linkerd control plane - policy controller high cpu usage when idle #14741

@artyom-p


What is the issue?

I have GatewayAPI 1.3.0 installed, which I'm using together with Contour. I need 1.3 to be able to use the CORS filter in HttpRoute.

As Linkerd supports only GatewayAPI 1.2, there are warnings in the linkerd-destination pod's policy container, as well as high CPU consumption.

How can it be reproduced?

  1. Install Gateway API 1.3 CRDs
  2. Create an HttpRoute that uses a CORS filter in namespace X
  3. Install the Linkerd control plane chart, and set namespace selectors to namespace X
  4. Check linkerd-destination pod policy container logs and CPU metrics

Logs, error output, etc

2025-11-20T13:09:10.140731Z INFO httproutes.gateway.networking.k8s.io: kubert::errors: stream failed error=failed to perform initial object list: Error deserializing response: unknown variant CORS, expected one of RequestHeaderModifier, ResponseHeaderModifier, RequestMirror, RequestRedirect, URLRewrite, ExtensionRef at line 1 column 3019

2025-11-20T13:09:59.870439Z WARN httproutes.gateway.networking.k8s.io: kube_client::client: {"apiVersion":"gateway.networking.k8s.io/v1",
...
, Error("unknown variant CORS, expected one of RequestHeaderModifier, ResponseHeaderModifier, RequestMirror, RequestRedirect, URLRewrite, ExtensionRef", line: 1, column: 3019)

output of linkerd check -o short

linkerd-webhooks-and-apisvc-tls

‼ proxy-injector cert is valid for at least 60 days
certificate will expire on 2025-11-21T09:36:45Z
see https://linkerd.io/2/checks/#l5d-proxy-injector-webhook-cert-not-expiring-soon for hints
‼ sp-validator cert is valid for at least 60 days
certificate will expire on 2025-11-21T09:36:45Z
see https://linkerd.io/2/checks/#l5d-sp-validator-webhook-cert-not-expiring-soon for hints
‼ policy-validator cert is valid for at least 60 days
certificate will expire on 2025-11-21T09:36:45Z
see https://linkerd.io/2/checks/#l5d-policy-validator-webhook-cert-not-expiring-soon for hints

Status check results are √

Environment

Environment: AWS EKS 1.34
Chart: linkerd-control-plane
OS: Bottlerocket, Linux, ARM64
Repo: linkerd2-edge
Version: 2025.11.1

Possible solution

No response

Additional context

policy container CPU consumption in idle state:
Also, the validating webhook prevents the installation of my Helm chart containing an HTTPRoute with CORS.

Helm install failed for release my-release with chart mychart: cannot patch "my-route" with kind HTTPRoute: admission webhook "linkerd-policy-validator.linkerd.io" denied the request: unknown variant CORS, expected one of RequestHeaderModifier, ResponseHeaderModifier, RequestMirror, RequestRedirect, URLRewrite, ExtensionRef && cannot patch "cart-api-route" with kind HTTPRoute: admission webhook "linkerd-policy-validator.linkerd.io"

Would you like to work on fixing this bug?

no
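
The following is an added example, not part of the original issue or of Linkerd's code: a pre-flight check that lists HTTPRoute filters whose type is outside the set named in the "expected one of" error above, which are the routes that make the policy controller's initial list fail. It assumes input shaped like the output of `kubectl get httproutes -A -o json`; the function name, the sample route and its field values are constructed for illustration.

```python
import json

# Filter types the policy controller accepts, copied from the
# "expected one of ..." list in the error message quoted in this issue.
ACCEPTED_FILTER_TYPES = {
    "RequestHeaderModifier", "ResponseHeaderModifier", "RequestMirror",
    "RequestRedirect", "URLRewrite", "ExtensionRef",
}

def unsupported_filters(route_list_json):
    """Return (namespace, name, location, type) for every HTTPRoute filter
    whose type is not in ACCEPTED_FILTER_TYPES (hypothetical helper)."""
    doc = json.loads(route_list_json)
    items = doc.get("items", [doc])  # accept a List object or a single route
    findings = []
    for route in items:
        meta = route.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        for i, rule in enumerate(route.get("spec", {}).get("rules") or []):
            # Filters can sit on the rule itself or on each backendRef.
            sites = [(f"rules[{i}]", rule.get("filters") or [])]
            for j, ref in enumerate(rule.get("backendRefs") or []):
                sites.append((f"rules[{i}].backendRefs[{j}]",
                              ref.get("filters") or []))
            for where, filters in sites:
                for flt in filters:
                    if flt.get("type") not in ACCEPTED_FILTER_TYPES:
                        findings.append((ns, name, where, flt.get("type")))
    return findings

# Constructed sample: one route with a CORS filter, one with an accepted filter.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "HTTPRoute",
     "metadata": {"namespace": "x", "name": "my-route"},
     "spec": {"rules": [{"filters": [
         {"type": "CORS", "cors": {"allowOrigins": ["https://example.test"]}}]}]}},
    {"kind": "HTTPRoute",
     "metadata": {"namespace": "x", "name": "plain-route"},
     "spec": {"rules": [{"filters": [{"type": "RequestHeaderModifier"}],
                         "backendRefs": [{"name": "svc", "port": 80}]}]}},
]})

if __name__ == "__main__":
    for ns, name, where, ftype in unsupported_filters(SAMPLE):
        print(f"{ns}/{name} {where}: filter type {ftype!r} not accepted")
```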
