[Feature] Disable network policy on the existing AKS Cluster (to allow migration to overlay) #3845
Comments
In progress |
Any update on this? |
Still in progress here. Aiming at having this out in the coming months. |
Is there an estimated date when this will be complete? I have a 500 node AKS cluster and I want to disable Azure NPM to prevent putting pressure on the apiserver |
I have many workloads running on the cluster and IPs seem to be getting exhausted. Azure overlay is a good option for it, but when can we expect the feature to disable network policy in an existing CNI cluster? |
Is there any update on this feature request? We are looking for a feature to move our multiple clusters (a few tens, actually) to CNI overlay before they hit an IP exhaustion situation. |
I'll also be very interested in this new feature. I think IP exhaustion is a common problem. |
@kelvin-ko @Shert We're aiming for the end of this month but could slip to next depending on a few factors out of our control. |
@chasewilson How does this feature relate to enabling a network policy on an existing cluster? We currently have no network policy on a cluster but want to enable calico. |
@arsnyder16, yes, after this feature is complete, enabling network policy Calico on an existing cluster will be allowed. |
Hi @chasewilson, will this feature allow me to change the network policy from Calico to Azure Network Policy Manager? I want to switch my existing clusters to use long-term support, but I can't (currently) do this as they are configured to use Calico. |
Is there an update to the release schedule? |
Once this feature is rolled out, you will be able to do it in 2 steps:
|
What @chasewilson said in his comment still holds true (end of January - beginning of March) |
Do we have a release schedule when this might make it to Azure GovCloud? |
I don't believe this feature has rolled out currently. Keep an eye here for the announcement. |
I just tested updating network policy "in-place" on a cluster in west central US and it worked great! The release tracker was just updated today, so maybe it was just released. Same command @zensonic ran. It didn't work in westus2, which makes sense since the "currently in operation" column in the release tracker shows it running an old version (as in @zensonic's west europe case). |
Yeah it looks like it is still rolling out. So once all regions are updated it should be fully out. |
It looks good, tested an upgrade from
|
|
hi all, we're still in the process of enabling this feature and will update this thread when it's ready. |
Is only the adding of a network policy still in the process of testing? Are we able to remove a network policy now with |
It still does not work for me :(
How do I progress from here?
…On Mon, Feb 26, 2024 at 11:22 PM cderocco5 ***@***.***> wrote:
Is only the adding a network policy still in the process testing? Are we
able to remove a network policy now with
az aks update -g -n --network-policy none
|
Still doesn't work for me in westus2 either, even though the release tracker says it's complete. westcentralus does work. |
just started working in westus2 |
I just upgraded the cluster to 1.27.9 - still no luck in westeurope... Still on track with early march? |
@zensonic, thanks for checking in. Yes we still are on track, there was a second toggle rollout required and it's in the process of rolling out. It doesn't have the visibility of release tracker unfortunately but it should be out soon. |
Thanks for your transparency and work on this! The release tracker shows this as updated everywhere now; is that correct? If not, what's the best way to confirm the release of this? :) |
hi all, thanks for your patience waiting for this feature! The code and configuration changes have now reached every region. We're doing a final review of the documentation and will publish that soon as well. |
Whilst we wait for the official docs, check out my blog post. https://pixelrobots.co.uk/2024/03/first-look-changing-or-disabling-your-network-policy-provider-on-aks/ |
I just migrated a cluster in germany west central from kubelet and calico as policy engine to azure-cni overlay with calico as policy engine 🎉 |
Just to chip in. It is working nicely for us as well. We are doing this in switching from Calico network policy to Azure in TF state/running clusters without destroying the clusters.
It takes us around 2.5 hours on the clusters we run. It flips the node agents and networks in the process. It behaves like a couple of patching rounds/AKS upgrades. az aks update can be resumed if it times out, btw. We experienced a timeout, but it could be mended by a rerun. Thanks to the very nice PG in MS for this feature! |
Thank you all for your patience and feedback! A huge shout out to @wedaly and @robogatikov for the work they put into this feature and to get it out! |
@tsiv-at-nnit-com I am using terraform for the deployment of clusters too. For me it worked to just migrate the clusters to |
The official documentation on uninstalling Network Policy engine (Azure NPM or Calico) is here: https://learn.microsoft.com/en-us/azure/aks/use-network-policies |
Also don't hesitate to open a support ticket if you run into any issues (like upgrade request timeout for @tsiv-at-nnit-com) so we can troubleshoot. |
This is the network policy, right, not the network plugin? Is there a way to remove the plugin as well? |
Is for the policy.. for us to get to azure network policy because of desire for long term support.. we were on calico policy, but ofc MS can not support anything but their own stuff (more or less, world is not black and white) long term.. Network plugin change is a reprovision as of now. Until a moment ago so was network policy change 😊 |
Hello Everyone, I have been trying to remove the network policy from an AKS cluster. For me the command itself throws an error:
$ az aks update --resource-group my_rg_name --name my_cluster_name --network-policy none
Examples from AI knowledge base:
az aks update --resource-group MyResourceGroup --name MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
az version
https://docs.microsoft.com/en-US/cli/azure/aks#az_aks_update
Could someone help me understand the issue? |
@gp-sharma you are disabling this on an AKS cluster that was created with Kubenet/BYOCNI or some other plugin? Can you add that here? Assuming that you are on aks-preview extension version 0.5.166 or higher? |
@amitmavgupta we have used "kubenet" network plugin while creating aks cluster. aks-preview version is 2.0.0b8. |
@gp-sharma I have not had any issues with Kubenet while disabling the policy and have documented both the scenarios (see below) just in case it helps you. |
When will this change be released in a stable API? Looking forward to managing this through my IaC pipelines. |
@tnn-simon we're aiming for a July GA, thanks for the interest! @amitmavgupta thanks for the help in the comments! |
Tentative GA Date
July 2024
Is your feature request related to a problem? Please describe.
I want to upgrade an existing AKS cluster with calico network policy to overlay but that is not supported with activated network policy. So that means I cannot follow the upgrade path. #3720
Describe the solution you'd like
I want an ARM API that allows deactivating network policy. Similar to #3084 but here to ensure the migration.
Describe alternatives you've considered
Afaik no alternatives.
This feature has been included in the v20240207 release and can be followed in release tracker