location    = "hel1"
      labels      = []
      taints      = []
      count       = 1
    },
    {
      name        = "control-plane-fsn1"
      server_type = "cx22"
      location    = "fsn1"
      labels      = []
      taints      = []
      count       = 1
    }
  ]
    agent_nodepools = [
    {
      name        = "agent-nbg1"
      server_type = "cpx31"
      location    = "nbg1"
      labels = [
        "node.kubernetes.io/role=database"
      ]
      taints    = []
      count     = 2
      min_nodes = 2
      max_nodes = 2
    },
  ]

  # Additional configuration
  automatically_upgrade_k3s = false
  automatically_upgrade_os  = true

  # Optional components - only enable what we need
  enable_longhorn          = true
  enable_rancher           = false
  enable_metrics_server    = true
  enable_cert_manager      = false
  ingress_controller       = "none"
  create_kustomization     = false
  create_kubeconfig        = false
  system_upgrade_use_drain = true
}

Screenshots

No response

Platform

Linux

[mysticaltech]

Hi @Lur1an,

This is not a bug but a configuration issue. By default, our module sets restrict_outbound_traffic = true which restricts outbound traffic to only essential ports (DNS, HTTP, HTTPS, and ICMP). This security-first approach can interfere with Cilium connectivity tests that need to reach external endpoints.

Solution

You have two options:

Option 1: Disable outbound traffic restrictions (easier)

Add this to your configuration:

restrict_outbound_traffic = false

Option 2: Keep restrictions but add specific rules

If you want to keep the security restrictions but allow specific tests, you can add custom firewall rules:

extra_firewall_rules = [
  {
    description     = "Allow all outbound traffic for testing"
    direction       = "out"
    protocol        = "tcp"
    port            = "" # Empty means all ports
    destination_ips = ["0.0.0.0/0", "::/0"]
  },
  {
    description     = "Allow all outbound UDP traffic for testing"
    direction       = "out"
    protocol        = "udp"
    port            = "" # Empty means all ports
    destination_ips = ["0.0.0.0/0", "::/0"]
  }
]

Additional Notes

Your Cilium configuration looks correct. The issue is purely related to the firewall restrictions. Once you apply either solution above and redeploy, the connectivity tests should pass.

Is it acceptable to run with failing connectivity tests?

While the cluster will function for most workloads even with these test failures, it's better to have them pass. The tests validate that pods can reach external services, which is important for:

• Pulling container images from external registries
• Accessing external APIs
• General internet connectivity from your workloads

If your workloads don't need external connectivity, you can ignore the test failures, but most real-world applications do need to reach external services.