Missing security rule parameters while deploying a LoadBalancer #199
Comments
probably duplicate of #167
@jiel I don't think it is a duplicate. Can I ask you to tell us what Kubernetes version you are using and what is the outcome of
This cluster has been created 39d ago. I've created another cluster yesterday with the same version, and I wasn't able to reproduce this issue on it.
Here is what I have found so far:
I've the annotation last-applied-configuration because I created the service with kubectl apply instead of kubectl create. Anyway, I'm able to reproduce the error (on this cluster instance only) using kubectl create with a new service name. I used the same selector as another active and working LoadBalancer Service. (I don't need a fix, just reporting the issue in case that could help)
I am seeing this exact issue when I try following the steps here: https://github.com/kubernetes/examples/tree/master/staging/elasticsearch/production_cluster Any idea how I can fix it?
This is a show-stopper, guys. Don't know what the changes were, but now a Service with LB type that we created 1 month ago can NOT be init again because the external LB on Azure cannot be created
Hi guys, we are facing the same issue. Is there any info we can provide to help you figure out what is causing the problem? No known workarounds for now?
We experienced the same issue in two of our clusters and discovered the same message as @novitoll did. After some debugging, we found out that AKS seems to have an issue when we create custom network security rules with
Hey @0x7f, thanks, that helps us a lot. We had indeed those rules (me and @novitoll). We have switched to acs meanwhile because of the many cluster breaking bugs we encounter, but this is still valuable info.
Hello. I confirm @0x7f. I have those kinds of rules too, and after removal, the error no longer occurs. Thanks!
Confirmed this is an issue caused by old Azure SDK vendors. It doesn't support
Unfortunately, the PR didn't get approved by the Kubernetes community. To get rid of this issue, you could either
We should also document known issues in azure cloud provider. Filed kubernetes-sigs/cloud-provider-azure#10 to add such documentation.
AKS Cluster:
Issue:
Step 2 - Manually modified NSG "aks-agentpool-xxxxxxx-nsg" - "Inbound security rules" to restrict to a specific publicIp, or any changes other than the default rules in the NSG,
Step 3 - Allocate a new static publicIp in Azure "52.xx.xx.x2" and try to create a new service with nginx2
@feiskyer - I think it's a crucial feature / fix required here. Many times it will be a compulsory requirement to add, modify or change default NSG rules "with comma separated attributes like SourceIp/ports" in ACS/AKS/ACS-Engine.
@amitshowry Absolutely. The fix has already been included in kubernetes v1.9.X and v1.10.X.
Fix is available in all AKS supported Major versions including 1.12 which rolled out 1 week ago.
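A check for the kind of NSG rules the comments above point to, as an added example that is not part of the original thread or the project's code: it lists rules in an NSG export that carry more than one source/destination address or port. The property names follow the Azure NSG rule schema and are assumed to be what the commenters mean by "comma separated attributes"; `multi_value_rules` is a hypothetical helper and the sample NSG is constructed.

```python
import json

# Multi-value NSG rule properties and their single-value counterparts
# (Azure NSG schema names; assumed to be the attributes the thread refers to).
FIELDS = {
    "sourceAddressPrefixes": "sourceAddressPrefix",
    "destinationAddressPrefixes": "destinationAddressPrefix",
    "sourcePortRanges": "sourcePortRange",
    "destinationPortRanges": "destinationPortRange",
}

# Constructed sample shaped like an NSG export; all values are placeholders.
SAMPLE_NSG = json.loads("""
{"name": "aks-agentpool-EXAMPLE-nsg",
 "securityRules": [
  {"name": "lb-managed-rule", "sourceAddressPrefix": "Internet",
   "sourceAddressPrefixes": [], "destinationPortRange": "80",
   "destinationPortRanges": []},
  {"name": "restrict-office", "sourceAddressPrefix": null,
   "sourceAddressPrefixes": ["203.0.113.10", "198.51.100.0/24"],
   "destinationPortRange": "443", "destinationPortRanges": []},
  {"name": "web-ports", "sourceAddressPrefix": "*",
   "sourceAddressPrefixes": [], "destinationPortRange": null,
   "destinationPortRanges": ["80", "443"]},
  {"name": "legacy-list", "properties": {
     "sourceAddressPrefix": "203.0.113.10,203.0.113.11",
     "destinationPortRange": "22"}}
 ]}
""")


def multi_value_rules(nsg):
    """Map rule name -> sorted list of properties holding more than one value."""
    props = nsg.get("properties", nsg)  # REST nests under "properties"; CLI output is flat
    flagged = {}
    for rule in props.get("securityRules", []):
        body = rule.get("properties", rule)
        hits = set()
        for plural, singular in FIELDS.items():
            if body.get(plural):                    # non-empty list form
                hits.add(plural)
            if "," in (body.get(singular) or ""):   # defensive: comma-joined string
                hits.add(singular)
        if hits:
            flagged[rule["name"]] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for name, fields in multi_value_rules(SAMPLE_NSG).items():
        print(f"{name}: {', '.join(fields)}")
```

On a real cluster the input would be the JSON from `az network nsg show` for the agent pool NSG, loaded with `json.load`.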
Hello,
I was able a month ago to set up a load-balancer with this config:
Today, when I try to create a similar service, the EXTERNAL-IP of the service stays in status <pending> and I got this error: