[Feature] AKS allows creation of NodePools in different Subnets (Azure CNI) #1338
Comments
If I'm not wrong, this issue is more about validating requests, since users can currently specify multiple subnets even though it isn't supported. But let me say that I'd love for this to actually work instead of being a limitation. I've already voted for it on UserVoice 😸
Do you have any details around how networking breaks? What plugin are you using?
@rhummelmose any details you can share on Jorge's question above?
I’ve experimented with this today and I was able to create a 1.17 (SLB, Azure CNI) AKS cluster with multiple node pools in different subnets with Istio over the top, utilising Egress Gateways to control the flow of traffic. I haven’t attempted to place any UDRs on the subnets yet, but will do soon. I’m interested to know if this is going to be a supported scenario in the future and also what @rhummelmose has experienced in terms of breaking things.
Sorry guys, I will have to stand up a cluster again and see if I can make it break. I will close the issue if I can't reproduce it.
I've set this issue to track this open feature ask, so let's keep this one open but update prev comments to remove the issue mentioned if it's been resolved and can't be reproduced. @bhicks329 this is actively being worked on to be a supported scenario.
Hi @jluk I was with @rhummelmose when we experienced the issue.
That would be great @marcostrullato, if you have any repro steps we can investigate.
Ok, I will restore the cluster with the IaC I had, and I'll check if I can make it available to you. I'll come back early next week.
Apologies, I'm late. It's on our task list and will be done soon.
Hi everyone, so we have replicated the situation once again. The source of this IaC is the akscommander code from @rhummelmose. Is there anything else I can do? Cheers
Thanks @marcostrullato for the pointer to repro - to help us diagnose, can you explain what the situation is that is not working? Is it a failure of communication between agent pools, failure during setup/provision, or something else?
Hi @jluk what is happening is a failure in communications. It's possible to reach one of the agent pool, where the other is inaccessible. Let me drive you through the IaC code. This is the code to define the vnets (https://github.com/marcostrullato/aksiac/blob/master/aks-commander/terraform/base/main.tf)
This is the code for the agentpools (https://github.com/marcostrullato/aksiac/blob/master/aks-commander/terraform/aks/main.tf) Bear in mind I've masked/hidden names and references.
With this configuration in our environment networking does not completely work. @rhummelmose anything else to add? Regards
Able to reproduce: adding a second pool in another subnet works. However, the behavior differs between Azure CNI and Kubenet, so I think it just needs to be either documented or validated at request time.
Also, RT association survives scaling operations and adding another nodepool (but the latter requires additional association, of course).
Thanks for the input @ams0, this is in line with what we're working on. The likely rollout is Azure CNI coverage first, Kubenet following that a bit later. The general improvement for BYO RT for Kubenet is being worked on right now.
@jluk will the improvements work with the current GA 1.15.7 or only 1.17?
@scivm hopefully this will be an AKS release that isn't tied to a K8s version, since it seems only Azure-specific resources need to be properly configured.
Azure CNI subnet per pool should work for all the supported AKS k8s versions.
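Since the repro above is driven from Terraform, a per-pool subnet can be expressed there as well. A minimal sketch using the `azurerm` provider's `vnet_subnet_id` attribute on `azurerm_kubernetes_cluster_node_pool`; the resource names (`aks`, `pool2`) are hypothetical, and the cluster and subnets are assumed to already exist:

```hcl
# Sketch: second node pool in its own subnet of the same VNET.
resource "azurerm_kubernetes_cluster_node_pool" "pool2" {
  name                  = "pool2"
  kubernetes_cluster_id = azurerm_kubernetes_cluster.aks.id
  vm_size               = "Standard_DS2_v2"
  node_count            = 3

  # Different subnet than the default node pool, same VNET.
  vnet_subnet_id = azurerm_subnet.pool2.id
}
```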
Is there an anticipated GA date for this feature?
I have found out that Kubernetes Network Policies do not work between node pools in different subnets. We're running AKS with Azure CNI and Azure networking policy. Is this related to this issue or should I create a support ticket?
Our guess is that this is related to kube-proxy's `--cluster-cidr`: traffic from pods in a pool with a unique subnet (outside the cluster CIDR) gets masqueraded, so the original pod IP is lost and network policies no longer match it.
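The masquerade decision described above can be modeled in a few lines. This is a simplified illustration of the behavior, not kube-proxy's actual implementation, and the IP ranges are made up:

```python
import ipaddress

def is_masqueraded(pod_ip: str, cluster_cidr: str) -> bool:
    """Simplified model of kube-proxy's --cluster-cidr check:
    traffic from a source outside the configured cluster CIDR is
    treated as external and SNATed to the node IP."""
    return ipaddress.ip_address(pod_ip) not in ipaddress.ip_network(cluster_cidr)

# A pod in the primary subnet keeps its source IP...
print(is_masqueraded("10.240.0.10", "10.240.0.0/16"))  # False
# ...while a pod in a secondary subnet is masqueraded, so a
# NetworkPolicy matching the pod's IP no longer applies.
print(is_masqueraded("10.241.0.10", "10.240.0.0/16"))  # True
```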
@jluk We are in need of this feature. Our scenario is described below. This feature would allow us to better allocate and plan IP space that is shared with our on-prem network via VNET peering. We use Azure CNI and our current cluster strategy is to use a shared cluster for all workloads (those that require on-prem connectivity and those that do not). We would like to move the distinction of whether or not a workload can reach on-prem from a peered VNET from the cluster level to the node pool level. Today, we are limited to using one VNET per cluster since nodepools cannot be created on separate VNETs. One app that requires on-prem connectivity dictates that all workloads then unnecessarily consume peered IP space, which can be costly with CNI. Ideally, workloads that do not require on-prem connectivity could be run separately on subnets on private/unpeered nodepools, which would reduce the amount of on-prem network space that is consumed.
We need to be able to scale out an AKS deployment with the ability to add additional VNETs and subnets after initial deployment. Many organisations are just not 'buying' that migration to a larger VNET / subnet is the only option.
I totally agree with @mapdegree. From the start of a project you have already defined your limitations in terms of pod count per subnet. By default it's relatively easy to scale a VNET (or add a CIDR range), but it's currently not possible to extend a subnet while any resources are attached to it. Therefore, if you run out of IP addresses, you have to completely remove the subnet and create a bigger one (if the VNET is properly sized). From my POV this is not how Microsoft describes Azure: there is currently no "infinite scale" available, because you always have CIDR limitations unless you have reserved all private CIDR ranges and you're not peering anywhere.
To give an update here. Kube-proxy currently expects one cluster CIDR, and NATs and does other things if you're not inside it. This is a known issue, but there is already support to use the node's pod CIDR instead of the cluster CIDR. So our current thought is to update the node's podCIDR with a daemonset or controller. I have a prototype, but we're still a month or more from delivering it. So this is all just a proposal for now and may change. You will still have to all be in the same VNET.
Hi guys, do you have any updates regarding this issue?
Wouldn't this introduce more problems? CURRENT SCENARIO:
FUTURE SCENARIO (if each nodepool has its own subnet)
Any update on this? It seems that the kube-proxy pod CIDR issue has been addressed in upstream Kubernetes.
Hey,
My company is also interested in this feature. Will Azure Network Policy be supported when this goes GA?
Hi guys, any news regarding GA for this feature? Will it support Azure Network Policies when GA? Thanks.
Hi all, wanted to give a quick update on the kube-proxy cluster CIDR issue. As of AKS release 2022-05-01, AKS now configures kube-proxy to detect local traffic using the network interface name prefix instead of the cluster CIDR. This should preserve the IP addresses of traffic from secondary subnets so that network policies are applied correctly. Please note that the change applies only to Kubernetes versions 1.23.3 and later.
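For reference, the change described above corresponds to kube-proxy's upstream `detectLocalMode` setting. A minimal sketch of the relevant `KubeProxyConfiguration` fragment; the `azv` prefix is assumed here as the Azure CNI pod interface naming convention:

```yaml
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
# Classify traffic as local by pod interface name prefix
# rather than by membership in a single cluster CIDR.
detectLocalMode: "InterfaceNamePrefix"
detectLocal:
  # Assumed prefix for Azure CNI pod interfaces.
  interfaceNamePrefix: "azv"
```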
Does this mean that Network Policies will start working across node pools in different subnets?
Yes, network policies will work across different subnets.
Thank you for the feature request. I'm closing this issue as this feature has shipped and it hasn't had activity for 7 days.
As stated under limitations in the documentation, all node pools have to reside within the same subnet.
The ask is to support assignment of a unique subnet per node pool in a cluster, but all shared from the same VNET.