Network traffic stops after Retina DaemonSet restart on AKS with Cilium

[jan-machacek-kosik]

cilium.log
retina.log

We are running an AKS cluster with Cilium installed and would like to use Retina for network observability.

However, after restarting the Retina DaemonSet (e.g., due to a configuration update), all network traffic in the AKS cluster stops. The only way to restore connectivity is by restarting the Cilium agent on the affected nodes.

Additionally, after Retina restarts, the following warning repeatedly appears in the Cilium logs:

level=warning msg="Detected unexpected endpoint BPF program removal. Consider investigating whether other software running on this machine is removing Cilium's endpoint BPF programs. If endpoint BPF programs are removed, the associated pods will lose connectivity and only reinstating the programs will restore connectivity." count=12 subsys=daemon

This makes Retina a no-go for us in production.

Steps to reproduce:

• Deploy Retina in an AKS cluster with Cilium.
• Restart the Retina DaemonSet (e.g., kubectl rollout restart daemonset retina).
• Observe that network traffic stops.
• Check Cilium logs for warnings about BPF program removal.
• Restart the Cilium agent on the affected nodes to restore connectivity.

Expected behavior:
Restarting Retina should not interfere with Cilium’s BPF programs or disrupt network traffic.

Environment:

• AKS
• Cilium version: 1.17.4
• Retina version: v0.0.36
• Kubernetes version: 1.32.3

[SRodi]

Hi @jan-machacek-kosik, thanks for raising this issue. Can you share more details on how you installed Retina on your Cilium cluster?

[SRodi]

@jan-machacek-kosik I went through the logs you shared in the description, it looks like you are not using ciliumeventobserver plugin. We recommend using this plugin if you want to run Retina alongside Cilium CNI. See references here https://retina.sh/docs/Metrics/plugins/Linux/ciliumeventobserver

Can you try replace packetparser with ciliumeventobserver and let us know if this is still an issue?

[jan-machacek-kosik]

kube-system-retina-agent-pnvxh-retina.log

@SRodi

We install Retina using ArgoCD from this Helm chart:

repoURL: ghcr.io/microsoft/retina/charts  
chart: retina  
targetRevision: v0.0.36  

Today, I tried to enable the plugin "ciliumeventobserver", but it does not start.

Here is the Retina configuration:

enabledPlugin_linux: '["dropreason","packetforward","linuxutil","dns","ciliumeventobserver"]'
enablePodLevel: true
remoteContext: true

I am attaching the log from the Retina container.

[SRodi]

Hi @jan-machacek-kosik , I see this log line

ts=2025-08-11T14:49:30.099Z level=error caller=ciliumeventobserver/ciliumeventobserver_linux.go:139 msg="Connection attempt failed" error="failed to dial cilium monitor socket"

I realized you are using standard control plane, the ciliumeventobserver works only with retina-hubble control plane.

Sometime ago I demo AKS+CIlium+Retina. You can find the set up I used in this repo https://github.com/SRodi/cilium-retina-hubble-demo

[jindrichpilar-kosik]

Hi @SRodi, so Retina doesn't support AKS with Microsoft managed CNI or just Pod level metrics?