search

Azure / AKS-Construction

Accelerate your onboarding to AKS with; Helper Web App, bicep templating and CI/CD samples. Flexible & secure AKS baseline implementations in a Microsoft + community maintained reference implementation.
https://azure.github.io/AKS-Construction/
MIT License
356 stars 165 forks source link

AKS Construction networking defaults are different from AKS service networking defaults #654

Closed pjlewisuk closed 8 months ago

pjlewisuk commented 1 year ago

Describe the bug When you create an AKS cluster using the Azure CLI, you can choose to pass in optional parameters such as --pod-cidr and --service-cidr. If you don't supply them, AKS uses sane defaults.

Similarly, you can configure AKS to use an existing Vnet with the --vnet-subnet-id parameter, but if you don't, AKS will create a Vnet with default CIDR configuration and use that.

The defaults for ASK vs AKS Construction are listed below:

Configuration Parameter AKS Default AKS-C Default
Vnet CIDR 10.224.0.0/12 10.240.0.0/16
Node CIDR 10.224.0.0/16 10.240.0.0/24
K8s Service CIDR 10.0.0.0/16 172.10.0.0/16
DNS Service IP 10.0.0.10 172.10.0.10
Pod CIDR 10.244.0.0/16 10.244.0.0/16

We should update AKS Construction to align with the AKS Service defaults.   To Reproduce Steps to reproduce the behavior:

  1. Go to AKS Construction homepage
  2. Click on "Networking Details"
  3. Enable "CNI Overlay Network" under "CNI Features"
  4. Observe the default network configuration at the bottom of the page under "Custom Network VNET and Kubernetes Network Configuration"

Expected behavior AKS Construction defaults should align with the AKS service defaults, unless we have a good reason to deviate from them.

Screenshots image

Additional context Add any other context about the problem here.

Gordonby commented 1 year ago

History here is that the AKS Baseline reference architecture was used instead of the Portal. The Portal doesn't necessarily volunteer the best defaults for a typical Hub-Spoke network configuration.

https://github.com/mspnp/aks-baseline/blob/e4bdff8d05f71fb5febc49b9c5b9e5c51fb591b2/cluster-stamp.bicep#L1769C1-L1777C6

    networkProfile: {
      networkPlugin: 'azure'
      networkPolicy: 'azure'
      outboundType: 'userDefinedRouting'
      loadBalancerSku: 'standard'
      loadBalancerProfile: null
      serviceCidr: '172.16.0.0/16'
      dnsServiceIP: '172.16.0.10'
    }
github-actions[bot] commented 11 months ago

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.

AmitSheth commented 11 months ago

I would like to bump this.

the defaults for AKS Construction for serviceCidr are not in the private space (RFC 1918).

172.16.0.0/16 would be a better default than 172.10.0.0/16 to avoid any possible conflict with public space.

pjlewisuk commented 10 months ago

I would like to bump this.

the defaults for AKS Construction for serviceCidr are not in the private space (RFC 1918).

172.16.0.0/16 would be a better default than 172.10.0.0/16 to avoid any possible conflict with public space.

Hi @AmitSheth, thanks for this, that's a really good shout. Have you noticed any issues with using the 172.10.0.0/16 address range, or is this just to align with best practices and the RFC definition? Happy to make the change.

github-actions[bot] commented 9 months ago

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.