nginx Ingress controller started seeing internal IPs; bad azure-ip-masq-agent update? #2076

roy-work · 2021-01-25T23:59:20Z

What happened: at 1:48a on Saturday, our cluster appears to have seen some sort of update to azure-ip-masq-agent: both the CM for the agent and the DS were listed as being (re-)created at that time.

Also at that time, nginx-ingress-controller started reporting that the client's IP of incoming HTTP requests as being within the 10.0.0.0/8 subnet / within the pod subnet. (It reported IPs that were node IPs on requests that clearly did not originate on nodes. All of the node IPs we noted in the logs also were from nodes on which nginx-ingress-controller was not running on, which I think might be relevant?)

We looked at some other (unfortunately, different version of k8s) clusters, and they all had this for a azure-ip-masq-agent-config:

nonMasqueradeCIDRs:
  - <stuff>

However, on the problematic cluster, the config was,

data:
  ip-masq-agent: |-
    nonMasqueradeCIDRs:
    masqLinkLocal: true
    resyncInterval: 60s

Lacking any other ideas, we added the pod subnet CIDR to nonMasqueradeCIDRs, & restarted the pods in the azure-ip-masq-agent DS. This appears to have corrected the issue.

Why? AIUI, ip-masq-agent is to re-write the IP addresses of Internet-bound traffic to the node IPs. But traffic from LB to the ingress controller isn't outbound / Internet bound, so I'm at a loss as to why editing that CM had any effect at all. However, much understanding of both kube-proxy & ip-masq-agent is pretty rudimentary.

What you expected to happen: nginx to get the right (external) IP for incoming requests

How to reproduce it (as minimally and precisely as possible): We're not sure.

Anything else we need to know?: We use nginx-ingress in what we think is a bog standard config: there is an Azure LoadBalancer, behind that, nginx-ingress, and behind that, our services.

Environment:

Kubernetes version (use kubectl version): 1.13.x
Size of cluster (how many worker nodes are in the cluster?) 7
General description of workloads in the cluster (e.g. HTTP microservices, Java app, Ruby on Rails, machine learning, etc.)
Others:

The text was updated successfully, but these errors were encountered:

ghost · 2021-01-25T23:59:23Z

Hi roy-work, AKS bot here 👋
Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such:

If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster.
Please abide by the AKS repo Guidelines and Code of Conduct.
If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics?
Make sure your subscribed to the AKS Release Notes to keep up to date with all that's new on AKS.
Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue.
If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

ghost · 2021-01-28T00:01:23Z

Triage required from @Azure/aks-pm

ghost · 2021-02-02T01:01:09Z

Action required from @Azure/aks-pm

ghost · 2021-02-17T06:02:03Z