fix(ipset): ignore non-kube-router ipsets #1919

aauren · 2025-09-27T14:19:47Z

Attempt to filter out sets that we are not authoritative for to avoid race conditions with other operators (like Istio) that might be attempting to modify ipsets at the same time.

This still needs some refinement and probably a refactor or two, but wanted to get it out early so that you could test it and see if it actually resolves what you were seeing in #1918. I tried it in my cluster, and after proving that I could see kube-router modifying other ipsets, then applied this change, and saw that it no longer contained references in its output.

FYI @mjnagel @ilrudie

Attempts to fix #1918

Attempt to filter out sets that we are not authoritative for to avoid race conditions with other operators (like Istio) that might be attempting to modify ipsets at the same time.

mjnagel · 2025-09-29T15:56:47Z

This seems to behave as expected, not modifying Istio ipsets in testing. I went through testing with the steps in this gist. When using the latest image it failed due to the linked issue, but with an image built from this branch everything worked.

fix(ipset): ignore non-kube-router ipsets

3ff099a

Attempt to filter out sets that we are not authoritative for to avoid race conditions with other operators (like Istio) that might be attempting to modify ipsets at the same time.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(ipset): ignore non-kube-router ipsets #1919

fix(ipset): ignore non-kube-router ipsets #1919

Uh oh!

aauren commented Sep 27, 2025

Uh oh!

mjnagel commented Sep 29, 2025

Uh oh!

Uh oh!

fix(ipset): ignore non-kube-router ipsets #1919

Are you sure you want to change the base?

fix(ipset): ignore non-kube-router ipsets #1919

Uh oh!

Conversation

aauren commented Sep 27, 2025

Uh oh!

mjnagel commented Sep 29, 2025

Uh oh!

Uh oh!