#180 k8s in custom Vnet - configurable kubeClusterCidr, kubeServiceCidr, kubeDnsServiceIp #191
Conversation
Hi @alxlchnr, I'm your friendly neighborhood Microsoft Pull Request Bot (You can call me MSBOT). Thanks for your contribution! TTYL, MSBOT
Hi, I am closing and re-opening this PR to bump the CLA bot. Sorry for the inconvenience!
@alxlchnr - thanks for your changes. We are CR'ing this PR this week.
```diff
@@ -49,6 +49,11 @@
   "clientPrivateKey": "clientPrivateKey",
   "kubeConfigCertificate": "kubeConfigCertificate",
   "kubeConfigPrivateKey": "kubeConfigPrivateKey"
 },
+"kubeNetworkConfig": {
+  "kubeDnsServiceIp": "172.17.1.10",
```
How is backward compatibility handled here? I am not saying we need backward compatibility or not; I'm just wondering how your change treats this.
Well, I think old files won't have a kubeNetworkConfig section. In this case I use the old hardcoded values as defaults in pkg/acsengine/defaults.go, so users with old template files are still able to create the deployment templates.
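The fallback described here can be sketched in Go as follows. This is an illustration, not the actual code from pkg/acsengine/defaults.go: the type and function names are invented, and the default values shown are the commonly used Kubernetes network defaults, given here as an assumption.

```go
package main

import "fmt"

// Illustrative defaults; the real hardcoded values live in
// pkg/acsengine/defaults.go on the master branch.
const (
	defaultServiceCIDR  = "10.0.0.0/16"
	defaultDNSServiceIP = "10.0.0.10"
	defaultClusterCIDR  = "10.244.0.0/16"
)

// KubeNetworkConfig mirrors the new optional section in the api model.
// An old api model simply leaves all three fields empty.
type KubeNetworkConfig struct {
	KubeServiceCidr  string
	KubeDnsServiceIp string
	KubeClusterCidr  string
}

// applyDefaults fills in any value the user did not provide, so old
// template files keep producing the same deployment templates as before.
func applyDefaults(c *KubeNetworkConfig) {
	if c.KubeServiceCidr == "" {
		c.KubeServiceCidr = defaultServiceCIDR
	}
	if c.KubeDnsServiceIp == "" {
		c.KubeDnsServiceIp = defaultDNSServiceIP
	}
	if c.KubeClusterCidr == "" {
		c.KubeClusterCidr = defaultClusterCIDR
	}
}

func main() {
	old := KubeNetworkConfig{} // old api model: section absent
	applyDefaults(&old)
	fmt.Println(old.KubeServiceCidr, old.KubeDnsServiceIp, old.KubeClusterCidr)

	partial := KubeNetworkConfig{KubeServiceCidr: "172.17.1.0/24", KubeDnsServiceIp: "172.17.1.10"}
	applyDefaults(&partial)
	fmt.Println(partial.KubeServiceCidr, partial.KubeDnsServiceIp, partial.KubeClusterCidr)
}
```

The point is simply that defaulting happens per field, so a partially filled section also keeps working.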
Did my reply answer your question @rjtsdl or do you need more information?
Sounds good to me
@alxlchnr Is this ready for review? Can you explain the tactic you took with this, and then also rebase it?
Please address the questions Jing Tao and I have provided and we can proceed. (also rebase!)
@colemickens just answered Jing Tao's question. Also rebased.
I will run one last test, because after rebasing I get a deployment validation error. It seems that the custom script content now exceeds the max length for using resource group template functions. Do you have any suggestions on this?
@colemickens so this is nothing I need to worry about?
@alxlchnr Depends. If we do nothing we block merging for a non-trivial amount of time. I will attempt to create some sort of workaround today so that we can unblock you and others.
That having been said, this is not properly rebased - there are 48 commits. I can't really review this in this state.
You were right, I'm sorry. Maybe it's better now.
@alxlchnr - are you able to rebase per Cole's request? We want to review and merge.
@anhowe I just rebased. Please have a look.
Hi! I was after this feature and master seemed to have moved on quite a lot (to do with how the .yaml contents are included in the userdata/gzipping) so I have rebased this on master here: https://github.com/ashb/acs-engine/tree/customVnet -- I have maintained @alxlchnr's authorship on the commit. I haven't opened a new pull request for this but I can do if that would be easier.
I'm having problems getting the pod networking working. Without a
Okay, so my conclusion is that I can't quite get this working as-is, at least not using the default networkPolicy - the IPs alone aren't enough, as we don't have control over things like the agent_n_Subnet params.
@ashb No network policy should work fine. If the route table was empty, it points to you not having correct service principal credentials. With the "azure" vnet network policy, this problem should actually be even easier, since the pod IPs will automatically come from the subnet range, so you'd actually need to adjust fewer flags. I'd suggest focusing on the "none" network policy for now. Check your SP credentials and see if you get any further. If not, make sure your branch is pushed and ping us and we can see if we spot what's wrong.
@colemickens Pushed as ashb/customVnet. I'm fairly sure I've got the SP right now, as the nodes are coming up. A second pair of eyes would be greatly appreciated. (The goal we are trying to achieve is to have each of our three clusters in a separate IP range. Even though they won't be speaking to each other, they will be speaking to other IaaS components in Azure, and our networking team wants them to be distinct.)
@ashb Are you on the Kubernetes Slack? I can offer some interactive assistance in ~90 minutes. Otherwise... The cluster you have now with Ready nodes, is the networking working (route table populated)? Or do you still get issues when trying to
I am, but timezones (Europe/London here) mean I'll be done in about 60 mins. I'm trying again with a clean RG and this as the (partial) input to acs-engine:

```json
{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
        "dnsServiceIp": "192.168.1.255",
        "serviceCidr": "192.168.1.0/24"
      }
    },
```

I'll report how I get on. I'm hopeful this one at least should work, as the service CIDR range isn't routed outside and is just iptables rules on each node. (With apologies to @alxlchnr for hijacking his issue and spamming his inbox.)

Update: I'm not sure if this config is meant to work or not, but it doesn't. On a working/stock ACS cluster I see this:

But on the cluster created with the above config, the only thing in the KUBE-SERVICES chain is this:

(And the kube-dns pod is failing because it tries to speak to 192.168.1.1 but gets a TCP dial timeout. Not unexpectedly.)
Ah, progress! I have found an error message from the kube-proxy logs:

I missed a substitution somewhere!
@ashb That is related to a comment I was going to make -- I think you need to specify all of the custom cidrs, even if you're okay with the defaults. (We should also set defaults and then apply custom, but for the purpose of making progress now, I'd specify them all.)
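Following that advice, an apimodel snippet with all of the custom network values spelled out might look like the following. This is a hedged illustration: `serviceCidr` and `dnsServiceIp` match the field names used in the snippet earlier in this thread, the `clusterCidr` field name is an assumption based on the kubeClusterCidr parameter this PR discusses, and all address ranges are placeholders.

```json
{
  "apiVersion": "vlabs",
  "properties": {
    "orchestratorProfile": {
      "orchestratorType": "Kubernetes",
      "kubernetesConfig": {
        "clusterCidr": "192.168.2.0/24",
        "serviceCidr": "192.168.1.0/24",
        "dnsServiceIp": "192.168.1.10"
      }
    }
  }
}
```

Note that the DNS service IP must fall inside the service CIDR, and the cluster (pod) CIDR should not overlap the service CIDR.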
I'm glad you got it working and the discussion on the issue is revived.
This was completed in k8s in custom Vnet - configurable kubeClusterCidr, kubeServiceCidr, kubeDnsServiceIp #473
Re-implements the changes originally discussed in Azure#191. It makes the Kubernetes cluster and subnets configurable rather than using the default 10.0.0.0/8. This is useful, for example, to allow the Kubernetes cluster to communicate with other services within Azure that may also be within the 10.0.0.0/8 subnet. Fixes Azure#1161. This reverts commit 49bc7d7.
Problem
In #180 I addressed some hardcoded IP addresses that go with the default vnet 10.0.0.0/8. But several users have reported that they already have an existing vnet, which often has a different address space than the default vnet. In that case the hardcoded values do not fit and result in a non-working Kubernetes cluster.
Solution
The idea of this PR is as follows: all hardcoded IP addresses should be replaced with more appropriate values. In order to find the correct values, they need to be handed over to acs-engine before the ARM templates are generated. Therefore I added three new Kubernetes parameters (kubeDnsServiceIp, kubeServiceCidr, kubeClusterCidr). With these parameters I am able to derive appropriate values for all previously hardcoded IP addresses.
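As a sketch of how a dependent value such as kubeDnsServiceIp could be derived from kubeServiceCidr: the common Kubernetes convention is to place the DNS service at a fixed offset (often the tenth address) inside the service CIDR. The function below is an illustration of that convention, not the exact acs-engine logic.

```go
package main

import (
	"fmt"
	"net"
)

// dnsServiceIPFromCidr returns the tenth address of an IPv4 service CIDR,
// e.g. "10.0.0.0/16" -> "10.0.0.10". This sketch assumes the CIDR is given
// as its base address and does not handle octet overflow or IPv6.
func dnsServiceIPFromCidr(serviceCidr string) (string, error) {
	ip, _, err := net.ParseCIDR(serviceCidr)
	if err != nil {
		return "", err
	}
	v4 := ip.To4()
	if v4 == nil {
		return "", fmt.Errorf("only IPv4 service CIDRs are handled in this sketch")
	}
	v4[3] += 10 // offset into the service range
	return v4.String(), nil
}

func main() {
	for _, cidr := range []string{"10.0.0.0/16", "192.168.1.0/24"} {
		ip, err := dnsServiceIPFromCidr(cidr)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %s\n", cidr, ip)
	}
}
```

A derivation like this is why users only need to supply the three CIDR-level parameters instead of editing every individual IP in the generated ARM templates.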
The introduction of new Kubernetes parameters may break old templates, because the parameters are not present there. To overcome this I check for the presence of the newly added parameters; if they are absent, I fall back to default values, which are the hardcoded IP addresses from the master branch.
Why?
@siamak-haschemi described in #303 the manual steps that are necessary to deploy a Kubernetes cluster in a custom vnet with a different address space. In my opinion this is too much manual effort for an apparently frequent use case. The steps @siamak-haschemi described are the same ones I implemented in this PR. The PR will save future users time and manual adjustments to the generated ARM templates.