ClusterMesh errors occur when Cilium cannot establish multi-cluster connectivity. Common causes include certificate mismatches, missing configuration, and API server connectivity issues.
Cilium ClusterMesh enables secure networking between multiple Kubernetes clusters. When ClusterMesh configuration fails, the Cilium agents cannot establish connections to remote clusters, preventing cross-cluster pod communication. This typically involves etcd synchronization issues, certificate problems, or configuration file mismatches.
Check whether ClusterMesh is enabled and running:

kubectl get deployment -n kube-system cilium-operator
kubectl get daemonset -n kube-system cilium
kubectl exec -it -n kube-system ds/cilium -- cilium-dbg clustermesh status

Verify that the configuration is mounted in the pods:

kubectl exec -it -n kube-system ds/cilium -- \
  ls -la /var/lib/cilium/clustermesh/
kubectl exec -it -n kube-system ds/cilium -- \
  cat /var/lib/cilium/clustermesh/etcd-config.yaml

Check that the Kubernetes secret exists:

kubectl get secret -n kube-system clustermesh-secrets
kubectl describe secret -n kube-system clustermesh-secrets

The secret should contain the etcd cert/key files for each cluster.

Check certificate validity and configuration:

kubectl get secret -n kube-system clustermesh-secrets -o yaml | grep -i tls
openssl x509 -in <cert-file> -text -noout

Ensure the certificates are not expired and are properly signed.

Verify that the cluster identity matches the etcd config:

kubectl exec -it -n kube-system ds/cilium -- \
  grep -r "cluster-name" /etc/cilium/

Cluster names in etcd-config.yaml must match the actual cluster names.

All clusters must use the same datapath mode:

kubectl exec -it -n kube-system ds/cilium -- \
  cilium-dbg status | grep "DatapathMode"

A mismatch between vxlan and native routing prevents communication.

Pod CIDR ranges must not overlap:

kubectl get nodes -o custom-columns=NAME:.metadata.name,CIDR:.spec.podCIDR
# On the remote cluster, verify it uses a different CIDR range

From a Cilium pod, test connectivity to the remote cluster:

kubectl exec -it -n kube-system ds/cilium -- \
  nc -zv <remote-etcd-ip> 6379

Ensure the firewall allows ports 6379/6380 between clusters.
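The cluster-name, datapath-mode, pod-CIDR and connectivity checks above are easy to get wrong by eye once more than two clusters are involved. The script below is an added example (not part of this page or of the Cilium project) that runs those checks offline over a hand-built inventory: the cluster names Cilium was started with, the datapath mode each cluster reports, the node pod CIDRs, and the remote cluster names referenced by each cluster's mounted etcd config. The CLUSTERS dictionary, the field names inside it, and the function names are all constructed for this example; the endpoint probe does the same TCP connect that nc -zv does and takes whatever host and port you pass in.

```python
"""Offline ClusterMesh preflight checks (added example, not Cilium's own tooling).

Fill CLUSTERS from the outputs of `cilium-dbg status` (datapath mode),
`kubectl get nodes` (pod CIDRs) and the mounted etcd config (remote names).
Everything below is constructed sample data.
"""
import ipaddress
import socket
from itertools import combinations

# Constructed sample inventory; replace with values gathered from each cluster.
CLUSTERS = {
    "cluster-a": {
        "datapath_mode": "vxlan",
        "pod_cidrs": ["10.0.0.0/24", "10.0.1.0/24"],
        # Remote cluster names referenced by this cluster's etcd config.
        "configured_remotes": ["cluster-b"],
    },
    "cluster-b": {
        "datapath_mode": "native",
        "pod_cidrs": ["10.0.1.0/24", "10.1.0.0/24"],
        "configured_remotes": ["cluster-a", "cluster-c"],
    },
}


def find_cidr_overlaps(clusters):
    """Return (cluster1, cidr1, cluster2, cidr2) for every pair of pod CIDRs
    from *different* clusters that overlap. Pairs inside one cluster are
    skipped: the node CIDR allocator already keeps those disjoint."""
    entries = [
        (name, ipaddress.ip_network(cidr, strict=True))
        for name, spec in clusters.items()
        for cidr in spec["pod_cidrs"]
    ]
    overlaps = []
    for (n1, c1), (n2, c2) in combinations(entries, 2):
        if n1 != n2 and c1.overlaps(c2):
            overlaps.append((n1, str(c1), n2, str(c2)))
    return overlaps


def find_datapath_modes(clusters):
    """Return the set of distinct datapath modes; more than one entry means
    the clusters cannot exchange traffic (vxlan vs native routing)."""
    return {spec["datapath_mode"] for spec in clusters.values()}


def find_unknown_remotes(clusters):
    """Return {cluster: [names]} for remote names in a cluster's etcd config
    that match no actual cluster name, or that name the cluster itself."""
    known = set(clusters)
    unknown = {}
    for name, spec in clusters.items():
        bad = [r for r in spec["configured_remotes"] if r not in known or r == name]
        if bad:
            unknown[name] = bad
    return unknown


def probe_endpoint(host, port, timeout=2.0):
    """TCP-connect to a remote ClusterMesh endpoint. False means the port is
    closed, filtered or unreachable, which is what `nc -zv` reports too."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(clusters):
    """Collect every finding as one human-readable line."""
    findings = []
    for n1, c1, n2, c2 in find_cidr_overlaps(clusters):
        findings.append(f"pod CIDR overlap: {n1} {c1} vs {n2} {c2}")
    modes = find_datapath_modes(clusters)
    if len(modes) > 1:
        findings.append(f"datapath mode mismatch: {sorted(modes)}")
    for name, bad in find_unknown_remotes(clusters).items():
        findings.append(f"{name}: etcd config references unknown cluster(s) {bad}")
    return findings


if __name__ == "__main__":
    for line in run_preflight(CLUSTERS) or ["no findings"]:
        print(line)
```

With the sample inventory the script reports three findings: the shared 10.0.1.0/24 pod CIDR, the vxlan/native mismatch, and the reference to a cluster-c that does not exist. Once the inventory is clean, call probe_endpoint with the remote address and the port your clustermesh service exposes before looking further at certificates.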
For production multi-cluster setups, use proper certificate management with external CA rather than self-signed certificates. Ensure network latency between clusters is acceptable. Implement monitoring of ClusterMesh connectivity with alerts on failures. Test failover scenarios regularly. Document cluster topology and naming conventions. Consider using service mesh (Istio, Linkerd) alongside ClusterMesh for advanced traffic management.