setting internal loadBalancerIP does not work

[theMichaelB]

Using the following service, attempting to specify the loadBalancerIP fails with -

Error creating load balancer (will retry): failed to ensure load balancer for service default/mongodb-service: timed out waiting for the condition

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  name: mongodb-service
  labels:
    name: mongo
spec:
  type: LoadBalancer
  loadBalancerIP: 10.16.0.250
  ports:
  - port: 27017
  selector:
    role: mongo

Removing the loadBalancerIP line works as expected

[sauryadas]

when was this cluster created? region? basic networking or advanced?

[theMichaelB]

a few hours ago, centralus, advanced networking

[sauryadas]

@JunSun17 I believe there was a fix for this issue. can you confirm?

[JunSun17]

@theMichaelB Can you remove the loadBalancerIP field from your template file, I think it will be assigned from the subnet you provided, but not sure you can specify it.

[theMichaelB]

@JunSun17 yes if I remove it, everything works, but being able to specify the IP means we can map it via DNS etc (I know I can script it etc, but laziness!)

it is also documented at https://docs.microsoft.com/en-my/azure/aks/internal-lb

Is it possible to specify which subnet the lb is deployed to?

[JunSun17]

@theMichaelB currently AKS only takes one subnet, so you do not need to provide it. Actually I do not know you can specify the IP address in ILB creation. If so, you will need to make sure:

1. the IP is from the subnet.
2. the IP should not be assigned to a node or pod already. You can try to use a high IP from the subnet address range since IPs are allocated from the low end of the subnet range. But it general I feel it is still risky since there might be IP conflicts (depending on Azure CNI implementation, which I do not know much about it)

[theMichaelB]

@JunSun17 What would it take to get a definitive answer for this? Is the code for this going to be in ACS-Engine? or is it a custom AKS thing?

If it isn't possible then it isn't possible, (and I'll go and update the above doc)

[sauryadas]

Thanks Michael . It is not possible to specify a different subnet for the internal lb . The documentation clearly suggests : The specified IP address must reside in the same subnet as the AKS cluster and must not already be assigned to a resource. Thanks Saurya

…

________________________________ From: Michael <notifications@github.com> Sent: Monday, June 11, 2018 10:19:27 PM To: Azure/AKS Cc: Saurya Das; Comment Subject: Re: [Azure/AKS] setting internal loadBalancerIP does not work (#422) @JunSun17<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FJunSun17&data=02%7C01%7Csaudas%40microsoft.com%7Cc468487a57ef40c74aca08d5d024119d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636643775692303071&sdata=zv%2B1wU5wXhMJ%2B8CAtVXHNjN1%2BcB0v2y1v8iIWvNeVBQ%3D&reserved=0> What would it take to get a definitive answer for this? Is the code for this going to be in ACS-Engine? or is it a custom AKS thing? If it isn't possible then it isn't possible, (and I'll go and update the above doc) — You are receiving this because you commented. Reply to this email directly, view it on GitHub<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAzure%2FAKS%2Fissues%2F422%23issuecomment-396468622&data=02%7C01%7Csaudas%40microsoft.com%7Cc468487a57ef40c74aca08d5d024119d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636643775692313081&sdata=%2BB8H7gOSJDgFX4SchjQrfD9AsUqGdqj%2FnsMCkNNg0Xk%3D&reserved=0>, or mute the thread<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAOrMbxa2rtu7oDAwvmX2jAOKKgmSANlJks5t709fgaJpZM4UjWBD&data=02%7C01%7Csaudas%40microsoft.com%7Cc468487a57ef40c74aca08d5d024119d%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636643775692313081&sdata=frRbzZO2t3LMspvFphm4%2FdQ239%2FSu86%2ByyTrSWhmVfQ%3D&reserved=0>.

[theMichaelB]

@sauryadas the specified IP does reside in the same subnet, and isn't already assigned to a resource.

I have also granted the Service principal access to the Vnet that the subnet is in. (it is in a different resource group - I wonder if that is the issue?)

[VincentSurelle]

Hi, I can relate to this issue.

I built an AKS Cluster with basic networking.

When specifying a LoadBalancerIP :

• First time : Worked well, got an "External Endpoint" in Kubernetes Dashboard
• Every other time : Error creating load balancer (will retry): failed to ensure load balancer for service default/mongodb-service: timed out waiting for the condition

Region : West Europe

EDIT : Built an hour ago

[VincentSurelle]

More informations :

I can make as many Load Balancer as I want but they all need to have different IPs.
Same IP with Same port obviously don't work
Same IP with Different port don't work

[sauryadas]

I think this is an Azure Loadbalancer limitation @aanandr Can you please confirm the below?
I can make as many Load Balancer as I want but they all need to have different IPs.
Same IP with Same port obviously don't work
Same IP with Different port don't work

@JunSun17 The below should work. Can you please take a look?

the specified IP does reside in the same subnet, and isn't already assigned to a resource.

[vyta]

@sauryadas @JunSun17 I am also experiencing this. Any updates?

[marrobi]

@sauryadas @aanandr getting a similar issue, AKS K8S v 1.10.3, not an internal IP, specifying a public IP for the load balancer, the IP is in a different RG. This did work earlier, same k8s version, but this was a fresh cluster. could do with some more detailed error about "the condition".

  Type     Reason                      Age              From                Message
  ----     ------                      ----             ----                -------
  Normal   EnsuringLoadBalancer        3m (x7 over 9m)  service-controller  Ensuring load balancer
  Warning  CreatingLoadBalancerFailed  3m (x7 over 9m)  service-controller  Error creating load balancer (will retry): failed to ensure load balancer for service default/my-service: timed out waiting for the condition

I've tried deleting and recreating the Service.

[marrobi]

Just tried with brand new cluster, and new IP address, same issue.

If I create a service with no IP specified the LoadBalancer gets created.

If I add the IP back, I get:

  Type    Reason                Age              From                Message
  ----    ------                ----             ----                -------
  Normal  EnsuredLoadBalancer   4m (x2 over 4m)  service-controller  Ensured load balancer
  Normal  EnsuringLoadBalancer  4m (x3 over 7m)  service-controller  Ensuring load balancer
  Normal  LoadbalancerIP        4m               service-controller  -> 13.73.148.26
  Normal  EnsuringLoadBalancer  3m               service-controller  Ensuring load balancer
  Normal  EnsuringLoadBalancer  2m               service-controller  Ensuring load balancer
  Normal  EnsuringLoadBalancer  1m               service-controller  Ensuring load balancer
  Normal  EnsuringLoadBalancer  38s              service-controller  Ensuring load balancer

Anyway I can get more logs?

[JunSun17]

@marrobi @vyta I will take a look at this reported issue and get back to you. Thanks!

[JunSun17]

@marrobi @vyta I checked and can not re-produce this issue. Specifying an IP or not in the lb yaml, both work for me without issues.

Just from the timeout error message, is your back end pod running fine? Can you also try to delete the ILB svc and recreate it to see if it works?

[marrobi]

I've tried to reproduce this morning a number of different ways - everything fresh - and all works as expected. Will update if I see it again, but could do with some guidance on getting additional logs should it occur.

[marrobi]

Something isn't right. I have no Load Balancer in the resource group. Deploy the exact same YAML, LoadBalancer is now stuck in pending:

$ kubectl get service
NAME         TYPE           CLUSTER-IP   EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP      10.0.0.1     <none>        443/TCP        22m
my-service   LoadBalancer   10.0.14.27   <pending>     80:31209/TCP   12m

And no events if do a describe:

$ kubectl describe service my-service
Name:                     my-service
Namespace:                default
Labels:                   <none>
Annotations:              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{"service.beta.kubernetes.io/azure-load-balancer-resource-group":"tmpAKS2"},"name":"my-se...
                          service.beta.kubernetes.io/azure-load-balancer-resource-group=tmpAKS2
Selector:                 app=my-app
Type:                     LoadBalancer
IP:                       10.0.14.27
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31209/TCP
Endpoints:                10.244.0.5:80,10.244.1.5:80,10.244.2.6:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

It seems to be if I deploy a service - the first one on a cluster, delete it, then recreate it the LB doesn't get created. Similar to what @VincentSurelle says. Will try verify further.

Happy for you to ping me offline, GitHub name is MS alias to walk through. Thanks.

[marrobi]

I've narrowed down the situation in which I get the issue, and can reproduce, it's something specific around RBAC and SPs so might not be the case for all the above situations.

If you initially don't have the right rights assigned to the SP to VNets/RGs then the LB creation fails and get a semi useful error in events. this is as expected.

If I then correct the SP assignment, delete and recreate the service I get the "timed out waiting for the condition". I can't seem to recover from this. If I create a new cluster, and assign the correct SP rights prior to deploying the service all works fine.

Here's an example, using an IP in different RG, but expect it could be the same for other SP related issues.

YAML:

kind: Service
apiVersion: v1
metadata:
  name: my-service
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-resource-group: $RG
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
  loadBalancerIP: $PUBLIC_IP
  type: LoadBalancer

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  labels:
    app: my-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80

Steps:

export RG="MyRG"

az group create -n $RG -l westeurope

az aks create -g $RG -n tmpAKS --kubernetes-version 1.10.3 --node-count 1

CLIENT_ID=$(az aks show -n tmpAKS -g $RG --query servicePrincipalProfile.clientId | sed 's/"//g')

# ASSIGN INSUFFICIENT RIGHTS - Reader
az role assignment create --role "Reader" --assignee $CLIENT_ID --resource-group $RG

az network public-ip create -g $RG -n service-ip --dns-name demo-service-ip-2  --allocation-method Static
export PUBLIC_IP=$(az  network public-ip show -n service-ip -g $RG --query ipAddress | sed 's/"//g')

az aks get-credentials -g $RG -n tmpAKS

envsubst < service-ip-rg.yaml | kubectl apply -f -

kubectl describe service my-service

# THIS DOESN'T WORK, SO I DELETE 

envsubst < service-ip-rg.yaml | kubectl delete -f -

# ASSIGN SUFFICIENT RIGHTS - Network Contributor

az role assignment create --role "Network Contributor" --assignee $CLIENT_ID --resource-group $RG

# REDEPLOY

envsubst < service-ip-rg.yaml | kubectl apply -f -

kubectl describe service my-service

Still doesn't work. I guess need to recreate a session somewhere given there is a new SP assignment? Might be completely wrong...

[JunSun17]

@marrobi Thanks for the detailed update!

Why do you:
az role assignment create --role "Reader" --assignee $CLIENT_ID --resource-group $RG

I think by default the SP should have owner role on RG, do you have to change role assignments here?

[marrobi]

As in my example the IP is in another RG the SP needs adding. You are correct that Reader isn't sufficient (it needs to be network contributor, but not necessarily Owner) . What I'm trying to show is if initially the SP has incorrect assignment, even when corrected the load balancer still had issues. It seems to be related to caching. If you leave it for say 20mins, it does seem to sort itself out. Give it a try as I've detailed and you will get the errors described in the issue.

…

________________________________ From: Jun Sun <notifications@github.com> Sent: Friday, July 6, 2018 5:41:44 PM To: Azure/AKS Cc: Marcus Robinson; Mention Subject: Re: [Azure/AKS] setting internal loadBalancerIP does not work (#422) @marrobi<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fmarrobi&data=02%7C01%7CMarcus.Robinson%40microsoft.com%7Cc9afe547cb66458db13808d5e35f5cc6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636664921074901923&sdata=ERnZ4a7JKWzIRcdAo8jay0K5unhI%2FlWbP2%2BCJ0C1TL0%3D&reserved=0> Thanks for the detailed update! Why do you: az role assignment create --role "Reader" --assignee $CLIENT_ID --resource-group $RG I think by default the SP should have owner role on RG, do you have to change role assignments here? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2FAzure%2FAKS%2Fissues%2F422%23issuecomment-403086492&data=02%7C01%7CMarcus.Robinson%40microsoft.com%7Cc9afe547cb66458db13808d5e35f5cc6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636664921074901923&sdata=MfZm4sY%2B1Q2rplZ9seR%2BsDFZB8eAXqCxIYO4jJ8T1jg%3D&reserved=0>, or mute the thread<https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FAQTE7W1nNo7MZXaN-YGKu2kBa45JlaN3ks5uD5NIgaJpZM4UjWBD&data=02%7C01%7CMarcus.Robinson%40microsoft.com%7Cc9afe547cb66458db13808d5e35f5cc6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636664921074901923&sdata=n8WFzY1VSJeP3wLsp9qjYKG1TCCd7bTH0v3NlS3eshU%3D&reserved=0>.

[lfshr]

I'm hitting this issue as well. The load balancer is created fine when loadBalancerIP is not specified, but when specified, the External-IP is always "pending"

[feiskyer]

@lfshr Please check logs of kube-controller-manager and find what's wrong in that. It's probably the ip is not in same resource group as kubernetes nodes.

Refer https://docs.microsoft.com/en-us/azure/aks/view-master-logs for guides to do this.

[lfshr]

Yep, I was being stupid. Thanks @feiskyer

[millergd]

@lfshr It's a long shot, but do you remember what the issue was? I'm in the same position - pending with specific external IP but created fine without it. Optimally, I'd like to point to the hostname of specific ELB. Unfortunately I am using AWS which hasn't implemented master logs yet so I can't see the error....

[jnoller]

Closing issue as stale.

[pankajagrawal16]

I am also facing the same issue.
I also generated a private load balancer ip and that was success.

Then i deleted my helm release and tried installing it again and since then its stuck with time out or waiting error