Support for CNI to use proxy #49
Comments
@akitekt Can you outline your configuration changes you've made on your cluster? IIRC you changed the kubelet and docker daemon config to route through the proxy? |
Yes, we changed both service files to use the proxy to pull docker images and talk to the EKS endpoint. |
@akitekt We will also hit this problem (until we get our in-VPC EC2 service endpoints set up).
As the agent is using the AWS golang SDK, setting |
@akitekt have you resolved the issue after modifying the dns.yaml? |
After upgrading to EKS 1.9, the CNI container starts working. So EKS 1.9 + the proxy changes above ==> a private VPC version of EKS in business. |
@akitekt thanks for the update! Can I close this issue now? |
I have the CNI plugin running behind an HTTP proxy by setting HTTP_PROXY etc. environment variables in the pod spec: amazon-vpc-cni-k8s/misc/aws-k8s-cni.yaml Line 30 in bd3297a
|
Hello, @liwenwu-amazon I would like to extend this one with CIDR support as Kubernetes did: While setting HTTP[S]_PROXY / NO_PROXY works well, it is very handy to use CIDRs in NO_PROXY (e.g. I can specify my master subnet's CIDR and not care about the exact IP of my master). Otherwise, I need to either put all IP addresses into NO_PROXY, which is very messy, or maintain proper DNS records and use a DNS suffix (which can be cumbersome in some environments). Proxy is a strict requirement for many enterprise customers, so it would be nice to address this both for EKS and homegrown clusters with the Amazon VPC CNI plugin. Best, |
Hey @akitekt @ewbankkit @liwenwu-amazon could you please share what I might be missing? I created the following for both
Updated kube-dns deployment via
I also did a similar thing for
Unfortunately the
Thanks for any help/pointers you can give to make this work. **Edit: Please note that after adding the |
@sdavids13 It may be that the container images for |
@xdrus Ideally this would be done in the golang HTTP client: golang/go#16704. Otherwise the logic you linked to needs to be included in both the AWS SDK for Go and client-go. |
@ewbankkit The worker node can reach out to download some of the containers, I ran
Having seen that the DNS docker images didn't get pulled on the host I went ahead and pulled the images by logging in via:
They were all able to be pulled through the proxy. As for the
Thanks for the help! |
I was able to get it working; I needed to set the proxy environment variables for the kube-proxy daemonset as well. For a quick synopsis of my current configuration, here are the necessary modifications:
Systemd settings: Created three files put in both
Kubernetes settings: Store proxy settings in ConfigMap. Created
Apply via
Inject environment variables into containers: Inject the proxy environment variables ConfigMap by adding the following snippet in the container definition:
Edit the following to inject proxy environment variables:
I tried using the |
I tried all of that and I'm still in a state like this:
I don't have any idea how to get logs or troubleshoot this. I can exec into the proxy at least and it seems to have the correct environment variables. The logs for aws-node are basically empty.
|
Did you look at the kubelet logs on one of the host machines? Did you check your proxy access logs to see if any EKS traffic is being routed through the proxy? Also, after updating the various daemonsets and deployments defined above did you kill off all of the existing pods (which will then spawn new pods with the updated configuration)? |
Turns out the problem was that I needed to add the kube ip range to no_proxy.
> On Wed, Jul 11, 2018 at 2:22 PM Steve D wrote:
> Did you look at the kubelet logs on one of the host machines? Did you check your proxy access logs to see if any EKS traffic is being routed through the proxy? Also, after updating the various daemonsets and deployments defined above did you kill off all of the existing pods (which will then spawn new pods with the updated configuration)?
|
I thought I had all of the available private IP space available in the configuration above, did I miss one? |
Your directions were fine, I just had used our normal no_proxy string rather than yours.
> On Wed, Jul 11, 2018 at 6:07 PM Steve D wrote:
> I thought I had all of the available private IP space available in the configuration above, did I miss one?
|
@sdavids13 Thanks for providing the solution to this issue. Can you move it to a document in ./doc? Thanks |
These solutions for worker nodes with pods (first of all aws-node) behind a proxy do not work, at least for current versions of k8s and EKS clusters. |
Faced the same issue: first off, set the proxy environment variables for the kube-proxy daemonset to make the service endpoints that the aws-node pod uses work. |
@MykhailoKovaliuk, here is one way people solve this in EKS:
Keep in mind that the aws-node daemonset needs to communicate with the kubernetes service endpoint too. Without whitelisting the worker IP, aws-node will not be able to communicate with the kubernetes service endpoint. |
@liwenwu-amazon |
Do you mean no_proxy the POD's CIDR and Worker IP in kubelet extra args? Edited: It works! Holy sh***t!

```
[Service]
Environment='HTTP_PROXY=http://your.corporate.proxy.host:8080'
Environment='HTTPS_PROXY=http://your.corporate.proxy.host:8080'
Environment='NO_PROXY=localhost,127.0.0.1,instance-data,169.254.169.254,.your.corporate.domain.com,$AWS_VPC_CIDR_HERE,$THE_NODE_IP_HERE'
``` |
Hi all, Using the tips I found in this thread, I forked the official AWS AMI for EKS and added the required configuration for docker and kubelet, see them here: https://github.com/fbdo/amazon-eks-ami/tree/proxy-feature I am passing the proxy configurations using the userdata.sh script; I have a Terraform script executing the bootstrap as in:
My proxy config is:
I have an EKS cluster almost working; I am stuck now with the pods in the state:
NAMESPACE NAME READY STATUS RESTARTS AGE
In one worker node, I can see in the logs:
I know you guys already helped me a lot, but if someone has any clues it would be amazing! That issue really made me even more hairless... Thanks! |
Seems your aws-nodes are not really in Running state: |
I followed exactly the @sdavids13 recipe, doing changes for all 3:
No success. |
I just got this working with k8s 1.11. Note that |
Patching the 3 entities with
|
I had the same problem on k8s 1.12 even after patching aws-node and kube-proxy; the pods were still trying to create and then getting into a Crash. I resolved the issue by re-running to pull the config maps again.
All the pods started running fine after that, and are leveraging the proxy variables now. |
Turns out you should also add the control plane endpoint to the NOPROXY environment variable, else kubelet will try to go out through your HTTP proxy to get to the control plane. This impacted me as I was spinning up an EKS cluster behind a restrictive HTTP proxy but the kubelet could not start because it was getting a 403 Forbidden when trying to go out to the EKS endpoint through the HTTP Proxy. This resulted in my NOPROXY looking more like this with
If you are using Terraform like I am to create my EKS clusters, you may have noticed that the AWS provider gives an
|
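The recurring failure in this thread is a NO_PROXY list that covers the corporate network but not the cluster itself: the worker IP, pod addresses in the VPC, the kubernetes ClusterIP that kube-proxy programs, instance metadata, and the control-plane endpoint. The following script is an added example, not code from this issue or from the amazon-vpc-cni-k8s project. It builds such a list, checks a candidate list against each of those destinations (with CIDR matching, the feature golang/go#16704 asked for), and renders the systemd drop-in and the ConfigMap used earlier in the thread. Every cluster value, the proxy host and the ConfigMap name `proxy-environment-variables` are constructed placeholders.

```python
"""Build and sanity-check the NO_PROXY list an EKS worker needs.

Added example; not code from the issue thread or the amazon-vpc-cni-k8s
project. Every value in CLUSTER is a constructed placeholder.
"""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed placeholder cluster facts; substitute your own.
CLUSTER = {
    "vpc_cidr": "10.0.0.0/16",        # worker and pod addresses (VPC CNI hands out VPC IPs)
    "node_ip": "10.0.12.34",          # this worker's primary IP
    "service_cidr": "172.20.0.0/16",  # ClusterIP range that kube-proxy programs
    "endpoint": "https://placeholder-cluster-id.gr7.us-east-1.eks.amazonaws.com",
    "proxy": "http://your.corporate.proxy.host:8080",
}

# A typical corporate-only list: the mistake described in the thread.
CORPORATE_NO_PROXY = "localhost,127.0.0.1,.your.corporate.domain.com"


def build_no_proxy(c):
    """Return a NO_PROXY value covering every in-VPC destination the thread lists."""
    entries = [
        "localhost", "127.0.0.1", "instance-data", "169.254.169.254",
        ".your.corporate.domain.com",
        c["vpc_cidr"], c["node_ip"], c["service_cidr"],
        urlparse(c["endpoint"]).hostname,  # control-plane endpoint without scheme
    ]
    return ",".join(dict.fromkeys(entries))  # dedupe while keeping order


def bypasses_proxy(dest, no_proxy):
    """True if dest (hostname, IP, or URL) is excluded by a NO_PROXY string.

    Handles exact hosts, leading-dot domain suffixes, literal IPs and CIDR blocks.
    """
    host = urlparse(dest).hostname if "://" in dest else dest
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # dest is a hostname, so CIDR entries cannot match it
    for entry in (e.strip() for e in no_proxy.split(",")):
        if not entry:
            continue
        if "/" in entry:
            if addr is not None and addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def missing_exclusions(c, no_proxy):
    """Names of required in-VPC destinations that would wrongly be sent to the proxy."""
    svc = ipaddress.ip_network(c["service_cidr"])
    vpc = ipaddress.ip_network(c["vpc_cidr"])
    required = {
        "node_ip": c["node_ip"],
        "imds": "169.254.169.254",
        "kubernetes_service": str(svc[1]),  # first usable ClusterIP
        "pod_in_vpc": str(vpc[100]),        # any pod address from the VPC
        "control_plane": c["endpoint"],
    }
    return [name for name, dest in required.items() if not bypasses_proxy(dest, no_proxy)]


def systemd_dropin(c, no_proxy):
    """Render the drop-in the thread places under docker.service.d/ and kubelet.service.d/."""
    return (
        "[Service]\n"
        f"Environment='HTTP_PROXY={c['proxy']}'\n"
        f"Environment='HTTPS_PROXY={c['proxy']}'\n"
        f"Environment='NO_PROXY={no_proxy}'\n"
    )


def proxy_configmap(c, no_proxy, name="proxy-environment-variables"):
    """ConfigMap to reference via envFrom in aws-node and kube-proxy (name is assumed)."""
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name, "namespace": "kube-system"},
        "data": {"HTTP_PROXY": c["proxy"], "HTTPS_PROXY": c["proxy"], "NO_PROXY": no_proxy},
    }


if __name__ == "__main__":
    full = build_no_proxy(CLUSTER)
    print("corporate list misses:", missing_exclusions(CLUSTER, CORPORATE_NO_PROXY))
    print("cluster-aware list misses:", missing_exclusions(CLUSTER, full))
    print(systemd_dropin(CLUSTER, full))
    print(json.dumps(proxy_configmap(CLUSTER, full), indent=2))  # JSON is valid YAML
```

Run it as-is and the corporate-only list reports all five cluster destinations as missing, while the generated list reports none; swap in your own VPC CIDR, node IP, service range and cluster endpoint to check a real node before the kubelet ever tries to reach the control plane through the proxy.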
Using CNI https://aws.amazon.com/premiumsupport/knowledge-center/eks-http-proxy-configuration-automation/ Will close this ticket once the instructions have been added to the official AWS documentation. |
Following this tutorial to set up a proxy for my cluster. However, it seemed like the proxy does not work properly when I ssh into my node to check. Is it an issue? |
Can you please confirm if you followed the steps here - https://aws.amazon.com/premiumsupport/knowledge-center/eks-http-proxy-configuration-automation/ Also, can you please explain more on the steps to repro and what issue you are seeing? Thank you! |
@pow-devops2020 Closing the issue. Feel free to reopen it if the instructions in the above doc didn't help. |
Hi,
We are running a POC using the EKS preview.
Since we are behind a corporate proxy, we need to enable proxy for the CNI.
However, after the conversation with the AWS support team, it seems the CNI container does not support proxy right now.
Is this going to be on the roadmap?
Thanks
Eric Liu