Creating AKS clusters with custom vnet breaks the aks overlay network #15135

Closed
aemneina opened this issue Aug 19, 2018 · 5 comments
Labels
area/kontainer-engine internal kind/bug Issues that are defects reported by users or that we know have reached a real release

Comments

@aemneina

Rancher versions:
rancher/server or rancher/rancher: 2.0.7

Type/provider of hosts: (VirtualBox/Bare-metal/AWS/GCE/DO)
Azure AKS

Steps to Reproduce:
I tried 4 permutations of this, but basically

  1. create vnet (can be within the same resource group or not, doesn't seem to make a difference)
  2. create an azure cluster within rancher UI
  3. open the advanced options for nodes and define the desired VNET
  4. provision cluster

Results:
After the cluster comes up, things seem to work. If you try to get pods to communicate with each other across nodes, they'll fail. I did a similar task within the Azure portal and that created a working cluster.

@nathan-jenan-rancher
Contributor

nathan-jenan-rancher commented Aug 30, 2018

To fix this issue we need to update to the latest version of the azure go sdk and make sure the following fields are included in the API call:

networkPlugin
serviceCidr
dnsServiceIP
dockerBridgeCidr

networkPlugin can be safely defaulted to azure when a vnet is supplied, but the remaining options must be restricted based on the virtual network selected.

The serviceCidr must not fall within the address range of the selected virtual network. Azure defaults this value to 10.0.0.0/16, although it seems possible that this would overlap with the virtual network selected, so we cannot just default this field.

The dnsServiceIP field must be within the serviceCidr range. So this also cannot be hardcoded. This field defaults to 10.0.0.10 on the azure ui.

dockerBridgeCidr defaults to 172.17.0.1/16 on the azure UI. It cannot overlap with the serviceCidr or the address range of the virtual network.

nathan-jenan-rancher added a commit to nathan-jenan-rancher/types that referenced this issue Aug 30, 2018
Adding options to the AKS config so that options can be passed to support
setting a custom vnet (without these options, a cluster with a custom vnet
will not be functional).

Issue:
rancher/rancher#15135
nathan-jenan-rancher added a commit to nathan-jenan-rancher/kontainer-engine that referenced this issue Aug 30, 2018
This change adds the ability to accept additional network information for the
aks driver.  These changes are necessary because without these options a custom
vnet cannot be set for an aks cluster.

Issue:
rancher/rancher#15135
cjellick pushed a commit to rancher/types that referenced this issue Aug 31, 2018
Adding options to the AKS config so that options can be passed to support
setting a custom vnet (without these options, a cluster with a custom vnet
will not be functional).

Issue:
rancher/rancher#15135
cjellick pushed a commit to rancher/kontainer-engine that referenced this issue Aug 31, 2018
This change adds the ability to accept additional network information for the
aks driver.  These changes are necessary because without these options a custom
vnet cannot be set for an aks cluster.

Issue:
rancher/rancher#15135
nathan-jenan-rancher added a commit to nathan-jenan-rancher/rancher that referenced this issue Aug 31, 2018
This change adds cidr info to subnets that are returned as part of the azure
virtual networks endpoint.  This is to support validation of the new network
fields added to the aks driver for custom vnets.

Issue:
rancher#15135
cjellick pushed a commit that referenced this issue Aug 31, 2018
This change adds cidr info to subnets that are returned as part of the azure
virtual networks endpoint.  This is to support validation of the new network
fields added to the aks driver for custom vnets.

Issue:
#15135
@nathan-jenan-rancher
Contributor

Backend API changes are in and can be tested but still needs UI work.

@nathan-jenan-rancher
Contributor

The following fields are now exposed as part of the AKS driver config:

serviceCidr
dnsServiceIp
dockerBridgeCidr

We need some validation on the UI.
serviceCidr cannot overlap the virtual network address range
dnsServiceIp must fall within the serviceCidr
dockerBridgeCidr must not overlap the virtual network address range or the serviceCidr
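
The three rules above (and the longer explanation of them in the Aug 30 comment) are easy to get subtly wrong, since "does not overlap" is a two-sided check and a vnet may carry more than one address space. Below is an added example, not code from the Rancher project or the AKS driver, that implements the same validation with Go's standard net package; the AKSNetworkConfig type and the ValidateAKSNetwork function are hypothetical names chosen for this illustration, and the sample values are the Azure portal defaults quoted in the thread.

```go
package main

import (
	"fmt"
	"net"
)

// AKSNetworkConfig holds the AKS driver network fields named in this thread
// (serviceCidr, dnsServiceIp, dockerBridgeCidr) plus the address space(s) of
// the virtual network selected for the nodes. The struct is an assumption made
// for this example; it is not the driver's own type.
type AKSNetworkConfig struct {
	VnetAddressSpaces []string // e.g. "10.240.0.0/16"; a vnet may have several
	ServiceCIDR       string   // serviceCidr, Azure portal default 10.0.0.0/16
	DNSServiceIP      string   // dnsServiceIp, Azure portal default 10.0.0.10
	DockerBridgeCIDR  string   // dockerBridgeCidr, Azure portal default 172.17.0.1/16
}

// overlaps reports whether two CIDR blocks share at least one address.
// Two blocks overlap exactly when one of them contains the other's network
// address, so the check has to be made in both directions.
func overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// parseCIDR wraps net.ParseCIDR with a field name in the error message.
// net.ParseCIDR masks the IP, so "172.17.0.1/16" yields the block 172.17.0.0/16.
func parseCIDR(name, s string) (*net.IPNet, error) {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		return nil, fmt.Errorf("%s %q is not a valid CIDR: %w", name, s, err)
	}
	return n, nil
}

// ValidateAKSNetwork applies the three rules from the thread:
//  1. serviceCidr must not overlap any vnet address space
//  2. dnsServiceIp must fall inside serviceCidr
//  3. dockerBridgeCidr must not overlap serviceCidr or any vnet address space
func ValidateAKSNetwork(cfg AKSNetworkConfig) error {
	service, err := parseCIDR("serviceCidr", cfg.ServiceCIDR)
	if err != nil {
		return err
	}
	bridge, err := parseCIDR("dockerBridgeCidr", cfg.DockerBridgeCIDR)
	if err != nil {
		return err
	}
	dns := net.ParseIP(cfg.DNSServiceIP)
	if dns == nil {
		return fmt.Errorf("dnsServiceIp %q is not a valid IP address", cfg.DNSServiceIP)
	}
	if !service.Contains(dns) {
		return fmt.Errorf("dnsServiceIp %s is outside serviceCidr %s", dns, service)
	}
	if overlaps(service, bridge) {
		return fmt.Errorf("dockerBridgeCidr %s overlaps serviceCidr %s", bridge, service)
	}
	for _, space := range cfg.VnetAddressSpaces {
		vnet, err := parseCIDR("vnet address space", space)
		if err != nil {
			return err
		}
		if overlaps(service, vnet) {
			return fmt.Errorf("serviceCidr %s overlaps vnet address space %s", service, vnet)
		}
		if overlaps(bridge, vnet) {
			return fmt.Errorf("dockerBridgeCidr %s overlaps vnet address space %s", bridge, vnet)
		}
	}
	return nil
}

func main() {
	// The portal defaults paired with a vnet that happens to use 10.0.0.0/8:
	// this is the silent overlap the comments warn about, so it must be rejected.
	bad := AKSNetworkConfig{
		VnetAddressSpaces: []string{"10.0.0.0/8"},
		ServiceCIDR:       "10.0.0.0/16",
		DNSServiceIP:      "10.0.0.10",
		DockerBridgeCIDR:  "172.17.0.1/16",
	}
	fmt.Println("defaults against 10.0.0.0/8 vnet:", ValidateAKSNetwork(bad))

	// The same defaults against a vnet in a different range pass all three rules.
	good := bad
	good.VnetAddressSpaces = []string{"10.240.0.0/16"}
	fmt.Println("defaults against 10.240.0.0/16 vnet:", ValidateAKSNetwork(good))
}
```

Running the same check on the server side, rather than only in the UI, is worth considering: a cluster created through the API with overlapping ranges comes up looking healthy and only fails once pods try to reach services across nodes, which is exactly the failure mode the original report describes.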

@westlywright
Contributor

ui changes are in latest

@deniseschannon deniseschannon added the kind/bug Issues that are defects reported by users or that we know have reached a real release label Sep 13, 2018
@soumyalj

soumyalj commented Sep 17, 2018

Tested with v2.1.0-rc1. Created an AKS cluster with a custom virtual network, providing the advanced options below:

  1. Kubernetes service address range
  2. Kubernetes DNS service IP address
  3. Docker bridge address range

Cluster got created successfully.
Created a few pods, and pod communication across nodes was successful.

root@wk1-6c8fb499d4-6swq4:/# curl http://11.0.0.11/name.html
wk2-5746cbf558-6lp2k
root@wk1-6c8fb499d4-6swq4:/# curl http://11.0.0.19/name.html
wk1-6c8fb499d4-s69ww
root@wk1-6c8fb499d4-6swq4:/# curl http://11.0.0.46/name.html
wk2-5746cbf558-7sqzf
root@wk1-6c8fb499d4-6swq4:/#
root@wk2-5746cbf558-7sqzf:/# curl http://11.0.0.86/name.html
wk1-6c8fb499d4-6swq4


DNS resolution was also fine

root@wk2-5746cbf558-7sqzf:/# dig extdns.default.svc.cluster.local +short
www.google.com.
172.217.10.228
root@wk2-5746cbf558-7sqzf:/# dig wk1dns.default.svc.cluster.local +short
11.0.0.19
11.0.0.86
root@wk2-5746cbf558-7sqzf:/#
