nginx Ingress controller started seeing internal IPs; bad azure-ip-masq-agent update? #2076
Hi roy-work, AKS bot here 👋 I might be just a bot, but I'm told my suggestions are normally quite good, as such:
Triage required from @Azure/aks-pm
Action required from @Azure/aks-pm
Issue needing attention of @Azure/aks-leads
@roy-work what AKS Version are you currently running, and is the issue still there?
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
This issue will now be closed because it hasn't had any activity for 15 days after stale. roy-work feel free to comment again on the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.
What happened: at 1:48a on Saturday, our cluster appears to have seen some sort of update to `azure-ip-masq-agent`: both the CM for the agent and the DS were listed as being (re-)created at that time.

Also at that time, nginx-ingress-controller started reporting the client's IP of incoming HTTP requests as being within the 10.0.0.0/8 subnet / within the pod subnet. (It reported IPs that were node IPs on requests that clearly did not originate on nodes. All of the node IPs we noted in the logs also were from nodes on which `nginx-ingress-controller` was not running, which I think might be relevant?)

We looked at some other (unfortunately, different version of k8s) clusters, and they all had this for a `azure-ip-masq-agent-config`:

However, on the problematic cluster, the config was,

Lacking any other ideas, we added the pod subnet CIDR to `nonMasqueradeCIDRs`, & restarted the pods in the `azure-ip-masq-agent` DS. This appears to have corrected the issue.

Why? AIUI, `ip-masq-agent` is to re-write the IP addresses of Internet-bound traffic to the node IPs. But traffic from LB to the ingress controller isn't outbound / Internet bound, so I'm at a loss as to why editing that CM had any effect at all. However, my understanding of both `kube-proxy` & `ip-masq-agent` is pretty rudimentary.

What you expected to happen: nginx to get the right (external) IP for incoming requests
How to reproduce it (as minimally and precisely as possible): We're not sure.
Anything else we need to know?: We use nginx-ingress in what we think is a bog standard config: there is an Azure LoadBalancer, behind that, nginx-ingress, and behind that, our services.
Environment:
`kubectl version`: 1.13.x
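A check for the two conditions described in this issue, added here as an example and not taken from the reporter or the AKS project: whether a `nonMasqueradeCIDRs` list covers the pod subnet, and whether ingress access-log lines carry internal client addresses. The CIDRs and log lines are constructed sample values, and the log format (client address as the first field) is an assumption.

```python
import ipaddress

# Constructed sample values; replace with the cluster's real ranges.
POD_CIDR = "10.244.0.0/16"
BEFORE = ["10.240.0.0/16"]          # hypothetical nonMasqueradeCIDRs before the fix
AFTER = BEFORE + [POD_CIDR]         # after adding the pod subnet, as the issue did
SAMPLE_LOG = [                      # constructed access-log lines
    '203.0.113.7 - - [01/Jan/2021:01:40:00 +0000] "GET / HTTP/1.1" 200 612',
    '10.240.0.5 - - [01/Jan/2021:01:49:12 +0000] "GET / HTTP/1.1" 200 612',
    '10.244.1.9 - - [01/Jan/2021:01:49:13 +0000] "GET /login HTTP/1.1" 200 98',
]


def uncovered_cidrs(non_masq_cidrs, required_cidrs):
    """Return the required CIDRs that no nonMasqueradeCIDRs entry fully contains."""
    exempt = [ipaddress.ip_network(c) for c in non_masq_cidrs]
    missing = []
    for cidr in required_cidrs:
        net = ipaddress.ip_network(cidr)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(e.version == net.version and net.subnet_of(e) for e in exempt):
            missing.append(cidr)
    return missing


def internal_client_hits(log_lines, internal_cidrs):
    """Return (line_number, ip) for lines whose first field is an internal address."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for number, line in enumerate(log_lines, 1):
        fields = line.split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not an access-log line
        if any(ip in net for net in nets):
            hits.append((number, str(ip)))
    return hits


if __name__ == "__main__":
    print("pod CIDR missing before:", uncovered_cidrs(BEFORE, [POD_CIDR]))
    print("pod CIDR missing after: ", uncovered_cidrs(AFTER, [POD_CIDR]))
    print("internal client IPs:", internal_client_hits(SAMPLE_LOG, ["10.0.0.0/8"]))
```

Internal client addresses in the ingress log mean IP allowlists, rate limits and audit trails keyed on the client address are no longer acting on the real source.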