What happened?
LoadBalancer works fine with flannel enabled. On cilium with default settings, External-IP can't be reached.
What did you expect to happen?
External-IP is supposed to work in cilium. Only orbstack internal dns is working.
How can we reproduce it (as minimally and precisely as possible)?
Flannel:
experimental:
  docker:
    image: "gpu-lab/vm-container:v2"
    nodes:
      - name: worker-1
        image: "gpu-lab/vm-container:v2"
      - name: worker-2
        image: "gpu-lab/vm-container:v2"
      - name: worker-3
        image: "gpu-lab/vm-container:v2"
    registryProxy:
      enabled: true
deploy:
  cni:
    flannel:
      enabled: true
  kubeProxy:
    enabled: true
controlPlane:
  distro:
    k8s:
      version: "v1.35.0"

sudo vcluster create monitoring -f clusters/monitoring.yaml
Password:
22:47:45 info Ensuring environment for vCluster monitoring...
22:47:45 done Created network vcluster.monitoring
22:47:48 info Starting vCluster standalone monitoring
22:47:50 info Waiting for vCluster standalone node to be joined...
22:48:06 done vCluster standalone node joined successfully
22:48:06 info Adding node worker-1 to vCluster monitoring
22:48:07 info Joining node vcluster.node.monitoring.worker-1 to vCluster monitoring...
22:48:12 info Adding node worker-2 to vCluster monitoring
22:48:13 info Joining node vcluster.node.monitoring.worker-2 to vCluster monitoring...
22:48:19 info Adding node worker-3 to vCluster monitoring
22:48:20 info Joining node vcluster.node.monitoring.worker-3 to vCluster monitoring...
22:48:26 done Successfully created virtual cluster monitoring
22:48:26 info Finding docker container vcluster.cp.monitoring...
22:48:27 info Waiting for vCluster kubeconfig to be available...
22:48:27 info Waiting for vCluster to become ready...
22:48:27 done vCluster is ready
22:48:28 done Switched active kube context to vcluster-docker_monitoring
- Use `vcluster disconnect` to return to your previous kube context
- Use `kubectl get namespaces` to access the vcluster
k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-59f86b59ff-brhgk 1/1 Running 0 10s
default nginx-59f86b59ff-vrdvw 1/1 Running 0 10s
default nginx-59f86b59ff-xtsnk 1/1 Running 0 10s
kube-flannel kube-flannel-ds-4wc4m 1/1 Running 0 64s
kube-flannel kube-flannel-ds-5mknb 1/1 Running 0 58s
kube-flannel kube-flannel-ds-qvc6k 1/1 Running 0 44s
kube-flannel kube-flannel-ds-rxfbm 1/1 Running 0 52s
kube-system coredns-79cf5f4c56-p97gk 1/1 Running 0 68s
kube-system kube-proxy-f2rd5 1/1 Running 0 64s
kube-system kube-proxy-k7hkp 1/1 Running 0 44s
kube-system kube-proxy-npzl6 1/1 Running 0 58s
kube-system kube-proxy-q47gb 1/1 Running 0 52s
local-path-storage local-path-provisioner-5b9b9995f4-972rx 1/1 Running 0 68s
k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 80s
nginx-loadbalancer LoadBalancer 10.105.25.235 192.168.107.254 80:31115/TCP 14s
curl -svk http://192.168.107.254
* Trying 192.168.107.254:80...
* Connected to 192.168.107.254 (192.168.107.254) port 80
> GET / HTTP/1.1
> Host: 192.168.107.254
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.29.8
< Date: Thu, 07 May 2026 18:49:22 GMT
< Content-Type: text/html
< Content-Length: 896
< Last-Modified: Tue, 07 Apr 2026 11:37:12 GMT
< Connection: keep-alive
< ETag: "69d4ec68-380"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, nginx is successfully installed and working.
Further configuration is required for the web server, reverse proxy,
API gateway, load balancer, content cache, or other features.</p>
<p>For online documentation and support please refer to
<a href="https://nginx.org/">nginx.org</a>.<br/>
To engage with the community please visit
<a href="https://community.nginx.org/">community.nginx.org</a>.<br/>
For enterprise grade support, professional services, additional
security features and capabilities please refer to
<a href="https://f5.com/nginx">f5.com/nginx</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host 192.168.107.254 left intact
Cilium:
...
deploy:
  cni:
    flannel:
      enabled: false
  kubeProxy:
    enabled: true

sudo vcluster create monitoring -f clusters/monitoring.yaml
22:51:26 info Ensuring environment for vCluster monitoring...
22:51:26 done Created network vcluster.monitoring
22:51:29 info Starting vCluster standalone monitoring
22:51:31 info Waiting for vCluster standalone node to be joined...
22:51:47 done vCluster standalone node joined successfully
22:51:47 info Adding node worker-1 to vCluster monitoring
22:51:47 info Joining node vcluster.node.monitoring.worker-1 to vCluster monitoring...
22:51:52 info Adding node worker-2 to vCluster monitoring
22:51:53 info Joining node vcluster.node.monitoring.worker-2 to vCluster monitoring...
22:51:58 info Adding node worker-3 to vCluster monitoring
22:51:59 info Joining node vcluster.node.monitoring.worker-3 to vCluster monitoring...
22:52:04 done Successfully created virtual cluster monitoring
22:52:04 info Finding docker container vcluster.cp.monitoring...
22:52:04 info Waiting for vCluster kubeconfig to be available...
22:52:04 info Waiting for vCluster to become ready...
22:52:04 done vCluster is ready
22:52:04 done Switched active kube context to vcluster-docker_monitoring
- Use `vcluster disconnect` to return to your previous kube context
- Use `kubectl get namespaces` to access the vcluster
helm install cilium cilium/cilium -n kube-system
NAME: cilium
LAST DEPLOYED: Thu May 7 22:52:14 2026
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have successfully installed Cilium with Hubble.
Your release version is 1.19.3.
For any further help, visit https://docs.cilium.io/en/v1.19/gettinghelp
k get po -A
NAMESPACE NAME READY STATUS RESTARTS AGE
default nginx-59f86b59ff-l9jlp 1/1 Running 0 6s
default nginx-59f86b59ff-qs2wr 1/1 Running 0 6s
default nginx-59f86b59ff-xffdl 1/1 Running 0 6s
kube-system cilium-6nbw9 1/1 Running 0 72s
kube-system cilium-c5j8j 1/1 Running 0 72s
kube-system cilium-c7pzr 1/1 Running 0 72s
kube-system cilium-envoy-7pbd7 1/1 Running 0 72s
kube-system cilium-envoy-8ttcd 1/1 Running 0 72s
kube-system cilium-envoy-mmjvd 1/1 Running 0 72s
kube-system cilium-envoy-qszwb 1/1 Running 0 72s
kube-system cilium-n68s8 1/1 Running 0 72s
kube-system cilium-operator-86b4d5df4f-6s7bk 1/1 Running 0 72s
kube-system cilium-operator-86b4d5df4f-w578j 1/1 Running 0 72s
kube-system coredns-79cf5f4c56-f9lrz 1/1 Running 0 104s
kube-system kube-proxy-9hc8q 1/1 Running 0 82s
kube-system kube-proxy-d57v6 1/1 Running 0 100s
kube-system kube-proxy-jg56h 1/1 Running 0 88s
kube-system kube-proxy-qft8f 1/1 Running 0 94s
local-path-storage local-path-provisioner-5b9b9995f4-7q7kl 1/1 Running 0 104s
k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 2m1s
nginx-loadbalancer LoadBalancer 10.96.85.229 192.168.107.254 80:32690/TCP 15s
curl -svk http://192.168.107.254
* Trying 192.168.107.254:80...
* Connected to 192.168.107.254 (192.168.107.254) port 80
> GET / HTTP/1.1
> Host: 192.168.107.254
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
* Recv failure: Connection reset by peer
* Closing connection
curl -svk vcluster.lb.monitoring.nginx-loadbalancer.default.orb.local
* Host vcluster.lb.monitoring.nginx-loadbalancer.default.orb.local:80 was resolved.
* IPv6: fd07:b51a:cc66:0:a617:db5e:c0a8:8a0f
* IPv4: 192.168.138.15
* Trying [fd07:b51a:cc66:0:a617:db5e:c0a8:8a0f]:80...
* Connected to vcluster.lb.monitoring.nginx-loadbalancer.default.orb.local (fd07:b51a:cc66:0:a617:db5e:c0a8:8a0f) port 80
> GET / HTTP/1.1
> Host: vcluster.lb.monitoring.nginx-loadbalancer.default.orb.local
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: nginx/1.29.8
< Date: Thu, 07 May 2026 18:53:54 GMT
< Content-Type: text/html
< Content-Length: 896
< Last-Modified: Tue, 07 Apr 2026 11:37:12 GMT
< Connection: keep-alive
< ETag: "69d4ec68-380"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, nginx is successfully installed and working.
Further configuration is required for the web server, reverse proxy,
API gateway, load balancer, content cache, or other features.</p>
<p>For online documentation and support please refer to
<a href="https://nginx.org/">nginx.org</a>.<br/>
To engage with the community please visit
<a href="https://community.nginx.org/">community.nginx.org</a>.<br/>
For enterprise grade support, professional services, additional
security features and capabilities please refer to
<a href="https://f5.com/nginx">f5.com/nginx</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host vcluster.lb.monitoring.nginx-loadbalancer.default.orb.local left intact
orb version
Version: 2.1.1 (2010100)
Commit: 5938f7b0d94c0f51823fa763326a74302524c332 (v2.1.1)
cat .orbstack/config/docker.json
{
  "features": {
    "containerd-snapshotter": true
  }
}
vCluster config
experimental:
  docker:
    image: "gpu-lab/vm-container:v2"
    nodes:
      - name: worker-1
        image: "gpu-lab/vm-container:v2"
      - name: worker-2
        image: "gpu-lab/vm-container:v2"
      - name: worker-3
        image: "gpu-lab/vm-container:v2"
    registryProxy:
      enabled: true
deploy:
  cni:
    flannel:
      enabled: false
  kubeProxy:
    enabled: true
controlPlane:
  distro:
    k8s:
      version: "v1.35.0"
vCluster and Docker version
Version: 2.1.1 (2010100)
Commit: 5938f7b0d94c0f51823fa763326a74302524c332 (v2.1.1)
docker version
Client:
 Version: 29.4.0
 API version: 1.54
 Go version: go1.26.1
 Git commit: 9d7ad9f
 Built: Tue Apr 7 08:34:32 2026
 OS/Arch: darwin/arm64
 Context: orbstack
Server: Docker Engine - Community
 Engine:
  Version: 29.4.0
  API version: 1.54 (minimum version 1.40)
  Go version: go1.26.1
  Git commit: daa0cb7f
  Built: Tue Apr 7 08:35:43 2026
  OS/Arch: linux/arm64
  Experimental: false
 containerd:
  Version: v2.2.3
  GitCommit: 77c84241c7cbdd9b4eca2591793e3d4f4317c590
 runc:
  Version: 1.4.2
  GitCommit: c241c0bb5e60a8e8c1b2e53d4eca8d0068d8d57e
 docker-init:
  Version: 0.19.0
  GitCommit: de40ad0
vcluster version 0.34.0
uname
╭──────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ kernel-name │ Darwin │
│ kernel-release │ 25.4.0 │
│ kernel-version │ Darwin Kernel Version 25.4.0: Thu Mar 19 19:31:17 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T6020 │
│ machine │ arm64 │
│ operating-system │ Darwin │
╰──────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Operating System
macOS (Apple Silicon)
Using vCluster Platform UI?
Yes - platform started before cluster creation
Relevant logs
Anything else we need to know?
No response